
Layer 2 Security - Cisco



Transcription of Layer 2 Security - Cisco

Slide 1 (SEC-206): Layer 2 Security
Eric Vyncke, Distinguished Consulting Engineer
2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Slide 2: Caveats
All attacks and mitigation techniques assume a switched Ethernet network running IPv4.
All testing was done on Cisco Ethernet switches; Ethernet switching attack resilience varies widely from vendor to vendor.
This is not a comprehensive talk on configuring Ethernet switches for security or NAC or IEEE: the focus is mostly access L2 attacks and their mitigation.

Slide 3: Agenda
Layer 2 Attack Landscape
Attacks and Counter Measures: MAC Attacks, DHCP Attacks, ARP Attacks, Spoofing Attacks, General Attacks
Summary

Slide 4: Why Worry About Layer 2 Security?
OSI was built to allow different layers to work without the knowledge of each other.
Figure: Host A and Host B, each with the stack Application, Presentation, Session, Transport, Network, Data Link, Physical. Between the two hosts: Application Stream, Protocols/Ports, IP Addresses, MAC Addresses, Physical Links.

Slide 5: Lower Levels Affect Higher Levels
Unfortunately this means if one layer is hacked, communications are compromised without the other layers being aware of the problem.
Security is only as strong as the weakest link.
When it comes to networking, Layer 2 can be a very weak link.
Figure: the same two stacks; the initial compromise is at the Data Link layer, and everything above it, including the application stream (POP3, IMAP, IM, SSL, SSH), is shown as compromised.

Slide 6: NetOPS/SecOPS, Whose Problem Is It?
Questions:
What is your stance on L2 security issues?
Do you use VLANs often?
Do you ever put different security levels on the same switch using VLANs?
What is the process for allocating addresses for segments?
Most SecOPS:
I handle security issues at L3 and above.
I have no idea if we are using VLANs.
Why would I care what the network guy does with the switch?
I ask NetOPs for a segment, they give me ports and addresses.
Most NetOPS:
There are L2 security issues?
I use VLANs all the time.
Routing in and out of the same switch is OK by me! That's what VLANs are for.
The security guy asks me for a new segment, I create a VLAN and assign him an address space.

Slide 7: Agenda (MAC Attacks)

Slide 8: CAM Table Review
CAM table stands for Content Addressable Memory.
The CAM table stores information such as MAC addresses available on physical ports with their associated VLAN parameters.
CAM tables have a fixed size.

Slide 9: Normal CAM Behavior 1/3
Figure: MAC A on Port 1, MAC B on Port 2, MAC C on Port 3. CAM table: A -> 1, C -> 3. A sends "ARP for B"; B is unknown, so the switch floods the frame out Port 2 and Port 3.

Slide 10: Normal CAM Behavior 2/3
Figure: B answers "I am MAC B" on Port 2. The switch learns: A is on Port 1, B is on Port 2. CAM table: A -> 1, B -> 2, C -> 3.

Slide 11: Normal CAM Behavior 3/3
Figure: traffic A -> B; B is on Port 2, so the frame is sent only to Port 2. CAM table: A -> 1, B -> 2, C -> 3. C does not see traffic to B.

Slide 12: CAM Overflow 1/2
macof tool, since 1999: about 100 lines of Perl, included in dsniff.
Attack successful by exploiting the size limit on CAM tables.
Yersinia: flavor of the month attack tool.

Slide 13: CAM Overflow 2/2
Figure: the host on Port 3 sends "I am MAC Y", "I am MAC Z", and so on; the switch learns Y is on Port 3, Z is on Port 3. Assume the CAM table is now full: A -> 1, B -> 2, C -> 3, Y -> 3, Z -> 3. Traffic A -> B is now flooded to every port, and the host on Port 3 says "I see traffic to B!"

Slide 14: CAM Table Full
Once the CAM table is full, traffic without a CAM entry is flooded out every port on that VLAN, but NOT traffic with an existing CAM entry.
This will turn a VLAN on a switch basically into a hub.
This attack will also fill the CAM tables of adjacent switches.
BTW: Cisco switches never overwrite an existing entry. Idle entries are ...
Sniffer output on the flooding host's port (addresses missing in the transcription):
-> (broadcast) ARP C Who is , ?
-> (broadcast) ARP C Who is , ?
-> ICMP Echo request (ID: 256 Sequence number: 7424)
-> ICMP Echo reply (ID: 256 Sequence number: 7424)
OOPS

Slide 15: Countermeasures for MAC Attacks
Port Security limits the amount of MACs on an interface.
Figure: a port that has seen 00:0e:00:aa:aa:aa and 00:0e:00:bb:bb:bb, followed by 132,000 bogus MACs. Only one MAC address allowed on the port: shutdown.
Solution: Port Security limits the MAC flooding attack, locks down the port and sends an SNMP trap.
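To make slides 9 through 15 concrete, the following is an added example (it is not code from the Cisco deck) modelling what those slides describe: a fixed-size CAM table that learns source MACs, floods unknown destinations, never overwrites an existing entry and only ages out idle ones, plus a per-port MAC limit in the style of Port Security that err-disables the port and raises a trap on violation. The interface names, the capacity of four entries, the 300-second idle timeout and the traffic timeline are all constructed assumptions; real tables hold thousands of entries and Port Security keeps its own secure-address list, which the model approximates.

```python
"""Added example: switch CAM learning, CAM-full flooding, and Port Security.
All names, interface numbers and timings are constructed for the model."""
from dataclasses import dataclass, field

FLOOD = "flood"


@dataclass
class Switch:
    cam_capacity: int                       # fixed CAM size (tiny here on purpose)
    idle_timeout: int = 300                 # seconds before an idle CAM entry is aged out
    max_macs_per_port: dict = field(default_factory=dict)  # Port Security limit per interface
    cam: dict = field(default_factory=dict)          # mac -> (interface, last_seen)
    secure_macs: dict = field(default_factory=dict)  # interface -> secure MACs (these do not age)
    port_state: dict = field(default_factory=dict)   # interface -> "err-disabled" once shut down
    snmp_traps: list = field(default_factory=list)   # simulated traps
    clock: int = 0

    def _age_out(self) -> None:
        # Idle entries are removed; nothing else ever evicts an entry (no overwrite).
        expired = [m for m, (_, seen) in self.cam.items()
                   if self.clock - seen > self.idle_timeout]
        for m in expired:
            del self.cam[m]

    def receive(self, interface: str, src: str, dst: str, now: int) -> str:
        """Process one frame; return the egress interface, FLOOD, or "dropped"."""
        self.clock = now
        self._age_out()
        if self.port_state.get(interface) == "err-disabled":
            return "dropped"
        limit = self.max_macs_per_port.get(interface)
        if limit is not None:                       # Port Security configured on this port
            secure = self.secure_macs.setdefault(interface, set())
            if src not in secure:
                if len(secure) >= limit:            # violation: shut the port, send a trap
                    self.port_state[interface] = "err-disabled"
                    self.snmp_traps.append(f"port-security violation on {interface} by {src}")
                    return "dropped"
                secure.add(src)
        if src in self.cam:                         # refresh an existing entry
            self.cam[src] = (interface, now)
        elif len(self.cam) < self.cam_capacity:     # learn only while there is room
            self.cam[src] = (interface, now)
        return self.cam[dst][0] if dst in self.cam else FLOOD


def cam_overflow_scenario(port_security: bool):
    """A on Fa0/1 and B on Fa0/2 talk; the host on Fa0/3 keeps sending frames with new
    source MACs. Returns (where A->B goes once B has answered, Fa0/3 state, trap count)."""
    limits = {"Fa0/3": 1} if port_security else {}
    sw = Switch(cam_capacity=4, max_macs_per_port=limits)
    sw.receive("Fa0/1", "A", "B", now=0)    # B unknown: flooded; A learned
    sw.receive("Fa0/2", "B", "A", now=1)    # B learned on Fa0/2
    sw.receive("Fa0/3", "C", "A", now=2)    # the Fa0/3 host's real MAC is learned
    bogus = 0
    for t in range(3, 400, 50):             # bursts of 5 new source MACs every 50 s
        for _ in range(5):
            sw.receive("Fa0/3", f"bogus-{bogus}", "ff:ff:ff:ff:ff:ff", now=t)
            bogus += 1
    # B has been idle longer than idle_timeout, so its entry was aged out.
    sw.receive("Fa0/1", "A", "B", now=420)  # B unknown again: flooded in both cases
    sw.receive("Fa0/2", "B", "A", now=421)  # B answers; can the switch relearn it?
    forwarding = sw.receive("Fa0/1", "A", "B", now=422)
    return forwarding, sw.port_state.get("Fa0/3", "up"), len(sw.snmp_traps)


if __name__ == "__main__":
    print("no port security:  ", cam_overflow_scenario(False))   # ('flood', 'up', 0)
    print("with port security:", cam_overflow_scenario(True))    # ('Fa0/2', 'err-disabled', 1)
```

The point the model makes is the one slide 14 states: once the table is full, B's aged-out entry can never be relearned while the bogus entries hold the slots, so unicast traffic to B keeps being flooded; with a one-MAC limit on Fa0/3 the second source MAC shuts the port down, the trap is the detection signal, and A to B stays a single-port unicast.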

Slide 16: Building the Layers
Port Security prevents CAM attacks and DHCP starvation attacks.

Slide 17: Agenda (DHCP Attacks)

Slide 18: DHCP: Quick Overview
DHCP is defined by RFC 2131.
Exchange between client and DHCP server:
Client -> Server: DHCP Discover (broadcast)
Server -> Client: DHCP Offer (unicast)
Client -> Server: DHCP Request (broadcast)
Server -> Client: DHCP Ack (unicast)
The Ack carries the client's configuration: IP Address, Routers, Servers (values missing in the transcription).

Slide 19: DHCP Attack Types: DHCP Starvation Attack
Gobbler/DHCPx looks at the entire DHCP scope and tries to lease all of the DHCP addresses available in the DHCP scope.
This is a Denial of Service (DoS) attack using DHCP leases.
Figure: Gobbler sends DHCP Discover x (size of scope); the DHCP server answers DHCP Offer x (size of scope); Gobbler sends DHCP Request x (size of scope); the server answers DHCP Ack x (size of scope). The legitimate client gets no lease: Denial of Service.

Slide 20: Countermeasures for DHCP Attacks: DHCP Starvation Attack = Port Security
Gobbler uses a new MAC address to request a new DHCP lease.
Restrict the number of MAC addresses on a port with Port Security.
Else use option 82 of DHCP: the DHCP server can track which port has already got one IP address.

Slide 21: DHCP Attack Types: Rogue DHCP Server Attack
Figure: client, DHCP server and rogue server (figure labels: Vlan 5, Vlan 5, Vlan 165).
DHCP Discover (broadcast)
Two DHCP Offers (unicast): one from the rogue, one genuine
DHCP Request (broadcast) to the first offer
DHCP Ack (unicast) from the rogue server

Slide 22: DHCP Attack Types: Rogue DHCP Server Attack
What can the attacker do if he is the DHCP server?
"Here is your configuration": IP Address, Mask, Routers, Servers (values missing in the transcription), Lease Time: 10 days.
What do you see as a potential problem with incorrect information?
Wrong default gateway: the attacker is the gateway.
Wrong DNS server: the attacker is the DNS server.
Wrong IP address: the attacker does DoS with an incorrect IP.

Slide 23: Countermeasures for DHCP Attacks: Rogue DHCP Server = DHCP Snooping
By default all ports in the VLAN are untrusted.
Figure: DHCP Snooping enabled; the client and the rogue server sit on untrusted ports, the DHCP server (or uplink) on a trusted port. DHCP responses (offer, ack, nak) arriving on the trusted port are OK; the same responses arriving on an untrusted port are BAD and dropped.
IOS global commands:
ip dhcp snooping vlan 4,104
no ip dhcp snooping information option
ip dhcp snooping
Interface commands, DHCP Snooping untrusted (client):
no ip dhcp snooping trust (default)
ip dhcp snooping limit rate 10 (pps)
Interface commands, DHCP Snooping trusted (server or uplink):
ip dhcp snooping trust

Slide 24: Countermeasures for DHCP Attacks: Rogue DHCP Server = DHCP Snooping
The table is built by snooping the DHCP reply to the client.
Entries stay in the table until the DHCP lease time expires.
DHCP Snooping Binding Table:
sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:03:47:B5:9F:AD                    193185      dhcp-snooping  4     FastEthernet3/18
(the IpAddress column is missing in the transcription)

Slide 25: Building the Layers
Port Security prevents CAM attacks and DHCP starvation attacks.
DHCP snooping prevents rogue DHCP server attacks.
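The following is an added example, not code from the Cisco deck, that models the DHCP Snooping behaviour of slides 23 and 24: snooping is enabled per VLAN, server messages (offer, ack, nak) are accepted only on trusted ports, untrusted ports are rate-limited in packets per second, and a binding table is filled from the ack the server sends back to a client and emptied when the lease runs out. VLANs 4 and 104, the 10 pps limit, the client MAC 00:03:47:B5:9F:AD, the lease of 193185 seconds and interface FastEthernet3/18 are taken from the slides; the uplink name Gi1/1, the second access port FastEthernet3/20, the IP addresses and the twelve-discover burst are constructed assumptions.

```python
"""Added example: DHCP Snooping as a filter plus binding table.
Uplink/port names, addresses and the rate-limit burst are constructed."""
from dataclasses import dataclass, field

SERVER_MESSAGES = {"offer", "ack", "nak"}   # legitimate only from a DHCP server or uplink


@dataclass
class DhcpMessage:
    kind: str              # discover, offer, request, ack, nak
    client_mac: str
    yiaddr: str = ""       # address handed out in offer/ack
    lease: int = 0         # lease time in seconds (ack)


@dataclass
class DhcpSnooping:
    vlans: set                                        # "ip dhcp snooping vlan ..."
    trusted: set = field(default_factory=set)         # interfaces with "ip dhcp snooping trust"
    rate_limit: dict = field(default_factory=dict)    # interface -> "limit rate" in pps
    bindings: dict = field(default_factory=dict)      # client mac -> (ip, lease, vlan, interface)
    expiry: dict = field(default_factory=dict)        # client mac -> time the binding lapses
    log: list = field(default_factory=list)
    err_disabled: set = field(default_factory=set)
    _client_port: dict = field(default_factory=dict)  # client mac -> (vlan, interface) of its request
    _pps: dict = field(default_factory=dict)          # (interface, second) -> frames seen

    def inspect(self, interface: str, vlan: int, msg: DhcpMessage, now: int) -> str:
        """Return "forward", "drop" or "err-disabled" for one DHCP message."""
        if vlan not in self.vlans:
            return "forward"                          # snooping not enabled on this VLAN
        if interface in self.err_disabled:
            return "drop"
        if interface in self.trusted:                 # server or uplink: responses are OK
            if msg.kind == "ack" and msg.client_mac in self._client_port:
                vlan_seen, port = self._client_port[msg.client_mac]
                self.bindings[msg.client_mac] = (msg.yiaddr, msg.lease, vlan_seen, port)
                self.expiry[msg.client_mac] = now + msg.lease
            return "forward"
        limit = self.rate_limit.get(interface)       # untrusted port: rate limit first
        if limit is not None:
            key = (interface, now)
            self._pps[key] = self._pps.get(key, 0) + 1
            if self._pps[key] > limit:
                self.err_disabled.add(interface)
                self.log.append(f"{interface}: DHCP rate limit {limit} pps exceeded, err-disabled")
                return "err-disabled"
        if msg.kind in SERVER_MESSAGES:               # a server reply behind an untrusted port is BAD
            self.log.append(f"{interface}: dropped DHCP {msg.kind} from untrusted port")
            return "drop"
        self._client_port[msg.client_mac] = (vlan, interface)   # discover/request from a client
        return "forward"

    def expire(self, now: int) -> int:
        """Remove bindings whose lease has run out; return how many were removed."""
        gone = [mac for mac, t in self.expiry.items() if now >= t]
        for mac in gone:
            del self.bindings[mac]
            del self.expiry[mac]
        return len(gone)


def rogue_server_scenario():
    """Slide 21's exchange with snooping enabled: the rogue offer never reaches the client."""
    snoop = DhcpSnooping(vlans={4, 104}, trusted={"Gi1/1"},
                         rate_limit={"FastEthernet3/18": 10, "FastEthernet3/20": 10})
    client = "00:03:47:B5:9F:AD"
    steps = [
        ("FastEthernet3/18", DhcpMessage("discover", client), 0),
        ("Gi1/1", DhcpMessage("offer", client, "10.0.4.50"), 0),             # genuine server via uplink
        ("FastEthernet3/20", DhcpMessage("offer", client, "10.0.4.99"), 0),  # rogue on an access port
        ("FastEthernet3/18", DhcpMessage("request", client), 1),
        ("Gi1/1", DhcpMessage("ack", client, "10.0.4.50", lease=193185), 1),
    ]
    verdicts = [snoop.inspect(iface, 4, msg, now) for iface, msg, now in steps]
    binding = snoop.bindings.get(client)
    removed = snoop.expire(now=1 + 193185)         # lease over: the entry leaves the table
    return verdicts, binding, removed, snoop.bindings.get(client)


def rate_limit_scenario():
    """12 DHCP discovers in one second through a port limited to 10 pps."""
    snoop = DhcpSnooping(vlans={4}, rate_limit={"FastEthernet3/18": 10})
    outcomes = [snoop.inspect("FastEthernet3/18", 4,
                              DhcpMessage("discover", f"02:00:00:00:00:{i:02x}"), now=7)
                for i in range(12)]
    return outcomes.count("forward"), outcomes.count("err-disabled"), outcomes.count("drop")


if __name__ == "__main__":
    print(rogue_server_scenario())   # (['forward', 'forward', 'drop', 'forward', 'forward'], ...)
    print(rate_limit_scenario())     # (10, 1, 1)
```

Two details worth noticing: the binding is keyed to the interface on which the client's own request arrived, not the trusted port where the ack was seen, which is what makes the table usable by the ARP and IP checks that build on it later in the deck; and the rate limit err-disables the port on the first excess packet, so a starvation burst on an untrusted port is both stopped and logged.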

