06- Securing the Local Area Network


  • 7/30/2019 06- Securing the Local Area Network

    1/22

    2009 Cisco Learning Institute.

    06- Securing the Local Area Network

    Ahmed Sultan

    CCNA | CCNA Security | CCNP Security | JNCIA-Junos | CEH

  • 2/22

    Layer 2 Security

    [Figure: network diagram with the Internet outside, the Perimeter (Firewall, IPS, VPN, ACS), the Web Server, Email Server and DNS, and the internal Hosts]

  • 3/22

    OSI Model

    When it comes to networking, Layer 2 is often a very weak link.

    [Figure: two OSI stacks (Physical, Data Link, Network, Transport, Session, Presentation, Application) with what each layer carries (Physical Links, MAC Addresses, IP Addresses, Protocols and Ports, Application Stream). An "Initial Compromise" at the Data Link layer is shown with every layer above it marked "Compromised".]

  • 4/22

    MAC Address Spoofing Attack

    The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case, AABBcc.

    [Figure: a switch with the host, MAC address AABBcc, on Port 1 and the attacker, MAC address 12AbDd, on Port 2. Switch: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."]

  • 5/22

    MAC Address Spoofing Attack

    [Figure: the attacker on Port 2 now also presents MAC address AABBcc. Attacker: "I have changed the MAC address on my computer to match the server." Switch: "The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly."]

  • 6/22

    MAC Address Table Overflow Attack

    The switch can forward frames between PC1 and PC2 without flooding because the MAC address table already contains the port-to-MAC-address mappings for these PCs.

  • 7/22

    MAC Address Table Overflow Attack

    [Figure: hosts A, B, C and D on VLAN 10, with the intruder on port 3/25. The callouts, in order:
    1. Intruder runs macof to begin sending unknown bogus MAC addresses.
    2. Bogus addresses (X, Y, Z, all on port 3/25) are added to the CAM table. CAM table is full.
    3. The switch floods the frames.
    4. Attacker sees traffic to servers B and D.]

  • 8/22

    MAC ADDRESS TABLE OVERFLOW ATTACK

    LAB

  • 9/22

    STP Manipulation Attack

    Spanning tree protocol operates by electing a root bridge. STP builds a tree topology. STP manipulation changes the topology of a network: the attacking host appears to be the root bridge.

    [Figure: three switches with Forwarding (F) and Blocking (B) ports; Root Bridge with Priority = 8192 and MAC Address = 0000.00C0.1234]

  • 10/22

    Configure PortFast

    Command Description

    Switch(config-if)# spanning-tree portfast
      Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.

    Switch(config-if)# no spanning-tree portfast
      Disables PortFast on a Layer 2 access port. PortFast is disabled by default.

    Switch(config)# spanning-tree portfast default
      Globally enables the PortFast feature on all nontrunking ports.

    Switch# show running-config interface type slot/port
      Indicates whether PortFast has been configured on a port.

    [Figure: PortFast configured on the switch ports connecting a Server and a Workstation]

  • 11/22

    STP Manipulation Attack

    The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.

    [Figure: the Root Bridge (Priority = 8192) and switches with Forwarding (F) and Blocking (B) ports; the attacker injects BPDUs into the tree]

  • 12/22

    BPDU Guard

    Switch(config)# spanning-tree portfast bpduguard default
      Globally enables BPDU guard on all ports with PortFast enabled

    [Figure: Root Bridge and switches with Forwarding (F) and Blocking (B) ports; the attacker's STP BPDU arrives on a port with BPDU Guard enabled]

  • 13/22

    Root Guard

    Switch(config-if)# spanning-tree guard root
      Enables root guard on a per-interface basis

    [Figure: Root Bridge with Priority = 0 and MAC Address = 0000.0c45.1a5d; the attacker sends an STP BPDU with Priority = 0 and MAC Address = 0000.0c45.1234 into a port with Root Guard enabled]

  • 14/22

    LAN Storm Attack

    Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.

    These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.

    [Figure: a broadcast frame replicated out of every port of the switch]

  • 15/22

    VLAN Attacks

    VLAN = Broadcast Domain = Logical Network (Subnet)

    Segmentation

    Flexibility

    Security

  • 16/22

    VLAN Hopping Attack

    A VLAN hopping attack can be launched by spoofing DTP messages from the attacking host to cause the switch to enter trunking mode.

    [Figure: an 802.1Q trunk carrying VLAN 10 and VLAN 20 between two switches; once the attacker's port becomes a trunk, the attacker sees traffic destined for the servers]

  • 17/22

    Port Security Overview

    Allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.

    [Figure: Port 0/1 allows MAC A, Port 0/2 allows MAC B, Port 0/3 allows MAC C; Attacker 1 and Attacker 2 (MAC F) try to attach to these ports]

  • 18/22

    CLI Commands

    Switch(config-if)# switchport mode access
      Sets the interface mode as access

    Switch(config-if)# switchport port-security
      Enables port security on the interface

    Switch(config-if)# switchport port-security maximum value
      Sets the maximum number of secure MAC addresses for the interface (optional)
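    The CAM table overflow from slide 7 and the port-security maximum from this slide, modelled together in an added Python example that is not part of the original deck: a toy switch whose tiny table fills up under a macof-style stream, then the same run with a one-address maximum on the attacker's port. The port numbers, MAC strings and capacity are constructed, and only the shutdown violation mode is modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    """Toy model of a switch MAC address (CAM) table, constructed for illustration:
    the capacity is tiny so the overflow is visible, and 'shutdown' is the only
    port-security violation mode modelled."""
    ports: list
    capacity: int = 8
    table: dict = field(default_factory=dict)       # MAC -> port (the CAM table)
    max_secure: dict = field(default_factory=dict)  # port -> port-security maximum
    secure: dict = field(default_factory=dict)      # port -> MACs learned as secure
    err_disabled: set = field(default_factory=set)

    def enable_port_security(self, port, maximum=1):
        """Models 'switchport port-security maximum <n>' on an access port."""
        self.max_secure[port] = maximum
        self.secure[port] = set()

    def receive(self, port, src, dst):
        """Process one frame; return the set of ports it is forwarded out of."""
        if port in self.err_disabled:
            return set()
        if port in self.max_secure and src not in self.secure[port]:
            if len(self.secure[port]) >= self.max_secure[port]:
                self.err_disabled.add(port)  # violation: port shut down, frame dropped
                return set()
            self.secure[port].add(src)
        if src in self.table or len(self.table) < self.capacity:
            self.table[src] = port           # learn (or refresh) the source MAC
        # once the table is full, new hosts cannot be learned and stay "unknown"
        if dst in self.table:
            return {self.table[dst]}
        return {p for p in self.ports if p != port and p not in self.err_disabled}

def run_overflow(port_security):
    """A on port 1, B on port 2, attacker on port 3 (all constructed)."""
    sw = Switch(ports=[1, 2, 3])
    if port_security:
        sw.enable_port_security(3, maximum=1)
    for i in range(50):                 # macof-style stream of bogus source MACs
        sw.receive(3, f"bogus-{i:02d}", "ff:ff:ff:ff:ff:ff")
    sw.receive(2, "B", "A")             # B talks first; A is unknown, so this floods anyway
    return sw.receive(1, "A", "B"), sw  # where does a unicast A -> B go now?

if __name__ == "__main__":
    print("no port security:", run_overflow(False)[0])  # {2, 3}: the attacker port sees it
    print("port security:", run_overflow(True)[0])      # {2}
```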

  • 19/22

    MAC ADDRESS TABLE OVERFLOW ATTACK

    LAB

  • 20/22

    Mitigating VLAN Attacks

    1. Disable trunking on all access ports.

    2. Disable auto trunking and manually enable trunking.

    3. Be sure that the native VLAN is used only for trunk lines and nowhere else.

    [Figure: Trunk (Native VLAN = 10)]

  • 21/22

    Controlling Trunking

    Switch(config-if)# switchport mode trunk
      Specifies an interface as a trunk link

    Switch(config-if)# switchport trunk native vlan vlan_number
      Set the native VLAN on the trunk to an unused VLAN

    Switch(config-if)# switchport nonegotiate
      Prevents the generation of DTP frames.
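    BPDU guard (slide 12) and nonegotiate on this slide, as an added example that is not from the original deck: Python that classifies a raw Ethernet frame as an STP BPDU, a DTP frame or ordinary data from its destination MAC and LLC/SNAP header, and returns the action a hardened access port takes on it. The sample frames are constructed, and treating inbound DTP as ignored on a nonegotiate access port is this model's assumption.

```python
import struct

STP_DST = bytes.fromhex("0180c2000000")    # IEEE 802.1D bridge group address used by BPDUs
CISCO_DST = bytes.fromhex("01000ccccccc")  # Cisco multicast shared by CDP, VTP and DTP
SNAP = b"\xaa\xaa\x03"                      # LLC header announcing a SNAP frame
CISCO_OUI = b"\x00\x00\x0c"
DTP_PID = 0x2004                            # SNAP protocol ID that identifies DTP

def classify(frame):
    """Label a raw Ethernet frame 'bpdu', 'dtp' or 'data' from its headers alone."""
    if len(frame) < 17:
        return "data"
    dst = frame[:6]
    type_or_length = struct.unpack("!H", frame[12:14])[0]
    if type_or_length > 0x05DC:            # an EtherType, so an ordinary Ethernet II frame
        return "data"
    llc = frame[14:17]                     # 802.3 frame: DSAP, SSAP, control
    if dst == STP_DST and llc[:2] == b"\x42\x42":
        return "bpdu"
    if dst == CISCO_DST and llc == SNAP and len(frame) >= 22:
        oui, pid = frame[17:20], struct.unpack("!H", frame[20:22])[0]
        if oui == CISCO_OUI and pid == DTP_PID:
            return "dtp"
    return "data"

def access_port_action(frame):
    """Action of a hardened access port (PortFast + BPDU guard, switchport nonegotiate)."""
    kind = classify(frame)
    if kind == "bpdu":
        return "err-disable"   # BPDU guard: a BPDU on a PortFast port shuts the port down
    if kind == "dtp":
        return "ignore"        # assumption: a nonegotiate access port does not negotiate a trunk
    return "forward"

def build_frame(dst, llc_and_payload):
    """Constructed 802.3 frame: dst, made-up source, length field, then LLC data."""
    src = bytes.fromhex("02aabbccddee")
    return dst + src + struct.pack("!H", len(llc_and_payload)) + llc_and_payload

# constructed samples: a minimal STP configuration BPDU, a DTP frame and an IPv4 data frame
SAMPLE_BPDU = build_frame(STP_DST, b"\x42\x42\x03" + bytes(35))
SAMPLE_DTP = build_frame(CISCO_DST, SNAP + CISCO_OUI + struct.pack("!H", DTP_PID) + b"\x01")
SAMPLE_DATA = bytes.fromhex("021122334455") + bytes.fromhex("02aabbccddee") + b"\x08\x00" + bytes(46)

if __name__ == "__main__":
    for name, frame in [("bpdu", SAMPLE_BPDU), ("dtp", SAMPLE_DTP), ("data", SAMPLE_DATA)]:
        print(name, classify(frame), access_port_action(frame))
```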
