Basic L2 and L3 security in Campus networks
Matěj Grégr
CNMS 2016
Communication in IPv4 network
- Assigning an IPv4 address using DHCPv4
- Finding the MAC address of the default gateway
- Finding the mapping between a DNS name and an IP address
- TCP connection
- HTTP request

DHCP Spoofing
DHCP spoofing
- Steal the IP address of another device
- Forge the DNS server
- Forge the default gateway
- Several pieces of malware "available": Trojan.Flush.M, Trojan:W32/DNSChanger
DHCP spoofing: DHCP Discover
Hosts on the segment: DHCP server DD:DD:DD:DD:DD:DD (192.168.0.254), attacker CC:CC:CC:CC:CC:CC (192.168.0.3), BB:BB:BB:BB:BB:BB (192.168.0.2), new client AA:AA:AA:AA:AA:AA (IP: ?)
DHCP Discover sent by the client:
  ETH:  src MAC AA:AA:AA:AA:AA:AA, dst MAC FF:FF:FF:FF:FF:FF (broadcast)
  IP:   src 0.0.0.0, dst 255.255.255.255 (broadcast)
  UDP:  src port 68, dst port 67
  DHCP: client MAC addr AA:AA:AA:AA:AA:AA; requests: IP, Router, DNS ...
DHCP spoofing: DHCP Offer
Legitimate DHCP Offer from the DHCP server:
  ETH:  src MAC DD:DD:DD:DD:DD:DD, dst MAC AA:AA:AA:AA:AA:AA
  IP:   src 192.168.0.254, dst 192.168.0.4
  UDP:  src port 67, dst port 68
  DHCP: client MAC addr AA:AA:AA:AA:AA:AA; client IP 192.168.0.4; Router 192.168.0.1; DNS 8.8.8.8
Forged DHCP Offer from the attacker:
  ETH:  src MAC CC:CC:CC:CC:CC:CC, dst MAC AA:AA:AA:AA:AA:AA
  IP:   src 192.168.0.3, dst 192.168.0.4
  UDP:  src port 67, dst port 68
  DHCP: client MAC addr AA:AA:AA:AA:AA:AA; client IP 192.168.0.4; Router 192.168.0.3; DNS 192.168.0.3
DHCP spoofing
- The attack can compromise only newly connecting clients
  - Already connected clients renew their address with the old DHCP server
- There are two variants of the attack:
  - The attacker can exhaust the address pool of the DHCP server
  - The attacker can try to answer quicker than the DHCP server
- If a client takes an address from the attacker's DHCP pool:
  - MitM attack: all traffic flows through the attacker
  - The attacker can forge only specific DNS addresses (harder to detect)
Defense: DHCP snooping – DHCP Discover
Hosts on the segment: DHCP server DD:DD:DD:DD:DD:DD (192.168.0.254), attacker CC:CC:CC:CC:CC:CC (192.168.0.3), BB:BB:BB:BB:BB:BB (192.168.0.2), new client AA:AA:AA:AA:AA:AA (IP: ?)
The client sends the same DHCP Discover as in the attack scenario:
  ETH:  src MAC AA:AA:AA:AA:AA:AA, dst MAC FF:FF:FF:FF:FF:FF (broadcast)
  IP:   src 0.0.0.0, dst 255.255.255.255 (broadcast)
  UDP:  src port 68, dst port 67
  DHCP: client MAC addr AA:AA:AA:AA:AA:AA; requests: IP, Router, DNS ...
Defense: DHCP snooping – DHCP Offer
Legitimate DHCP Offer from the DHCP server (arrives on a trusted port):
  ETH:  src MAC DD:DD:DD:DD:DD:DD, dst MAC AA:AA:AA:AA:AA:AA
  IP:   src 192.168.0.254, dst 192.168.0.4
  UDP:  src port 67, dst port 68
  DHCP: client MAC addr AA:AA:AA:AA:AA:AA; client IP 192.168.0.4; Router 192.168.0.1; DNS 8.8.8.8
Forged DHCP Offer from the attacker (arrives on an untrusted port):
  ETH:  src MAC CC:CC:CC:CC:CC:CC, dst MAC AA:AA:AA:AA:AA:AA
  IP:   src 192.168.0.3, dst 192.168.0.4
  UDP:  src port 67, dst port 68
  DHCP: client MAC addr AA:AA:AA:AA:AA:AA; client IP 192.168.0.4; Router 192.168.0.3; DNS 192.168.0.3
DHCP snooping example configuration
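The slide's configuration figure did not survive extraction, so here is the DHCP snooping logic modelled in Python as an added example (it is not the slide's switch configuration and not vendor code). Ports are either trusted (toward the real DHCP server) or untrusted (toward end hosts); server-type messages arriving on an untrusted port are dropped, the chaddr field must match the frame's source MAC, and the MAC-IP-port binding table is learned from the server's ACK. Port names (Fa0/1, Fa0/3, Fa0/24) and the DhcpMessage layout are assumptions of this model; the MACs and IPs follow the slides' topology.

```python
"""DHCP snooping model: trusted/untrusted ports, rogue-offer filtering,
and a MAC-IP-port binding table (added example, not the slide's config)."""
from dataclasses import dataclass, field

DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68
SERVER_MSGS = {"OFFER", "ACK", "NAK"}                       # only a server sends these
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass
class DhcpMessage:
    ingress_port: str    # switch port the frame arrived on (assumed naming)
    src_mac: str         # Ethernet source MAC
    udp_src: int
    udp_dst: int
    kind: str            # DISCOVER / OFFER / REQUEST / ACK / RELEASE ...
    client_mac: str      # DHCP chaddr field
    your_ip: str = ""    # yiaddr, present in OFFER / ACK
    router: str = ""
    dns: str = ""


@dataclass
class DhcpSnoopingSwitch:
    trusted_ports: set
    bindings: dict = field(default_factory=dict)      # client MAC -> (IP, port)
    client_ports: dict = field(default_factory=dict)  # client MAC -> port seen in DISCOVER/REQUEST
    log: list = field(default_factory=list)

    def inspect(self, m: DhcpMessage) -> bool:
        """Return True if the message is forwarded, False if it is dropped."""
        mac = m.client_mac.lower()
        if m.ingress_port not in self.trusted_ports:
            # 1. Server messages (or anything sourced from UDP/67) never come from an untrusted port.
            if m.kind in SERVER_MSGS or m.udp_src == DHCP_SERVER_PORT:
                self.log.append(f"DROP {m.kind} from {m.src_mac} on untrusted {m.ingress_port}")
                return False
            # 2. The chaddr field must match the frame's source MAC.
            if mac != m.src_mac.lower():
                self.log.append(f"DROP {m.kind}: chaddr {m.client_mac} != src MAC {m.src_mac}")
                return False
            # 3. A RELEASE/DECLINE is only accepted from the port that owns the binding.
            if m.kind in ("RELEASE", "DECLINE"):
                bound = self.bindings.get(mac)
                if bound and bound[1] != m.ingress_port:
                    self.log.append(f"DROP {m.kind} for {m.client_mac}: not from {bound[1]}")
                    return False
            if m.kind in CLIENT_MSGS:
                self.client_ports[mac] = m.ingress_port
        if m.kind == "ACK" and m.your_ip and mac in self.client_ports:
            # Binding learned from the trusted server's ACK, tied to the client's port.
            self.bindings[mac] = (m.your_ip, self.client_ports[mac])
            self.log.append(f"BIND {m.client_mac} -> {m.your_ip} on {self.client_ports[mac]}")
        self.log.append(f"FORWARD {m.kind} from {m.src_mac}")
        return True


def run_scenario():
    """Replay the slides' exchange: server DD on trusted Fa0/24, attacker CC on
    untrusted Fa0/3, new client AA on Fa0/1. Returns (forwarded flags, switch)."""
    client, attacker, server = "AA:AA:AA:AA:AA:AA", "CC:CC:CC:CC:CC:CC", "DD:DD:DD:DD:DD:DD"
    sw = DhcpSnoopingSwitch(trusted_ports={"Fa0/24"})
    frames = [  # constructed sample traffic
        DhcpMessage("Fa0/1", client, 68, 67, "DISCOVER", client),
        DhcpMessage("Fa0/3", attacker, 67, 68, "OFFER", client, "192.168.0.4", "192.168.0.3", "192.168.0.3"),
        DhcpMessage("Fa0/24", server, 67, 68, "OFFER", client, "192.168.0.4", "192.168.0.1", "8.8.8.8"),
        DhcpMessage("Fa0/1", client, 68, 67, "REQUEST", client),
        DhcpMessage("Fa0/24", server, 67, 68, "ACK", client, "192.168.0.4", "192.168.0.1", "8.8.8.8"),
        # RELEASE for the client's lease with a spoofed source MAC, arriving on the attacker's port
        DhcpMessage("Fa0/3", client, 68, 67, "RELEASE", client),
    ]
    return [sw.inspect(f) for f in frames], sw


if __name__ == "__main__":
    forwarded, sw = run_scenario()
    print(forwarded)          # [True, False, True, True, True, False]
    print("\n".join(sw.log))
```

The attacker's Offer is dropped purely because of where it entered the switch, which is why the trusted-port list must contain only the uplink toward the real server; the binding table that falls out of the ACK is what Dynamic ARP Inspection later consumes.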
CAM overflow
CAM Overflow Attack
Switch with ports 1-4 and hosts PC A, PC B, PC C, PC D; the attacker on port 2 floods frames with forged source MACs, so the CAM table fills with entries learned on port 2:
  Port  MAC
  2     W
  2     X
  2     Y
  2     Z
CAM Overflow attack
CAM table after the flood (only forged entries on port 2):
  Port  MAC
  2     W
  2     X
  2     Y
  2     Z
Frame A -> C? The switch does not know C and cannot insert a new entry into the full table, so the frame is flooded out of every port, including the attacker's.
CAM Table
- Implementation dependent
  - Older records usually are not deleted
  Platform                        Size
  Cisco Catalyst 2950               8 000
  Cisco Catalyst 3560              12 000
  Cisco Catalyst 3750              12 000
  Linksys SRW224                    4 000
  Module to Cisco Catalyst 6500   128 000
  HP ProCurve 2610                  8 000
  HP ProCurve 1400                  8 000
CAM overflow defense – Port security
- Limited number of MAC addresses per port
  Switch# show port-security interface fa 0/1
  Violation Mode          : Shutdown
  Maximum MAC addresses   : 2
  ...
  Switch# show port-security interface fa 0/1 addr
  Vlan  Mac Address         Type          Ports
  ----  -----------------   ------------  ---------------
  1     CC:CC:CC:CC:CC:CC   SecureSticky  FastEthernet0/1
CAM overflow defense – Port security
Hosts: DD:DD:DD:DD:DD:DD (192.168.0.254), CC:CC:CC:CC:CC:CC (192.168.0.3), BB:BB:BB:BB:BB:BB (192.168.0.2), AA:AA:AA:AA:AA:AA (192.168.0.4)
Frame shown in the figure: ETH src MAC DD:DD:DD:DD:DD:DD, dst MAC FF:FF:FF:FF:FF:FF (broadcast) ...
Example of the attack
Impact of Port Security defense
- Filtering is usually done in hardware, without performance impact
- If the violation policy is SHUTDOWN, the user loses connectivity and the admin has no way to tell him what is wrong
  - It is better to configure a less restrictive policy: only drop the offending frames and inform the admin, but do not shut down the port
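To make the trade-off between the violation modes concrete, here is a small CAM table with a per-port MAC limit modelled in Python. This is an added example, not the slides' switch or any vendor's implementation; the capacity of 4 is deliberately tiny so the overflow is visible (real tables hold thousands of entries, see the CAM Table slide), the MAC names W, X, Y, Z, A, C and the port numbers follow the slides' figure, and the mode names shutdown / restrict / protect are the usual port-security vocabulary.

```python
"""CAM table with a port-security limit (added example, not the slides' switch)."""


class CamTable:
    def __init__(self, capacity, max_per_port=None, violation="restrict"):
        self.capacity = capacity          # total entries the table can hold
        self.max_per_port = max_per_port  # port-security limit (None = disabled)
        self.violation = violation        # "shutdown", "restrict" or "protect"
        self.entries = {}                 # MAC -> port
        self.err_disabled = set()         # ports shut down by a violation
        self.violations = {}              # port -> violation count (not kept in protect mode)

    def learn(self, port, mac):
        """Handle the source MAC of a frame entering `port`.
        Returns one of: known, learned, full, violation, err-disabled."""
        if port in self.err_disabled:
            return "err-disabled"
        if self.entries.get(mac) == port:
            return "known"
        on_port = sum(1 for p in self.entries.values() if p == port)
        if self.max_per_port is not None and on_port >= self.max_per_port:
            if self.violation == "shutdown":
                # err-disable the port and forget the MACs learned on it
                self.err_disabled.add(port)
                self.entries = {m: p for m, p in self.entries.items() if p != port}
            if self.violation != "protect":
                # restrict mode drops the frame and counts it (a real switch also logs/traps)
                self.violations[port] = self.violations.get(port, 0) + 1
            return "violation"
        if len(self.entries) >= self.capacity:
            # Table full: older records are usually not deleted, so the new MAC is not learned
            return "full"
        self.entries[mac] = port
        return "learned"

    def forward(self, dst_mac):
        """Egress port for a destination MAC, or 'flood' when it is unknown."""
        return self.entries.get(dst_mac, "flood")


def scenario(max_per_port=None, violation="restrict"):
    """Attacker on port 2 sends frames with forged source MACs W, X, Y, Z; then
    PC A (port 1) and PC C (port 3) send normal traffic and A sends a frame to C.
    Returns (learn results, egress for C, violation counts, err-disabled ports)."""
    cam = CamTable(capacity=4, max_per_port=max_per_port, violation=violation)
    events = [cam.learn(2, mac) for mac in ("W", "X", "Y", "Z")]
    events.append(cam.learn(1, "A"))
    events.append(cam.learn(3, "C"))
    return events, cam.forward("C"), dict(cam.violations), sorted(cam.err_disabled)


if __name__ == "__main__":
    print("no port security :", scenario())
    print("max 2, restrict  :", scenario(2, "restrict"))
    print("max 2, shutdown  :", scenario(2, "shutdown"))
```

Without a limit the forged MACs consume the whole table and the frame for C is flooded. With a limit of 2 both modes keep C reachable on port 3, but shutdown also removes the attacker's port entirely, while restrict keeps the port up and only counts the dropped frames, which is the behaviour the slide recommends.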
ARP spoofing

Normal behavior
A's ARP cache:  IP C -> MAC C
C's ARP cache:  IP A -> MAC A
ARP MitM
Attacker B is on the same segment and keeps its own (still empty) ARP tables for A and C.
A's ARP cache:  IP C -> MAC C
C's ARP cache:  IP A -> MAC A
ARP MitM: Cache poisoning ①
B sends a forged ARP message to A:
  Sender HW address:    B
  Sender proto address: C
  Target HW address:    A
  Target proto address: A
A's ARP cache:  IP C -> MAC C
C's ARP cache:  IP A -> MAC A
ARP MitM: Cache poisoning ②
A's ARP cache now maps C to the attacker:
A's ARP cache:  IP C -> MAC B
C's ARP cache:  IP A -> MAC A
ARP MitM: Cache poisoning ③
B sends a forged ARP message to C:
  Sender HW address:    B
  Sender proto address: A
  Target HW address:    C
  Target proto address: C
A's ARP cache:  IP C -> MAC B
C's ARP cache:  IP A -> MAC A
ARP MitM: Cache poisoning ④
Both caches are now poisoned:
A's ARP cache:  IP C -> MAC B
C's ARP cache:  IP A -> MAC B
ARP MitM: Forwarding ③
A's ARP cache:  IP C -> MAC B
C's ARP cache:  IP A -> MAC B
B's own tables:  IP C -> MAC C, IP A -> MAC A
B knows the real MACs, so it forwards the traffic between A and C and sits in the middle of the connection.
Dynamic ARP Inspection
- Port security cannot be used for mitigation
  - It does not look further than the L2 header
- The DHCP snooping mechanism can be reused
  - DHCP snooping can create a MAC-IP-Port binding
- Dynamic ARP Inspection tests only ARP packets
  - It does not prevent IP spoofing
  Switch# show ip source binding
  MacAddress          IpAddress     Lease(sec)  Type           VLAN  Interface
  ------------------  ------------  ----------  -------------  ----  ---------------
  CC:CC:CC:CC:CC:CC   192.168.0.3   6522        dhcp-snooping  1     FastEthernet2/1
Dynamic ARP Inspection
Hosts: DD:DD:DD:DD:DD:DD (192.168.0.254), CC:CC:CC:CC:CC:CC (192.168.0.3), BB:BB:BB:BB:BB:BB (192.168.0.2), AA:AA:AA:AA:AA:AA (192.168.0.4)
Forged ARP Reply from the attacker:
  ETH: src MAC CC:CC:CC:CC:CC:CC, dst MAC FF:FF:FF:FF:FF:FF
  ARP Reply: Sender MAC CC:CC:CC:CC:CC:CC, Sender IP 192.168.0.4, Target MAC AA:AA:AA:AA:AA:AA, Target IP 192.168.0.4
The switch compares the sender MAC/IP pair with the DHCP snooping binding table:
  Switch# show ip source binding
  MacAddress          IpAddress
  ------------------  ------------
  CC:CC:CC:CC:CC:CC   192.168.0.3
Sender IP 192.168.0.4 does not match the binding 192.168.0.3 for CC:CC:CC:CC:CC:CC, so the reply is dropped.
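The check the switch performs above, written out as an added Python example (not the switch's implementation): ARP packets on untrusted ports are matched against a MAC-to-IP binding table as DHCP snooping would have learned it, and the optional src-mac, dst-mac and ip validations mirror the extra checks DAI can be configured with. The binding table is constructed to match the slides (CC:CC:CC:CC:CC:CC -> 192.168.0.3), and the port names, the ArpPacket layout and the sample packets are assumptions of this model.

```python
"""Dynamic ARP Inspection modelled in Python (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpPacket:
    ingress_port: str
    eth_src: str
    eth_dst: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _invalid_ip(ip):
    """IPs that must never appear as an ARP sender (or reply target) address."""
    a = ipaddress.IPv4Address(ip)
    return a.is_multicast or a.is_loopback or a in (
        ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255"))


def inspect_arp(pkt, bindings, trusted_ports, validate=("src-mac", "dst-mac", "ip")):
    """Return (forward?, reason). `bindings` maps lowercase MAC -> IP."""
    if pkt.ingress_port in trusted_ports:
        return True, "trusted port, not inspected"
    # Core DAI check: the sender MAC/IP pair must exist in the DHCP snooping bindings.
    if bindings.get(pkt.sender_mac.lower()) != pkt.sender_ip:
        return False, f"sender {pkt.sender_mac}/{pkt.sender_ip} has no DHCP snooping binding"
    if "src-mac" in validate and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return False, "src-mac validation: Ethernet source != ARP sender MAC"
    if "dst-mac" in validate and pkt.opcode == ARP_REPLY \
            and pkt.eth_dst.lower() != pkt.target_mac.lower():
        return False, "dst-mac validation: Ethernet destination != ARP target MAC"
    if "ip" in validate and (_invalid_ip(pkt.sender_ip)
                             or (pkt.opcode == ARP_REPLY and _invalid_ip(pkt.target_ip))):
        return False, "ip validation: invalid or unexpected IP address"
    return True, "binding matches"


# Constructed binding table, as DHCP snooping would have learned it (slide topology).
BINDINGS = {
    "aa:aa:aa:aa:aa:aa": "192.168.0.4",
    "bb:bb:bb:bb:bb:bb": "192.168.0.2",
    "cc:cc:cc:cc:cc:cc": "192.168.0.3",
}
TRUSTED = {"Fa0/24"}  # assumed uplink toward the router DD:DD:DD:DD:DD:DD

AA, BB, CC, DD = ("AA:AA:AA:AA:AA:AA", "BB:BB:BB:BB:BB:BB",
                  "CC:CC:CC:CC:CC:CC", "DD:DD:DD:DD:DD:DD")
BCAST, ZERO = "FF:FF:FF:FF:FF:FF", "00:00:00:00:00:00"


def run_samples():
    """Constructed ARP packets: the slide's forged reply first, then benign traffic."""
    samples = [
        ArpPacket("Fa0/3", CC, BCAST, ARP_REPLY, CC, "192.168.0.4", AA, "192.168.0.4"),   # slide's forged reply
        ArpPacket("Fa0/3", CC, AA, ARP_REPLY, CC, "192.168.0.3", AA, "192.168.0.4"),      # reply with the bound IP
        ArpPacket("Fa0/1", AA, BCAST, ARP_REQUEST, AA, "192.168.0.4", ZERO, "192.168.0.254"),
        ArpPacket("Fa0/24", DD, AA, ARP_REPLY, DD, "192.168.0.254", AA, "192.168.0.4"),   # trusted port
        ArpPacket("Fa0/2", BB, BCAST, ARP_REQUEST, AA, "192.168.0.4", ZERO, "192.168.0.3"),  # src-mac mismatch
    ]
    return [inspect_arp(p, BINDINGS, TRUSTED) for p in samples]


if __name__ == "__main__":
    for ok, why in run_samples():
        print("FORWARD" if ok else "DROP   ", why)
```

Only ARP is inspected here, exactly as the slide states: an IP packet with a spoofed source address would pass through this function untouched, which is the gap the "does not prevent IP spoofing" bullet refers to.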
IPv6

IPv6
- Different methods of autoconfiguration
  - Stateless address autoconfiguration
  - DHCPv6
- A network interface can have several IPv6 addresses
Link local address
Router: LL fe80::204:96ff:fe1d:4e30, GL 2001:67c:1220:80e::1
Host A: LL fe80::c9ee:98f6:d621:ee49 [TENT]; host B is on the same link
Neighbor Solicitation (Duplicate Address Detection):
  src: ::
  dst: ff02::1:ff21:ee49 (solicited-node multicast)
  Target address: fe80::c9ee:98f6:d621:ee49
MLD Report
Router: LL fe80::204:96ff:fe1d:4e30, GL 2001:67c:1220:80e::1
Host A: LL fe80::c9ee:98f6:d621:ee49 [TENT]; host B is on the same link
Multicast Listener Report v2:
  src: ::
  dst: ff02::16 (all MLDv2-capable routers)
  Hop-by-hop option: Router Alert
  Changed to exclude: ff02::1:ff21:ee49
Global address
Router: LL fe80::204:96ff:fe1d:4e30, GL 2001:67c:1220:80e::1
Host A: LL fe80::c9ee:98f6:d621:ee49; host B is on the same link
Router Solicitation:
  src: fe80::c9ee:98f6:d621:ee49
  dst: ff02::2 (All Routers)
Global address
Router: LL fe80::204:96ff:fe1d:4e30, GL 2001:67c:1220:80e::1
Host A: LL fe80::c9ee:98f6:d621:ee49, GL 2001:67c:1220:80e:d4a3:cd1b:bac:942b [TENT]; host B is on the same link
Router Advertisement:
  src: fe80::204:96ff:fe1d:4e30
  dst: ff02::1 (All Nodes)
  M: 0, O: 0
  Prefix Information option: Prefix 2001:67c:1220:80e::, PrfLen 64, A: 1
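The addresses in the exchange above are not arbitrary; they follow from a few bit-level rules that the following added Python example computes (it is not code from the slides). It derives the router's modified EUI-64 link-local address, the solicited-node multicast group that the DAD Neighbor Solicitation and the MLDv2 report use, and the global address formed from the advertised /64 prefix and an interface identifier. The router MAC 00:04:96:1d:4e:30 is inferred here from its EUI-64 link-local address; the host's interface identifiers are taken from the slides as given.

```python
"""Address derivations behind SLAAC, DAD and MLDv2 (added example, not from the slides)."""
import ipaddress

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: flip the universal/local bit, insert ff:fe in the middle of the MAC."""
    raw = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", "")))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    raw[0] ^= 0x02
    return int.from_bytes(raw[:3] + b"\xff\xfe" + raw[3:], "big")


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 prefix combined with the EUI-64 interface identifier."""
    return str(ipaddress.IPv6Address((0xfe80 << 112) | eui64_interface_id(mac)))


def solicited_node(addr: str) -> str:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24))


def slaac_address(prefix: str, interface_id: int) -> str:
    """Combine an advertised on-link prefix (A flag set, must be /64) with an interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a 64-bit prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | interface_id))


def dad_probe(tentative: str) -> dict:
    """Fields of the Neighbor Solicitation a host sends for Duplicate Address Detection."""
    return {"src": "::",
            "dst": solicited_node(tentative),
            "target": str(ipaddress.IPv6Address(tentative))}


if __name__ == "__main__":
    print(link_local_from_mac("00:04:96:1d:4e:30"))   # router LL from the slides
    print(dad_probe("fe80::c9ee:98f6:d621:ee49"))     # DAD NS for host A's tentative LL
    glob = slaac_address("2001:67c:1220:80e::/64", 0xd4a3cd1b0bac942b)
    print(glob, solicited_node(glob))                 # host A's tentative global address
```

Every address a host adds goes through the same three steps, which is why the autoconfiguration sequence on the next slides repeats MLDv2 and DAD once for the link-local address and once more for the global one.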
IPv6 address autoconfiguration
- DAD, RS/RA, DHCPv6, MLDv2, ND
The slide steps through the sequence a newly connected host goes through:
  1. MLDv2 – join the solicited-node group G: ff02::1:ff4b:d6:e3
  2. DAD
  3. SLAAC
  4. DHCPv6
  5. MLDv2 – join the solicited-node group G: ff02::1:ffb0:5ec2
  6. ND
  7. TCP handshake
IPv6 L2, L3 security
- Similar attacks as in the IPv4 world, with some exceptions
  - DAD, RA Flood, RA MitM
- Port security can be used to mitigate CAM overflow, as in IPv4
- Three protocols must be secured (MLD, NDP, DHCPv6)
ND snooping
- The switch creates a binding between port, MAC and IPv6 address based on the DAD process
- Beware!
  - Different vendors have different behavior!
  - First come, first served approach!
  - Opens a DoS attack vector: the address gets registered to an attacker
  Switch# show ipv6 neighbors binding
  Binding Table has 4 entries, 4 dynamic
  Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
  (truncated output)
      IPv6 address                Link-Layer addr  Interface  vlan  age   state      Time left
  ND  FE80::81E2:1562:E5A0:43EE   28D2.4448.E276   Gi1/15     1     3mn   REACHABLE  94 s
  ND  FE80::3AEA:A7FF:FE85:C926   38EA.A785.C926   Gi1/2      1     26mn  STALE      86999 s
  ND  FE80::10                    38EA.A785.C926   Gi1/2      1     26mn  STALE      85533 s
  ND  FE80::1                     E4C7.228B.F180   Gi1/7      1     35s   REACHABLE  272 s
DHCPv6 Guard
- Similar to the DHCP snooping feature, for DHCPv6
  - Based on the assigned IPv6 address, the switch creates and maintains a binding table
  Switch# show ipv6 neighbors binding
  Binding Table has 4 entries, 4 dynamic
  Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
  (truncated output)
      IPv6 address                Link-Layer addr  Interface  vlan  age   state      Time left
  ND  FE80::81E2:1562:E5A0:43EE   28D2.4448.E276   Gi1/15     1     3mn   REACHABLE  94 s
  ND  FE80::3AEA:A7FF:FE85:C926   38EA.A785.C926   Gi1/2      1     26mn  STALE      869 s
  ND  FE80::10                    38EA.A785.C926   Gi1/2      1     26mn  STALE      855 s
  ND  FE80::1                     E4C7.228B.F180   Gi1/7      1     35s   REACHABLE  172 s
  DH  2001:DB8::E1B9              28D2.4448.E276   Gi1/15     1     3mn   REACHABLE  67 s
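How the binding table above gets filled, and what the "first come, first served" warning means in practice, is shown in the following added Python model; it also includes the RA guard check from the RA Guard slide that follows. It is an added example, not the switch's implementation: ND snooping binds an address to the port and MAC of the first DAD Neighbor Solicitation it sees and refuses later claims from other ports, and RA guard drops Router Advertisements on ports whose role is host. Port roles, the Icmp6Frame layout and the sample frames are constructed; the addresses and MACs reuse the binding-table output on the slides.

```python
"""IPv6 first-hop security on an access switch: ND snooping and RA guard
(added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass, field

ICMPV6_RA, ICMPV6_NS, ICMPV6_NA = 134, 135, 136


@dataclass
class Icmp6Frame:
    ingress_port: str
    src_mac: str
    src_ip: str
    icmp_type: int
    target: str = ""      # NS/NA target address


def canon(addr: str) -> str:
    """Normalise textual IPv6 addresses so FE80::1 and fe80:0::1 compare equal."""
    return str(ipaddress.IPv6Address(addr))


@dataclass
class FirstHopSecurity:
    port_roles: dict                                 # port -> "router" or "host" (assumed config)
    bindings: dict = field(default_factory=dict)     # address -> (mac, port)
    log: list = field(default_factory=list)

    def inspect(self, f: Icmp6Frame) -> bool:
        """True = forward, False = drop."""
        if f.icmp_type == ICMPV6_RA:
            # RA guard: only a port with the router role may source Router Advertisements.
            if self.port_roles.get(f.ingress_port) != "router":
                self.log.append(f"RA-GUARD drop RA from {f.src_mac} on {f.ingress_port}")
                return False
            return True
        if f.icmp_type == ICMPV6_NS and f.src_ip == "::":
            # DAD NS (unspecified source): ND snooping learns the binding from it.
            addr = canon(f.target)
            owner = self.bindings.get(addr)
            if owner is None:
                self.bindings[addr] = (f.src_mac.lower(), f.ingress_port)
                self.log.append(f"ND-SNOOP bind {addr} -> {f.src_mac} on {f.ingress_port}")
                return True
            if owner[1] != f.ingress_port:
                # First come, first served: a later claim from another port is refused.
                self.log.append(f"ND-SNOOP {addr} already bound to {owner}; DAD from {f.ingress_port} dropped")
                return False
            return True
        if f.icmp_type == ICMPV6_NA:
            # Only the port/MAC that owns the binding may answer for the address.
            addr = canon(f.target)
            if self.bindings.get(addr) != (f.src_mac.lower(), f.ingress_port):
                self.log.append(f"ND-SNOOP drop NA for {addr} from {f.src_mac} on {f.ingress_port}")
                return False
            return True
        return True


def run_samples():
    """Constructed traffic: router on Gi1/7, hosts on Gi1/2 and Gi1/15 (slide's interfaces)."""
    fhs = FirstHopSecurity(port_roles={"Gi1/7": "router", "Gi1/2": "host", "Gi1/15": "host"})
    host_ll = "fe80::81e2:1562:e5a0:43ee"
    frames = [
        Icmp6Frame("Gi1/7", "e4c7.228b.f180", "fe80::1", ICMPV6_RA),               # legitimate RA
        Icmp6Frame("Gi1/15", "28d2.4448.e276", host_ll, ICMPV6_RA),                # RA from a host port
        Icmp6Frame("Gi1/15", "28d2.4448.e276", "::", ICMPV6_NS, host_ll),          # DAD, first claim
        Icmp6Frame("Gi1/2", "38ea.a785.c926", "::", ICMPV6_NS, host_ll),           # DAD from another port
        Icmp6Frame("Gi1/2", "38ea.a785.c926", "fe80::10", ICMPV6_NA, host_ll),     # NA for an address it does not own
        Icmp6Frame("Gi1/15", "28d2.4448.e276", host_ll, ICMPV6_NA, host_ll),       # NA from the owner
    ]
    return [fhs.inspect(f) for f in frames], fhs


if __name__ == "__main__":
    results, fhs = run_samples()
    print(results)            # [True, False, True, False, False, True]
    print("\n".join(fhs.log))
```

The table has no way to tell which claimant is the legitimate owner; whoever sends the DAD probe first gets the binding and every later claim from another port is dropped, which is exactly the DoS vector the ND snooping slide warns about and why the behaviour must be checked per vendor rather than assumed.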
RA Guard
- Protects against rogue RA messages; a similar feature to DHCP snooping
Summary
- Both IP protocols must be secured!
- Hardware and software have limitations! You have to do your due diligence. Skim-reading the vendor PDF is not enough!
- To secure your network, you should at least configure:
  - DHCP snooping, ARP inspection, Port security, DHCPv6 guard, ND snooping, RA guard