Network Security - Layer 2 - SlideShare

By samis. Published on Apr 5, 2008. Published in: Technology. License: CC Attribution License. 11,978 views, 15 likes, 1 comment.

Comment from kaur12345 (1 year ago): it should be download
            Network Security - Layer 2

1. Layer 2 Security
• Toronto Information Security
• Sami Kamel
• [email_address]
• February 2008
2. The Threat
• The OSI model was built to allow different layers to work without knowledge of each other, and that means that if a layer is compromised the other layers will not be aware of it: a "domino effect".
• i.e. layer 3 will not be aware if layer 2 is attacked.
• Facts:
  • A layer 2 attack is hard to achieve from the outside world, but never underestimate the local attacker. The attacker may not be so local after all: backdoors and wireless hacking let remote crackers in.
  • 99% of enterprise network ports are open (according to an FBI report).
  • 59% insider attacks by employees.
  • Being in the LAN, layer 2 is considered trusted by Security Ops, and firewall/IDS/IPS technologies offer limited capabilities at layer 2.
  • More broadband providers deploy access networks based exclusively on L2 for many reasons; worth mentioning are the convergence time of RSTP, which is faster compared to OSPF and EIGRP, cheaper Ethernet interfaces (e.g. wireless, Metro Ethernet), and ease of connection to the customer network.
  • The effect of a DoS attack on L2 takes another dimension than in the WAN, as the bandwidth is considerably higher.
3. Data link layer technologies
Background about the technologies affected by the following attacks:
• Switch operation (Unicast, Broadcast/Multicast).
• Content-Addressable Memory (CAM) table address-learning process (ARP).
• VLAN, Cisco Inter-Switch Link (ISL), IEEE 802.1q.
• Spanning Tree Protocol (STP).
• Rapid STP (RSTP).
• Bridge Protocol Data Unit (BPDU).
4. Attack Types
• CAM table overflow.
• VLAN hopping.
• Spanning Tree Protocol (STP) manipulation.
• MAC spoofing (ARP poisoning).
• Private VLAN.
• DHCP attacks.
• These attack techniques achieve access, DoS, or MITM.
5. MAC Flood
• Dsniff (macof) can generate 155,000 MACs/min.
• CAM table sizes (Cisco switches: 16kb to 128kb, i.e. 100 to over 100,000 entries) mean that even if the CAM table refresh time is short, it will not be short enough (the Cisco default is 5 min).
• After the CAM table is flooded the switch enters a fail-open mode, acting as a hub and forwarding traffic to all ports, which makes sniffing easier, or it achieves a DoS by consuming switch processing power.
• This attack can flood adjacent switches as well.
• It is limited to the attacker's VLAN.
• MAC flood mitigation:
  • Limit the number of MAC addresses that can be learned per port.
  • Static MAC address configuration (not scalable, but most secure).
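To make the fail-open behaviour and the "limit MACs learned per port" mitigation concrete, here is an added example (not code from the slides or from any switch vendor) that models a bounded CAM table in Python. Port names, MAC addresses, the table capacity and the per-port limit are all constructed; a real table holds 100 to over 100,000 entries, as the slide says, but the mechanism is the same.

```python
"""CAM table model with a per-port MAC learning limit (port security).

Added example, not from the slides or any vendor's code: it shows how a
flood of bogus source MACs evicts legitimate entries from a bounded CAM
table so that unicast traffic is flooded out of every port (fail-open),
and how capping the number of MACs learned per port contains the flood
to the offending port. Ports, MACs, capacity and limit are constructed.
"""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Switch:
    ports: List[str]
    capacity: int                          # total CAM entries (tiny here; real tables: 100 to 100,000+)
    per_port_limit: Optional[int] = None   # max MACs learned per port; None = no port security
    cam: Dict[str, str] = field(default_factory=OrderedDict)   # mac -> port, oldest first
    disabled: Set[str] = field(default_factory=set)            # err-disabled ports
    violations: List[str] = field(default_factory=list)

    def _learned_on(self, port: str) -> int:
        return sum(1 for p in self.cam.values() if p == port)

    def learn(self, src_mac: str, port: str) -> bool:
        """Learn src_mac on port. Returns False if the frame is refused."""
        if port in self.disabled:
            return False
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)  # refresh: entry becomes the newest
            self.cam[src_mac] = port
            return True
        if self.per_port_limit is not None and self._learned_on(port) >= self.per_port_limit:
            # port security violation: shut this port only; the table is untouched
            self.disabled.add(port)
            self.violations.append(f"{port}: MAC limit {self.per_port_limit} exceeded by {src_mac}")
            return False
        if len(self.cam) >= self.capacity:
            self.cam.popitem(last=False)   # full: evict the oldest entry (simplified aging)
        self.cam[src_mac] = port
        return True

    def egress(self, dst_mac: str, in_port: str) -> List[str]:
        """Ports a unicast frame leaves on: the learned port, else flooded (hub behaviour)."""
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]
        return [p for p in self.ports if p != in_port and p not in self.disabled]


HOST_A, HOST_B = "00:11:22:33:44:01", "00:11:22:33:44:02"   # constructed legitimate hosts


def simulate(flood_count: int, per_port_limit: Optional[int]) -> dict:
    """Two hosts on Gi0/1 and Gi0/2, a macof-style flood on Gi0/3; report where A->B traffic goes."""
    sw = Switch(ports=["Gi0/1", "Gi0/2", "Gi0/3"], capacity=64, per_port_limit=per_port_limit)
    sw.learn(HOST_A, "Gi0/1")
    sw.learn(HOST_B, "Gi0/2")
    for i in range(flood_count):
        sw.learn(f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}", "Gi0/3")
    return {
        "table_size": len(sw.cam),
        "a_to_b_egress": sw.egress(HOST_B, "Gi0/1"),
        "disabled": sorted(sw.disabled),
        "violations": sw.violations,
    }


if __name__ == "__main__":
    print("no port security :", simulate(200, None))
    print("limit 5 per port :", simulate(200, 5))
```

Without a per-port limit, the 200 bogus addresses push both legitimate entries out of the 64-entry table, so a frame from host A to host B is flooded to Gi0/2 and to the attacker's Gi0/3. With a limit of 5 MACs per port, Gi0/3 is err-disabled at the sixth address, the table keeps its two real entries, and A's frame leaves only on Gi0/2.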
6. VLAN Hopping
• A malicious user on a VLAN tries to send packets to a system on a different VLAN.
• The two main techniques are:
  • Switch spoofing.
  • 802.1q double tagging.
7. Switch Spoofing
• Trunk ports have access to all VLANs' traffic.
• When the malicious user can spoof a switch with ISL or 802.1q, he will have access to all traffic, as trunk ports have access to all VLANs.
• The port must be set to Trunk or to Auto (which negotiates trunking), or have DTP (Dynamic Trunking Protocol) on.
• Tools:
  • Yersinia can spoof many protocols: STP, ISL, 802.1q, CDP, DTP, DHCP, HSRP, VTP.
  • Some Unix operating systems come with "brctl", an STP-capable bridging utility.
• Mitigation:
  • Disable unused ports and set them to access mode; disable Dynamic Trunking Protocol on access ports (DTP allows the port to negotiate the trunking protocol with the other device).
8. Double tagging 802.1q
• The attacker sends a double-encapsulated 802.1q frame. The first tag gets stripped off by the switch we are connected to, and the frame is forwarded to the next switch. However, the remaining tag contains a different VLAN, to which the frame will be sent.
• Works even if the trunk port is set to off.
• Limitations:
  • Unidirectional (not really, as it can be used for DoS or turned bidirectional using WEPWedgie).
  • There must be multiple switches and, obviously, trunking.
  • Attacker and trunk must have the same native VLAN.
  • Does not work on ISL, which does not have the concept of a native VLAN.
  • The attacker cannot push data to a target on the same switch.
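The frame layout behind this slide (destination MAC, source MAC, a stack of 802.1q tags each introduced by TPID 0x8100, then the EtherType) is easy to parse, and parsing it is exactly what a defender needs to recognise a double-tagged frame arriving where it should not. The following is an added example, not code from the slides: a small Python parser plus the ingress check an access port should apply. The `build_frame` helper, the `ingress_verdict` wording and the sample frames are constructed for the demonstration.

```python
"""Ethernet/802.1q header parser that flags double-tagged frames.

Added example, not from the slides: a small parser for the frame layout
the slide describes (destination MAC, source MAC, zero or more 802.1q
tags with TPID 0x8100, then the EtherType) and an ingress check that a
defender would apply on a user-facing (access) port. Frames are
constructed byte strings built by build_frame().
"""
import struct
from typing import List, NamedTuple

TPID_8021Q = 0x8100


class Frame(NamedTuple):
    dst: str
    src: str
    vlans: List[int]      # VLAN IDs outer-to-inner; two entries = double tagged
    ethertype: int
    payload: bytes


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, vlans: List[int], ethertype: int, payload: bytes) -> bytes:
    """Serialise a frame; vlans is the tag stack outer-to-inner (empty = untagged)."""
    out = _mac_bytes(dst) + _mac_bytes(src)
    for vid in vlans:
        out += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # TCI with PCP/DEI = 0
    return out + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Frame:
    """Walk the tag stack; raises ValueError on a truncated header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = _mac_str(frame[0:6]), _mac_str(frame[6:12])
    offset, vlans = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated EtherType/TPID")
        (etype,) = struct.unpack("!H", frame[offset:offset + 2])
        if etype != TPID_8021Q:
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlans.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return Frame(dst, src, vlans, etype, frame[offset + 2:])


def ingress_verdict(frame: bytes, access_port: bool) -> str:
    """What an access port should do with the frame: forward it, or drop and alert."""
    parsed = parse_frame(frame)
    if len(parsed.vlans) >= 2:
        return "drop: double-tagged (VLAN hopping attempt)"
    if access_port and parsed.vlans:
        return "drop: tagged frame on access port"
    return "forward"


if __name__ == "__main__":
    # constructed: outer tag = native VLAN 1 (stripped by the first switch), inner tag = VLAN 20
    hopping = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", [1, 20], 0x0800, b"\x45" + b"\x00" * 19)
    print(parse_frame(hopping).vlans, "->", ingress_verdict(hopping, access_port=True))
```

The outer tag in the sample carries VLAN 1 because the attack depends on it matching the trunk's native VLAN (the slide's third limitation); giving trunks a dedicated native VLAN, as the configuration best-practice slide recommends, is what breaks that precondition.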
9. STP Manipulation
• Spanning Tree Protocol (STP) exists to prevent Layer 2 loops from being formed when switches or bridges are interconnected via multiple paths for redundancy reasons.
• Switches exchange BPDU messages to:
  • Elect a root bridge for all LANs, and calculate the shortest path to it.
  • Elect a per-LAN designated bridge.
  • The designated bridge sends a BPDU in case of topology change up the tree to the root bridge, which forwards it to the other LANs.
10. STP/RSTP Pitfalls
• Lack of authentication in BPDU messages.
• If a malicious user impersonates a switch and participates in the STP process, he can create a DoS by continuously sending topology-change BPDU messages: all the switches will continuously recompute the algorithm. The user can also participate in the STP process by impersonating the root bridge and redirect traffic / sniff it.
• Mitigation:
  • Enable root guard on Cisco equipment, which enforces the placement of the root bridge in the network, or BPDU guard on user ports to disable the use of priority zero and hence becoming a root bridge.
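To show what the two guards actually decide when a BPDU arrives, here is an added example in Python (not from the slides and not a vendor implementation). It models a bridge that knows its current root bridge ID, compares IDs the way STP does (priority first, then bridge MAC, lower wins), err-disables a BPDU-guarded user port on any BPDU, and puts a root-guarded port into a blocked root-inconsistent state when the BPDU claims a better root. The bridge IDs, port names and the scenario in `demo()` are constructed.

```python
"""BPDU guard and root guard modelled as per-port checks on incoming BPDUs.

Added example, not from the slides and not a vendor implementation. The
bridge knows its current root bridge ID; STP compares IDs as
(priority, MAC) with the lower value winning. BPDU guard err-disables a
user (access) port on any BPDU at all, since no switch belongs there.
Root guard keeps a port from becoming the root port: a BPDU advertising
a better root than the one the bridge already knows puts the port into a
root-inconsistent (blocked) state until such BPDUs stop. All bridge IDs
and port names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BridgeId = Tuple[int, str]   # (priority, bridge MAC); tuple ordering gives "lower wins"


@dataclass
class Port:
    name: str
    bpdu_guard: bool = False    # set on user-facing ports
    root_guard: bool = False    # set on ports that must never lead towards the root
    state: str = "forwarding"


@dataclass
class Bridge:
    root: BridgeId
    ports: Dict[str, Port] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)

    def receive_bpdu(self, port_name: str, advertised_root: BridgeId) -> str:
        """Apply the guards to one BPDU and return the port's resulting state."""
        port = self.ports[port_name]
        if port.state == "err-disabled":
            return port.state                     # stays down until an operator recovers it
        if port.bpdu_guard:
            port.state = "err-disabled"
            self.events.append(f"bpduguard: BPDU from {advertised_root[1]} on {port_name}, port err-disabled")
            return port.state
        superior = advertised_root < self.root
        if port.root_guard:
            if superior:
                port.state = "root-inconsistent"  # blocked; the bridge's root does not change
                self.events.append(f"rootguard: superior root {advertised_root} on {port_name}, port blocked")
            elif port.state == "root-inconsistent":
                port.state = "forwarding"         # superior BPDUs stopped: automatic recovery
                self.events.append(f"rootguard: {port_name} recovered")
            return port.state
        if superior:
            self.root = advertised_root           # unguarded port: ordinary STP root election
            self.events.append(f"stp: new root {advertised_root} learned via {port_name}")
        return port.state


def demo() -> Bridge:
    """Constructed scenario: a distribution switch with a core uplink, a guarded downlink, and a user port."""
    br = Bridge(root=(32768, "00:00:0c:00:00:01"))
    br.ports["Gi0/1"] = Port("Gi0/1", bpdu_guard=True)       # user port
    br.ports["Gi0/23"] = Port("Gi0/23", root_guard=True)     # downlink to an access switch
    br.ports["Gi0/24"] = Port("Gi0/24")                      # uplink towards the core
    br.receive_bpdu("Gi0/1", (0, "02:00:00:00:00:99"))       # priority-zero claim on a user port
    br.receive_bpdu("Gi0/23", (0, "02:00:00:00:00:99"))      # same claim arriving via the downlink
    br.receive_bpdu("Gi0/23", (32768, "00:00:0c:00:00:05"))  # normal BPDU again: downlink recovers
    br.receive_bpdu("Gi0/24", (4096, "00:00:0c:00:00:02"))   # legitimate better root from the core
    return br


if __name__ == "__main__":
    for line in demo().events:
        print(line)
```

The difference between the two guards is visible in the scenario: BPDU guard shuts the user port outright, while root guard only blocks the downlink for as long as the bogus superior BPDUs keep arriving, and the unguarded core uplink still accepts a legitimately better root.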
11. MAC Spoof
• ARP works by sending broadcasts to find the MAC address corresponding to an IP.
• The attacker overrides the CAM table entry so the switch forwards the packets destined for the host to the attacker. This allows the hacker to play MITM between two hosts or between the gateway and all hosts.
• The attacker takes advantage of Gratuitous ARPs (GARP, unsolicited ARP replies).
• Tools: Ettercap and Arpspoof. They send less than one ARP per second, so they are not detected by switch security features.
• This attack is limited to the VLAN; it cannot hop VLANs.
• Mitigation:
  • DHCP messages are used to build an IP-to-MAC binding table containing (MAC, IP, lease time, binding type, VLAN number). The DHCP snooping feature builds the binding table and Dynamic ARP Inspection verifies ARP messages against it.
  • Use Arpwatch, an open source tool that generates a log of IP-MAC pairings with timestamps.
  • Hard-code static ARP entries on the OS ("arp -s").
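The first two mitigations on this slide fit together: a binding table learned from DHCP (plus static entries for hosts such as the gateway that never lease an address) gives Dynamic ARP Inspection something to check each ARP reply against, and an arpwatch-style log of every IP-to-MAC change gives the operator the timestamped evidence. The following is an added example, not code from the slides, from any switch vendor or from arpwatch itself; the `ArpInspector` class, its message names, the addresses, ports and timestamps are all constructed.

```python
"""DHCP-snooping binding table, Dynamic ARP Inspection and an arpwatch-style
change log over constructed messages.

Added example, not from the slides or any vendor's or arpwatch's code. DHCP
ACKs arriving on the trusted server port populate a binding table of
(MAC, IP, lease time, binding type, VLAN); static bindings cover hosts
that never use DHCP, such as the gateway. Every ARP reply is checked
against the table (the DAI step) and every change of an IP's MAC is
logged with its timestamp, which is what arpwatch reports. Addresses,
ports and timestamps are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int          # seconds; 0 = static
    vlan: int
    binding_type: str   # "dhcp-snooping" or "static"


class ArpInspector:
    def __init__(self, trusted_ports: List[str]):
        self.trusted = set(trusted_ports)
        self.bindings: Dict[str, Binding] = {}   # ip -> binding
        self.last_seen: Dict[str, str] = {}      # ip -> mac, arpwatch-style pairing memory
        self.log: List[str] = []

    def add_static(self, mac: str, ip: str, vlan: int) -> None:
        self.bindings[ip] = Binding(mac, ip, 0, vlan, "static")

    def dhcp_ack(self, ts: str, port: str, mac: str, ip: str, lease: int, vlan: int) -> bool:
        """Only ACKs from a trusted (server-facing) port may create bindings."""
        if port not in self.trusted:
            self.log.append(f"{ts} snooping: DHCP ACK for {ip} from untrusted port {port} dropped")
            return False
        self.bindings[ip] = Binding(mac, ip, lease, vlan, "dhcp-snooping")
        return True

    def arp_reply(self, ts: str, sender_mac: str, sender_ip: str, vlan: int) -> bool:
        """Return True if the reply passes DAI and may be forwarded; log pairing changes either way."""
        prev = self.last_seen.get(sender_ip)
        if prev is None:
            self.log.append(f"{ts} new station {sender_ip} {sender_mac}")
        elif prev != sender_mac:
            self.log.append(f"{ts} changed ethernet address {sender_ip} {sender_mac} (was {prev})")
        self.last_seen[sender_ip] = sender_mac
        b = self.bindings.get(sender_ip)
        ok = b is not None and b.mac == sender_mac and b.vlan == vlan
        if not ok:
            self.log.append(f"{ts} DAI: dropped ARP reply {sender_ip} is-at {sender_mac} vlan {vlan}")
        return ok


def demo() -> ArpInspector:
    """Constructed sequence: a lease, legitimate replies, then a gratuitous reply claiming the gateway IP."""
    dai = ArpInspector(trusted_ports=["Gi0/24"])
    dai.add_static("00:00:0c:07:ac:01", "10.0.0.1", vlan=10)                                 # gateway
    dai.dhcp_ack("12:00:00", "Gi0/24", "00:11:22:33:44:55", "10.0.0.50", 86400, vlan=10)     # real server
    dai.dhcp_ack("12:00:01", "Gi0/7", "02:00:00:00:00:99", "10.0.0.60", 86400, vlan=10)      # untrusted port
    dai.arp_reply("12:00:05", "00:00:0c:07:ac:01", "10.0.0.1", vlan=10)    # gateway answers normally
    dai.arp_reply("12:00:06", "00:11:22:33:44:55", "10.0.0.50", vlan=10)   # leased host
    dai.arp_reply("12:00:07", "02:00:00:00:00:99", "10.0.0.1", vlan=10)    # GARP claiming the gateway
    return dai


if __name__ == "__main__":
    print("\n".join(demo().log))
```

Note the two layers of defence in the output: the switch-side DAI check drops the spoofed reply because no binding pairs the gateway IP with that MAC, and the arpwatch-style "changed ethernet address" line records the attempt even on a network where only the monitoring, not the enforcement, is deployed.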
12. Private VLAN
• PVLAN restricts communication between ports in the same VLAN by assigning ports roles (Isolated, Promiscuous and Community).
• The proxy attack sends a packet with the attacker's own IP/MAC as source, the destination IP of the target system and the MAC of the router (since switches are only MAC aware and routers only IP aware).
• This attack is unidirectional, as the PVLAN will block the victim's response.
• Mitigation:
  • Configure an access list on the router.
13. DHCP Starvation
• Broadcasts of DHCP requests with spoofed MAC addresses to exhaust the DHCP server's IP pool.
• According to RFC 2131, a hacker can introduce a rogue DHCP server assigning clients IP addresses and acting as MITM while a DHCP server is already running.
• Mitigation:
  • DHCP authentication (RFC 3118).
  • No known usage by any commercial or private implementation since its adoption in 2001, most probably due to non-scalable key distribution.
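Since the slide itself notes that RFC 3118 authentication has seen no real deployment, the checks actually used against these two attacks are the switch-side ones the deck introduces on the MAC Spoof slide (DHCP snooping) and lists as "ensure DHCP attack prevention" on the best-practice slide: refuse server-side DHCP messages on untrusted ports, and rate-limit ports that emit DISCOVERs from an implausible number of client MACs. The example below is added here, not code from the slides or any vendor; the `DhcpSnoop` class, the records, the port names, the 10-second window and the 5-MAC threshold are constructed.

```python
"""Rogue DHCP server and DHCP starvation checks in the style of DHCP snooping.

Added example, not from the slides: the records, ports, window and
threshold are constructed. Each record is (timestamp, switch port,
client MAC, DHCP message type). Two rules: server-originated messages
(OFFER, ACK, NAK) on a port not marked trusted are dropped, which stops a
rogue server from answering clients; and a port whose DISCOVERs carry
more distinct client MACs within a time window than a limit is flagged as
a starvation source and its further DISCOVERs are dropped.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
Record = Tuple[int, str, str, str]   # (ts seconds, port, client mac, message type)


class DhcpSnoop:
    def __init__(self, trusted_ports: List[str], window_s: int = 10, max_macs_per_window: int = 5):
        self.trusted = set(trusted_ports)
        self.window_s = window_s
        self.max_macs = max_macs_per_window
        self.recent: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)  # port -> (ts, mac)
        self.flagged: Set[str] = set()
        self.alerts: List[str] = []

    def process(self, ts: int, port: str, client_mac: str, msg: str) -> str:
        if msg in SERVER_MESSAGES and port not in self.trusted:
            self.alerts.append(f"t={ts} rogue DHCP server: {msg} from {client_mac} on untrusted {port}")
            return "drop-rogue-server"
        if msg == "DISCOVER":
            if port in self.flagged:
                return "drop-rate-limited"
            window = self.recent[port]
            window.append((ts, client_mac))
            while window and window[0][0] < ts - self.window_s:
                window.popleft()                       # expire records outside the window
            distinct = {mac for _, mac in window}
            if len(distinct) > self.max_macs:
                self.flagged.add(port)
                self.alerts.append(f"t={ts} starvation: {len(distinct)} client MACs in {self.window_s}s on {port}")
                return "drop-rate-limited"
        return "forward"


def run(records: List[Record], trusted_ports: List[str] = ("Gi0/24",)) -> Tuple[List[str], List[str]]:
    """Feed records through one snooping instance; return per-record verdicts and the alerts raised."""
    snoop = DhcpSnoop(trusted_ports=list(trusted_ports))
    verdicts = [snoop.process(*record) for record in records]
    return verdicts, snoop.alerts


# constructed traffic: one normal exchange, a rogue OFFER on a user port, then a starvation burst
RECORDS: List[Record] = [
    (0, "Gi0/5", "00:11:22:33:44:55", "DISCOVER"),   # normal client
    (1, "Gi0/24", "00:00:0c:aa:bb:cc", "OFFER"),     # real server behind the trusted uplink
    (2, "Gi0/7", "02:00:00:00:00:99", "OFFER"),      # rogue server answering on a user port
] + [(3 + i, "Gi0/9", f"02:00:00:00:01:{i:02x}", "DISCOVER") for i in range(8)]  # spoofed MACs


if __name__ == "__main__":
    verdicts, alerts = run(RECORDS)
    for record, verdict in zip(RECORDS, verdicts):
        print(record, "->", verdict)
    print("\n".join(alerts))
```

The sliding window matters for the starvation rule: a port that sees a handful of new clients over a day is normal, while eight different client MACs in eight seconds is not, so the deque drops records older than the window before the distinct-MAC count is compared with the threshold.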
14. Configuration best practice
• Use a dedicated VLAN for all trunk ports.
• Avoid using VLAN 1.
• Deploy port security.
• Set user ports to non-trunking.
• Use ARP security options.
• Use BPDU guard and root guard.
• Use PVLANs.
• Disable CDP.
• Disable unused ports and put them in an unused VLAN.
• Ensure DHCP attack prevention.
15. References & Links
• http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/sfblu_wp.pdf
• http://www.terena.org/events/archive/tnc2003/programme/slides/s1c3.ppt
• http://www.sanog.org/resources/sanog7/yusuf-L2-attack-mitigation.pdf
• http://www.cisco.at/endkunden/pdf/Tkrewedl_abrauma_CISF_SW_L2_Sec_TK.pdf
• http://www.seanconvery.com/SEC-2002.pdf
• http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.pdf
• http://seclab.cs.ucdavis.edu/papers/Marro_masters_thesis.pdf
• http://www.blackhat.com/presentations/bh-usa-01/MikeBeekey/bh-usa-01-Mike-Beekey.ppt
• http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2004.pdf
• http://monkey.org/~dugsong/dsniff
• http://www.yersinia.net/

