Presentation is loading. Please wait.

Presentation is loading. Please wait.

Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007.

Published byMaximillian Martin Modified over 9 years ago

Similar presentations

Presentation on theme: "Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007."— Presentation transcript:

1 Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007

2 Caveats and Assumptions Opinions expressed are my own and do not represent the views of UBC, my employer, any vendor, or any organization to which I am associated Internet Protocol (IP) implementation in a switched environment is assumed Familiarity with basic networking assumed Control of user traffic, not management of the network device –Secure management of the switch is assumed

3 Caveats and Assumptions Concepts are from a context of Cisco Systems equipment, but sufficiently general to apply to other network hardware vendors Switch features are not available on all product lines – check with your vendor Remediations presented are possibilities not necessarily recommended best practise Test before implementation as bugs may be present

4 Assertion Intelligence built into the new generation of switches will permit greater control of data as it enters your network

5 Application Presentation Session Transport Network Data Link Physical Application Presentation Session Transport Network Data Link Physical transmit receive GET /home.html HTTP/1.1 1024 TCP 80 192.168.1.100 10.11.12.13 00:04:05:06:07:08 00:1A:1B:C3:87:25 OSI Layers

6 Traditional Network Security OSI Layers 3 and 4 where most network controls are implemented –e.g.,192.168.1.2 can only be contacted on TCP port 80 from subnets beginning with 172.16. Firewall rules and router access lists Specialized devices now looking at layer 7

7 Traditional Network Security 192.168.1.2 on TCP port 80 192.168.1.2 on TCP port 99 Full Access Not Involved

8 Vulnerability Attack within subnet Compromised machines can access others on the same VLAN by default Limited Access Full Access

9 Remediation Private VLANs Promiscuous:talks to any port Isolated:talks only to promiscuous Community:talks only to same community or promiscuous promiscuousisolated community A community B promiscuousYesYesYesYes isolatedYesNoNoNo community A YesNoYesNo community B YesNoNoYes

10 Remediation Protected Ports Simpler form of a Private VLAN –Protected:similar to Isolated –Not protected:similar to Promiscuous Only applicable to the local switch however protected not protected protectedNoYes YesYes

11 Remediation Private VLANs or Protected Ports promiscuous or not protected isolated or protected Limited Access No Access

12 Vulnerability Broadcast Storm All devices in VLAN / subnet must handle broadcasts, consuming resources. OS or application bugs may produce constant broadcasts. May also be malicious. broadcast storm broadcast busy handling broadcasts

13 Remediation Storm Control Can apply to broadcasts, multicasts, or unicasts Set threshold as percentage of bandwidth over a 1 second period If threshold is exceeded, drop this type of packet for next 1 second period

14 Vulnerability Flooding for Data Capture or Performance Hit Switches flood to all ports when MAC unknown Switches learn MAC addresses at each port Table of addresses is a finite size Normal starts macof or dsniff address table full flood new source MAC

15 Vulnerability DHCP Denial of Service Attacker requests new addresses for bogus MACs Finite number of DHCP addresses in a subnet PCs coming on the network can not get address starts DHCP Gobbler no more addresses no address request offer

16 Remediation Port Security Limits the source MAC addresses on a port Can specify static addresses or maximum number Violations on ports can –disable port –send trap and syslog –continue forwarding; drop frames with new MACs –continue forwarding; age out MAC entries from inactivity

17 Vulnerability DHCP Rogue Server Attacker uses rogue DHCP server to provide false settings (e.g., DNS, default gateway, etc.) starts rogue DHCP server provides true DHCP bad DHCP information bad offer good offer request

18 Remediation DHCP Snooping Define trusted ports for DHCP responses Trusted DHCP Untrusted DHCP starts rogue DHCP server bad offer request good offer gets good DHCP information

19 Remediation DHCP Snooping – other vulnerabilities covered Comparison of MAC address in layers 2 and 7 –hardware address must match “chaddr” (client hardware address) field in DHCP packet from untrusted ports –recall DHCP Gobbler attack and Port Security Switch keeps track of the DHCP bindings to prevent DoS release attacks –DHCP releases or declines must have the hardware address match the original bound address

20 Vulnerability Spanning Tree Root Hijack for Data Capture or Performance Hit Spanning Tree Protocol resolves loops Bridge Protocol Data Units sent from switches Loops broken based on root selection sends BPDU root frames becomes root bridge STP block connects to both switches BPDU

21 Remediation BPDU Guard BPDUs should not be received on an access port BPDU receipt may indicate unauthorized switch or hub, or an attack BPDU receipt puts port into error disabled mode

22 Vulnerability ARP Table Poisoning ARPs (Address Resolution Protocol) associate layer 3 addresses to layer 2 (IP to MAC) Requests are broadcast Responses unauthenticated and can be sent without a request (gratuitous) Normal starts ettercap hijack I am also Router I am PC A ARP tables poisoned

23 Remediation Dynamic ARP Inspection Validates against DHCP Snooping binding table (if DHCP Snooping used) Can build access lists of MAC and IP pairs for non-DHCP environments or set port to be trusted Can limit the rate of ARPs to prevent DoS attacks

24 Vulnerability IP Address Spoofing Attacker sends packet with spoofed source IP address Victim’s response packet dies or goes to wrong source (another victim) source 192.168.1.1 dest. 192.168.1.1

25 Remediation Ingress Access List RFC 2827 normally done by router can be done at layer 2 device closer to end device Helps protect other devices on subnet Source IP address should always be 0.0.0.0 for DHCP request or within subnet ( e.g., 207.206.205.x ) –Vulnerability: Attacker could still use another IP address within that subnet

26 Remediation IP Source Guard Based on DHCP Snooping — source IP address must be the one listed in DHCP Snooping table. Can add static mappings for non-DHCP devices Can also check MAC address source source 192.168.1.1

27 Conclusion Attack within subnet Broadcast storm MAC Flooding DHCP DoS DHCP rogue Spanning Tree hijack ARP table poisoning IP address spoofing Private VLANs Protected Ports Storm Control Port Security DHCP Snooping BPDU Guard Dynamic ARP Inspection Anti-spoofing access lists IP Source Guard Further Reading: SAFE Layer 2 Security In-depth Version 2 http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/sfblu_wp.pdf

Download ppt "Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007."

Similar presentations

Ethernet Switch Features Important to EtherNet/IP

Ethernet Switch Features Important to EtherNet/IP
Mitigating Layer 2 Attacks

Mitigating Layer 2 Attacks
CCNA3 v3 Module 7 v3 CCNA 3 Module 7 JEOPARDY K. Martin.

CCNA3 v3 Module 7 v3 CCNA 3 Module 7 JEOPARDY K. Martin.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.
CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.

CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.
© 2007 Cisco Systems, Inc. All rights reserved. 1 Network Addressing Networking for Home and Small Businesses – Chapter 5.

© 2007 Cisco Systems, Inc. All rights reserved. 1 Network Addressing Networking for Home and Small Businesses – Chapter 5.
1 © 2004, Cisco Systems, Inc. All rights reserved IP Telephony Security Cisco Systems.

1 © 2004, Cisco Systems, Inc. All rights reserved IP Telephony Security Cisco Systems.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against Spoofing Attacks.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against Spoofing Attacks.
1 © 2003, Cisco Systems, Inc. All rights reserved. Vyncke ethernet security Ethernet: Layer 2 Security Eric Vyncke Cisco Systems Distinguished Engineer.

1 © 2003, Cisco Systems, Inc. All rights reserved. Vyncke ethernet security Ethernet: Layer 2 Security Eric Vyncke Cisco Systems Distinguished Engineer.
1 Version 3 Module 8 Ethernet Switching. 2 Version 3 Ethernet Switching Ethernet is a shared media –One node can transmit data at a time More nodes increases.

1 Version 3 Module 8 Ethernet Switching. 2 Version 3 Ethernet Switching Ethernet is a shared media –One node can transmit data at a time More nodes increases.
Subnetting.

Subnetting.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Securing the Local Area Network

Securing the Local Area Network
Networking Components

Networking Components
(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,

(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Layer 2 Switch  Layer 2 Switching is hardware based.  Uses the host's Media Access Control (MAC) address.  Uses Application Specific Integrated Circuits.

Layer 2 Switch  Layer 2 Switching is hardware based.  Uses the host's Media Access Control (MAC) address.  Uses Application Specific Integrated Circuits.
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.

Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

Similar presentations

Ads by Google