Lecture2 Secured Network Design W.Lilakiatsakun.  ARP  Problems with ARP / Countermeasures  VLAN  Attacking on VLAN / Countermeasures Topics.

Slides:



Advertisements
Similar presentations
Mitigating Layer 2 Attacks
Advertisements

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.
Computer Networks21-1 Chapter 21. Network Layer: Address Mapping, Error Reporting, and Multicasting 21.1 Address Mapping 21.2 ICMP 21.3 IGMP 21.4 ICMPv6.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
Switching Topic 4 Inter-VLAN routing. Agenda Routing process Routing VLANs – Traditional model – Router-on-a-stick – Multilayer switches EtherChannel.
CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.
Cisco 3 - Switch Perrine. J Page 15/8/2015 Chapter 8 What happens to the member ports of a VLAN when the VLAN is deleted? 1.They become inactive. 2.They.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.
Copyright 2009 Kenneth M. Chipps Ph.D. Host Addressing Last Update
Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
IP Routing: an Introduction. Quiz
VLANs- Chapter 3 CCNA Exploration Semester 3 Modified by Profs. Ward
Layer 2: Redundancy and High Availability Part 1: General Overview on Assignment 1.
Network Layer (Part IV). Overview A router is a type of internetworking device that passes data packets between networks based on Layer 3 addresses. A.
VLANs.ppt CCNA Exploration Semester 3 Chapter 3
Virtual LAN (VLAN) W.lilakiatsakun.
Mapping Internet Addresses to Physical Addresses (ARP)
TELE202 Lecture 10 Internet Protocols (2) 1 Lecturer Dr Z. Huang Overview ¥Last Lecture »Internet Protocols (1) »Source: chapter 15 ¥This Lecture »Internet.
Chapter 4: Managing LAN Traffic
Voice VLANs Lecture 7 VLANs.ppt 21/04/ Apr-17
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: Implementing VLAN Security Routing And Switching.
Virtual LAN Design Switches also have enabled the creation of Virtual LANs (VLANs). VLANs provide greater opportunities to manage the flow of traffic on.
IEEE 802.1q - VLANs Nick Poorman.
VLAN Trunking Protocol
VLAN V irtual L ocal A rea N etwork VLAN Network performance is a key factor in the productivity of an organization. One of the technologies used to.
CMPT 471 Networking II Address Resolution IPv4 ARP RARP 1© Janice Regan, 2012.
Connecting The Network Layer to Data Link Layer. ARP in the IP Layer The Address Resolution Protocol (ARP) The Address Resolution Protocol (ARP) Part.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Configure a Switch LAN Switching and Wireless – Chapter 3.
Mahindra-British Telecom Ltd. Exploiting Layer 2 By Balwant Rathore.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: Implementing VLAN Security Routing And Switching.
1 Network Administration Module 3 ARP/RARP. 2 Address Resolution The problem Physical networks use physical addresses, not IP addresses Need the physical.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: Implementing VLAN Security Routing And Switching 3.0.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 8 Virtual LANs Cisco Networking Academy.
STORE AND FORWARD & CUT THROUGH FORWARD Switches can use different forwarding techniques— two of these are store-and-forward switching and cut-through.
1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Dynamic Host Configuration Protocol (DHCP)
1 Kyung Hee University Chapter 8 ARP(Address Resolution Protocol)
Switching Topic 2 VLANs.
Virtual LAN (VLAN) W.lilakiatsakun. VLAN Overview (1) A VLAN allows a network administrator to create groups of logically networked devices that act as.
Virtual Local Area Networks (VLANs) Part II
Configuring VLAN Chapter 14 powered by DJ 1. Chapter Objectives At the end of this Chapter you will be able to:  Understand basic concept of VLAN  Configure.
Chapter 4 Version 1 Virtual LANs. Introduction By default, switches forward broadcasts, this means that all segments connected to a switch are in one.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.
Virtual LAN (VLAN) W.lilakiatsakun.
Cisco Confidential © 2013 Cisco and/or its affiliates. All rights reserved. 1 Cisco Networking Training (CCENT/CCT/CCNA R&S) Rick Rowe Ron Giannetti.
Interconnecting Cisco Networking Devices Part 1 Pass4sureusa Pass4sure.
Address Resolution Protocol Yasir Jan 20 th March 2008 Future Internet.
+ Lecture#8: VLAN Asma AlOsaimi Topics VLAN Segmentation VLAN Implementation VLAN Security and Design 3.0.
LAN Switching Virtual LANs. Virtual LAN Concepts A LAN includes all devices in the same broadcast domain. A broadcast domain includes the set of all LAN-connected.
Cisco Implementing Cisco IP Switched Networks (SWITCH )
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 VLANs.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 VLANs.
Introduction to Networks v6.0
IP: Addressing, ARP, Routing
Instructor Materials Chapter 6: VLANs
Instructor Materials Chapter 5: Ethernet
Virtual Local Area Networks (VLANs) Part I
Chapter 8 ARP(Address Resolution Protocol)
Objective: ARP.
LAN Switching and Wireless – Chapter 3
ARP and RARP Objectives Chapter 7 Upon completion you will be able to:
BOOTP and DHCP Objectives
Net 323: NETWORK Protocols
Routing and Switching Essentials v6.0
CCNA Routing and Switching Routing and Switching Essentials v6.0
Chapter 3: Implementing VLAN Security
1 ADDRESS RESOLUTION PROTOCOL (ARP) & REVERSE ADDRESS RESOLUTION PROTOCOL ( RARP) K. PALANIVEL Systems Analyst, Computer Centre Pondicherry University,
Ch 17 - Binding Protocol Addresses
Sécurisation au niveau 2 pour certains matériels Cisco
Presentation transcript:

Lecture2 Secured Network Design W.Lilakiatsakun

 ARP  Problems with ARP / Countermeasures  VLAN  Attacking on VLAN / Countermeasures Topics

 Why do we need ARP  ARP Operation  ARP Packet  Attack by using ARP  How to protect Address Resolution Protocol (ARP) (1)

Address Resolution Protocol (ARP) (2)  Related RFC  RFC826 : Ethernet Address Resolution Protocol, Internet Standard STD 37.  RFC 5227 : IPv4 Address Conflict Detection, proposed standard

 When the packets are forwarded to the destination network by routers  But, how the packets will be forwarded to destination host ?  IP addresses cannot be used within LAN,instead, MAC addresses are using to forward frame within LAN  So, we need to map between IP address and MAC Why do we need ARP (1)

ARP Purpose  Sending node needs a way to find the MAC address of the destination for a given Ethernet link The ARP protocol provides two basic functions:  Resolving IPv4 addresses to MAC addresses  Maintaining a table of mappings Why do we need ARP (2)

ARP Operation (1)

 ARP Table –  Used to find the data link layer address that is mapped to the destination IPv4 address  As a node receives frames from the media, it records the source IP and MAC address as a mapping in the ARP table  ARP request –  Layer 2 broadcast to all devices on the Ethernet LAN  The node that matches the IP address in the broadcast will reply  If no device responds to the ARP request, the packet is dropped because a frame cannot be created ARP Operation (2)

ARP Operation (3)

ARP Operation (4)

ARP Operation (5)

ARP Operation (6)

 If the destination IPv4 host is on the local network, the frame will use the MAC address of this device as the destination MAC address  If the destination IPv4 host is not on the local network, the source uses the ARP process to determine a MAC address for the router interface serving as the gateway  In the event that the gateway entry is not in the table, an ARP request is used to retrieve the MAC address associated with the IP address of the router interface ARP in Remote network (1)

ARP in Remote network (2)

 Ethernet Destination Address ff:ff:ff:ff:ff:ff (broadcast) for ARP request  Ethernet Source Address of ARP requester  Frame Type  ARP request/reply: 0x0806  RARP request/reply: 0x8035  IP datagram: 0x0800 ARP in Ethernet Frame

ARP Format (1)

 Hardware type: 1 for ethernet  Protocol type: 0x0800 for IP ( )  same of Ethernet header field carrying IP datagram!  Hardware len= length in bytes of hardware addresses  (6 bytes for ethernet)  Protocol len= length in bytes of logical addresses  (4 bytes for IP)  ARP operation: 1=request; 2=reply; 3/4=RARP req/reply ARP Format (2)

ARP Format (3)

 Avoids ARP request for every IP datagram  Entry lifetime defaults to 20min  deleted if not used in this time  3 minutes for “incomplete”cache entries (i.e. arp requests to non existent host)  it may be changed in some implementations in particularly stable (or dynamic)  arp-a to display all cache entries (arp–d to delete) ARP Cache (1)

 ARP cache of each node needs to be updated periodically by sending ARP requests.  ARP requests carry requestor IP/MAC pair  ARP requests are broadcast thus, they MUST be read by everyone  Therefore, it comes for free, for every computer, to update its cache with requestor pair ARP Cache (2)

Proxy ARP (1)  Proxy ARP is the technique in which one host, usually a router, answers ARP requests intended for another machine.  By "faking" its identity, the router accepts responsibility for routing packets to the "real" destination.

Proxy ARP (2)  Proxy ARP can help machines on a subnet reach remote subnets without the need to configure routing or a default gateway.  Proxy ARP is defined in RFC 1027RFC 1027

 ARP request issued by an IP address and addressed to the same IP address  Clearly nobody else than ME can answer  WHY asking the network which MAC address do I have Gratuitous ARP (1)

 2 main reasons:  Determine if another host is configured with the same IP address  this case respond occurs, and MAC address of duplicated IP address is known.  Use gratuitous ARP when just changed hardware address  all other hosts update their cache entries!  A problem is that, despite specified in RFC, not all ARP cache implementations operate as described Gratuitous ARP (2)

 Performance  ARP operations are basically based on broadcast frame  Alleviated by LAN Segmentation  Security  ARP poisoning Problems with ARP (1)

Problems with ARP (2)

Problems with ARP (3)

Problems with ARP (4)

 Dynamic ARP Inspection  Based on information from DHCP snooping  Others ? Countermeasure on ARP poisoning (1)

 DHCP Snooping Binding Database  The DHCP snooping binding database is also referred to as the DHCP snooping binding table.  The DHCP snooping feature dynamically builds and maintains the database using information extracted from intercepted DHCP messages.  The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled.  The database does not contain entries for hosts connected through trusted interfaces. Countermeasure on ARP poisoning (2)

 The DHCP snooping feature updates the database when the switch receives specific DHCP messages.  For example, the feature adds an entry to the database when the switch receives a DHCPACK message from the server.  The feature removes the entry in the database when the IP address lease expires or the switch receives a DHCPRELEASE message from the host.  Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host. Countermeasure on ARP poisoning (3)

 Dynamic ARP Inspection (DAI)  DAI is a security feature that validates ARP packets in a network.  DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings.  DAI ensures that only valid ARP requests and responses are relayed. The switch performs these activities: Intercepts all ARP requests and responses on untrusted ports Verifies that each of these intercepted packets has a valid IP-to- MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination Drops invalid ARP packets Countermeasure on ARP poisoning (4)

 DAI Rate Limiting of ARP Packets (1)  The switch performs DAI validation checks, which rate limits incoming ARP packets to prevent a denial-of- service attack.  By default, the rate for untrusted interfaces is 15 packets per second (pps).  Trusted interfaces are not rate limited.  You can change this setting by using the ip arp inspection limit interface configuration command. Countermeasure on ARP poisoning (5)

 DAI Rate Limiting of ARP Packets (2)  When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the error-disabled state.  The port remains in that state until you intervene.  You can use the errdisable recovery global configuration command to enable error disable recovery so that ports automatically emerge from this state after a specified timeout period. Countermeasure on ARP poisoning (6)

 ARP Authentication (Pongsure/Woraphon) Countermeasure on ARP poisoning (7)

VLAN (1)  A VLAN is a logically separate IP subnetwork.  VLANs allow multiple IP networks and subnets to exist on the same switched network.  For computers to communicate on the same VLAN, each must have an IP address and a subnet mask that is consistent for that VLAN.  The switch has to be configured with the VLAN and each port in the VLAN must be assigned to the VLAN.

VLAN (2)  A switch port with a singular VLAN configured on it is called an access port.  Remember, just because two computers are physically connected to the same switch does not mean that they can communicate.  Devices on two separate networks and subnets must communicate via a router (Layer 3), whether or not VLANs are used.

VLAN (3)

Type of VLAN  Data VLAN  Default VLAN  Native VLAN  Management VLAN  Voice VLAN

Types of VLANs - Data VLAN (1)  Data VLAN - a VLAN that is configured to carry only user- generated traffic.  It is common practice to separate voice and management traffic from data traffic.  A data VLAN is sometimes referred to as a user VLAN.

Types of VLANs - Data VLAN (2) Data VLAN

Types of VLANs- Default VLAN (1)  All switch ports become a member of the default VLAN after the initial boot up of the switch.  Having all the switch ports participate in the default VLAN makes them all part of the same broadcast domain.  This allows any device connected to any switch port to communicate with other devices on other switch ports.  The default VLAN for Cisco switches is VLAN 1.  VLAN 1 has all the features of any VLAN, except that you cannot rename it and you can not delete it.

Types of VLANs- Default VLAN (2)  Layer 2 control traffic, such as CDP and spanning tree protocol traffic, will always be associated with VLAN 1 - this cannot be changed.  In the figure, VLAN 1 traffic is forwarded over the VLAN trunks connecting the S1, S2, and S3 switches.  It is a security best practice to change the default VLAN to a VLAN other than VLAN 1; this entails configuring all the ports on the switch to be associated with a default VLAN other than VLAN 1.

Types of VLANs- Default VLAN (3) Default VLAN

Types of VLANs - Native VLAN (1)  A native VLAN is assigned to an 802.1Q trunk port.  An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic).  The 802.1Q trunk port places untagged traffic on the native VLAN.  In the figure, the native VLAN is VLAN 99.  Untagged traffic is generated by a computer attached to a switch port that is configured with the native VLAN.

Types of VLANs - Native VLAN (2)  Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic common to legacy LAN scenarios.  For our purposes, a native VLAN serves as a common identifier on opposing ends of a trunk link.  It is a best practice to use a VLAN other than VLAN 1 as the native VLAN.

Types of VLANs - Native VLAN (3)

Types of VLANs - Management VLAN (1)  A management VLAN is any VLAN you configure to access the management capabilities of a switch.  VLAN 1 would serve as the management VLAN if you did not proactively define a unique VLAN to serve as the management VLAN.  You assign the management VLAN an IP address and subnet mask.  A switch can be managed via HTTP, Telnet, SSH, or SNMP.  VLAN 1 is normally used as the default VLAN,  VLAN1 would be a bad choice as the management VLAN; you wouldn't want an arbitrary user connecting to a switch to default to the management VLAN.

Types of VLANs - Management VLAN (2)

Types of VLANs - Voice VLAN (1)  It is easy to appreciate why a separate VLAN is needed to support Voice over IP (VoIP).  VoIP traffic requires:  Assured bandwidth to ensure voice quality  Transmission priority over other types of network traffic  Ability to be routed around congested areas on the network  Delay of less than 150 milliseconds (ms) across the network

Types of VLANs - Voice VLAN (2)

Types of VLANs - Voice VLAN (3)  A Cisco Phone is a Switch  The Cisco IP Phone contains an integrated three-port 10/100 switch as shown in the Figure. The ports provide dedicated connections to these devices:  Port 1 connects to the switch or other voice-over-IP (VoIP) device.  Port 2 is an internal 10/100 interface that carries the IP phone traffic.  Port 3 (access port) connects to a PC or other device.

Types of VLANs - Voice VLAN (4)

Types of VLANs - Voice VLAN (5)

VLAN Trunk (1)  A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device, such as a router or a switch.  Ethernet trunks carry the traffic of multiple VLANs over a single link.  A VLAN trunk allows you to extend the VLANs across an entire network.  Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet and Gigabit Ethernet interfaces.

VLAN Trunk (2)

VLAN Trunk (3) Without VLAN trunking

VLAN Trunk (4) With VLAN trunks

VLAN Trunk Q Frame tagging (1)  The VLAN tag field consists of an EtherType field, a tag control information field,and the FCS field.  EtherType field  Set to the hexadecimal value of 0x8100.  This value is called the tag protocol ID (TPID) value.  With the EtherType field set to the TPID value, the switch receiving the frame knows to look for information in the tag control information field.

VLAN Trunk Q Frame tagging (2)  Tag control information field  3 bits of user priority - Used by the 802.1p standard, which specifies how to provide expedited transmission of Layer 2 frames.  1 bit of Canonical Format Identifier (CFI) - Enables Token Ring frames to be carried across Ethernet links easily.  12 bits of VLAN ID (VID) - VLAN identification numbers; supports up to 4096 VLAN IDs.  FCS field  After the switch inserts the EtherType and tag control information fields, it recalculates the FCS values and inserts it into the frame.

VLAN Trunk Q Frame tagging (3)

 VLAN hopping describes when an attacker connects to a VLAN to gain access to traffic on other VLANs that would normally not be accessible.  There are two VLAN hopping exploit methods:  Switch spoofing  Double tagging VLAN Hopping (1)

 Switch Spoofing  Switch spoofing can occur when the switch port an attacker connects to is either in trunking mode or in DTP auto-negotiation mode – both allowing devices that use 802.1q encapsulation to tag traffic with different VLAN identifiers.  An attacker adds 802.1q encapsulation headers with VLAN tags for remote VLANs to its outgoing frames.  The receiving switch interprets those frames as sourced from another 802.1q switch (only switches usually use 802.1q encapsulation after all), and forwards the frames into the appropriate VLAN. VLAN Hopping (2)

VLAN Hopping (3) In a basic switch spoofing attack, the attacker takes advantage of the fact that the default configuration of the switch port is dynamic auto.

 Double Tagging  This type of attack takes advantage of the way that hardware on most switches operates.  Most switches perform only one level of 802.1Q deencapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame.  This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify. An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunk ports are disabled, because a host typically sends a frame on a segment that is not a trunk link. VLAN Hopping (4)

VLAN Hopping (5) VLAN Double Tagging

 Switch Spoofing  The two preventive measures against switch spoofing attacks are [1] to set edge ports to static access mode and [2] disable DTP auto-negotiation on all ports.  The switchport mode access command forces the port to act as an access port, disabling any chance that it could become a trunk port and send traffic for multiple VLANs.  Manually disabling Dynamic Trunking Protocol (DTP) on all ports prevents access ports configured as dynamic from forming a trunk relationship with a potential attacker.  Switch Spoofing  Switch(config-if)# switchport mode access  Switch(config-if)# switchport nonegotiate Mitigate VLAN Hopping (1)

 The key feature of a double tagging attack is exploiting the native VLAN.  Since VLAN 1 is the default VLAN for access ports and the default native VLAN on trunks, it’s an easy target.  The first countermeasure is to remove access ports from the default VLAN 1 since the attacker’s port must match that of the switch’s native VLAN.  Switch(config-if)# switchport access vlan 10  Switch(config-if)# description access_port Mitigate VLAN Hopping (2)

 The second countermeasure is to assign the native VLAN on all switch trunks to an unused VLAN. Switch(config-if)# switchport trunk native vlan 99  Or tag the native VLAN over all trunks, disabling all untagged traffic over the interface. Switch(config-if)# switchport trunk native vlan tag Mitigate VLAN Hopping (3)