1 / 15

Securing Layer 2 Access

Securing Layer 2 Access. Mitigating Layer 2 Attacks. Layer 2 Security Issues. Campus access devices and Layer 2 communication are left largely unconsidered in most security discussions, and there is lack of security at this layer.

norman
Download Presentation

Securing Layer 2 Access

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Securing Layer 2 Access Mitigating Layer 2 Attacks

  2. Layer 2 Security Issues • Campus access devices and Layer 2 communication are left largely unconsidered in most security discussions, and there is lack of security at this layer. • Many security features are available for switches and routers, but they must be enabled to be effective. • However, as with access control lists (ACL) for upper-layer security, a policy must be established and appropriate features configured to protect against potential malicious acts while maintaining daily network operations.

  3. Security Infrastructure Services • Use private VLANs, IPS, logging and ACLs Server Farm • Do not perform security operations – increases performance Core • Use ACLs to provide security and filtering. Distribution • Use switchport security to control access to the network. Access

  4. Layer 2 Malicious Attacks • Layer 2 malicious attacks are typically launched by a device connected to the campus network. This can be a physical rogue device placed on the network or an external intrusion that takes control of and launches attacks from a trusted device. • In either case, the network sees all traffic as originating from a legitimate connected device. • The following lists the types of attacks launched against switches and Layer 2: • MAC layer attacks (e.g. MAC address flooding). • VLAN attacks (e.g. VLAN hopping). • Spoof attacks (e.g. DHCP, MAC & ARP spoofing). • Switch device attacks (e.g. CDP manipulation, Telnet attacks).    

  5. MAC Flood Attack • To mitigate against MAC flooding, port security is configured to define the number of MAC addresses that are allowed on a given port. • Port security can also specify which MAC address is allowed on a given port.

  6. Switch Configuration – Port Security • To limit the number of addresses that can be learned on an interface switches provide a feature called port security. • The number of MAC addresses per port can be limited to 1. • Secure addresses can be assigned statically or dynamically learned by the switch. S1(config)#interface fa0/1 S1(config-if)# switchport port-security ? aging Port-security aging commands mac-address secure mac address maximum max secure addrs violation security violation mode

  7. Switch Configuration – Port Security • Static secure MAC addresses: MAC addresses are manually configured by using the switchport port-security mac-address interface configuration command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch. • Dynamic secure MAC addresses: MAC addresses are dynamically learned and stored only in the address table. MAC addresses configured in this way are removed when the switch restarts. • Sticky secure MAC addresses: You can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration.

  8. Port Security: Violation Switch(config-if)#switchport port-security violation {protect | restrict | shutdown} By default, if the maximum number of connections is achieved and a new MAC address attempts to access the port, the switch must take one of the following actions: • Protect:Frames from the non-allowed address are dropped, but there is no log of the violation. The protect argument is platform or version dependent. • Restrict: Frames from the non-allowed address are dropped, a log message is created and Simple Network Management Protocol (SNMP) trap sent. • Shut down: If any frames are seen from a non-allowed address, the interface is errdisabled, a log entry is made, SNMP trap sent and manual intervention (no shutdown) or errdisable recovery must be used to make the interface usable. Port LED is switched off.

  9. Switch Configuration – Port Security Server DLS1 PC1 Fa0/1 Fa0/2 DLS1(config)# interface FastEthernet 0/1 DLS1(config-if)# switchport DLS1(config-if)# switchport mode access DLS1(config-if)# switchport port-security DLS1(config-if)# switchport port-security mac-address 0000.0000.0008 DLS1(config-if)# switchport port-security maximum 1 DLS1(config-if)# switchport port-security aging static DLS1(config-if)# switchport port-security violation restrict DLS1(config-if)# switchport block unicast DLS1(config)# interface FastEthernet 0/2 DLS1(config-if)# switchport DLS1(config-if)# switchport mode access DLS1(config-if)# switchport port-security DLS1(config-if)# switchport port-security mac-address sticky DLS1(config-if)# switchport port-security maximum 2 DLS1(config-if)# switchport port-security aging static DLS1(config-if)# switchport port-security violation shutdown

  10. Verify Port Security DLS1# show running-config fastethernet 0/2 interface FastEthernet0/1 switchport access vlan 2 switchport mode access switchport port-security maximum 2 switchport port-security switchport port-security violation shutdown switchport port-security mac-address sticky switchport port-security mac-address sticky 001b.d513.2ad2 DLS1# show port-security address Secure Mac Address Table ------------------------------------------------------------------------ Vlan Mac Address Type Ports Remaining Age (mins) ---- ----------- --- ----- ------------- 2 001b.d513.2ad2 SecureSticky Fa0/2 -

  11. VLAN Hopping – Switch Spoofing Trunk Attacker 802.1q Native VLAN 1 VLANS 10 & 20 Trunk VLAN 20 VLAN 20 802.1q Native VLAN 1 S1 S2 VLAN 20 VLAN 10 • In a switch spoofing attack, the network attacker configures a system to spoof itself as a switch by performing Inter-Switch Link (ISL) or 802.1Q trunking, along with DTP negotiations, to establish a trunk connection to the switch. • By default, a trunk connection provides an attacker with access to all VLANs in the network.

  12. Data VLAN20 VLAN10 Data VLAN20 VLAN Hopping – Double Tagging Data Access Port Trunk VLAN 10 VLAN 10 802.1q Native VLAN 10 S1 S2 VLAN 20 VLAN 10 • Attacker sends a double-tagged broadcast packet into the local access-LAN. • Switch 1 forwards this across the trunk, removing the first tag, as it matches the native VLAN. • Switch 2 receives the packet, and forwards it into VLAN 20.

  13. Mitigating VLAN Hopping • Switch Spoofing: • Configure all unused ports as access ports so that trunking cannot be negotiated across those links. • Place all unused ports in the shutdown state and associate with a VLAN designated only for unused ports, carrying no user data traffic. • Switch Spoofing: • Configure the native VLAN with an unused VLAN, which can then be pruned off the trunk: • S1(conf)#vlan 800 • S1(conf-vlan)# name bogus_native • S1(conf)#int fa0/1 • S1(conf-if)#switchport trunk encap dot1q • S1(conf-if)#switchport trunk native vlan 800 • S1(conf-if)#switchport trunk allowed vlan remove 800 • S1(conf-if)# Switchport mode trunk

  14. VLAN Access Control Lists • Router access control list (RACL): Applied to Layer 3 interfaces such as SVI or L3 routed ports. It controls the access of routed traffic between VLANs. RACLs are applied on interfaces for specific directions (inbound or outbound). You can apply one access list in each direction. • Port access control list (PACL): Applied on a Layer 2 switch port, trunk port, or EtherChannel port. PACLs perform access control on traffic entering a Layer 2 interface. With PACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. When you apply a PACL to a trunk port, it filters traffic on all VLANs present on the trunk port. • VLAN access control list (VACL): Supported in software on Cisco multilayer switches. Filtering based on Layer 2 or Layer 3 parameters within a VLAN. Unlike RACLs, VACLs are not defined by direction (input or output).

  15. VACL Configuration DLS1 Host 2 192.168.20.20/24 VLAN 20 Deny all traffic from VLAN 20 reaching the VLAN 10 server Server 192.168.10.10/24 VLAN 10 Host 1 192.168.10.20/24 VLAN 10 1.Create ACL to define traffic to block: DLS1(config)#ip access-list extended DENY_SERVER DLS1(conf-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 host 192.168.10.10 2. Create VLAN map to block and forward traffic: DLS1(config)# vlan access-map DENY_MAP 10 DLS1(config-access-map)#match ip address DENY_SERVER DLS1(config-access-map)#action drop DLS1(config-access-map)#exit DLS1(config)#vlan access-map DENY_MAP 20 DLS1(config-access-map)#action forward 3. Apply VLAN map to VLAN 10 DLS1(config)#vlan filter DENY_MAP vlan-list 10

More Related