1 / 27

Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2

Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2. Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007. Caveats and Assumptions.

isaiah-myers
Download Presentation

Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Layer 2 Security – No Longer IgnoredSecurity Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007

  2. Caveats and Assumptions • Opinions expressed are my own and do not represent the views of UBC, my employer, any vendor, or any organization to which I am associated • Internet Protocol (IP) implementation in a switched environment is assumed • Familiarity with basic networking assumed • Control of user traffic, not management of the network device • Secure management of the switch is assumed

  3. Caveats and Assumptions • Concepts are from a context of Cisco Systems equipment, but sufficiently general to apply to other network hardware vendors • Switch features are not available on all product lines – check with your vendor • Remediations presented are possibilities not necessarily recommended best practise • Test before implementation as bugs may be present are

  4. Assertion Intelligence built into the new generation of switches will permit greater control of data as it enters your network

  5. Application Presentation Session Transport Network Data Link Physical Application OSI Layers transmit receive Presentation Session Transport Network Data Link Physical GET /home.html HTTP/1.1 1024 TCP 80 192.168.1.100 10.11.12.13 00:04:05:06:07:08 00:1A:1B:C3:87:25

  6. Traditional Network Security • OSI Layers 3 and 4 where most network controls are implemented • e.g.,192.168.1.2 can only be contacted on TCP port 80 from subnets beginning with 172.16. • Firewall rules and router access lists • Specialized devices now looking at layer 7

  7. 192.168.1.2 on TCP port 80 Not Involved 192.168.1.2 on TCP port 99 Traditional Network Security Full Access Full Access Full Access Full Access

  8. VulnerabilityAttack within subnet • Compromised machines can access others on the same VLAN by default Limited Access Full Access Full Access

  9. RemediationPrivate VLANs • Promiscuous: talks to any port • Isolated: talks only to promiscuous • Community: talks only to same community or promiscuous

  10. RemediationProtected Ports • Simpler form of a Private VLAN • Protected: similar to Isolated • Not protected: similar to Promiscuous • Only applicable to the local switch however

  11. RemediationPrivate VLANs or Protected Ports promiscuous or not protected Limited Access No Access No Access isolated or protected

  12. broadcast VulnerabilityBroadcast Storm • All devices in VLAN / subnet must handle broadcasts, consuming resources. • OS or application bugs may produce constant broadcasts. May also be malicious. busy handling broadcasts broadcast storm

  13. RemediationStorm Control • Can apply to broadcasts, multicasts, or unicasts • Set threshold as percentage of bandwidth over a 1 second period • If threshold is exceeded, drop this type of packet for next 1 second period

  14. VulnerabilityFlooding for Data Capture or Performance Hit • Switches flood to all ports when MAC unknown • Switches learn MAC addresses at each port • Table of addresses is a finite size Normal flood flood flood address table full new source MAC starts macof or dsniff

  15. VulnerabilityDHCP Denial of Service • Attacker requests new addresses for bogus MACs • Finite number of DHCP addresses in a subnet • PCs coming on the network can not get address offer request no address no more addresses starts DHCP Gobbler

  16. RemediationPort Security • Limits the source MAC addresses on a port • Can specify static addresses or maximum number • Violations on ports can • disable port • send trap and syslog • continue forwarding; drop frames with new MACs • continue forwarding; age out MAC entries from inactivity

  17. VulnerabilityDHCP Rogue Server • Attacker uses rogue DHCP server to provide false settings (e.g., DNS, default gateway, etc.) good offer bad DHCP information provides true DHCP bad offer request starts rogue DHCP server

  18. RemediationDHCP Snooping • Define trusted ports for DHCP responses Untrusted DHCP Trusted DHCP good offer gets good DHCP information bad offer request starts rogue DHCP server

  19. RemediationDHCP Snooping – other vulnerabilities covered • Comparison of MAC address in layers 2 and 7 • hardware address must match “chaddr” (client hardware address) field in DHCP packet from untrusted ports • recall DHCP Gobbler attack and Port Security • Switch keeps track of the DHCP bindings to prevent DoS release attacks • DHCP releases or declines must have the hardware address match the original bound address

  20. VulnerabilitySpanning Tree Root Hijackfor Data Capture or Performance Hit • Spanning Tree Protocol resolves loops • Bridge Protocol Data Units sent from switches • Loops broken based on root selection STP block BPDU BPDU becomes root bridge connects to both switches sends BPDU root frames

  21. RemediationBPDU Guard • BPDUs should not be received on an access port • BPDU receipt may indicate unauthorized switch or hub, or an attack • BPDU receipt puts port into error disabled mode

  22. VulnerabilityARP Table Poisoning • ARPs (Address Resolution Protocol) associate layer 3 addresses to layer 2 (IP to MAC) • Requests are broadcast • Responses unauthenticated and can be sent without a request (gratuitous) Normal hijack ARP tables poisoned hijack I am also Router I am PC A starts ettercap

  23. RemediationDynamic ARP Inspection • Validates against DHCP Snooping binding table (if DHCP Snooping used) • Can build access lists of MAC and IP pairs for non-DHCP environments or set port to be trusted • Can limit the rate of ARPs to prevent DoS attacks

  24. source 192.168.1.1 VulnerabilityIP Address Spoofing • Attacker sends packet with spoofed source IP address • Victim’s response packet dies or goes to wrong source (another victim) dest. 192.168.1.1

  25. RemediationIngress Access List • RFC 2827 normally done by router can be done at layer 2 device closer to end device • Helps protect other devices on subnet • Source IP address should always be 0.0.0.0 for DHCP request or within subnet (e.g., 207.206.205.x) • Vulnerability: Attacker could still use another IP address within that subnet

  26. RemediationIP Source Guard • Based on DHCP Snooping — source IP address must be the one listed in DHCP Snooping table. • Can add static mappings for non-DHCP devices • Can also check MAC address source source 192.168.1.1

  27. Conclusion • Private VLANs • Protected Ports • Storm Control • Port Security • DHCP Snooping • BPDU Guard • Dynamic ARP Inspection • Anti-spoofing access lists • IP Source Guard • Attack within subnet • Broadcast storm • MAC Flooding • DHCP DoS • DHCP rogue • Spanning Tree hijack • ARP table poisoning • IP address spoofing Further Reading: SAFE Layer 2 Security In-depth Version 2http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/sfblu_wp.pdf

More Related