CCNA Security 07-Securing the local area network
Download as PPT, PDF10 likes2,679 views
This document discusses techniques for securing the local area network layer 2, including mitigating MAC address spoofing, STP manipulation, broadcast storms, and VLAN hopping attacks. It provides examples of how these attacks work and recommends configuration options like port security, BPDU guard, root guard, and controlling trunking to enhance network security. Specific commands are shown to enable these security features on Cisco switches to prevent common layer 2 attacks.
CCNA Security 07-Securing the local area network
- 1. 06- Securing the Local Area Network Ahmed Sultan CCNA | CCNA Security | CCNP Security | JNCIA-Junos | CEH © 2009 Cisco Learning Institute. 1
- 2. IPS Layer 2 Security Perimeter VPN ACS Firewall Web Server Email Server DNS Hosts Internet © 2009 Cisco Learning Institute. 2
- 3. OSI Model When it comes to networking, Layer 2 is often a very weak link. Application Application Stream Protocols and Ports IP Addresses Initial Compromise MAC Addresses Physical Links Presentation Session Transport Network Data Link Physical Compromised Application Presentation Session Transport Network Data Link Physical © 2009 Cisco Learning Institute. 3
- 4. MAC Address Spoofing Attack 1 2 Switch Port AABBcc 12AbDd MAC Address: AABBcc The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host—in this case, AABBcc MAC Address: 12AbDd MAC Address: AABBcc Attacker Port 1 Port 2 I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly. © 2009 Cisco Learning Institute. 4
- 5. MAC Address Spoofing Attack MAC Address: AABBcc Switch Port 1 2 AABBcc I have changed the MAC 1 2 address on my computer to match the server. Attacker MAC Address: AABBcc Port 1 Port 2 AABBcc The device with MAC address AABBcc has changed locations to Port2. I must adjust my MAC address table accordingly. © 2009 Cisco Learning Institute. 5
- 6. MAC Address Table Overflow Attack The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings in the MAC address table for these PCs. © 2009 Cisco Learning Institute. 6
- 7. MAC Address Table Overflow Attack VLAN 10 VLAN 10 A B C D 2 1 Intruder runs macof to begin sending unknown bogus MAC addresses. Bogus addresses are added to the CAM table. CAM table is full. MAC Port X 3/25 Y 3/25 C 3/25 3/25 3/25 MAC X 3/25 MAC Y 3/25 MAC Z XYZ flood Host C VLAN 10 The switch floods the frames. 4 Attacker sees traffic to servers B and D. 3 © 2009 Cisco Learning Institute. 7
- 8. LAB MAC ADDRESS TABLE OVERFLOW ATTACK © 2009 Cisco Learning Institute. 8
- 9. STP Manipulation Attack • Spanning tree protocol operates by electing a root bridge • STP builds a tree topology • STP manipulation changes the topology of a network—the attacking host appears to be the root bridge F F Root Bridge Priority = 8192 MAC Address= 0000.00C0.1234 F F F B © 2009 Cisco Learning Institute. 9
- 10. Configure Portfast Server Workstatio Command Description Switch(config-if)# spanning-tree portfast n Enables PortFast on a Layer 2 access port and forces it to enter the forwarding stateimmediately. Switch(config-if)# no spanning-tree portfast Disables PortFast on a Layer 2 access port. PortFast is disabled by default. Switch(config)# spanning-tree portfast default Globally enables the PortFast feature on all nontrunking ports. Switch# show running-config interface type slot/port Indicates whether PortFast has been configured on a port. © 2009 Cisco Learning Institute. 10
- 11. STP Manipulation Attack Root Bridge Priority = 8192 F B F F F Root Bridge F F F F F B STP BPDU Priority = 0 STP BPDU Priority = 0 F Attacker The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations. © 2009 Cisco Learning Institute. 11
- 12. BPDU Guard F F F F F B Root Bridge BPDU Guard Enabled Attacker STP BPDU Switch(config)# spanning-tree portfast bpduguard default • Globally enables BPDU guard on all ports with PortFast enabled © 2009 Cisco Learning Institute. 12
- 13. Root Guard Root Bridge Priority = 0 MAC Address = 0000.0c45.1a5d F F F F F B F STP BPDU Priority = 0 Root Guard Enabled MAC Address = 0000.0c45.1234 Attacker Switch(config-if)# spanning-tree guard root • Enables root guard on a per-interface basis © 2009 Cisco Learning Institute. 13
- 14. LAN Storm Attack Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast • Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN. • These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network. © 2009 Cisco Learning Institute. 14
- 15. VLAN Attacks Segmentatio n Flexibility Security VLAN = Broadcast Domain = Logical Network (Subnet) © 2009 Cisco Learning Institute. 15
- 16. VLAN Hopping Attack 802.1Q Trunk 802.1Q Server Trunk VLAN 20 VLAN 10 Attacker sees traffic destined for servers Server A VLAN hopping attack can be launched by spoofing DTP Messages from the attacking host to cause the switch to enter trunking mode. © 2009 Cisco Learning Institute. 16
- 17. Port Security Overview MAC A MAC A Port 0/1 allows MAC A Port 0/2 allows MAC B Port 0/3 allows MAC C Attacker 1 MAC F Attacker 2 0/1 0/2 0/3 Allows an administrator to statically specify MAC Addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses © 2009 Cisco Learning Institute. 17
- 18. CLI Commands Switch(config-if)# switchport mode access • Sets the interface mode as access Switch(config-if)# switchport port-security • Enables port security on the interface Switch(config-if)# switchport port-security maximum value • Sets the maximum number of secure MAC addresses for the interface (optional) © 2009 Cisco Learning Institute. 18
- 19. LAB MAC ADDRESS TABLE OVERFLOW ATTACK © 2009 Cisco Learning Institute. 19
- 20. Mitigating VLAN Attacks Trunk (Native VLAN = 10) 1. Disable trunking on all access ports. 2. Disable auto trunking and manually enable trunking 3. Be sure that the native VLAN is used only for trunk lines and no where else © 2009 Cisco Learning Institute. 20
- 21. Controlling Trunking Switch(config-if)# switchport mode trunk • Specifies an interface as a trunk link . Switch(config-if)# switchport nonegotiate • Prevents the generation of DTP frames. Switch(config-if)# switchport trunk native vlan vlan_number • Set the native VLAN on the trunk to an unused VLAN © 2009 Cisco Learning Institute. 21