Layer 2 Security - PowerPoint PPT Presentation

1 / 27
About This Presentation
Title:

Layer 2 Security

Description:

Layer 2 Security No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP ISACA / ISSA April 25, 2006 – PowerPoint PPT presentation

Number of Views:107
Avg rating:3.0/5.0
Slides: 28
Provided by: Allan148
Category:

less

Transcript and Presenter's Notes

Title: Layer 2 Security


1
Layer 2 Security No Longer IgnoredSecurity
Possibilities at Layer 2
  • Allan Alton, BSc CISA CISSP
  • ISACA / ISSA
  • April 25, 2006

2
Caveats and Assumptions
  • Opinions expressed are my own and do not
    represent the views of ISACA, ISSA, my employer,
    any vendor, or any organization to which I am
    associated
  • Internet Protocol (IP) implementation in a
    switched environment is assumed
  • Familiarity with basic networking assumed
  • Control of user traffic, not management of the
    network device
  • Secure management of the switch is assumed

3
Caveats and Assumptions
  • Concepts are from a context of Cisco Systems
    equipment, but sufficiently general to apply to
    other network hardware vendors
  • Switch features are not available on all product
    lines check with your vendor
  • Remediations presented are possibilities not
    necessarily recommended best practise
  • Test before implementation as bugs may be present

are
4
Assertion
  • Intelligence built into the new generation of
    switches will permit greater control of data as
    it enters your network

5
Traditional Network Security
  • OSI Layers 3 and 4 where most network controls
    are implemented
  • e.g.,192.168.1.2 can only be contacted on TCP
    port 80 from subnets beginning with 172.16.
  • Firewall rules and router access lists
  • Specialized devices now looking at layer 7

6
Traditional Network Security
Full Access
Full Access
Full Access
Full Access
7
VulnerabilityAttack within subnet
  • Compromised machines can access others on the
    same VLAN by default

Limited Access
Full Access
Full Access
8
RemediationPrivate VLANs
  • Promiscuous talks to any port
  • Isolated talks only to promiscuous
  • Community talks only to same community or
    promiscuous

promiscuous isolated community A community B
promiscuous Yes Yes Yes Yes
isolated Yes No No No
community A Yes No Yes No
community B Yes No No Yes
9
RemediationProtected Ports
  • Simpler form of a Private VLAN
  • Protected similar to Isolated
  • Not protected similar to Promiscuous
  • Only applicable to the local switch however

protected not protected
protected No Yes
not protected Yes Yes
10
Remediation Private VLANs or Protected Ports
promiscuous or not protected
Limited Access
No Access
No Access
isolated or protected
11
VulnerabilityBroadcast Storm
  • All devices in VLAN / subnet must handle
    broadcasts, consuming resources.
  • OS or application bugs may produce constant
    broadcasts. May also be malicious.

busy handling broadcasts
broadcast storm
12
RemediationStorm Control
  • Can apply to broadcasts, multicasts, or unicasts
  • Set threshold as percentage of bandwidth over a 1
    second period
  • If threshold is exceeded, drop this type of
    packet for next 1 second period

13
VulnerabilityFlooding for Data Capture or
Performance Hit
  • Switches flood to all ports when MAC unknown
  • Switches learn MAC addresses at each port
  • Table of addresses is a finite size

Normal
flood
flood
flood
address table full
new source MAC
starts macof or dsniff
14
VulnerabilityDHCP Denial of Service
  • Attacker requests new addresses for bogus MACs
  • Finite number of DHCP addresses in a subnet
  • PCs coming on the network can not get address

offer
request
no address
no more addresses
starts DHCP Gobbler
15
RemediationPort Security
  • Limits the source MAC addresses on a port
  • Can specify static addresses or maximum number
  • Violations on ports can
  • disable port
  • send trap and syslog
  • continue forwarding drop frames with new MACs
  • continue forwarding age out MAC entries from
    inactivity

16
VulnerabilityDHCP Rogue Server
  • Attacker uses rogue DHCP server to provide false
    settings (e.g., DNS, default gateway, etc.)

good offer
bad DHCP information
provides true DHCP
bad offer
request
starts rogue DHCP server
17
RemediationDHCP Snooping
  • Define trusted ports for DHCP responses

Untrusted DHCP
Trusted DHCP
good offer
gets good DHCP information
bad offer
request
starts rogue DHCP server
18
RemediationDHCP Snooping other vulnerabilities
covered
  • Comparison of MAC address in layers 2 and 7
  • hardware address must match chaddr (client
    hardware address) field in DHCP packet from
    untrusted ports
  • recall DHCP Gobbler attack and Port Security
  • Switch keeps track of the DHCP bindings to
    prevent DoS release attacks
  • DHCP releases or declines must have the hardware
    address match the original bound address

19
VulnerabilitySpanning Tree Root Hijackfor Data
Capture or Performance Hit
  • Spanning Tree Protocol resolves loops
  • Bridge Protocol Data Units sent from switches
  • Loops broken based on root selection

STP block
BPDU
BPDU
becomes root bridge
connects to both switches
sends BPDU root frames
20
RemediationBPDU Guard
  • BPDUs should not be received on an access port
  • BPDU receipt may indicate unauthorized switch or
    hub, or an attack
  • BPDU receipt puts port into error disabled mode

21
VulnerabilityARP Table Poisoning
  • ARPs (Address Resolution Protocol) associate
    layer 3 addresses to layer 2 (IP to MAC)
  • Requests are broadcast
  • Responses unauthenticated and can be sent without
    a request (gratuitous)

Normal
hijack
ARP tables poisoned
hijack
I am also Router
I am PC A
starts ettercap
22
RemediationDynamic ARP Inspection
  • Validates against DHCP Snooping binding table (if
    DHCP Snooping used)
  • Can build access lists of MAC and IP pairs for
    non-DHCP environments or set port to be trusted
  • Can limit the rate of ARPs to prevent DoS attacks

23
VulnerabilityIP Address Spoofing
  • Attacker sends packet with spoofed source IP
    address
  • Victims response packet dies or goes to wrong
    source (another victim)

dest. 192.168.1.1
24
RemediationIngress Access List
  • RFC 2827 normally done by router can be done at
    layer 2 device closer to end device
  • Helps protect other devices on subnet
  • Source IP address should always be 0.0.0.0 for
    DHCP request or within subnet (e.g.,
    207.206.205.x)
  • Vulnerability Attacker could still use another
    IP address within that subnet

25
RemediationIP Source Guard
  • Based on DHCP Snooping source IP address must
    be the one listed in DHCP Snooping table.
  • Can add static mappings for non-DHCP devices
  • Can also check MAC address source

source 192.168.1.1
26
Conclusion
  • Private VLANs
  • Protected Ports
  • Storm Control
  • Port Security
  • DHCP Snooping
  • BPDU Guard
  • Dynamic ARP Inspection
  • Anti-spoofing access lists
  • IP Source Guard
  • Attack within subnet
  • Broadcast storm
  • MAC Flooding
  • DHCP DoS
  • DHCP rogue
  • Spanning Tree hijack
  • ARP table poisoning
  • IP address spoofing

27
Further Reading
  • SAFE Layer 2 Security In-depth Version
    2http//www.cisco.com/warp/public/cc/so/cuso/epso
    /sqfr/sfblu_wp.pdf
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Layer 2 Security " is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!