Lock the doors… and hope they don’t have blasters!
The infamous Star Wars quote. Generally at the campus edge we lock the doors: firewalls, IDS, IPS and astro droids. The problem is that we often forget about the network behind them. In this day and age an attacker could be anywhere: cubicle D row 4, an integrator, the air con man or the CTO sent in on a mission. Alright, the last two were too far, but hey, I enjoy elaborating!
Layer 2 security deserves the same respect and attention as layer 3. Combine monitoring with the technologies in this post and you will be on your way to securing your network. Well, you will be better off than a network with none of them! Included are some tasty treats you can go and bake an implementation plan with.
Port Security
CAM flooding and MAC spoofing are sure-fire ways to ruin one’s day. CAM flooding fills the switch’s CAM (MAC address) table with bogus source MAC addresses, tens of thousands of them in a few seconds. Once the table is full the switch can no longer learn the MAC addresses of legitimate hosts, so frames destined to them are treated as unknown unicast and flooded out every port in the VLAN; the switch has effectively turned into a hub. We know how hubs work, right? Flooding. Lots of flooding. It’s a nice way to sniff traffic, because every frame for a MAC address the switch can no longer learn is flooded out all ports. Delicious: a sniffer waiting on Mike from accounting’s desktop and precious data seized.
The way to stop this style of attack is port security. I find this feature fantastic for devices that SHOULD be staying put: servers, IP cameras, WAPs. If desktops are deployed, lock them down too. How do you do this? Is it worth it? In my opinion….
YES!
Port security lets the switch learn, dynamically or statically, the MAC addresses expected on a switch port and caps how many it will accept. When a frame arrives with a source MAC address that is not expected, the port can silently drop it, drop it and report, or err-disable and report.
Under the interface, let’s configure a statically assigned MAC address:
3550(config-if)# switchport port-security
3550(config-if)# switchport port-security mac-address 0000.0000.000a
3550(config-if)# switchport port-security violation shutdown
First we enable port security, then define the MAC address we expect (three groups of four hex digits in Cisco’s notation), and last but not least the action taken when a frame with an unexpected source MAC arrives on the port. Note that the port has to be a static access or trunk port first; the switch rejects port security on a port still in dynamic (DTP) mode. By default the maximum is 1 MAC address. You can change this with
3550(config-if)# switchport port-security maximum 5
This sets the number of different MAC addresses the port will accept to 5. Easy. The next hot feature to use in conjunction with port security is aging. By default learned MAC addresses are never aged out (aging time 0). You can set a time after which the switch flushes them from the interface:
3550(config-if)# switchport port-security aging time 10
--or--
3550(config-if)# switchport port-security aging static
Dynamically learned secure MAC addresses are cleared after 10 minutes with the first command (aging is absolute by default; an inactivity type is also available, which only ages addresses that have gone quiet). The second command extends aging to statically configured secure addresses as well. It is worth knowing the three violation modes the port can be configured with, which decide what happens once the maximum number of MAC addresses has been reached and a frame from an unknown source MAC arrives.
- Protect: frames from non-allowed source addresses are dropped. No log, no counter, so you will never know it happened.
- Restrict: frames are dropped again, but this time a syslog message is created, an SNMP trap is sent and the violation counter is incremented.
- Shutdown: the interface is err-disabled, a log entry made and an SNMP trap sent as soon as a non-allowed frame is received. It stays down until you bounce it or errdisable recovery brings it back.
3550(config-if)# switchport port-security mac-address sticky
Instead of typing the MAC address in by hand, the switch learns the source MAC address of the first frame(s) it sees, up to the configured maximum, and writes them into the running configuration as secure addresses. Save the config and they survive a reload. Any frame from a different source MAC after that is a violation and is handled according to the mode above. The catch: whoever talks first owns the port, so enable sticky learning before the port goes live, or at least check what it learned.
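To make the differences between the modes concrete, here is a small Python model of port-security behaviour. It is an added illustration, not anything from the switch or from this post’s configs: the MAC addresses and the frame timeline are constructed, and it models only the maximum, the three violation modes and absolute aging of dynamically learned addresses (sticky learning only changes whether learned addresses are written to the running config, so it is not modelled).

```python
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    """One switch port with port security enabled (simplified model)."""
    maximum: int = 1                 # switchport port-security maximum
    violation: str = SHUTDOWN        # switchport port-security violation ...
    aging_time: int = 0              # minutes; 0 = never age (the default)
    static: set = field(default_factory=set)       # configured mac-address entries
    dynamic: dict = field(default_factory=dict)    # learned mac -> time learned
    errdisabled: bool = False
    violations: int = 0
    syslog: list = field(default_factory=list)

    def secure_macs(self):
        return self.static | set(self.dynamic)

    def _age(self, now):
        """Absolute aging: drop dynamic entries older than aging_time."""
        if self.aging_time:
            expired = [m for m, t in self.dynamic.items() if now - t >= self.aging_time]
            for m in expired:
                del self.dynamic[m]

    def receive(self, src_mac, now=0):
        """Handle one ingress frame; returns what the switch did with it."""
        if self.errdisabled:
            return "drop"            # nothing passes until the port is recovered
        self._age(now)
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.dynamic[src_mac] = now   # room left: learn it as a secure address
            return "forward"
        # Table full and the source MAC is not secure: a violation.
        if self.violation == PROTECT:
            return "drop"            # silently; no counter, no log
        self.violations += 1
        self.syslog.append(f"port-security violation from {src_mac}")
        if self.violation == RESTRICT:
            return "drop+log"
        self.errdisabled = True      # shutdown mode
        return "errdisable"


# Constructed timeline of (minute, source MAC): the legitimate host talks first,
# an attacker's MAC shows up, the host continues, the attacker retries later.
TIMELINE = [(0, "0000.0000.000a"), (1, "dead.beef.0001"),
            (2, "0000.0000.000a"), (12, "dead.beef.0001")]


def run(mode, aging_time=10):
    """Replay TIMELINE through a max-1 port in the given violation mode."""
    port = SecurePort(maximum=1, violation=mode, aging_time=aging_time)
    return [port.receive(mac, t) for t, mac in TIMELINE], port


if __name__ == "__main__":
    for mode in (PROTECT, RESTRICT, SHUTDOWN):
        actions, port = run(mode)
        print(f"{mode:9} {actions}  violations={port.violations} "
              f"errdisabled={port.errdisabled}")
```

Two things fall out of the run that the bullet list alone does not show: in protect mode the attacker’s retry is dropped with nothing to tell you about it, and with a 10 minute absolute aging time on a maximum of 1 the legitimate host’s entry expires at minute 10, so at minute 12 the attacker is simply learned as the new secure address. Pick restrict or shutdown if you want to hear about it, and think twice before aging a single-address port.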
Blocking unicast/multicast floods
When a switch receives a frame with an unknown destination MAC address it floods it to all ports in the same VLAN. A port with a fixed, known MAC address behind it (a port-security protected server, say) has no need to receive that flood, and a host there has no business sniffing it. Use the commands below to stop unknown unicast and unknown multicast flooding out of the port:
3550(config)# interface gi0/4
3550(config-if)# switchport block unicast
3550(config-if)# switchport block multicast
Test the multicast block before rolling it out to ports whose applications depend on multicast the switch has not learned.
VLAN hopping
A network attack that gives an end device access to a VLAN it should not be in. Either by tagging traffic with a chosen VID or by manipulating dynamic trunk negotiation, an attacker can get a switch to deliver their frames into other VLANs. The DTP variant is the simplest: the attacker sends DTP frames claiming to be a switch, and a port left in the default dynamic mode happily negotiates a trunk with them. That trunk carries every VLAN allowed on it, and once the attacker can see all the VLANs they can intercept data or launch further attacks from there.
VLAN hopping with double tagging
Sounds cool because it is. In short, the attacker’s frame carries two 802.1Q tags, the second one being the “inner header”. The first switch strips the outer tag, and because the attacker’s access VLAN is the native VLAN of the trunk, the frame goes over the trunk untagged, which leaves the inner tag as the only one. The next switch reads that inner VID and delivers the frame into the victim VLAN. It only works one way (the victim cannot reply to the attacker) and only when the attacker sits in the trunk’s native VLAN, which is why the mitigations below keep coming back to the native VLAN.
Mitigation
- Put unused ports into access mode and disable trunk negotiation; an access port still sends DTP frames unless you tell it not to (nonegotiate).
- Place unused ports into an unused, dead-end VLAN and shut them down.
- Purposefully configure features rather than relying on ‘auto-magical’ defaults (dynamic desirable or dynamic auto is the default port mode on many Catalyst platforms).
- Explicitly define trunks (mode trunk plus nonegotiate), set the native VLAN to an unused VLAN that no access port is in, and prune the allowed VLAN list.
- Don’t let your end users wreak havoc across your desktop fleet.
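Here is what double tagging looks like on the wire, as an added Python example that is not from the original post. It builds a doubly tagged frame with struct and models the two switches’ handling of the tag stack, so the mitigations above can be checked against the bytes. The MAC addresses, VIDs and payload are constructed sample values, and the switch model is a simplification: an access port accepts a tag equal to its own VLAN and strips it, and a trunk sends the native VLAN untagged unless native tagging is on.

```python
import struct

TPID = 0x8100          # 802.1Q tag protocol identifier


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, vids, ethertype=0x0800, payload=b"hopped"):
    """Ethernet frame with one 802.1Q tag per VID, outermost first."""
    frame = mac(dst) + mac(src)
    for vid in vids:
        frame += struct.pack("!HH", TPID, vid & 0x0FFF)   # PCP/DEI zero, 12-bit VID
    return frame + struct.pack("!H", ethertype) + payload


def vlan_tags(frame):
    """VIDs of the frame's tag stack, outermost first ([] if untagged)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def pop_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]


def access_to_trunk(frame, access_vlan, trunk_native, tag_native=False):
    """Switch 1 (model): frame enters an access port, leaves on an 802.1Q trunk.
    A tag matching the port's own VLAN is accepted and removed, any other tag
    is dropped; on the trunk the native VLAN goes untagged unless the
    'vlan dot1q tag native' behaviour is in effect."""
    tags = vlan_tags(frame)
    if tags:
        if tags[0] != access_vlan:
            return None                      # tagged for a foreign VLAN: dropped
        frame = pop_tag(frame)
    if access_vlan == trunk_native and not tag_native:
        return frame                         # untagged egress: inner tag is now outermost
    return push_tag(frame, access_vlan)


def trunk_ingress_vlan(frame, trunk_native):
    """Switch 2 (model): tagged frames go to the tagged VLAN, untagged to native."""
    tags = vlan_tags(frame)
    return tags[0] if tags else trunk_native


def hop(attacker_vlan, target_vlan, trunk_native, tag_native=False):
    """VLAN in which switch 2 delivers the attacker's double-tagged frame."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "de:ad:be:ef:00:01",
                        [attacker_vlan, target_vlan])   # constructed attacker frame
    out = access_to_trunk(frame, attacker_vlan, trunk_native, tag_native)
    return None if out is None else trunk_ingress_vlan(out, trunk_native)


if __name__ == "__main__":
    print("attacker in vlan 1, trunk native 1 :", hop(1, 100, 1))               # 100: hopped
    print("trunk native moved to 999          :", hop(1, 100, 999))             # 1
    print("native 1 but native VLAN tagged    :", hop(1, 100, 1, tag_native=True))  # 1
```

The first call is the attack as described: the frame lands in VLAN 100. The other two are the mitigations from the list: with the native VLAN moved to an unused VLAN, or with the native VLAN tagged on the trunk, switch 1 puts its own tag back on and switch 2 keeps the frame in the attacker’s VLAN.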
But wait, there’s more: more types of ACLs, just when you thought there were enough. Holy Joseph and the magic sheep. I like VLAN ACLs. In education they allow quite defined boundaries between faculties, students and staff, and since at some sites VLANs are room based or lab based they can be quite handy.
On a multi-layer switch there are three types of access list:
- RACL: Router ACLs, applied to routed interfaces (SVIs and routed ports) and evaluated in TCAM hardware. They only see traffic that is routed between VLANs.
- PACL: Port ACLs filter traffic at the port level. They can be applied to a Layer 2 switch port, trunk or port channel and, although applied at Layer 2, can filter on Layer 3 and Layer 4 information as well as MAC addresses.
- VACL: VLAN access maps apply to all traffic in a VLAN, so they filter traffic bridged within the VLAN as well as traffic routed into or out of it. RACLs only filter routed traffic, which is why a VACL is the tool for keeping two hosts in the same VLAN apart.
The ACLs are compiled into TCAM entries by one of two merge algorithms:
- Order-independent merge (the older one): converts order-dependent ACEs into order-independent masks and patterns. The resulting entries are large and the merge is processor and memory intensive.
- Order-dependent merge (ODM, the newer one): far more efficient and maintains the order of the ACEs.
DHCP snooping
3750(config)# ip dhcp snooping
3750(config)# ip dhcp snooping vlan 100
3750(config)# ip dhcp snooping information option
Enable snooping globally and then on the VLANs you want protected; the global command alone does nothing until at least one VLAN is listed. The information option inserts DHCP option 82, which tells the server which switch and port the request came from. Handy. It is on by default, but be aware that a DHCP server or relay that does not understand option 82 may drop those requests.
3750(config-if)# ip dhcp snooping trust
Under the interface we enable trust. This is the port that leads to our DHCP server (the uplink, or the server’s own port). By default all ports are untrusted, and DHCP server messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped, which is what kills a rogue DHCP server.
3750(config-if)# ip dhcp snooping limit rate 5
On an untrusted port we limit the rate of DHCP packets to 5 per second; exceed it and the port is err-disabled. This is a way to combat DHCP starvation attempts, where a client churns through DISCOVERs with random client hardware addresses until the pool is exhausted. Finally we confirm the settings with
3750# show ip dhcp snooping
A very handy way to prevent DHCP starvation and the man-in-the-middle attacks a rogue DHCP server makes possible (handing itself out as default gateway or DNS server). The binding table it builds (show ip dhcp snooping binding) is also what dynamic ARP inspection and IP source guard rely on below.
ARP Spoofing attacks
ARP. One of the first networking fundamentals I learnt when I was a little tacker. Address Resolution Protocol! Think of it as mapping an IP address to a MAC address. Simple as that. And that is where it is dangerous: we trust that ARP is right. Well of course it is? Right?
It is possible to spoof ARP replies for a legitimate device, for instance by sending gratuitous ARP, which lets a device masquerade as something else. An attacker binds their MAC to the legitimate device’s IP (usually the default gateway) in everyone’s ARP cache and can then intercept, read or modify the traffic passing through. I have only brushed over the explanation; there is plenty of detail out there on how to launch an attack with gratuitous ARP.
ARP has no authentication. Ettercap, dsniff and arpspoof poison ARP tables. When I was young I did some great party tricks at high school and caused the then admins some headaches. Now that the shoe’s on the other foot I am implementing safeguards to stop “inquisitive” kids like me.
Dynamic ARP Inspection (DAI) validates ARP requests and responses against the DHCP snooping binding table (or static ARP ACLs for hosts with fixed addresses) and will:
- Forward ARP packets received on trusted interfaces without checking them.
- Intercept ARP packets received on untrusted interfaces.
- Verify that each intercepted packet has a valid IP-to-MAC binding before forwarding it.
- Drop and log ARP packets with invalid IP-to-MAC bindings.
2960-01(config)# ip arp inspection vlan 100
2960-01(config)# interface gi1/0/1
2960-01(config-if)# description Fiber uplink to 3560-01
2960-01(config-if)# ip arp inspection trust
First off we enable inspection on VLAN 100 (DHCP snooping must already be enabled on that VLAN, or DAI has no bindings and will drop every ARP from untrusted ports). Then we mark the uplink as trusted; by default all ports are untrusted, so trust every inter-switch link, otherwise the neighbouring switch’s hosts get dropped too.
2960-01(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
This enables the optional extra checks: src-mac compares the sender MAC in the ARP body with the Ethernet source address, dst-mac compares the target MAC in ARP replies with the Ethernet destination address, and ip drops ARP packets with invalid or unexpected IP addresses (0.0.0.0, 255.255.255.255 and multicast addresses). Any combination can be enabled, but give them all in one command: a second validate command replaces the first rather than adding to it.
IP Spoofing and IP Source Guard
IP Source Guard stops a host spoofing another host’s IP address. It dynamically installs a per-port ACL that only permits traffic matching the IP-to-MAC-to-switch-port bindings for that port, populated from DHCP snooping or from static bindings. Deploy it on untrusted switch ports at the access layer.
There are two levels of filtering:
- Source IP filter: only traffic with a source IP that matches a binding entry is allowed.
- Source IP and MAC filter: traffic is filtered on the source IP and additionally the source MAC address. This level requires port security on the port as well.
3750(config-if)# ip verify source vlan dhcp-snooping
--or--
3750(config-if)# ip verify source vlan dhcp-snooping port-security
These commands go on ports in a VLAN with DHCP snooping enabled. The first enables source IP filtering only; the second adds MAC filtering and therefore needs port security enabled on the port. A host with a static address on a snooped VLAN needs a static binding (ip source binding) or it will be blocked. On newer IOS releases the vlan dhcp-snooping keywords are gone and the command is simply ip verify source, with or without port-security.
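Everything above (port security, DTP, DHCP snooping, DAI and IP source guard) ends up as a handful of lines per interface, and the failure mode is usually one port that missed the template. The Python below is an added audit script, not part of this post or of any Cisco tool: it parses a running-config and lists which of those controls are missing per interface and per VLAN. The configuration inside it is constructed sample input, and the rules (interface names, which VLANs are covered, that a native VLAN of 1 is a finding, that every non-trunk port is a user port) are assumptions to adapt to your own templates.

```python
import re

# Constructed sample running-config (not from a real switch): a hardened
# access port, one left on defaults, a shut unused port and two trunks.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 100,200
ip arp inspection vlan 100
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 switchport port-security
 switchport port-security violation restrict
 ip dhcp snooping limit rate 5
 ip verify source vlan dhcp-snooping port-security
!
interface GigabitEthernet1/0/2
 switchport access vlan 300
!
interface GigabitEthernet1/0/3
 shutdown
!
interface GigabitEthernet1/0/23
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 ip dhcp snooping trust
 ip arp inspection trust
"""

# What this post expects on every live user port and on every trunk (assumed template).
ACCESS_REQUIRED = ["switchport mode access", "switchport nonegotiate",
                   "switchport port-security", "ip dhcp snooping limit rate",
                   "ip verify source"]
TRUNK_REQUIRED = ["switchport nonegotiate", "ip dhcp snooping trust",
                  "ip arp inspection trust"]


def expand_vlans(spec):
    """'100,200-202' -> {100, 200, 201, 202}"""
    vlans = set()
    for lo, _, hi in (p.partition("-") for p in spec.split(",")):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse(config):
    """Split a running-config into global lines and {interface: [lines]}."""
    glob, intfs, cur = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            intfs[cur] = []
        elif raw.startswith(" ") and cur is not None:
            intfs[cur].append(line)
        else:
            cur = None
            glob.append(line)
    return glob, intfs


def audit(config):
    """Return 'where: what is wrong' findings for the controls in this post."""
    glob, intfs = parse(config)
    findings, snooped, dai = [], set(), set()
    for line in glob:
        m = re.match(r"ip (dhcp snooping|arp inspection) vlan (\S+)$", line)
        if m:
            target = snooped if m.group(1) == "dhcp snooping" else dai
            target.update(expand_vlans(m.group(2)))
    for v in sorted(snooped - dai):
        findings.append(f"global: vlan {v} has DHCP snooping but no 'ip arp inspection vlan {v}'")
    for name, lines in intfs.items():
        has = lambda prefix: any(ln.startswith(prefix) for ln in lines)
        if has("shutdown"):
            continue  # unused and shut, as it should be
        if has("switchport mode trunk"):
            findings += [f"{name}: missing '{c}'" for c in TRUNK_REQUIRED if not has(c)]
            native = next((int(ln.split()[-1]) for ln in lines
                           if ln.startswith("switchport trunk native vlan")), 1)
            if native == 1:
                findings.append(f"{name}: trunk native vlan is 1 (double-tagging risk)")
            continue
        # Anything else is treated as a user-facing port and must carry the access template.
        findings += [f"{name}: missing '{c}'" for c in ACCESS_REQUIRED if not has(c)]
        vlan = next((int(ln.split()[-1]) for ln in lines
                     if ln.startswith("switchport access vlan")), 1)
        if vlan not in snooped:
            findings.append(f"{name}: access vlan {vlan} is not DHCP snooped, so IP source guard has no bindings")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a copy of show running-config and the default-template port (Gi1/0/2 in the sample) lights up with five missing commands plus an access VLAN that DHCP snooping never covers, while the legacy trunk (Gi1/0/23) is flagged for negotiating DTP, not trusting DAI and still using native VLAN 1. The hardened port and the proper uplink produce nothing, which is the state every port on the switch should be in.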
Ant’s views
Wow. That was a lot. Some things I have worked with for a while and some were new to me. I feel these easy steps will help mitigate common attacks. Go out there and re-do your access layer templates. You might be surprised at the number of people out there doing things. Education/University level campuses yielded a few tasty treats. Next blog we will discuss things pertaining to “switch hardening”.