CCNA Security 07-Securing the local area network

CCNA Security 640-554 By Eng-Ahmed Sultan

Page 1: CCNA Security 07-Securing the local area network

© 2009 Cisco Learning Institute.

06- Securing the Local Area Network

Ahmed Sultan CCNA | CCNA Security | CCNP Security | JNCIA-Junos | CEH

Page 2: CCNA Security 07-Securing the local area network


Layer 2 Security

Diagram: the course's enterprise network overview (Internet, perimeter, firewall, IPS, VPN, ACS, web server, email server, DNS, hosts). This module addresses the highlighted area: Layer 2 security of the LAN the hosts attach to.

Page 3: CCNA Security 07-Securing the local area network


OSI Model

When it comes to networking, Layer 2 is often a very weak link.

Diagram: two OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) with what each layer exposes: application stream, protocols and ports, IP addresses, MAC addresses, physical links. An initial compromise at the Data Link layer leaves every layer above it compromised as well, because the upper layers depend on the frames Layer 2 delivers and have no way to tell that those frames were redirected.

Page 4: CCNA Security 07-Securing the local area network


MAC Address Spoofing Attack

Diagram: a switch with two ports. Port 1 connects a host with MAC address AABBcc, Port 2 connects the attacker with MAC address 12AbDd. The switch's MAC address table reads: AABBcc, Port 1; 12AbDd, Port 2.

Switch: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."

The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case AABBcc.

Page 5: CCNA Security 07-Securing the local area network


MAC Address Spoofing Attack

Diagram: the attacker on Port 2 now sources frames with MAC address AABBcc. The MAC address table is updated to AABBcc, Port 2.

Attacker: "I have changed the MAC address on my computer to match the server."

Switch: "The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly."

From then on, frames addressed to AABBcc are delivered to the attacker's port. If the legitimate host transmits, the entry moves back to Port 1, so the attacker has to keep sending frames from the spoofed address to hold it.

Page 6: CCNA Security 07-Securing the local area network


MAC Address Table Overflow Attack

The switch can forward frames between PC1 and PC2 without flooding because its MAC address table already holds port-to-MAC-address mappings for both PCs. That table has a fixed size, which is what the overflow attack exploits.

Page 7: CCNA Security 07-Securing the local area network


MAC Address Table Overflow Attack

Diagram: hosts A, B, C and D in VLAN 10; the intruder (host C) is attached to port 3/25.

1. The intruder runs macof to begin sending frames with bogus, unknown source MAC addresses (X, Y, Z, ...).

2. The bogus addresses are added to the CAM table (X 3/25, Y 3/25, Z 3/25, ...) until the CAM table is full.

3. With no room to learn legitimate addresses, the switch floods the frames out of every port in VLAN 10.

4. The attacker sees traffic to servers B and D.

Page 8: CCNA Security 07-Securing the local area network


MAC ADDRESS TABLE OVERFLOW ATTACK

LAB

Page 9: CCNA Security 07-Securing the local area network


STP Manipulation Attack

• Spanning tree protocol operates by electing a root bridge: the switch with the lowest bridge ID (priority first, then MAC address) wins

• STP builds a tree topology rooted at that bridge and places redundant ports in the blocking state

• STP manipulation changes the topology of a network: the attacking host appears to be the root bridge

Diagram: three switches in a triangle, port states marked F (forwarding) and B (blocking). The legitimate root bridge has priority 8192 and MAC address 0000.00C0.1234.

Page 10: CCNA Security 07-Securing the local area network


Configure PortFast

Switch(config-if)# spanning-tree portfast
Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately, skipping the listening and learning states.

Switch(config-if)# no spanning-tree portfast
Disables PortFast on a Layer 2 access port. PortFast is disabled by default.

Switch(config)# spanning-tree portfast default
Globally enables the PortFast feature on all nontrunking ports.

Switch# show running-config interface type slot/port
Indicates whether PortFast has been configured on a port.

Diagram: PortFast belongs on ports that connect a single end device such as a server or workstation. Never enable it on a port that connects to another switch: a PortFast port that receives BPDUs can form a loop before STP reacts, which is the case BPDU guard on the following slides is meant to catch.

Page 11: CCNA Security 07-Securing the local area network


STP Manipulation Attack

Diagram: the legitimate root bridge has priority 8192. The attacker sends STP BPDUs advertising priority 0 to the switches it is attached to. Because 0 is lower than 8192, the switches elect the attacker's host as the new root and recompute port states (F = forwarding, B = blocking), so traffic that used to stay on the switch-to-switch links can now be pulled through the attacker.

The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.

Page 12: CCNA Security 07-Securing the local area network


BPDU Guard

Switch(config)# spanning-tree portfast bpduguard default

• Globally enables BPDU guard on all ports with PortFast enabled

Diagram: the attacker sends an STP BPDU into an access port that has BPDU guard enabled. The port is placed in the err-disabled state as soon as the BPDU arrives, so the BPDU never reaches the spanning tree and the root bridge is unchanged (F = forwarding, B = blocking).

Page 13: CCNA Security 07-Securing the local area network


Root Guard

Switch(config-if)# spanning-tree guard root

• Enables root guard on a per-interface basis

Diagram: the legitimate root bridge has priority 0 and MAC address 0000.0c45.1a5d. The attacker sends an STP BPDU with priority 0 and MAC address 0000.0c45.1234. The priorities tie, and the attacker's lower MAC address gives it the lower bridge ID, so without protection its BPDU would win the root election. With root guard enabled on the port facing the attacker, the superior BPDU puts that port into the root-inconsistent (blocked) state instead; the port recovers on its own once the superior BPDUs stop (F = forwarding, B = blocking).
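The PortFast, BPDU guard and root guard commands from the last four slides, put together on the two roles they apply to (an access switch and the distribution switch above it). This is an added example, not configuration from the original deck; interface names and the priority value are assumptions for illustration.

```cisco
! Added example (not from the original deck). Interface names and priorities
! are assumptions.
!
! 1. Pin the legitimate root. Note the caveat: "root primary" sets the
!    priority to 24576, or 4096 below the current root, never to 0, so an
!    attacker announcing priority 0 still wins the election unless the
!    guards below stop its BPDUs. Priority alone is not a control.
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 root primary
!
! 2. Access switch: PortFast plus BPDU guard on every nontrunking port, so a
!    port that receives any BPDU is err-disabled instead of joining the tree.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
!    Per-interface form, for a port where you want it explicit:
interface GigabitEthernet0/5
 description User access port
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! 3. Distribution switch: root guard on the downlinks toward access switches.
!    A superior BPDU arriving from below puts the port into the
!    root-inconsistent (blocked) state until the superior BPDUs stop.
interface GigabitEthernet1/0/1
 description Downlink to access switch
 spanning-tree guard root
!
! Let ports shut by BPDU guard recover automatically after 5 minutes rather
! than waiting for a manual shutdown / no shutdown.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification:
! show spanning-tree summary            -> PortFast, BPDU Guard, Root guard state
! show spanning-tree inconsistentports  -> ports currently blocked by root guard
! show interfaces status err-disabled   -> ports shut by BPDU guard
```

Root guard and BPDU guard are not interchangeable: BPDU guard belongs on ports where no switch should ever appear, root guard on ports where a switch is expected but must never become root.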

Page 14: CCNA Security 07-Securing the local area network


LAN Storm Attack

• Broadcast, multicast, or unknown-unicast frames are flooded on all ports in the same VLAN.

• These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.

Diagram: a single broadcast frame entering one port is replicated out of every other port in the VLAN, and every host attached has to process it.
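Storm control is the switch-side limit on the flooding this slide describes: the port measures broadcast, multicast and unicast traffic against a threshold and drops the excess (optionally shutting the port). This is an added example, not configuration from the original deck; the interface, thresholds and the assumption that the platform supports packets-per-second thresholds are for illustration.

```cisco
! Added example (not from the original deck). Interface and thresholds are
! assumptions; "pps" thresholds require a platform that supports them.
interface GigabitEthernet0/1
 description User access port
 ! Suppress broadcast above 20% of port bandwidth, resume below 10%.
 storm-control broadcast level 20.00 10.00
 ! Multicast threshold as a percentage of bandwidth (single threshold).
 storm-control multicast level 30.00
 ! Unicast threshold in packets per second.
 storm-control unicast level pps 5000
 ! Default action is to drop the excess silently; err-disable the port and
 ! raise an SNMP trap instead so the event is visible.
 storm-control action shutdown
 storm-control action trap
!
! Bring a port shut by storm control back automatically (default 300 s).
errdisable recovery cause storm-control
!
! Verification: current level, thresholds and whether the port is suppressing.
! show storm-control GigabitEthernet0/1 broadcast
! show storm-control GigabitEthernet0/1 unicast
```

Thresholds are per port and per traffic type; set them from a baseline of normal traffic rather than guessing, or legitimate bursts (boot-time ARP, multicast imaging) will trip the shutdown action.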

Page 15: CCNA Security 07-Securing the local area network


VLAN Attacks

VLAN = Broadcast Domain = Logical Network (Subnet)

VLANs provide:

• Segmentation

• Flexibility

• Security

Page 16: CCNA Security 07-Securing the local area network


VLAN Hopping Attack

Diagram: two switches joined by an 802.1Q trunk carry VLAN 10 and VLAN 20, each with a server. The attacker's port has also become an 802.1Q trunk, so the attacker sees traffic destined for the servers in both VLANs.

A VLAN hopping attack can be launched by spoofing DTP messages from the attacking host to cause the switch to enter trunking mode. A port left in its default dynamic DTP mode will negotiate a trunk with any device that speaks DTP, and a trunk carries every VLAN unless its allowed list is restricted, so the attacker's single port now receives traffic from all VLANs.

Page 17: CCNA Security 07-Securing the local area network


Port Security Overview

Diagram: Port 0/1 allows MAC A, Port 0/2 allows MAC B, Port 0/3 allows MAC C. Attacker 1 connects with a spoofed copy of MAC A, Attacker 2 connects with an unknown MAC F; neither address is permitted on the port it arrives on, so both are treated as violations.

Port security allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.

Page 18: CCNA Security 07-Securing the local area network


CLI Commands

Switch(config-if)# switchport mode access
• Sets the interface mode as access

Switch(config-if)# switchport port-security
• Enables port security on the interface

Switch(config-if)# switchport port-security maximum value
• Sets the maximum number of secure MAC addresses for the interface (optional; the default is 1)
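The three commands above are the minimum. The configuration below is an added example, not configuration from the original deck, showing how port security is applied in practice to the two attacks from earlier slides: MAC address table overflow (a cap on learned addresses) and MAC spoofing (a statically pinned address). It also adds the violation mode and recovery settings a practitioner would want. Interface names, VLAN numbers and the server MAC address are assumptions for illustration.

```cisco
! Added example (not from the original deck). Interfaces, VLANs and the MAC
! address are assumptions.
!
! User port: a PC behind an IP phone, so two addresses are legitimate. macof
! would try to learn thousands; the cap stops the CAM table from filling.
interface GigabitEthernet0/1
 description User access port (phone + PC)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 ! Learn the first two addresses seen and write them into the running
 ! configuration; save with "copy running-config startup-config".
 switchport port-security mac-address sticky
 ! restrict: drop frames from any other source, log, increment the violation
 ! counter, keep the port up (default mode "shutdown" err-disables it).
 switchport port-security violation restrict
!
! Server port: the address is known, so pin it. A host that spoofs this MAC
! on another port still fails, because that port does not permit it; a
! different MAC appearing here is a violation and the port shuts down.
interface GigabitEthernet0/2
 description Server, fixed MAC
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address 0000.0c12.3456   ! assumed server MAC
 switchport port-security violation shutdown
!
! Recover err-disabled ports after 5 minutes instead of by hand.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification:
! show port-security interface GigabitEthernet0/1  -> status, max, learned,
!                                                      violation count, mode
! show port-security address                        -> secure MACs per port
! show interfaces status err-disabled               -> ports shut by a violation
```

Choose the violation mode deliberately: "protect" drops silently and gives you nothing to alert on, "restrict" logs and counts, "shutdown" takes the port down and is the right default for ports whose address should never change.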

Page 19: CCNA Security 07-Securing the local area network


MAC ADDRESS TABLE OVERFLOW ATTACK

LAB

Page 20: CCNA Security 07-Securing the local area network


Mitigating VLAN Attacks

Diagram: a trunk between two switches with Native VLAN = 10.

1. Disable trunking on all access ports.

2. Disable auto trunking and manually enable trunking only on the ports that need it.

3. Be sure that the native VLAN is used only for trunk lines and nowhere else.

Page 21: CCNA Security 07-Securing the local area network


Controlling Trunking

Switch(config-if)# switchport mode trunk
• Specifies an interface as a trunk link

Switch(config-if)# switchport nonegotiate
• Prevents the generation of DTP frames.

Switch(config-if)# switchport trunk native vlan vlan_number
• Sets the native VLAN on the trunk to an unused VLAN
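The three mitigation steps and the three commands above, applied to a whole access switch. This is an added example, not configuration from the original deck; VLAN numbers and interface ranges are assumptions for illustration. It goes one step beyond the slides by also pruning the allowed VLAN list on the trunk and parking unused ports in a black-hole VLAN.

```cisco
! Added example (not from the original deck). VLAN numbers and interfaces are
! assumptions.
!
! An unused VLAN reserved for the native VLAN, and one for idle ports.
vlan 999
 name NATIVE_UNUSED
vlan 998
 name BLACKHOLE
!
! 1. Access ports: fixed access mode and DTP silenced, so a spoofed DTP frame
!    cannot negotiate the port into a trunk.
interface range GigabitEthernet0/1 - 20
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! 2. Uplink: trunking set by hand, no negotiation, only the VLANs that need
!    to cross the link.
interface GigabitEthernet0/24
 description Uplink to distribution switch
 ! Only on platforms that also support ISL (3560/3750); absent on 2960.
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 ! 3. Native VLAN used nowhere else, so no access port shares it.
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! Idle ports: shut down and parked in the black-hole VLAN.
interface range GigabitEthernet0/21 - 23
 switchport mode access
 switchport access vlan 998
 shutdown
!
! Verification:
! show interfaces trunk                  -> mode, encapsulation, native VLAN,
!                                           allowed and active VLANs
! show dtp interface GigabitEthernet0/1  -> confirms DTP is off on the port
! show interfaces switchport             -> operational mode per port
```

"switchport nonegotiate" is accepted only once the mode is fixed to access or trunk; on a port still in a dynamic mode the command is rejected, which is a useful reminder that step 1 comes first.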

Page 22: CCNA Security 07-Securing the local area network