Summary

This document provides an overview of LAN security, including security needs, threats, vulnerabilities, physical security, endpoint security, network attacks, and security solutions. It covers topics such as security threats and vulnerabilities, types of vulnerabilities, and physical and endpoint security. The document is suitable for educating IT professionals on LAN security topics.

Full Transcript

LAN SECURITY - LAN TECHNOLOGIES
SBA, 12/2024

Subtopics
3.1 Security needs
3.2 Types of VLANs (already covered in chapter 1)
3.3 Port Security
3.4 ARP attacks
3.5 VTP attacks
3.6 Wireless Security (already covered in chapter 2)

3.1 Security Needs

Security Threats and Vulnerabilities - Types of Threats
Attacks on a network can be devastating and can result in a loss of time and money due to damage, or theft of important information or assets. Intruders can gain access to a network through software vulnerabilities, hardware attacks, or by guessing someone's username and password. Intruders who gain access by modifying software or exploiting software vulnerabilities are called threat actors. After the threat actor gains access to the network, four types of threats may arise:
- Information theft
- Data loss and manipulation
- Identity theft
- Disruption of service

Security Threats and Vulnerabilities - Types of Vulnerabilities
Vulnerability is the degree of weakness in a network or a device. Some degree of vulnerability is inherent in routers, switches, desktops, servers, and even security devices. Typically, the network devices under attack are the endpoints, such as servers and desktop computers.

There are three primary vulnerabilities or weaknesses:
- Technological vulnerabilities might include TCP/IP protocol weaknesses, operating system weaknesses, and network equipment weaknesses.
- Configuration vulnerabilities might include unsecured user accounts, system accounts with easily guessed passwords, misconfigured internet services, unsecure default settings, and misconfigured network equipment.
- Security policy vulnerabilities might include lack of a written security policy, politics, lack of authentication continuity, logical access controls not applied, software and hardware installation and changes not following policy, and a nonexistent disaster recovery plan.
All three of these sources of vulnerabilities can leave a network or device open to various attacks, including malicious code attacks and network attacks.

Security Threats and Vulnerabilities - Physical Security
If network resources can be physically compromised, a threat actor can deny the use of network resources. The four classes of physical threats are as follows:
- Hardware threats - physical damage to servers, routers, switches, the cabling plant, and workstations.
- Environmental threats - temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry).
- Electrical threats - voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss.
- Maintenance threats - poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling.
A good plan for physical security must be created and implemented to address these issues.

Endpoint Security - Network Attacks Today
The news media commonly covers attacks on enterprise networks. Simply search the internet for "latest network attacks" to find up-to-date information on current attacks. Most likely, these attacks will involve one or more of the following:
- Distributed Denial of Service (DDoS) - a coordinated attack from many devices, called zombies, with the intention of degrading or halting public access to an organization's website and resources.
- Data breach - an attack in which an organization's data servers or hosts are compromised to steal confidential information.
- Malware - an attack in which an organization's hosts are infected with malicious software that causes a variety of problems. For example, ransomware such as WannaCry encrypts the data on a host and locks access to it until a ransom is paid.
Endpoint Security - Endpoint Protection
Endpoints are hosts which commonly consist of laptops, desktops, servers, and IP phones, as well as employee-owned devices. Endpoints are particularly susceptible to malware-related attacks that originate through email or web browsing. Endpoints have typically used traditional host-based security features, such as antivirus/antimalware, host-based firewalls, and host-based intrusion prevention systems (HIPSs). Endpoints today are best protected by a combination of network access control (NAC), Advanced Malware Protection (AMP) software, an email security appliance (ESA), and a web security appliance (WSA).

Access Control - Authentication with a Local Password
Many types of authentication can be performed on networking devices, and each method offers varying levels of security. The simplest method of remote access authentication is to configure a login and password combination on the console, vty lines, and aux ports. SSH is a more secure form of remote access: it requires a username and a password, and the username and password can be authenticated locally. The local database method has some limitations:
- User accounts must be configured locally on each device, which is not scalable.
- The method provides no fallback authentication method.

Access Control - AAA Components
AAA stands for Authentication, Authorization, and Accounting, and provides the primary framework to set up access control on a network device. AAA is a way to control who is permitted to access a network (authenticate), what they can do while they are there (authorize), and to audit what actions they performed while accessing the network (accounting).

Access Control - Authentication
Local and server-based are two common methods of implementing AAA authentication.

Local AAA authentication: this method stores usernames and passwords locally in a network device (e.g., a Cisco router). Users authenticate against the local database. Local AAA is ideal for small networks.
Server-based AAA authentication: with the server-based method, the router accesses a central AAA server. The AAA server contains the usernames and passwords for all users. The router uses either the Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access-Control System Plus (TACACS+) protocol to communicate with the AAA server. When there are multiple routers and switches, server-based AAA is more appropriate.

Access Control - Authorization
AAA authorization is automatic and does not require users to perform additional steps after authentication. Authorization governs what users can and cannot do on the network after they are authenticated. Authorization uses a set of attributes that describes the user's access to the network. These attributes are used by the AAA server to determine privileges and restrictions for that user.

Access Control - Accounting
AAA accounting collects and reports usage data. This data can be used for such purposes as auditing or billing. The collected data might include the start and stop connection times, executed commands, number of packets, and number of bytes. A primary use of accounting is to combine it with AAA authentication. The AAA server keeps a detailed log of exactly what the authenticated user does on the device, as shown in the figure. This includes all EXEC and configuration commands issued by the user. The log contains numerous data fields, including the username, the date and time, and the actual command that was entered by the user. This information is useful when troubleshooting devices. It also provides evidence for when individuals perform malicious acts.

Access Control - 802.1X
The IEEE 802.1X standard is a port-based access control and authentication protocol. This protocol restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports.
The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN. With 802.1X port-based authentication, the devices in the network have specific roles:
- Client (supplicant) - a device running 802.1X-compliant client software, which is available for wired or wireless devices.
- Switch (authenticator) - the switch acts as an intermediary between the client and the authentication server. It requests identifying information from the client, verifies that information with the authentication server, and relays a response to the client. Another device that could act as authenticator is a wireless access point.
- Authentication server - the server validates the identity of the client and notifies the switch or wireless access point that the client is or is not authorized to access the LAN and switch services.

3.4, 3.5 Attacks

Layer 2 Security Threats - Layer 2 Vulnerabilities
Recall that the OSI reference model is divided into seven layers which work independently of each other. The figure shows the function of each layer and the core elements that can be exploited. Network administrators routinely implement security solutions to protect the elements in Layer 3 up through Layer 7. They use VPNs, firewalls, and IPS devices to protect these elements. However, if Layer 2 is compromised, then all the layers above it are also affected. For example, if a threat actor with access to the internal network captured Layer 2 frames, then all the security implemented on the layers above would be useless. The threat actor could cause a lot of damage on the Layer 2 LAN networking infrastructure.

Layer 2 Security Threats - Switch Attack Categories
Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weak link. This is because LANs were traditionally under the administrative control of a single organization.
We inherently trusted all persons and devices connected to our LAN. Today, with BYOD and more sophisticated attacks, our LANs have become more vulnerable to penetration.

Category                  Examples
MAC Table Attacks         Includes MAC address flooding attacks.
VLAN Attacks              Includes VLAN hopping and VLAN double-tagging attacks. It also includes attacks between devices on a common VLAN.
DHCP Attacks              Includes DHCP starvation and DHCP spoofing attacks.
ARP Attacks               Includes ARP spoofing and ARP poisoning attacks.
Address Spoofing Attacks  Includes MAC address and IP address spoofing attacks.
STP Attacks               Includes Spanning Tree Protocol manipulation attacks.

MAC Address Table Attack
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

MAC Address Table Attack - Switch Operation Review
Recall that to make forwarding decisions, a Layer 2 LAN switch builds a table based on the source MAC addresses in received frames. This is called a MAC address table. MAC address tables are stored in memory and are used to more efficiently switch frames.

MAC Address Table Attack - MAC Address Table Flooding
All MAC tables have a fixed size and consequently, a switch can run out of resources in which to store MAC addresses. MAC address flooding attacks take advantage of this limitation by bombarding the switch with fake source MAC addresses until the switch MAC address table is full. When this occurs, the switch treats the frame as an unknown unicast and begins to flood all incoming traffic out all ports on the same VLAN without referencing the MAC table. This condition now allows a threat actor to capture all of the frames sent from one host to another on the local LAN or local VLAN.

Note: Traffic is flooded only within the local LAN or VLAN. The threat actor can only capture traffic within the local LAN or VLAN to which the threat actor is connected.
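The following simulation, added here as an example and not part of the original slides or any Cisco code, models the MAC table overflow described above: an attacker port pumps frames with random source MACs until a small table is full, after which a conversation between two legitimate hosts is flooded out the attacker's port. The same model with a one-address limit on the attacker port (port security in its default shutdown behaviour, which the slides cover later) shows the table never filling. The switch model is a deliberate simplification (one VLAN, no aging, learning stops when the table is full); the port names, table size and MAC addresses are assumptions.

```python
"""MAC address table flooding (macof-style) against a switch with a bounded MAC table.

Added example; not code from the original slides or from Cisco. Simplifications:
one VLAN, no address aging, learning stops when the table is full (real switches age
entries out after a timer, which is how a sustained flood displaces legitimate hosts).
Port names, table size and MAC addresses are made up for the demonstration.
"""
import random

PC_A = "00:11:22:aa:aa:aa"   # host on Fa0/1 (assumed)
PC_B = "00:11:22:bb:bb:bb"   # host on Fa0/2 (assumed)
ATTACKER_PORT = "Fa0/3"


class Switch:
    def __init__(self, ports, table_size, port_security_max=None):
        self.ports = list(ports)
        self.table_size = table_size
        self.mac_table = {}                           # source MAC -> port it was learned on
        self.delivered = {p: [] for p in self.ports}  # frames sent out of each port
        # Optional port security (shutdown violation mode): port -> max secure MACs
        self.port_security_max = port_security_max or {}
        self.secure_macs = {p: set() for p in self.ports}
        self.err_disabled = set()

    def receive(self, in_port, src, dst, payload):
        """Process one frame and return the ports it was forwarded out of."""
        if in_port in self.err_disabled:
            return []
        limit = self.port_security_max.get(in_port)
        if limit is not None and src not in self.secure_macs[in_port]:
            if len(self.secure_macs[in_port]) >= limit:
                self.err_disabled.add(in_port)        # violation: port goes err-disabled
                return []
            self.secure_macs[in_port].add(src)
        # Learn the source MAC only while the table has room.
        if src in self.mac_table or len(self.mac_table) < self.table_size:
            self.mac_table[src] = in_port
        out_port = self.mac_table.get(dst)
        if out_port is None:
            # Unknown unicast: flood out every other port in the VLAN.
            egress = [p for p in self.ports if p != in_port and p not in self.err_disabled]
        else:
            egress = [out_port]
        for p in egress:
            self.delivered[p].append((src, dst, payload))
        return egress


def random_mac(rng):
    """Locally administered random MAC, like the ones macof generates."""
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def run_scenario(port_security=False, table_size=1000, flood_frames=1500):
    """Attacker on Fa0/3 floods bogus source MACs, then PC-A and PC-B exchange frames.

    Returns (MAC table entries after the run, PC-A/PC-B frames the attacker port saw).
    """
    ports = ["Fa0/1", "Fa0/2", ATTACKER_PORT]
    limits = {ATTACKER_PORT: 1} if port_security else None
    sw = Switch(ports, table_size, limits)
    rng = random.Random(1)                # fixed seed: deterministic bogus addresses
    for _ in range(flood_frames):
        sw.receive(ATTACKER_PORT, random_mac(rng), random_mac(rng), b"bogus")
    sw.receive("Fa0/1", PC_A, PC_B, b"hello B")
    sw.receive("Fa0/2", PC_B, PC_A, b"hello A")
    captured = [f for f in sw.delivered[ATTACKER_PORT] if {f[0], f[1]} == {PC_A, PC_B}]
    return len(sw.mac_table), len(captured)


if __name__ == "__main__":
    print("no port security:", run_scenario())
    print("port security max 1:", run_scenario(port_security=True))
```

Without port security the table ends up holding 1000 bogus entries and both host-to-host frames reach the attacker port; with a one-address limit the second bogus source MAC err-disables Fa0/3 and the attacker sees nothing.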
MAC Address Table Attack - MAC Address Table Attack Mitigation
What makes tools such as macof so dangerous is that an attacker can create a MAC table overflow attack very quickly. For instance, a Catalyst 6500 switch can store 132,000 MAC addresses in its MAC address table. A tool such as macof can flood a switch with up to 8,000 bogus frames per second, creating a MAC address table overflow in a matter of a few seconds.

Another reason why these attack tools are dangerous is that they not only affect the local switch, they can also affect other connected Layer 2 switches. When the MAC address table of a switch is full, it starts flooding out all ports, including those connected to other Layer 2 switches.

To mitigate MAC address table overflow attacks, network administrators must implement port security. Port security will only allow a specified number of source MAC addresses to be learned on the port. Port security is further discussed in another module.

LAN Attacks

LAN Attacks - VLAN Hopping Attacks
A VLAN hopping attack enables traffic from one VLAN to be seen by another VLAN without the aid of a router. In a basic VLAN hopping attack, the threat actor configures a host to act like a switch to take advantage of the automatic trunking port feature enabled by default on most switch ports. The threat actor configures the host to spoof 802.1Q signaling and Cisco-proprietary Dynamic Trunking Protocol (DTP) signaling to trunk with the connecting switch. If successful, the switch establishes a trunk link with the host, as shown in the figure. Now the threat actor can access all the VLANs on the switch. The threat actor can send and receive traffic on any VLAN, effectively hopping between VLANs.

LAN Attacks - VLAN Double-Tagging Attacks
A threat actor in specific situations could embed a hidden 802.1Q tag inside a frame that already has an 802.1Q tag.
This tag allows the frame to go to a VLAN that the original 802.1Q tag did not specify.

Step 1: The threat actor sends a double-tagged 802.1Q frame to the switch. The outer header has the VLAN tag of the threat actor, which is the same as the native VLAN of the trunk port.

Step 2: The frame arrives on the first switch, which looks at the first 4-byte 802.1Q tag. The switch sees that the frame is destined for the native VLAN. The switch forwards the frame out all native VLAN ports after stripping the VLAN tag. The frame is not retagged because it is part of the native VLAN. At this point, the inner VLAN tag is still intact and has not been inspected by the first switch.

Step 3: The frame arrives at the second switch, which has no knowledge that it was supposed to be for the native VLAN. Native VLAN traffic is not tagged by the sending switch, as specified in the 802.1Q specification. The second switch looks only at the inner 802.1Q tag that the threat actor inserted and sees that the frame is destined for the target VLAN. The second switch sends the frame on to the target or floods it, depending on whether there is an existing MAC address table entry for the target.

LAN Attacks - VLAN Double-Tagging Attacks (Cont.)
A VLAN double-tagging attack is unidirectional and works only when the attacker is connected to a port residing in the same VLAN as the native VLAN of the trunk port. The idea is that double tagging allows the attacker to send data to hosts or servers on a VLAN that otherwise would be blocked by some type of access control configuration. Presumably the return traffic will also be permitted, thus giving the attacker the ability to communicate with devices on the normally blocked VLAN.

VLAN Attack Mitigation - VLAN hopping and VLAN double-tagging attacks can be prevented by implementing the following trunk security guidelines, as discussed in a previous module:
- Disable trunking on all access ports.
- Disable auto trunking on trunk links so that trunks must be manually enabled.
- Be sure that the native VLAN is only used for trunk links.

LAN Attacks - DHCP Attacks
Two types of DHCP attacks are DHCP starvation and DHCP spoofing. Both attacks are mitigated by implementing DHCP snooping.

1. DHCP starvation attack - The goal of this attack is to create a DoS for connecting clients. DHCP starvation attacks require an attack tool such as Gobbler. Gobbler has the ability to look at the entire scope of leasable IP addresses and tries to lease them all. Specifically, it creates DHCP Discover messages with bogus MAC addresses.

2. DHCP spoofing attack - This occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients. A rogue server can provide a variety of misleading information, including the following:
◦ Wrong default gateway - The rogue server provides an invalid gateway or the IP address of its host to create a man-in-the-middle attack. This may go entirely undetected as the intruder intercepts the data flow through the network.
◦ Wrong DNS server - The rogue server provides an incorrect DNS server address, pointing the user to a nefarious website.
◦ Wrong IP address - The rogue server provides an invalid IP address, effectively creating a DoS attack on the DHCP client.

LAN Attacks - ARP Attacks
Hosts broadcast ARP Requests to determine the MAC address of a host with a given destination IP address. All hosts on the subnet receive and process the ARP Request. The host with the matching IP address in the ARP Request sends an ARP Reply. A client can also send an unsolicited ARP Reply called a "gratuitous ARP". Other hosts on the subnet store the MAC address and IP address contained in the gratuitous ARP in their ARP tables. An attacker can send a gratuitous ARP message containing a spoofed MAC address to a switch, and the switch would update its MAC table accordingly.
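The double-tagging attack and the native VLAN guideline described above, worked through on real frame bytes. This is an added example, not code from the original slides or from Cisco. It builds an Ethernet frame with two stacked 802.1Q tags and pushes it through a simplified model of two switches: an access port accepts a frame tagged with its own VLAN and strips that tag, a trunk sends the native VLAN untagged and tags everything else, and the receiving trunk treats an untagged frame as native VLAN traffic. Port names, VLAN numbers and MAC addresses are assumptions.

```python
"""802.1Q double-tagging: how the inner tag survives the first switch, and why moving
the native VLAN off the attacker's VLAN defeats it.

Added example; not code from the original slides or from Cisco. The switch behaviour
is a simplified model (see the per-function comments); VLAN numbers, MAC addresses
and the two-switch topology are assumptions.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vlans, payload):
    """Ethernet frame with zero or more stacked 802.1Q tags (outermost first)."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlans:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP/DEI bits left at 0
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def pop_outer_tag(frame):
    """Return (VLAN ID of the outer tag or None, frame with that one tag removed)."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return None, frame


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def access_port_ingress(frame, access_vlan):
    """Access port model: untagged frames belong to access_vlan; a frame tagged with
    access_vlan is accepted with that tag stripped; any other tag is dropped."""
    vid, stripped = pop_outer_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, stripped
    return None, None


def trunk_egress(vlan, frame, native_vlan):
    """802.1Q trunk: the native VLAN leaves untagged, every other VLAN gets a tag."""
    return frame if vlan == native_vlan else push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Receiving trunk: untagged frames are native VLAN traffic."""
    vid, stripped = pop_outer_tag(frame)
    return (native_vlan, frame) if vid is None else (vid, stripped)


def deliver_vlan(attacker_frame, attacker_access_vlan, native_vlan):
    """Run the attacker's frame through S1 (access port -> trunk) and S2 (trunk in).

    Returns the VLAN that S2 delivers the frame into, or None if S1 dropped it.
    """
    vlan, frame = access_port_ingress(attacker_frame, attacker_access_vlan)
    if vlan is None:
        return None
    on_wire = trunk_egress(vlan, frame, native_vlan)
    vlan_at_s2, _ = trunk_ingress(on_wire, native_vlan)
    return vlan_at_s2


def demo():
    """Attacker on VLAN 1 targets VLAN 20: native VLAN 1 (vulnerable) vs 999 (hardened)."""
    target_vlan = 20
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", [1, target_vlan], b"ping")
    vulnerable = deliver_vlan(frame, attacker_access_vlan=1, native_vlan=1)
    hardened = deliver_vlan(frame, attacker_access_vlan=1, native_vlan=999)
    return vulnerable, hardened


if __name__ == "__main__":
    print("delivered into VLAN (native=1, native=999):", demo())
```

With the native VLAN equal to the attacker's VLAN, S1 strips the outer tag and sends the frame untagged, so S2 reads the inner tag and delivers it into VLAN 20. With the native VLAN moved to an unused VLAN, S1 tags the frame with VLAN 1, S2 strips that tag and keeps the frame in VLAN 1; the hidden tag 20 is still in the payload but never acts as a VLAN tag.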
In a typical attack, a threat actor sends unsolicited ARP Replies to other hosts on the subnet with the MAC address of the threat actor and the IP address of the default gateway, effectively setting up a man-in-the-middle attack.

LAN Attacks - ARP Attacks (Cont.)
There are many tools available on the internet to create ARP man-in-the-middle attacks. IPv6 uses the ICMPv6 Neighbor Discovery Protocol for Layer 2 address resolution. IPv6 includes strategies to mitigate Neighbor Advertisement spoofing, the IPv6 counterpart of a spoofed ARP Reply. ARP spoofing and ARP poisoning are mitigated by implementing Dynamic ARP Inspection (DAI).

LAN Attacks - Address Spoofing Attacks
IP address spoofing is when a threat actor hijacks a valid IP address of another device on the subnet or uses a random IP address. IP address spoofing is difficult to mitigate, especially when it is used inside the subnet to which the IP address belongs.

MAC address spoofing attacks occur when the threat actors alter the MAC address of their host to match another known MAC address of a target host. The switch overwrites the current MAC table entry and assigns the MAC address to the new port. It then inadvertently forwards frames destined for the target host to the attacking host.

When the target host sends traffic, the switch will correct the error, realigning the MAC address to the original port. To stop the switch from returning the port assignment to its correct state, the threat actor can create a program or script that will constantly send frames to the switch so that the switch maintains the incorrect or spoofed information. There is no security mechanism at Layer 2 that allows a switch to verify the source of MAC addresses, which is what makes it so vulnerable to spoofing. IP and MAC address spoofing can be mitigated by implementing IP Source Guard (IPSG).
LAN Attacks - STP Attack
Network attackers can manipulate the Spanning Tree Protocol (STP) to conduct an attack by spoofing the root bridge and changing the topology of a network. Attackers can then capture all traffic for the immediate switched domain. To conduct an STP manipulation attack, the attacking host broadcasts STP bridge protocol data units (BPDUs) containing configuration and topology changes that will force spanning-tree recalculations. The BPDUs sent by the attacking host announce a lower bridge priority in an attempt to be elected as the root bridge. This STP attack is mitigated by implementing BPDU Guard on all access ports. BPDU Guard is discussed in more detail later in the course.

LAN Attacks - CDP Reconnaissance
The Cisco Discovery Protocol (CDP) is a proprietary Layer 2 link discovery protocol. It is enabled on all Cisco devices by default. Network administrators also use CDP to help configure and troubleshoot network devices. CDP information is sent out CDP-enabled ports in periodic, unencrypted, unauthenticated multicast frames that every neighbor on the link receives. CDP information includes the IP address of the device, IOS software version, platform, capabilities, and the native VLAN. The device receiving the CDP message updates its CDP database.

To mitigate the exploitation of CDP, limit the use of CDP on devices or ports. For example, disable CDP on edge ports that connect to untrusted devices. To disable CDP globally on a device, use the no cdp run global configuration mode command. To enable CDP globally, use the cdp run global configuration command. To disable CDP on a port, use the no cdp enable interface configuration command. To enable CDP on a port, use the cdp enable interface configuration command.

Note: Link Layer Discovery Protocol (LLDP) is also vulnerable to reconnaissance attacks. Configure no lldp run to disable LLDP globally. To disable LLDP on an interface, configure no lldp transmit and no lldp receive.
3.x ATTACK MITIGATION

Layer 2 Security Threats - Switch Attack Mitigation Techniques

Solution                      Description
Port Security                 Prevents many types of attacks, including MAC address flooding attacks and DHCP starvation attacks.
DHCP Snooping                 Prevents DHCP starvation and DHCP spoofing attacks.
Dynamic ARP Inspection (DAI)  Prevents ARP spoofing and ARP poisoning attacks.
IP Source Guard (IPSG)        Prevents MAC and IP address spoofing attacks.

These Layer 2 solutions will not be effective if the management protocols are not secured. The following strategies are recommended:
- Always use secure variants of management protocols such as SSH, Secure Copy Protocol (SCP), Secure FTP (SFTP), and Secure Sockets Layer/Transport Layer Security (SSL/TLS).
- Consider using an out-of-band management network to manage devices.
- Use a dedicated management VLAN where nothing but management traffic resides.
- Use ACLs to filter unwanted access.

3.3 Port Security

Implement Port Security - Secure Unused Ports
Layer 2 attacks are some of the easiest for hackers to deploy, but these threats can also be mitigated with some common Layer 2 solutions. All switch ports (interfaces) should be secured before the switch is deployed for production use. How a port is secured depends on its function.

A simple method that many administrators use to help secure the network from unauthorized access is to disable all unused ports on a switch. Navigate to each unused port and issue the Cisco IOS shutdown command. If a port must be reactivated at a later time, it can be enabled with the no shutdown command. To configure a range of ports, use the interface range command:

Switch(config)# interface range type module/first-number – last-number

Implement Port Security - Mitigate MAC Address Table Attacks
The simplest and most effective method to prevent MAC address table overflow attacks is to enable port security.
Port security limits the number of valid MAC addresses allowed on a port. It allows an administrator to manually configure MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses. When a port configured with port security receives a frame, the source MAC address of the frame is compared to the list of secure source MAC addresses that were manually configured or dynamically learned on the port. By limiting the number of permitted MAC addresses on a port to one, port security can be used to control unauthorized access to the network.

Implement Port Security - Enable Port Security
Port security is enabled with the switchport port-security interface configuration command. Notice in the example that the switchport port-security command was rejected. This is because port security can only be configured on manually configured access ports or manually configured trunk ports. By default, Layer 2 switch ports are set to dynamic auto (trunking on). Therefore, in the example, the port is first configured with the switchport mode access interface configuration command.

Note: Trunk port security is beyond the scope of this course.

Use the show port-security interface command to display the current port security settings for FastEthernet 0/1. Notice how port security is enabled, the violation mode is shutdown, and the maximum number of MAC addresses is 1. If a device is connected to the port, the switch will automatically add the device's MAC address as a secure MAC. In this example, no device is connected to the port.

Note: If an active port is configured with the switchport port-security command and more than one device is connected to that port, the port will transition to the error-disabled state.

After port security is enabled, other port security specifics can be configured, as shown in the example.
Implement Port Security - Limit and Learn MAC Addresses
To set the maximum number of MAC addresses allowed on a port, use the following command:

Switch(config-if)# switchport port-security maximum value

The default port security value is 1. The maximum number of secure MAC addresses that can be configured depends on the switch and the IOS. In this example, the maximum is 8192.

The switch can be configured to learn MAC addresses on a secure port in one of three ways:

1. Manually configured: The administrator manually configures static MAC address(es) by using the following command for each secure MAC address on the port:

Switch(config-if)# switchport port-security mac-address mac-address

2. Dynamically learned: When the switchport port-security command is entered, the current source MAC for the device connected to the port is automatically secured but is not added to the running configuration. If the switch is rebooted, the port will have to re-learn the device's MAC address.

3. Dynamically learned - sticky: The administrator can enable the switch to dynamically learn the MAC address and "stick" it to the running configuration by using the following command:

Switch(config-if)# switchport port-security mac-address sticky

Saving the running configuration will commit the dynamically learned MAC addresses to NVRAM.

The example demonstrates a complete port security configuration for FastEthernet 0/1. The administrator specifies a maximum of 4 MAC addresses, manually configures one secure MAC address, and then configures the port to dynamically learn additional secure MAC addresses up to the 4 secure MAC address maximum. Use the show port-security interface and the show port-security address commands to verify the configuration.
Implement Port Security - Port Security Aging
Port security aging can be used to set the aging time for static and dynamic secure addresses on a port. Two types of aging are supported per port:
- Absolute - The secure addresses on the port are deleted after the specified aging time.
- Inactivity - The secure addresses on the port are deleted if they are inactive for a specified time.

Use aging to remove secure MAC addresses on a secure port without manually deleting the existing secure MAC addresses. Aging of statically configured secure addresses can be enabled or disabled on a per-port basis. Use the switchport port-security aging command to enable or disable static aging for the secure port, or to set the aging time or type:

Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}

The example shows an administrator configuring the aging type to 10 minutes of inactivity. The show port-security interface command confirms the changes.

Implement Port Security - Port Security Violation Modes
If the MAC address of a device attached to a port differs from the list of secure addresses, then a port violation occurs and the port enters the error-disabled state. To set the port security violation mode, use the following command:

Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}

The following table shows how a switch reacts based on the configured violation mode.

Mode                Description
shutdown (default)  The port transitions to the error-disabled state immediately, turns off the port LED, and sends a syslog message. It increments the violation counter. When a secure port is in the error-disabled state, an administrator must re-enable it by entering the shutdown and no shutdown commands.
restrict            The port drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. This mode causes the Security Violation counter to increment and generates a syslog message.
protect             This is the least secure of the security violation modes. The port drops packets with unknown MAC source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. No syslog message is sent.

The example shows an administrator changing the security violation mode to "restrict". The output of the show port-security interface command confirms that the change has been made.

Implement Port Security - Ports in error-disabled State
When a port is shut down and placed in the error-disabled state, no traffic is sent or received on that port. A series of port security related messages display on the console, as shown in the following example.

Note: The port protocol and link status are changed to down and the port LED is turned off.

In the example, the show interface command identifies the port status as err-disabled. The output of the show port-security interface command now shows the port status as secure-shutdown. The Security Violation counter increments by 1. The administrator should determine what caused the security violation. If an unauthorized device is connected to a secure port, the security threat is eliminated before re-enabling the port. To re-enable the port, first use the shutdown command, then use the no shutdown command.

Implement Port Security - Verify Port Security
After configuring port security on a switch, check each interface to verify that port security is set correctly, and check to ensure that the static MAC addresses have been configured correctly.
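Before the verification commands, the violation-mode table above and the static/dynamic/sticky learning options worked through in code. This is an added example, not code from the original slides or from Cisco: a single-port model that tracks the secure MAC list, the Security Violation counter, a status mirroring secure-up/secure-shutdown, and a list standing in for syslog. The log strings imitate the IOS message format but are constructed here; the port name and MAC addresses are assumptions.

```python
"""Port security violation modes and secure-MAC learning on a single access port.

Added example; not code from the original slides or from Cisco. SecurePort is a
simplified model: secure MACs (static, dynamic, or sticky), a violation counter, a
port status and a syslog stand-in. Log text imitates the IOS format but is built
here; the port name and MAC addresses are made up.
"""


class SecurePort:
    MODES = ("shutdown", "restrict", "protect")

    def __init__(self, name, maximum=1, violation="shutdown", sticky=False, static=()):
        if violation not in self.MODES:
            raise ValueError(f"unknown violation mode {violation!r}")
        self.name = name
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure = set(static)                 # static + dynamically learned secure MACs
        self.running_config = [f"switchport port-security mac-address {m}" for m in static]
        self.violation_count = 0
        self.status = "secure-up"
        self.syslog = []

    def ingress(self, src_mac):
        """Return True if a frame with this source MAC is accepted, False if dropped."""
        if self.status == "secure-shutdown":
            return False                          # err-disabled: nothing passes
        if src_mac in self.secure:
            return True
        if len(self.secure) < self.maximum:       # room left: learn dynamically
            self.secure.add(src_mac)
            if self.sticky:                       # sticky: learned MAC goes into running-config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return True
        # Unknown MAC beyond the maximum: a security violation.
        if self.violation == "protect":
            return False                          # dropped silently, no counter, no log
        self.violation_count += 1
        self.syslog.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.status = "secure-shutdown"
            self.syslog.append(
                f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}, "
                f"putting {self.name} in err-disable state")
        return False

    def recover(self):
        """Administrator's shutdown / no shutdown on an err-disabled port."""
        self.status = "secure-up"


def simulate(violation, frames=("0011.aaaa.0001", "0011.bbbb.0002",
                                "0011.cccc.0003", "0011.aaaa.0001")):
    """Send four frames from three MACs through a maximum-1 port in the given mode.

    Returns (accepted flags, violation counter, syslog line count, port status).
    """
    port = SecurePort("Fa0/1", maximum=1, violation=violation)
    accepted = [port.ingress(m) for m in frames]
    return accepted, port.violation_count, len(port.syslog), port.status


def sticky_config():
    """One static secure MAC plus one sticky-learned MAC, as they would show in show run."""
    port = SecurePort("Fa0/1", maximum=2, sticky=True, static=("0011.2233.4455",))
    port.ingress("0011.aaaa.0001")   # first unknown MAC is learned and stuck to the config
    port.ingress("0011.bbbb.0002")   # a third MAC exceeds the maximum: shutdown violation
    return port.running_config, port.status


if __name__ == "__main__":
    for mode in SecurePort.MODES:
        print(mode, simulate(mode))
    print(sticky_config())
```

Note how protect and restrict accept the same frames (the legitimate MAC keeps working, the unknown ones are dropped) and differ only in whether the counter and syslog record the event, while shutdown blocks even the legitimate MAC until the administrator recovers the port.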
To display port security settings for the switch, use the show port-security command. The example indicates that all 24 interfaces are configured with the switchport port-security command because the maximum allowed is 1 and the violation mode is shutdown. No devices are connected; therefore, the CurrentAddr (Count) is 0 for each interface.

Use the show port-security interface command to view details for a specific interface, as shown previously and in this example.

To verify that MAC addresses are "sticking" to the configuration, use the show run command, as shown in the example for FastEthernet 0/19.

To display all secure MAC addresses that are manually configured or dynamically learned on all switch interfaces, use the show port-security address command, as shown in the example.

Mitigate VLAN Attacks

Mitigate VLAN Attacks - VLAN Attacks Review
A VLAN hopping attack can be launched in one of three ways:
1. Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode. From here, the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the destination.
2. Introducing a rogue switch and enabling trunking. The attacker can then access all the VLANs on the victim switch from the rogue switch.
3. A double-tagging (or double-encapsulated) attack. This attack takes advantage of the way hardware on most switches operates.

Mitigate VLAN Attacks - Steps to Mitigate VLAN Hopping Attacks
Use the following steps to mitigate VLAN hopping attacks:
Step 1: Disable DTP (auto trunking) negotiations on non-trunking ports by using the switchport mode access interface configuration command.
Step 2: Disable unused ports and put them in an unused VLAN.
Step 3: Manually enable the trunk link on a trunking port by using the switchport mode trunk command.
Step 4: Disable DTP (auto trunking) negotiations on trunking ports by using the switchport nonegotiate command.
Step 5: Set the native VLAN to a VLAN other than VLAN 1 by using the switchport trunk native vlan vlan_number command.

Mitigate DHCP Attacks

Mitigate DHCP Attacks: DHCP Attack Review
The goal of a DHCP starvation attack is to use an attack tool such as Gobbler to create a Denial of Service (DoS) for connecting clients. Recall that DHCP starvation attacks can be effectively mitigated by using port security because Gobbler uses a unique source MAC address for each DHCP request sent. However, mitigating DHCP spoofing attacks requires more protection. Gobbler could be configured to use the actual interface MAC address as the source Ethernet address, but specify a different Ethernet address in the DHCP payload. This would render port security ineffective because the source MAC address would be legitimate. DHCP spoofing attacks can be mitigated by using DHCP snooping on trusted ports.

Mitigate DHCP Attacks: DHCP Snooping
DHCP snooping filters DHCP messages and rate-limits DHCP traffic on untrusted ports. Devices under administrative control (e.g., switches, routers, and servers) are trusted sources. Trusted interfaces (e.g., trunk links, server ports) must be explicitly configured as trusted. Devices outside the network and all access ports are generally treated as untrusted sources. A DHCP table is built that includes the source MAC address of a device on an untrusted port and the IP address assigned by the DHCP server to that device. The MAC address and IP address are bound together. Therefore, this table is called the DHCP snooping binding table.
Mitigate DHCP Attacks: Steps to Implement DHCP Snooping
Use the following steps to enable DHCP snooping:
Step 1. Enable DHCP snooping by using the ip dhcp snooping global configuration command.
Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration command.
Step 3. On untrusted interfaces, limit the number of DHCP discovery messages that can be received by using the ip dhcp snooping limit rate packets-per-second interface configuration command.
Step 4. Enable DHCP snooping by VLAN, or by a range of VLANs, by using the ip dhcp snooping vlan global configuration command.

Mitigate DHCP Attacks: DHCP Snooping Configuration Example
Refer to the DHCP snooping sample topology with trusted and untrusted ports. DHCP snooping is first enabled on S1. The upstream interface to the DHCP server is explicitly trusted. F0/5 to F0/24 are untrusted and are, therefore, rate limited to six packets per second. Finally, DHCP snooping is enabled on VLANs 5, 10, 50, 51, and 52.

Mitigate DHCP Attacks: DHCP Snooping Configuration Example (Cont.)
Use the show ip dhcp snooping privileged EXEC command to verify DHCP snooping settings. Use the show ip dhcp snooping binding command to view the clients that have received DHCP information.
Note: DHCP snooping is also required by Dynamic ARP Inspection (DAI).

Mitigate ARP Attacks

Mitigate ARP Attacks: Dynamic ARP Inspection
In a typical ARP attack, a threat actor can send unsolicited ARP replies to other hosts on the subnet with the MAC address of the threat actor and the IP address of the default gateway. To prevent ARP spoofing and the resulting ARP poisoning, a switch must ensure that only valid ARP Requests and Replies are relayed. Dynamic ARP inspection (DAI) requires DHCP snooping and helps prevent ARP attacks by:
Not relaying invalid or gratuitous ARP Replies out to other ports in the same VLAN.
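The five VLAN hopping mitigation steps (Steps 1 to 5 in the VLAN section above) and the four DHCP snooping steps just listed are applied below to a single switch, S1, following the DHCP snooping sample topology described in the text: the upstream interface to the DHCP server trusted, F0/5 to F0/24 untrusted and rate limited to six packets per second, and snooping enabled on VLANs 5, 10, 50, 51 and 52. This is an added example, not the slide's own configuration figure. Assumptions not stated in the text: FastEthernet0/1 is the uplink trunk toward the router and DHCP server, F0/5 to F0/20 are user ports in VLAN 10, F0/21 to F0/24 are unused, VLAN 86 is the parking VLAN for unused ports and VLAN 999 is the native VLAN; F0/2 to F0/4 are left as they were.

```cisco
! Added example, not from the original slides. Interface roles and VLANs
! 86 / 999 are assumptions; rate limit and snooped VLANs follow the text.
S1(config)# vlan 86
S1(config-vlan)# name UNUSED_PORTS
S1(config-vlan)# vlan 999
S1(config-vlan)# name NATIVE_VLAN
S1(config-vlan)# exit
! VLAN hopping Step 1: user ports are static access ports, so DTP never
! negotiates a trunk with a spoofing host.
S1(config)# interface range FastEthernet0/5 - 20
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 10
S1(config-if-range)# exit
! Step 2: unused ports are parked in an unused VLAN and shut down.
S1(config)# interface range FastEthernet0/21 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 86
S1(config-if-range)# shutdown
S1(config-if-range)# exit
! Steps 3 to 5: the real uplink is a static trunk, does not negotiate,
! and its native VLAN is not VLAN 1 (defeats double tagging).
S1(config)# interface FastEthernet0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport nonegotiate
S1(config-if)# switchport trunk native vlan 999
S1(config-if)# exit
! DHCP snooping Step 1: enable it globally.
S1(config)# ip dhcp snooping
! Step 2: only the uplink toward the DHCP server may carry server replies.
S1(config)# interface FastEthernet0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
! Step 3: untrusted client ports are limited to six DHCP packets per second.
S1(config)# interface range FastEthernet0/5 - 24
S1(config-if-range)# ip dhcp snooping limit rate 6
S1(config-if-range)# exit
! Step 4: snoop the VLANs named in the text (a list and a range are accepted).
S1(config)# ip dhcp snooping vlan 5,10,50-52
S1(config)# end
! Verification
S1# show ip dhcp snooping
S1# show ip dhcp snooping binding
S1# show interfaces trunk
```

Order matters on the uplink: configure the trust before enabling snooping on the VLANs, because once snooping is active on a VLAN, DHCP OFFER and ACK messages arriving on a port that is still untrusted are dropped, and clients on that VLAN lose their leases. The binding table shown by show ip dhcp snooping binding is what DAI consults in the next section.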
Intercepting all ARP Requests and Replies on untrusted ports.
Verifying each intercepted packet for a valid IP-to-MAC binding.
Dropping and logging ARP Replies coming from invalid bindings to prevent ARP poisoning.
Error-disabling the interface if the configured DAI number of ARP packets is exceeded.

Mitigate ARP Attacks: DAI Implementation Guidelines
To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI implementation guidelines:
Enable DHCP snooping globally.
Enable DHCP snooping on selected VLANs.
Enable DAI on selected VLANs.
Configure trusted interfaces for DHCP snooping and ARP inspection.
It is generally advisable to configure all access switch ports as untrusted and to configure all uplink ports that are connected to other switches as trusted.

Mitigate ARP Attacks: DAI Configuration Example
In the previous topology, S1 is connecting two users on VLAN 10. DAI will be configured to mitigate against ARP spoofing and ARP poisoning attacks. DHCP snooping is enabled because DAI requires the DHCP snooping binding table to operate. Next, DHCP snooping and ARP inspection are enabled for the PCs on VLAN 10. The uplink port to the router is trusted, and therefore, is configured as trusted for DHCP snooping and ARP inspection.

Mitigate ARP Attacks: DAI Configuration Example (Cont.)
DAI can also be configured to check both the destination or source MAC addresses and the IP addresses:
Destination MAC - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
Source MAC - Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
IP address - Checks the ARP body for invalid and unexpected IP addresses, including 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

Mitigate ARP Attacks: DAI Configuration Example (Cont.)
The ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command is used to configure DAI to drop ARP packets when the IP addresses are invalid. It can also be used to drop ARP packets when the MAC addresses in the body of the ARP packet do not match the addresses that are specified in the Ethernet header. Notice in the following example how only one such command can be configured. Therefore, entering multiple ip arp inspection validate commands overwrites the previous command. To include more than one validation method, enter them on the same command line as shown in the output.

Mitigate STP Attacks

Mitigate STP Attacks: PortFast and BPDU Guard
Recall that network attackers can manipulate the Spanning Tree Protocol (STP) to conduct an attack by spoofing the root bridge and changing the topology of a network. To mitigate STP attacks, use PortFast and Bridge Protocol Data Unit (BPDU) Guard:
PortFast - PortFast immediately brings a port to the forwarding state from a blocking state, bypassing the listening and learning states. Apply it to all end-user access ports.
BPDU Guard - BPDU Guard immediately error-disables a port that receives a BPDU. Like PortFast, BPDU Guard should only be configured on interfaces attached to end devices.

Mitigate STP Attacks: Configure PortFast
PortFast bypasses the STP listening and learning states to minimize the time that access ports must wait for STP to converge. Only enable PortFast on access ports. PortFast on inter-switch links can create a spanning-tree loop.

Mitigate STP Attacks: Configure PortFast
PortFast can be enabled:
On an interface – Use the spanning-tree portfast interface configuration command.
Globally – Use the spanning-tree portfast default global configuration command to enable PortFast on all access ports.

Mitigate STP Attacks: Configure PortFast (Cont.)
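The DAI configuration example for S1 and VLAN 10 described above, written out as an added example rather than the slide's own figure, including the overwrite behaviour of ip arp inspection validate that the text points out. The uplink interface name FastEthernet0/24 and the use of automatic err-disable recovery for the arp-inspection cause are assumptions; the commands are standard Cisco IOS.

```cisco
! Added example, not from the original slides. Fa0/24 as the router uplink
! and the recovery settings are assumptions.
! DAI needs the DHCP snooping binding table, so snooping comes first.
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
! Enable DAI for the VLAN that carries the two PCs. Access ports are
! untrusted by default, so their ARP traffic is checked against the table.
S1(config)# ip arp inspection vlan 10
! The uplink to the router is trusted for both features.
S1(config)# interface FastEthernet0/24
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust
S1(config-if)# exit
! Wrong: the second command REPLACES the first, leaving only dst-mac and ip
! checks in the running configuration.
S1(config)# ip arp inspection validate src-mac
S1(config)# ip arp inspection validate dst-mac ip
! Right: all wanted checks on one line (Ethernet src vs ARP sender MAC,
! Ethernet dst vs ARP target MAC, and bogus IPs such as 0.0.0.0, broadcast
! and multicast in the ARP body).
S1(config)# ip arp inspection validate src-mac dst-mac ip
! A host that exceeds the DAI rate limit puts its port in err-disabled;
! let the switch recover it after the interval instead of a manual bounce.
S1(config)# errdisable recovery cause arp-inspection
S1(config)# end
! Verification: exactly one validate line should remain, and the uplink
! should show as Trusted while the access ports show as Untrusted.
S1# show running-config | include arp inspection
S1# show ip arp inspection vlan 10
S1# show ip arp inspection interfaces
S1# show ip arp inspection statistics vlan 10
```

The statistics output is the operational signal: a rising count of dropped or DHCP-permit failures on an access port, rather than on the trusted uplink, is what an ARP spoofing attempt from a connected host looks like once DAI is in place.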
To verify whether PortFast is enabled globally, you can use either the show running-config | begin span command or the show spanning-tree summary command. To verify whether PortFast is enabled on an interface, use the show running-config interface type/number command. The show spanning-tree interface type/number detail command can also be used for verification.

Mitigate STP Attacks: Configure BPDU Guard
An access port could receive unexpected BPDUs accidentally or because a user connected an unauthorized switch to the access port. If a BPDU is received on a BPDU Guard enabled access port, the port is put into the error-disabled state. This means the port is shut down and must be manually re-enabled or automatically recovered through the errdisable recovery cause psecure_violation global command.

Mitigate STP Attacks: Configure BPDU Guard
BPDU Guard can be enabled:
On an interface – Use the spanning-tree bpduguard enable interface configuration command.
Globally – Use the spanning-tree portfast bpduguard default global configuration command to enable BPDU Guard on all access ports.
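The PortFast and BPDU Guard procedure above, as an added example that is not part of the original slides: both the per-interface and the global forms, automatic recovery of a port that BPDU Guard has err-disabled, and the verification commands the text lists. The interface range FastEthernet0/1 - 20 and the 60-second recovery interval are assumptions. The example uses errdisable recovery cause bpduguard, which is the recovery cause IOS associates with BPDU Guard; psecure-violation is the cause for port-security violations.

```cisco
! Added example, not from the original slides. Fa0/1-20 as end-user access
! ports and the 60 s interval are assumptions.
! Per-interface form: only on ports that face end devices, never on
! inter-switch links, where PortFast can create a loop.
S1(config)# interface range FastEthernet0/1 - 20
S1(config-if-range)# switchport mode access
S1(config-if-range)# spanning-tree portfast
S1(config-if-range)# spanning-tree bpduguard enable
S1(config-if-range)# exit
! Global form: applies to every port operating in access mode; trunk
! ports are not affected, so uplinks keep normal STP behaviour.
S1(config)# spanning-tree portfast default
S1(config)# spanning-tree portfast bpduguard default
! A BPDU on a guarded port (e.g. a user plugging in a switch) err-disables
! it. Recover automatically after 60 s; the port goes down again if the
! rogue switch is still attached, which is itself a useful signal.
S1(config)# errdisable recovery cause bpduguard
S1(config)# errdisable recovery interval 60
S1(config)# end
! Verification (the commands named in the text, plus the recovery state)
S1# show running-config | begin span
S1# show spanning-tree summary
S1# show running-config interface FastEthernet0/1
S1# show spanning-tree interface FastEthernet0/1 detail
S1# show errdisable recovery
```

In show spanning-tree summary, the lines Portfast Default and PortFast BPDU Guard Default confirm the global settings, and the per-interface detail output states "The port is in the portfast mode" and "Bpdu guard is enabled" for a port covered by either form.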
