Network Security
Mohamed Sabt
Univ Rennes, CNRS, IRISA
Wednesday, September 16th, 2019
Villain VLANs & Cutting Down the (Spanning) Trees
Layer 2 Attack Landscape
Lower network layers affect higher layers.
• Layering principle.
• If one layer is hacked, communications are compromised without the other layers being aware of the problem.
Security is only as strong as the weakest link.
When it comes to networking, layer 2 can be a very weak link.
Most of Layer 2 protocols were designed under the assumption that only trusted people are connected to the LAN.
Part I
Virtual LANs
Reminders
LAN:
• Includes all devices in the same broadcast domain.
Broadcast Domain:
• When any of the devices sends a broadcast frame, all other devices get a copy of the frame.
• You can just think of a LAN and a broadcast domain as being basically the same thing.
First Overview of a VLAN
VLANs allow us to put some devices into one broadcast domain and some into another, thereby creating multiple broadcast domains.
These individual broadcast domains are called virtual LANs.
Why VLANs
Better performance:
• To create more flexible designs.
• To reduce overhead caused to each host.
• To reduce the workload for LAN-related protocols (e.g. STP).
More security:
• To keep hosts that work with sensitive data on a separate VLAN.
• To isolate the traffic coming from untrusted parts of the network.
VLANs Interconnection
The same VLAN can be connected to different switches.
VLANs Tagging
Switches need to tag the VLAN frames.
VLAN Trunking
The need:
• The switches need to use VLAN trunking in the segment between switches.
Advantage:
• The use of trunking allows switches to pass frames from multiple VLANs over a single physical connection.
How:
• VLAN trunking causes the switches to use a process called VLAN tagging, by which the sending switch adds another header to the frame before sending it over a trunk.
IEEE 802.1Q
The IEEE standardizes the trunking protocol.
• 802.1Q does not encapsulate the original frame into another frame. Instead, it just inserts an extra 4-byte VLAN header into the original frame's Ethernet header.
Native VLAN
No VLAN:
• 802.1Q does not add an 802.1Q header to frames in the native VLAN.
Processing:
• When a switch receives a frame that does not have an 802.1Q header, it decides that the frame is part of the native VLAN.
VLAN Trunking Protocol (VTP)
VTP allows switches to exchange VLAN configuration information.
• VTP advertises the existence of each VLAN based on its VLAN ID and the VLAN name.
Synchronization:
• Periodic VTP messages.
• VTP messages as soon as the VLAN configuration has been changed.
Three modes:
• Server: to set the VLAN configuration.
• Client: to receive/send VTP messages.
• Transparent: to ignore the received VTP messages.
VTP Update Process
The complete process by which a server changes VLAN configuration, resulting in all switches knowing the same VLAN IDs and names, is called synchronization.
VTP Update Steps
Someone configures a new VLAN from the command-line interface (CLI) of a VTP server.
The VTP server updates its VLAN database revision number.
The server sends VTP update messages out its trunk interfaces, stating the new revision number.
The VTP clients/servers notice that the updates list a higher revision number than their current revision number.
The switches update their VLAN databases based on the new VTP updates.
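The five update steps above, replayed in Python as an added example (it is not code from the lecture and models no real switch firmware). `VtpSwitch`, `connect` and `build_lab` are helpers written for this page; the topology and VLAN names are constructed. The model follows the slides literally: a server bumps its revision number and advertises out every trunk, a client or server adopts an update only when its revision number is higher than its own, and a transparent switch drops what it receives.

```python
class VtpSwitch:
    """Minimal model of one switch's VTP state (constructed for this page)."""

    MODES = ("server", "client", "transparent")

    def __init__(self, name, mode, domain="lab"):
        if mode not in self.MODES:
            raise ValueError(f"unknown VTP mode {mode!r}")
        self.name = name
        self.mode = mode
        self.domain = domain
        self.revision = 0                 # VLAN database revision number
        self.vlans = {1: "default"}
        self.trunk_neighbors = []         # switches reachable over trunk links

    def configure_vlan(self, vlan_id, vlan_name):
        """Steps 1-3: a VLAN is created on the CLI, the server bumps its revision
        number and advertises the new database out all trunks."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: a VTP client cannot create VLANs")
        self.vlans[vlan_id] = vlan_name
        if self.mode == "transparent":
            return                        # local change only, nothing advertised
        self.revision += 1
        self._advertise()

    def _advertise(self):
        update = {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans)}
        for peer in self.trunk_neighbors:
            peer.receive_update(update, sender=self)

    def receive_update(self, update, sender):
        """Steps 4-5: a client or server adopts the update only if it carries a
        higher revision number than its own database, then relays it onward."""
        if self.mode == "transparent" or update["domain"] != self.domain:
            return                        # ignored, as on the slide
        if update["revision"] <= self.revision:
            return                        # not newer than what we already hold
        self.revision = update["revision"]
        self.vlans = dict(update["vlans"])
        for peer in self.trunk_neighbors:
            if peer is not sender:
                peer.receive_update(update, sender=self)


def connect(a, b):
    """Trunk link between two switches."""
    a.trunk_neighbors.append(b)
    b.trunk_neighbors.append(a)


def build_lab():
    """Constructed topology SW1 (server) -- SW2 (client) -- SW3 (transparent):
    returns the three switches after two VLANs are added on the server."""
    sw1 = VtpSwitch("SW1", "server")
    sw2 = VtpSwitch("SW2", "client")
    sw3 = VtpSwitch("SW3", "transparent")
    connect(sw1, sw2)
    connect(sw2, sw3)
    sw1.configure_vlan(10, "servers")
    sw1.configure_vlan(20, "guests")
    return sw1, sw2, sw3
```

After `build_lab()` the server and the client both sit at revision 2 with the same VLAN database, while the transparent switch still holds only VLAN 1; an update carrying a lower or equal revision number is discarded. One caveat on the simplification: a real VTP version 2 transparent switch still relays advertisements it does not apply, whereas this model drops them as the slide describes.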
Part II
Security of Virtual LANs
Dynamic Trunking Protocol (DTP)
DTP is a Cisco proprietary protocol that negotiates trunking parameters between switches.
• Operates on a point-to-point basis only between network devices.
• Designed to make interconnecting switches with VLANs easier.
Basic Trunk Port Defined
Trunk ports have access to all VLANs by default.
Used to route traffic for multiple VLANs across the same physical link (generally between switches).
DTP and Security
DTP is important from a security perspective.
• The default DTP state of many switches is auto.
• Switches will happily trunk (pass traffic on multiple VLANs) with anyone who notifies them that they would like to do so.
Basic VLAN Hopping Attack
An end station can behave as a switch.
The station is then a member of all VLANs.
Basic Hopping Attack
This attack can be achieved in one of two ways:
• Spoof the DTP messages from the attacking host to cause the switch to enter trunking mode. From here, the attacker can send traffic tagged with the target VLAN, and the switch will happily deliver the packets to the destination.
• Introduce a rogue switch and turn trunking on. The attacker can then access all the VLANs on the victim switch from the rogue switch.
To mitigate these attacks, do not activate DTP on any port that does not need trunking.
Creative VLAN Hopping Attack
Send 802.1q double encapsulated frames.
Switch performs only one level of decapsulation.
Works even if trunk ports are set to off.
Double Hopping Attack
The attacker sends a double-tagged 802.1q frame to the switch.
• The outer header carries the attacker's VLAN tag and the inner one the victim's.
• For the purposes of this attack, let's assume that the outer tag is VLAN 10 and the inner tag is VLAN 20.
The frame arrives on the switch, which looks at the first 4-byte 802.1q tag.
• The switch sees that the frame is destined for VLAN 10 and sends it out on all VLAN 10 ports (including the trunk) if there is no CAM table entry.
• Remember that, at this point, the second VLAN tag is still intact and was never inspected by the first switch.
The frame arrives at the second switch.
• It has no knowledge that it was supposed to be for VLAN 10.
• Remember, native VLAN traffic is not tagged: because VLAN 10 is the trunk's native VLAN, the first switch stripped the outer tag before forwarding the frame.
The second switch looks at the only remaining 802.1q tag.
• It sees that the frame is destined for VLAN 20 (the victim one).
• It sends the frame to the victim host.
Mitigation of the Double Hopping Attack
Always use a dedicated VLAN ID for all trunk ports.
• Never use the native VLAN for anything.
• Use all-tagged mode for the native VLAN on trunks.
For switches to prevent this attack, they must look further into the packet to determine whether more than one VLAN tag is attached to a given frame.
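As an added example (not code from the lecture), the following Python models the 4-byte 802.1Q tag insertion described in Part I together with the double-tagging walk-through above. `build_frame`, `parse_tags`, `strip_outer_tag`, `classify` and `walk_through` are hypothetical helpers written for this page, and the frame contents are constructed. `parse_tags` does what the mitigation asks of a switch: it walks every tag instead of stopping at the first one, so a frame carrying two tags is reported as double-tagged rather than being switched on the outer VLAN alone.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vlan_ids, ethertype, payload):
    """Build an Ethernet frame. One 4-byte 802.1Q tag (TPID + TCI) is inserted
    between the source MAC and the EtherType for each VLAN id, outermost first.
    Constructed helper for this page, not a switch implementation."""
    frame = bytes(dst) + bytes(src)
    for vid in vlan_ids:
        tci = vid & 0x0FFF            # priority 0, DEI 0, 12-bit VLAN id
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + bytes(payload)


def parse_tags(frame):
    """Return (vlan_ids, inner_ethertype, payload), walking *every* 802.1Q tag.
    A switch that stops after the first tag never sees the inner one."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12                       # just past dst + src MAC
    vlan_ids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)
        offset += 4
    return vlan_ids, ethertype, frame[offset + 2:]


def strip_outer_tag(frame):
    """Model the first switch forwarding onto a trunk whose native VLAN equals
    the outer tag: only the first 4-byte tag is removed, the rest is untouched."""
    vlan_ids, _, _ = parse_tags(frame)
    if not vlan_ids:
        return frame
    return frame[:12] + frame[16:]


def classify(frame, native_vlan):
    """Defender's view of a frame: the VLAN it will be switched on and whether
    it carries more than one tag (the signature of the double-hopping frame)."""
    vlan_ids, _, _ = parse_tags(frame)
    return {
        "tags": vlan_ids,
        "effective_vlan": vlan_ids[0] if vlan_ids else native_vlan,
        "double_tagged": len(vlan_ids) > 1,
    }


def walk_through(native_vlan=10, victim_vlan=20):
    """Replay the lecture's scenario on constructed data and return what each
    switch sees: the inner tag survives the first hop because the first switch
    strips only the (native) outer tag."""
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                        [native_vlan, victim_vlan], ETHERTYPE_IPV4, b"constructed payload")
    at_first_switch = classify(frame, native_vlan)
    at_second_switch = classify(strip_outer_tag(frame), native_vlan)
    return at_first_switch, at_second_switch
```

`walk_through()` returns `tags [10, 20]` with `double_tagged` set for the first switch, which is exactly the condition the mitigation says a switch must check before forwarding; after the outer tag is removed the second switch sees a plain single-tagged VLAN 20 frame and has no way to tell it apart from legitimate VLAN 20 traffic, which is why the check has to happen at the first hop and why the native VLAN of a trunk should be a dedicated, unused VLAN ID.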
Best Practices for VLANs and Trunking
Always use a dedicated VLAN ID for all trunk ports.
• Never use the native VLAN for anything.
• Use all-tagged mode for the native VLAN on trunks.
Unused interfaces:
• Administratively disable the unused interfaces.
• Assign them to an unused VLAN, called the parking-lot VLAN.
Prevent trunking from being negotiated:
• Explicitly configure trunking on infrastructure ports.
• Explicitly permit only the specific VLANs that need to be allowed on the trunk.
Exercise
Guess some attacks related to VTP.
How can these attacks be mitigated?
Part III
Spanning Tree Protocol (STP)
Redundant Links
Redundant links allow the LAN to recover in case a failure occurs on one of the network links.
Broadcast Storm I
Switches send broadcast frames out all interfaces in the same VLAN, except the interface in which the frame arrived.
Broadcast Storm II
The broadcast frames start the loop.
Broadcast Storm III
Broadcast storms cause broadcast frames to loop around a LAN indefinitely.
Broadcast Storm Problems
Resource Saturation:
• The forwarding of a frame repeatedly on the same links, consuming significant parts of the links' capacity.
MAC Table Instability:
• The continual updating of a switch's MAC address table with incorrect entries, resulting in frames being sent to the wrong locations.
Multiple Frame Transmission:
• Multiple copies of the same frame are delivered to the intended host, thereby confusing the host.
The Need for Spanning Tree Protocol
STP allows switches to automatically block the ports causing the broadcast storm.
How STP Works
STP creates a spanning tree of interfaces forwarding frames.
• The tree structure creates a single path to and from each Ethernet segment.
• Any interface not chosen by STP is placed in Blocking State.
STP uses 3 criteria to choose whether to put an interface in the Forwarding State:
• STP elects a root switch. All its interfaces are placed in the Forwarding State.
• Each nonroot switch chooses one of its ports (its root port, the one with the least cost to the root) and makes it Forwarding.
• On each segment, the port of the switch with the lowest cost to the root (the designated port) is placed in Forwarding State.
Exercise: STP
Supposing that Switch C is the root, describe the constructed spanning tree.
[Figure: switch topology with links labelled "Cost = 4" and "Cost = 5"; Switch C marked as Root.]
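The three criteria from "How STP Works", carried out in Python as an added example (not the lecture's code): root election by lowest bridge ID, root port by least cost to the root, and designated port per segment by the lowest root cost. `compute_spanning_tree`, `forwarding_ports` and `exercise_topology` are helpers written for this page; the three-switch topology in `exercise_topology` is constructed for illustration and is not the figure from the exercise slide, although it reuses its link costs of 4 and 5 with Switch C as the root. Equal path costs are broken by the lower sender bridge ID, and the topology is assumed to be connected with positive link costs.

```python
import heapq


def compute_spanning_tree(bridge_ids, links, root=None):
    """bridge_ids: {switch: bridge ID} (lowest ID wins the root election).
    links: [(switch_a, switch_b, cost), ...], one point-to-point segment each.
    Returns (root, root_cost, roles) where roles maps (switch, neighbour) to
    'designated', 'root' or 'blocking'; the first two are Forwarding ports."""
    if root is None:
        root = min(bridge_ids, key=bridge_ids.get)   # election: lowest bridge ID
    adj = {s: [] for s in bridge_ids}
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))

    # Least-cost path from the root (Dijkstra); the neighbour on that path is the
    # switch's root port. Equal costs are broken by the lower sender bridge ID.
    root_cost = {root: 0}
    root_port = {}
    heap = [(0, bridge_ids[root], root)]
    while heap:
        cost, _, s = heapq.heappop(heap)
        if cost > root_cost[s]:
            continue
        for n, c in adj[s]:
            new_cost = cost + c
            if n not in root_cost or new_cost < root_cost[n] or (
                new_cost == root_cost[n] and n != root
                and bridge_ids[s] < bridge_ids[root_port[n]]
            ):
                root_cost[n] = new_cost
                root_port[n] = s
                heapq.heappush(heap, (new_cost, bridge_ids[s], n))

    # On every segment the switch with the lowest cost to the root (ties: lower
    # bridge ID) owns the designated port. The far end is either the neighbour's
    # root port or it goes to Blocking State, which is what breaks the loop.
    roles = {}
    for a, b, _ in links:
        designated = min((a, b), key=lambda s: (root_cost[s], bridge_ids[s]))
        other = b if designated == a else a
        roles[(designated, other)] = "designated"
        roles[(other, designated)] = "root" if root_port.get(other) == designated else "blocking"
    return root, root_cost, roles


def forwarding_ports(roles):
    """Ports the tree keeps in Forwarding State (root and designated ports)."""
    return sorted(p for p, role in roles.items() if role != "blocking")


def exercise_topology():
    """Constructed three-switch example (not the slide's figure): C holds the
    lowest bridge ID, so it wins the election without being forced as root."""
    bridge_ids = {"A": 0x8001, "B": 0x8002, "C": 0x8000}
    links = [("C", "A", 4), ("C", "B", 5), ("A", "B", 4)]
    return compute_spanning_tree(bridge_ids, links)
```

In `exercise_topology()` switch A reaches the root at cost 4 and switch B at cost 5 (its direct link beats the 8 it would pay through A), so on the A-B segment A owns the designated port and B's port toward A is the single Blocking port that removes the loop. Passing `root="A"` instead shows the tree being recomputed around a different root, which is the kind of change an unauthenticated superior BPDU can trigger, as Part IV discusses.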
Reacting to Changes in the Network
The steady-state operation:
• The root creates and sends a Hello STP message, with a cost of 0, out all its working interfaces.
• The nonroot switches receive the Hello on their root ports. Each switch forwards the Hello out all designated ports after changing the sender ID.
When a switch ceases to receive the Hellos, something has failed, so the switch reacts and starts the process of changing the spanning-tree topology.
STP Timers
Hello:
• 2 sec.
• The time period between Hellos created by the root.
Max Age:
• 10 times Hello.
• How long any switch should wait, after ceasing to hear Hellos, before trying to change the STP topology.
Forward Delay:
• 15 sec.
• Delay that affects the process that occurs when an interface changes from Blocking State to Forwarding State. A port stays in an interim Listening State, and then an interim Learning State.
Part IV
STP Security
Security Considerations
STP has no provisions for authentication as switches exchange STP information.
• These STP messages could easily be sent from an unauthorized device, which could have any number of undesirable effects.
• If the attacker can cause a failure, it generally takes 30 to 45 seconds for STP to reconverge the topology.
Root hijacking:
• The attacker could end up forwarding a lot of traffic in the LAN.
• The most obvious resulting attacks are man-in-the-middle, traffic sniffing, and denial of service.
STP Root Hijacking
The attacker becomes the root.
BPDU Guard
BPDU Guard Features:
• It disables a port if any STP message is received on the port.
• User ports have no reason to receive STP messages.
Advantages:
• Particularly useful for ports that should only be used as access ports and never connected to another switch.
• Prevents attackers from sending STP messages from their computers.
Root Guard
Root Guard Features:
• It disables any port through which a neighboring switch would have become the root switch as a result of its STP messages.
• When enabled, Root Guard reacts if the switch receives any superior STP message from the neighboring switch.
• In this case, Root Guard ignores the superior STP message. In addition, the switch disables the interface, neither sending nor receiving frames, as long as the superior STP messages keep arriving.
Advantages:
• It prevents a rogue switch from becoming the root switch.
• Less restrictive than BPDU Guard.
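The two guards from the last slides, modelled in Python as an added example (not code from the lecture, and not how any vendor implements them). `Bpdu`, `Port`, `Switch` and `scenario` are helpers written for this page; the bridge IDs and port names are constructed. A BPDU is reduced to the two fields the rules need, the root ID the sender claims and the sender's own ID, with the lower value being superior as in the STP election. The same rogue BPDU is delivered to an access port with BPDU Guard, an uplink with Root Guard, and an unguarded uplink, so the three outcomes can be compared.

```python
from dataclasses import dataclass, field


@dataclass
class Bpdu:
    """Fields of a configuration BPDU this model needs: the bridge ID the sender
    claims is the root, and the sender's own bridge ID (lower wins)."""
    root_id: int
    sender_id: int


@dataclass
class Port:
    name: str
    bpdu_guard: bool = False
    root_guard: bool = False
    state: str = "forwarding"      # forwarding | err-disabled | root-inconsistent
    log: list = field(default_factory=list)


class Switch:
    """Toy switch that tracks which root bridge it currently believes in."""

    def __init__(self, bridge_id, root_id):
        self.bridge_id = bridge_id
        self.root_id = root_id
        self.ports = {}

    def add_port(self, name, bpdu_guard=False, root_guard=False):
        self.ports[name] = Port(name, bpdu_guard=bpdu_guard, root_guard=root_guard)
        return self.ports[name]

    def receive_bpdu(self, port_name, bpdu):
        """Apply the guard rules from the slides and return the port's new state."""
        port = self.ports[port_name]
        if port.state == "err-disabled":
            return port.state              # stays down until an admin re-enables it
        if port.bpdu_guard:
            # Access ports have no reason to receive STP messages: shut the port.
            port.state = "err-disabled"
            port.log.append(f"BPDU from {bpdu.sender_id:#x} on access port, err-disabled")
            return port.state
        superior = bpdu.root_id < self.root_id
        if port.root_guard:
            if superior:
                # Ignore the superior BPDU and block the port while it keeps arriving.
                port.state = "root-inconsistent"
                port.log.append(f"superior root {bpdu.root_id:#x} ignored, port blocked")
            else:
                port.state = "forwarding"  # simplified: recovers on the next ordinary BPDU
            return port.state
        if superior:
            # Unguarded port: the switch accepts the new root (this is root hijacking).
            port.log.append(f"root changed {self.root_id:#x} -> {bpdu.root_id:#x}")
            self.root_id = bpdu.root_id
        return port.state


def scenario():
    """Constructed run: the same rogue BPDU hits an access port with BPDU Guard,
    an uplink with Root Guard and an unguarded uplink; returns the outcomes."""
    sw = Switch(bridge_id=0x8002, root_id=0x8001)
    sw.add_port("access1", bpdu_guard=True)
    sw.add_port("uplink1", root_guard=True)
    sw.add_port("uplink2")
    rogue = Bpdu(root_id=0x0001, sender_id=0x0001)   # claims a better root than 0x8001
    legit = Bpdu(root_id=0x8001, sender_id=0x8003)   # ordinary BPDU naming the real root
    return {
        "access1": sw.receive_bpdu("access1", rogue),
        "uplink1": sw.receive_bpdu("uplink1", rogue),
        "root_after_guards": sw.root_id,
        "uplink1_recovered": sw.receive_bpdu("uplink1", legit),
        "uplink2": sw.receive_bpdu("uplink2", rogue),
        "root_after_unguarded": sw.root_id,
    }
```

`scenario()` shows the difference in restrictiveness the slide mentions: BPDU Guard err-disables the access port on the first BPDU of any kind, Root Guard only blocks the uplink while a superior BPDU is present and lets it forward again afterwards, and the unguarded uplink lets the switch adopt the rogue root. Real Root Guard recovery waits for the superior BPDUs to age out (Max Age) rather than for the next ordinary BPDU; the model simplifies that timer away.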