CCNA Security 640-554 By Eng-Ahmed Sultan
© 2009 Cisco Learning Institute.
06- Securing the Local Area Network
Ahmed Sultan CCNA | CCNA Security | CCNP Security | JNCIA-Junos | CEH
Layer 2 Security

[Figure: enterprise network diagram showing the Internet, the perimeter, a firewall, IPS, VPN, ACS, a web server, an email server, DNS and the internal hosts]
OSI Model

When it comes to networking, Layer 2 is often a very weak link.

[Figure: two OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical), each layer paired with what it carries (Application Stream, Protocols and Ports, IP Addresses, MAC Addresses, Physical Links); an "Initial Compromise" at the Data Link layer is shown leaving every layer above it "Compromised"]
MAC Address Spoofing Attack

[Figure: a switch with the server (MAC Address: AABBcc) on Port 1 and the attacker (MAC Address: 12AbDd) on Port 2; the MAC address table maps AABBcc to port 1 and 12AbDd to port 2]

Switch: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."

The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case AABBcc.
MAC Address Spoofing Attack

[Figure: the attacker on Port 2 now also presents MAC Address: AABBcc; the MAC address table entry for AABBcc moves from port 1 to port 2]

Attacker: "I have changed the MAC address on my computer to match the server."

Switch: "The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly."
MAC Address Table Overflow Attack

The switch can forward frames between PC1 and PC2 without flooding because its MAC address table already contains port-to-MAC-address mappings for both PCs.
MAC Address Table Overflow Attack

[Figure: hosts A, B, C and D in VLAN 10 on one switch; the intruder is attached to port 3/25; the MAC (CAM) table shows entries X 3/25, Y 3/25 and C 3/25, so the bogus addresses X, Y, Z are all learned on the intruder's port]

1. Intruder runs macof to begin sending unknown bogus MAC addresses.
2. Bogus addresses are added to the CAM table. CAM table is full.
3. The switch floods the frames.
4. Attacker sees traffic to servers B and D.
Lab: MAC Address Table Overflow Attack
STP Manipulation Attack

• Spanning tree protocol operates by electing a root bridge
• STP builds a tree topology
• STP manipulation changes the topology of a network—the attacking host appears to be the root bridge

[Figure: three switches connected in a loop, ports marked F (forwarding) or B (blocking); the Root Bridge has Priority = 8192 and MAC Address = 0000.00C0.1234]
Configure PortFast

Switch(config-if)# spanning-tree portfast
  Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.

Switch(config-if)# no spanning-tree portfast
  Disables PortFast on a Layer 2 access port. PortFast is disabled by default.

Switch(config)# spanning-tree portfast default
  Globally enables the PortFast feature on all nontrunking ports.

Switch# show running-config interface type slot/port
  Indicates whether PortFast has been configured on a port.

[Figure: a server and a workstation attached to PortFast access ports]
STP Manipulation Attack

[Figure: the legitimate Root Bridge has Priority = 8192; the attacker is attached to two switches at once and sends STP BPDUs with Priority = 0 on both links, so the forwarding (F) and blocking (B) port roles are recalculated around the attacker]

The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.
BPDU Guard

Switch(config)# spanning-tree portfast bpduguard default

• Globally enables BPDU guard on all ports with PortFast enabled

[Figure: the attacker's STP BPDU arrives on a port with BPDU Guard enabled and is stopped there; the Root Bridge and the F/B port roles are unchanged]
Root Guard

Switch(config-if)# spanning-tree guard root

• Enables root guard on a per-interface basis

[Figure: the Root Bridge has Priority = 0 and MAC Address = 0000.0c45.1a5d; the attacker sends an STP BPDU with Priority = 0 and MAC Address = 0000.0c45.1234 (a lower bridge ID, which would otherwise win the election) into a port with Root Guard enabled, and that port is put into blocking instead of accepting the new root]
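The following configuration is an added example (not from the original slides) that applies the PortFast, BPDU guard and root guard commands above to the topology on these slides. The hostnames Dist1 and Access1, the interface ranges and VLAN 10 are assumptions; the root priority 8192 is the value shown on the slide.

```cisco
! Added example, not from the slides. Hostnames, interface numbers and
! VLAN 10 are assumptions.
!
! --- Intended root bridge (priority 8192 as on the slide) ---
Dist1(config)# spanning-tree vlan 10 priority 8192
! Root guard on every port that leads toward access switches. A superior
! BPDU arriving there (e.g. the attacker's priority 0) puts the port into
! root-inconsistent (blocking) state instead of moving the root.
Dist1(config)# interface range GigabitEthernet1/0/1 - 24
Dist1(config-if-range)# spanning-tree guard root
Dist1(config-if-range)# end
!
! --- Access switch: end-host ports only, never uplinks ---
Access1(config)# interface range FastEthernet0/1 - 48
Access1(config-if-range)# switchport mode access
Access1(config-if-range)# spanning-tree portfast
! Any BPDU received on this PortFast port err-disables the port; this is
! the per-interface form of the global
! "spanning-tree portfast bpduguard default" on the slide.
Access1(config-if-range)# spanning-tree bpduguard enable
Access1(config-if-range)# exit
! Bring an err-disabled port back after 5 minutes so a one-off event is
! not a permanent outage; a continuing attack just re-triggers the guard
! and the corresponding log message.
Access1(config)# errdisable recovery cause bpduguard
Access1(config)# errdisable recovery interval 300
Access1(config)# end
!
! --- Verify ---
! Root ID/priority per VLAN, and which local port is the root port
Dist1# show spanning-tree vlan 10
! Ports currently held by root guard (or other consistency checks)
Dist1# show spanning-tree inconsistentports
! Confirms PortFast/BPDU guard are in effect and counts guarded ports
Access1# show spanning-tree summary
Access1# show errdisable recovery
```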
LAN Storm Attack

• Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
• These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.

[Figure: a single broadcast frame entering the switch is replicated out of every other port in the VLAN]
VLAN Attacks

VLAN = Broadcast Domain = Logical Network (Subnet)

Benefits of VLANs:
• Segmentation
• Flexibility
• Security
VLAN Hopping Attack

[Figure: two switches joined by an 802.1Q trunk carrying VLAN 10 and VLAN 20, each with a server; the attacker's port has been negotiated into a second 802.1Q trunk, so the attacker sees traffic destined for the servers]

A VLAN hopping attack can be launched by spoofing DTP messages from the attacking host to cause the switch to enter trunking mode.
Port Security Overview

[Figure: Port 0/1 allows MAC A, Port 0/2 allows MAC B, Port 0/3 allows MAC C; Attacker 1 and Attacker 2 (labelled MAC A and MAC F) plug into ports whose permitted address lists do not match them]

Allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
CLI Commands

Switch(config-if)# switchport mode access
• Sets the interface mode as access

Switch(config-if)# switchport port-security
• Enables port security on the interface

Switch(config-if)# switchport port-security maximum value
• Sets the maximum number of secure MAC addresses for the interface (optional)
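The following is an added example (not from the original slides) that builds on the three commands above into a complete port-security configuration for a user port and a server port, covering both the MAC address table overflow and the MAC spoofing attacks shown earlier. Interface numbers, VLAN 10 and the server MAC 1111.2222.3333 are placeholder values assumed for the example.

```cisco
! Added example, not from the slides. Interface numbers, VLAN 10 and the
! server MAC 1111.2222.3333 are assumed placeholder values.
!
! --- User port: learn a small number of addresses dynamically ---
Switch(config)# interface FastEthernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security
! Allow two addresses (e.g. IP phone plus PC). The first bogus address a
! macof flood sends beyond that is a violation, so the CAM table cannot
! be filled from this port.
Switch(config-if)# switchport port-security maximum 2
! "sticky": learned addresses are written into running-config and kept
! until an administrator clears them.
Switch(config-if)# switchport port-security mac-address sticky
! shutdown is the default, shown explicitly: err-disable the port and log.
! (restrict would instead drop offending frames and count them.)
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# exit
!
! --- Server port: pin the one legitimate address statically ---
! A secure address that later appears on another secure port in the same
! VLAN is itself a violation, which defeats the MAC spoofing case above.
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 1111.2222.3333
Switch(config-if)# exit
!
! Recover err-disabled ports after 5 minutes; a persisting attacker simply
! re-triggers the violation and its log entry.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
!
! --- Verify: violation mode/counter, secure addresses, CAM table usage ---
Switch# show port-security interface FastEthernet0/2
Switch# show port-security address
Switch# show mac address-table count
```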
Lab: MAC Address Table Overflow Attack
Mitigating VLAN Attacks

[Figure: two switches joined by a trunk with Native VLAN = 10]

1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.
Controlling Trunking

Switch(config-if)# switchport mode trunk
• Specifies an interface as a trunk link

Switch(config-if)# switchport trunk native vlan vlan_number
• Sets the native VLAN on the trunk to an unused VLAN

Switch(config-if)# switchport nonegotiate
• Prevents the generation of DTP frames.
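The following is an added example (not from the original slides) that applies the three trunking commands above, together with the three mitigation steps from the previous slide, to one uplink and a block of user ports. The interface numbers, VLANs 10 and 20, and the unused native VLAN 999 are assumptions.

```cisco
! Added example, not from the slides. Interface numbers, VLANs 10/20 and
! the unused native VLAN 999 are assumptions.
!
! Create a VLAN that carries no user traffic, to serve as native VLAN
Switch(config)# vlan 999
Switch(config-vlan)# name NATIVE_UNUSED
Switch(config-vlan)# exit
!
! --- Uplink: manually configured trunk, no DTP (step 2) ---
Switch(config)# interface GigabitEthernet0/1
! Needed only on platforms that also support ISL; 802.1Q-only switches
! reject this line, in which case skip it.
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
! Stop sending DTP frames: the neighbour cannot be talked into trunking
! by negotiation, and neither can this port.
Switch(config-if)# switchport nonegotiate
! Native VLAN used on trunk links only (step 3)
Switch(config-if)# switchport trunk native vlan 999
! Carry only the VLANs that must cross this link; 999 is not among them
Switch(config-if)# switchport trunk allowed vlan 10,20
Switch(config-if)# exit
! Optional, platform-dependent: tag native-VLAN frames on trunks too
Switch(config)# vlan dot1q tag native
!
! --- User ports: access mode, trunking disabled (step 1) ---
Switch(config)# interface range FastEthernet0/1 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
! Also disable DTP here, so a spoofed DTP frame from a host is ignored
Switch(config-if-range)# switchport nonegotiate
Switch(config-if-range)# exit
! Unused ports: shut them rather than leave them dynamic
Switch(config)# interface range FastEthernet0/25 - 48
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# shutdown
Switch(config-if-range)# end
!
! --- Verify: trunk list and native VLAN, DTP mode per port ---
Switch# show interfaces trunk
Switch# show interfaces GigabitEthernet0/1 switchport
Switch# show dtp interface FastEthernet0/1
```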