Lock the doors…… and hope theydon’t have blasters!

The infamous Star Wars quote. Generally at a campus edge we lock the doors. Firewalls, IDS, IPS and astro droids. The problem is often we forget about the network behind that. In this day and age an attacker could be anywhere. Cubicle D row 4, an integrator, the air con man or the CTO sent in on a mission. Alright, the last two were two far but hey I enjoy elaborating!

The importance of layer 2 security should be respected and as well regarded as layer 3. A combination of monitoring as well as considering the technologies in this post, you will be on your way to securing your network. Well, you will be better than a network with none! Included are some tasty treats you can go and bake an implementation plan with.

Port Security

CAM Flooding/MAC spoofing is one sure fire way to ruin one’s day. CAM flooding essentially is the ability fill the CAM with bogus mac addresses. When legitimate requests come to the full CAM table the switch essentially turns into a hub mode. We know how hubs work right? Flooding. Lot’s of flooding. It’s a nice way to sniff the traffic as every request to that MAC address is flooded out all ports. Delicious sniffer waiting on Mike from accounting’s desktop and precious data seized.

The way to stop against this style of attack is implementing port security. I find this feature fantastic for devices that SHOULD be staying put. Servers, IP Cameras, WAPs. If desktops are deployed then lock them down too. How do you do this? Is it work it? In my opinion….
YES!

Port security gives the ability to dynamically or statically learn the MAC address of expected devices on the switch port. When a device transmits frames with a MAC address that is not expected the port can shut, shut and report or err-disable and report.

Under the interface let’s configure a statically assigned

3550(config-if)# switchport port-security
3550(config-if)# switchport port-security mac-address 0000.0000.0000.000a
3550(config-if)# switchport port-security violation shutdown

Firstly we enable port-security then define the mac-address we expect and last but not least the expected action that is taken when an unexpected frame is generated from the port. By default the maximum value is 1 MAC address. You can change this with

3550(config-if)# switchport port-security maximum 5

This set’s the expected amount of different MAC addresses to 5. Easy. Next hot feature to use in conjunction with port security would have to be the aging feature. By default learned mac addresses are not aged out. You can set a time for them to do so and the switch flushes them from the interface.

3550(config-if)# switchport port-security aging 10
                      --or--
3550(config-if)# switchport port-security aging static

MAC addressed learned dynamically are cleared in 10 minutes with the first command. The second command ages statically configured secure addresses. It is worth knowing the three modes in which the port-state can enter when a maximum mac-address is reached.

  • Protect: Frames are dropped from non-allowed addresses. No log.
  • Restrict: Again frames are dropped this time a log message is created and SNMP trap sent
  • Shutdown: Interface is errdisabled, log entry made and SNMP trap sent when a non-allowed frame is received.
There are other ways to assign port security with a feature known as mac address sticky. When I first discovered this back when I was a networking tacker I thought it was great. I didn’t have to find out mac addresses of my ap’s or servers. Instead I issued the following command
3550(config-if)# switchport port-security mac-address sticky

Instead of typing the previous commands to specify the mac-address the switch will learn and keep the mac-address of the first frame it captures. Any new frame received on that port will violate it based on the terms listed above.

Blocking Uni/Multicast floods

It is possible to avoid broadcasts on ports that do not need to receive them. When a switch floods a packet with an unknown destination mac address to all ports in the same VLAN. No need to flood to ports that have a set mac address. Use the commands below

3550(config-if)# interface gi0/4
3550(config-if)# switchport block unicast
3550(config-if)# switchport block multicast


Vlan hopping


A network attack that allows access to a vlan that an end device should not be in. By tagging invasive traffic with a specific VID or manipulating the creation of a dynamic trunk  can cause a switch to become compromised. The initial exploit of DTP is done when an attacker sends a malicious DTP frame. Essentially forms a trunk between the device and the port allowed access to all Vlan’s.  Once the attacker has access to all the Vlan’s they may intercept data or further launch an attack.


Vlan hopping with Double Tagging


Sounds cool because it is. In a shortened sense there is two VID’s per frame. This secondary VID is classed as an “inner header”. Once the original VID is stripped from the “Outer Header” there is still a VID on the frame. This fake frame tricks a switch into thinking the traffic was assigned to that vlan.


Mitigation


    

  • Disable trunk negotiation on unused ports as access.
    • 

  • Place unused ports into shutdown state.
    • 

  • Purposefully configure non ‘auto-magical’ features.
    • 

  • Explicitly define trunks (no-negotiate or on), native vlan.
    • 

  • Don’t let your end user’s reign havoc across your desktop fleet.
    • 



VLAN ACL’s


But wait, there’s more. More types of ACL’s. Just when you thought it wasn’t enough. Holy Joseph and the magic sheep. I like VLAN ACLs. In education it allows quite defined boundaries for Faculties/Students/Staff. Considering at some sites VLAN’s are room based or lab based it can be quite handy.


On a multi-layer switch there are three types of access lists


    

  • RACL – Router ACL’s work on the TCAM hardware. Applied to the Routed interface (SVI)
    • 

  • PACL – Port ACL filters traffic at the port level. Can be applied to L2 switch port, trunk or port channel. Although L2 they can filter L3 and L4 info.
    • 

  • VACL – Vlan access maps. Apply to all traffic in a vlan. Can control traffic in a vlan or switched traffic. RACL’s can only do routed traffic.
    • 



NOTE: Catalysts support four lookups per packet. Input and Output security ACL and input and output QoS ACL. This is known as ACL merge. There are two methods of performing this. Order in/dependent.




    

  • Order-Independant merge – Turned from order-dependent to order-independent masks and patterns. ACE entry is large. Processor and memory intensive!
    • 

  • Order Dependent is newer – New and far more efficient. Maintains order.
    • 





Spoof attacks. Sounds funky.


There are many layers of security in a campus network. Port Security -> DHCP Snooping -> Dynamic ARP -> IP Source Guard. This onion of security can lock down any would be attackers*. This set of tools can be used in conjunction with one another to form a formidable defense against the treacherous cube farmer.


*I do not take liability for you trusting my blog and getting in strife.


Port security will save against MAC floods. DHCP snooping will prevent attacks and silliness there. Dynamic ARP will minimize ARP poisoning. IP source guard prevents IP spoofing by using DHCP snooping.


DHCP Snooping


So you block Facebook. Michael in cubicle 4a is seething. He thinks he knows how to bring you to your knees and have the office staff looking to wring the USB cables around your neck. Well he may just do it. The time is 8:00. PC boot on time. Michael has a little laptop plugged into a cubicle point. DHCP server up and running – Subnet options, router options and other stuff. Dishing out fake addresses to desktops, they act as normal except all data goes through his laptop. Running wireshark he is able to sniff a lot of information. Bad Michael.


Another attack that he could perform would be flood the network with bogus DHCP requests and deplete the scope. No one would then get a valid IP and that can hurt productivity.


To prevent this situations from occurring it is possible to set up DHCP snooping. This allows a switch to mark switch ports as trusted or un-trusted. Trusted switch ports host a DHCP server or serve as an uplink to one. They respond to the DHCP requests that are broadcasted out upon boot of a device. If a DHCP response packet is sent out an untrusted port the port disables and shuts down. This is designed to avoid the above scenario.






3750(switch)# ip dhcp snooping
3750(switch)# ip dhcp snooping information option








Enable snooping as a global command. The information option requests switchport origin. <– Handy




3750(switch-if)# ip dhcp snooping trust




Under the interface we enable trust. This port connects to our DHCP server. By default all ports are not trusted.




3750(switch-if)# ip dhcp snooping limit rate 5




On an un-trusted port we limit the rate of DHCP requests to 5 per second. This is a way to combat DHCP starvation attempts. Finally we confirm the following settings with




3750# show ip dhcp snooping




Very handy way to prevent DHCP Starvation or man-in-the-middle attacks.


ARP Spoofing attacks


ARP. One of the first networking fundamentals I learnt when I was a little tacker. Address resolution protocol! Think of it as mapping an IP address to a MAC address. Simple as that. That is where it is dangerous. We trust that ARP is right. Well of course it is? Right?


It is possible to spoof an ARP reply from a legitimate device with a gratuitous ARP. This allows a device to appear/masquerade as something else. An attacker will bind his MAC to a legitimate devices IP and then can intercept traffic. I have briefly brushed over the explanation and there is plenty of detail in how to launch an attack with gratuitous ARP.


ARP has no authentication. Ettercap, dsniff, ARPspoof poison ARP tables. When I was young I did some great party tricks at high school and caused the then admin’s some headache. Now that the shoes on the other foot I am implementing safeguards to stop “inquisitive” kids like me.


By ensuring valid ARP requests and responses Dynamic ARP inspection will do the following


    

  • Forward ARP packets on trusted interfaces – no checking.
    • 

  • Intercepts ARP packets on untrusted interfaces
    • 

  • Verify untrusted intercepted packets have a valid IP-to-MAC binding before forwarding.
    • 

  • Drop and log ARP packets with invalid IP-to-MAC bindings.
    • 





The best place to configure this is on the access layer. Access layer ports that attach to end user devices should be untrusted. All switch ports that connect to other switches should be marked as trusted. Dynamic ARP Inspection can be configured to limit the number of ARP requests on an interface and errdisable can seize the interface if a threshold is reached.




2960-01(config)# ip arp inspection vlan 100
2960-01(config)# int gi1/0/1
2960-01(config-if)# desc Fiberuplink to 3560-01
2960-01(config-if)# ip arp inspection trust




First of we enable inspection across vlan 100. We assign to our uplink port the trusted status. By default all ports are marked as untrusted.




2960-01(config)# ip arp inspection validate [src-mac [dst-mac] [ip]




This command enables DAI to drop ARP packets when IP’s are invalid or when the MAC address in the body of  ARP packets do not match the Ethernet header.


IP Spoofing and IP Source Guard


IP source guard protects innocent people from being spoofed by a malicious attacker. Dynamically assigns a per port VACL based on IP-to-MAC-to-switch port binding. Bindings can be populated through DHCP snooping or through a static binding. Deployed on untrusted switchports in the access layer.


There are two levels of L2 security filtering


    

  • Source IP filter : Only traffic with a source IP that matches the binding entry is allowed.
    • 

  • Source IP and MAC : IP traffic filtered based on source IP and additionally the MAC address.
    • 







3750(switch-if)# ip verify source vlan dhcp-snooping
		or
3750(switch-if)# ip verifiy source vlan dhcp-snooping port-security








These commands are configured on ports with dhcp snooping set. First enables without MAC filtering. Second enables with MAC filtering.


Ant’s views


Wow. That was alot. Some things I have worked with for a while and some was new to me. I feel these easy steps will help mitigate common attacks. Go out there and re-do your access layer templates. You might be surprised the number of people out there doing things. Education/University level campuses yielded a few tasty treats. Next blog we will discuss things pertaining to “switch hardening”.


 




 


 


 


 


 


 


 


 


 


 


 


 


 


 


 


 














Leave a Reply 
 


Your email address will not be published. Required fields are marked *
 
 



 


 
 


CAPTCHA







 *