© 2006 Cisco Systems, Inc. All rights reserved.
SND v2.0—3-1
Securing LAN and WLAN Devices
Mitigating Layer 2 Attacks
Outline
• Overview
• Mitigating VLAN Hopping Attacks
• Preventing STP Manipulation
• Mitigating DHCP Server Spoofing with DHCP Snooping
• Mitigating ARP Spoofing with DAI
• CAM Table Overflow Attacks
• MAC Address Spoofing Attacks
• Using Port Security to Prevent Attacks
• Configuring Cisco Catalyst Switch Port Security
• Layer 2 Best Practices
• Summary
VLAN Hopping by Switch Spoofing
[Figure: a Rogue station negotiates a Trunk Port with the switch, which connects onward through another Trunk Port.]
• An attacker tricks a network switch into believing that it is a legitimate switch on the network needing trunking.
• Auto trunking allows the rogue station to become a member of all VLANs.
Note: There is no way to execute switch spoofing attacks unless the switch is misconfigured.
VLAN Hopping by Double Tagging
• The attacker sends double-encapsulated 802.1Q frames.
• The switch performs only one level of decapsulation.
• Only unidirectional traffic is passed.
• The attack works even if the trunk ports are set to “off”.
[Figure: the Attacker (VLAN 10) sends a frame carrying two tags, 802.1Q 10 and 802.1Q 20, into the first switch. The first switch strips off the first tag and sends the frame back out over the Trunk (Native VLAN = 10) as 802.1Q 20, Frame; the second switch delivers it to the Victim (VLAN 20).]
Note: This attack works only if the trunk has the same native VLAN as the attacker.
Note: There is no way to execute these attacks unless the switch is misconfigured.
Mitigating VLAN Hopping Network Attacks
Example 1: If no trunking is required on an interface
Router(config-if)# switchport mode access
Example 2: If trunking is required
Router(config-if)# switchport mode trunk
Router(config-if)# switchport nonegotiate
Example 3: If trunking is required
Router(config-if)# switchport trunk native vlan <vlan-number>
• Disable trunking on the interface.
• Enable trunking but prevent DTP frames from being generated.
• Set the native VLAN on the trunk to an unused VLAN.
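Added example (not from the course material): the three mitigations above combined on one access-layer switch, with a user-facing access port and a statically configured uplink trunk. The hostname, interface names and VLAN numbers (access VLAN 20, allowed VLANs 10 and 20, unused native VLAN 999) are assumptions.

```cisco
! Added example (not from the course): hardening against switch spoofing
! and double tagging. Interface names and VLAN numbers are assumptions.
!
! Reserve a VLAN that carries no user ports; it will serve as the trunk native VLAN.
Switch(config)# vlan 999
Switch(config-vlan)# name UNUSED-NATIVE
Switch(config-vlan)# exit
!
! Example 1: user port, no trunking needed. Access mode plus "nonegotiate"
! means the port never sends or answers DTP, so a rogue station cannot
! talk it into becoming a trunk.
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20
Switch(config-if)# switchport nonegotiate
Switch(config-if)# exit
!
! Examples 2 and 3: uplink that must trunk. The trunk is forced on (no DTP),
! the native VLAN is moved to the unused VLAN so no access port shares it
! (which is what double tagging relies on), and only the VLANs that have to
! cross the link are allowed.
Switch(config)# interface GigabitEthernet0/1
! "encapsulation dot1q" is only accepted on platforms that also support ISL;
! omit it on switches that speak 802.1Q only.
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
Switch(config-if)# switchport trunk native vlan 999
Switch(config-if)# switchport trunk allowed vlan 10,20
Switch(config-if)# end
!
! Verification: the trunk should show mode "on" (not desirable/auto) and
! native VLAN 999; the access port should show "Negotiation of Trunking: Off".
Switch# show interfaces trunk
Switch# show interfaces GigabitEthernet0/1 switchport
Switch# show interfaces FastEthernet0/1 switchport
```

With the native VLAN set to 999 and no access port in that VLAN, a double-tagged frame arriving on an access port in VLAN 10 keeps its outer tag when it leaves this trunk, so the inner tag is never exposed to the next switch.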
STP Attack
• On booting the switch, STP identifies one switch as a root bridge and blocks other redundant data paths.
• STP uses BPDUs to maintain a loop-free topology.
[Figure: switches A, B and Root connected in a triangle; each port is marked F or B, and the redundant link is blocked (X). Legend: F = Forwarding Port, B = Blocking Port.]
STP Attack (Cont.)
[Figure, left: the attacker, dual-homed to two Access Switches below the Root, sends spoofed STP BPDUs. Right: the attacker is now the root bridge; the former root's link is blocked (X) and the ports toward the attacker are forwarding (F).]
• The attacker sends spoofed BPDUs to change the STP topology.
• The attacker now becomes the root bridge.
Mitigating STP Attacks with bpdu-guard and guard root Commands
• Mitigate STP manipulation with the bpduguard command (global form; enables BPDU guard on all PortFast ports):
IOS(config)# spanning-tree portfast bpduguard default
• Mitigate STP manipulation with the guard root command:
IOS(config-if)# spanning-tree guard root
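Added example (not from the course material) that applies both commands on an access-layer switch: BPDU guard on the user-facing PortFast ports, root guard on the downlinks where a superior BPDU should never arrive. Interface ranges are assumptions.

```cisco
! Added example (not from the course): locking down STP on an access switch.
! Interface ranges are assumptions.
!
! BPDU guard: a PortFast (edge) port that receives any BPDU is err-disabled,
! so an end station cannot inject spoofed BPDUs. Enabled globally for every
! PortFast port, and explicitly on the user range as well so it survives
! a later change to the global default.
Switch(config)# spanning-tree portfast bpduguard default
Switch(config)# interface range FastEthernet0/1 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# spanning-tree portfast
Switch(config-if-range)# spanning-tree bpduguard enable
Switch(config-if-range)# exit
!
! Root guard: on ports that must never lead toward the root bridge (here,
! downlinks toward other access switches), a superior BPDU puts the port
! into root-inconsistent (blocking) state instead of letting the sender
! take over as root. Do not apply it on the uplink toward the real root.
Switch(config)# interface range GigabitEthernet0/1 - 2
Switch(config-if-range)# spanning-tree guard root
Switch(config-if-range)# exit
!
! Optional: bring err-disabled ports back automatically after the recovery
! interval instead of requiring a manual shutdown / no shutdown.
Switch(config)# errdisable recovery cause bpduguard
Switch(config)# end
!
! Verification: summary shows BPDU guard "enabled by default"; the second
! command lists any port currently held root-inconsistent.
Switch# show spanning-tree summary
Switch# show spanning-tree inconsistentports
Switch# show errdisable recovery
```

A port that root guard has blocked returns to forwarding on its own once the superior BPDUs stop; a port that BPDU guard has err-disabled stays down until the recovery timer fires or an administrator bounces it, so the two guards also differ in how loud a violation is in the logs.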
Spoofing the DHCP Server
1. An attacker activates a DHCP server on a network segment.
2. The client broadcasts a request for DHCP configuration information.
3. The rogue DHCP server responds before the legitimate DHCP server can respond, assigning attacker-defined IP configuration information.
4. Host packets are redirected to the attacker address as it emulates a default gateway for the erroneous DHCP address provided to the client.
[Figure: Client, Rogue DHCP Attacker and Legitimate DHCP Server on the same segment.]
DHCP Snooping
• DHCP snooping allows the configuration of ports as trusted or untrusted.
  – Trusted ports can send DHCP requests and acknowledgements.
  – Untrusted ports can forward only DHCP requests.
• DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, VLAN, and port ID.
• Use the ip dhcp snooping command.
[Figure: the same topology as the previous slide: Client, Rogue DHCP Attacker and Legitimate DHCP Server.]
ARP Spoofing: Man-in-the-Middle Attacks
[Figure: hosts A (IP 10.1.1.2, MAC A.A.A.A), B (IP 10.1.1.1, MAC B.B.B.B) and C, the attacker (IP 10.1.1.3, MAC C.C.C.C), on one switch.]
1. Host A asks: ? MAC for 10.1.1.1
2. Legitimate ARP reply from B: 10.1.1.1 = MAC B.B.B.B
3. Subsequent gratuitous ARP replies from C overwrite the legitimate replies: 10.1.1.1 bound to C.C.C.C, 10.1.1.2 bound to C.C.C.C
Resulting ARP tables:
ARP table in host A: 10.1.1.1 = MAC C.C.C.C
ARP table in host B: 10.1.1.2 = MAC C.C.C.C
ARP table in host C: 10.1.1.1 = MAC B.B.B.B, 10.1.1.2 = MAC A.A.A.A
Legend: A = host A, B = host B, C = host C
Mitigating Man-in-the-Middle Attacks with DAI
MAC or IP Tracking Built on DHCP Snooping
[Figure: a client (10.1.1.2) sends a DHCP Discovery (BCAST); the DHCP Server (10.1.1.1) answers with a DHCP Offer (UCAST); the switch records the resulting MAC-to-IP pairing.]
DAI provides protection against attacks such as ARP poisoning using spoofing tools such as ettercap, dsniff, and arpspoof.
DAI function:
• Track Discovery
• Track DHCP Offer MAC or IP
• Track subsequent ARPs for MAC or IP
DAI in Action
A binding table containing IP-address and MAC-address associations is dynamically populated using DHCP snooping.
[Figure: the binding table holds 10.1.1.1 (the gateway) and 10.1.1.2 (the client). The attacker sends a GARP claiming “I am your gateway: 10.1.1.1”; the switch checks it against the binding table and concludes “Attacker is not gateway according to this binding table”, so the client keeps “Gateway is 10.1.1.1”.]
• A GARP is sent to attempt to change the IP address to MAC bindings.
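Added example (not from the course material) that serves both the DHCP snooping slide and the two DAI slides: snooping builds the binding table for VLAN 10, and DAI then validates every ARP on untrusted ports against it. The VLAN number, interface names and rate limits are assumptions, as is the choice of GigabitEthernet0/1 as the uplink through which the legitimate DHCP server and the gateway are reached.

```cisco
! Added example (not from the course): DHCP snooping and DAI for VLAN 10.
! VLAN number, interface names and rate limits are assumptions.
!
! --- DHCP snooping ---
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
! Option 82 insertion is on by default; turn it off unless the DHCP server
! is set up to accept relay-agent information from a non-relay.
Switch(config)# no ip dhcp snooping information option
! Keep the binding table across a reload, otherwise DAI starts empty.
Switch(config)# ip dhcp snooping database flash:dhcp-snoop.db
!
! Uplink toward the legitimate DHCP server: trusted, so server messages
! (OFFER/ACK) are forwarded.
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
!
! Client ports stay untrusted (the default): server messages arriving here,
! i.e. from a rogue DHCP server, are dropped, and client requests are rate
! limited so one host cannot flood DISCOVERs and exhaust the address pool.
Switch(config)# interface range FastEthernet0/1 - 24
Switch(config-if-range)# ip dhcp snooping limit rate 15
Switch(config-if-range)# exit
!
! --- DAI, built on the snooping binding table ---
Switch(config)# ip arp inspection vlan 10
! Also check that the MAC addresses inside the ARP body match the Ethernet
! header and that the IP addresses are not bogus (0.0.0.0, multicast, ...).
Switch(config)# ip arp inspection validate src-mac dst-mac ip
!
! The uplink carries ARP from devices the switch holds no bindings for
! (the gateway, other switches), so it is trusted for DAI too.
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit
!
! Untrusted client ports: an ARP whose sender IP/MAC pair is not in the
! binding table is dropped and logged, which is what stops the attacker's
! gratuitous ARP in the figure above. The rate limit err-disables a port
! that sends more than 15 ARPs per second.
Switch(config)# interface range FastEthernet0/1 - 24
Switch(config-if-range)# ip arp inspection limit rate 15
Switch(config-if-range)# exit
Switch(config)# errdisable recovery cause arp-inspection
Switch(config)# end
!
! Verification
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
Switch# show ip arp inspection vlan 10
Switch# show ip arp inspection statistics vlan 10
```

Hosts with static IP addresses never appear in the snooping binding table, so DAI drops their ARP; for those, a static `arp access-list` applied with `ip arp inspection filter` is the supported way to supply bindings. The statistics command is the first place to look when a host reports it cannot reach the gateway after DAI is enabled: a rising "DHCP Drops" counter on its port almost always means a missing binding rather than an attack.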
“Learns” by Flooding the Network
[Figure: hosts MAC A, MAC B and MAC C on Port 1, Port 2 and Port 3. CAM table: A → Port 1, C → Port 3. Host A sends A->B; the frame is flooded out Port 2 and Port 3.]
• The CAM table is incomplete.
• MAC B is unknown, so the switch will flood the frame.
• MAC C “sees” traffic to MAC B.
CAM Learns MAC B Is on Port 2
[Figure: host B replies B->A on Port 2. CAM table: A → Port 1, B → Port 2, C → Port 3.]
• Host C drops the packet addressed to host B.
• CAM learns that MAC B is on Port 2.
Legend: MAC A = host A, MAC B = host B, MAC C = host C
CAM Table Is Updated—Flooding Stops
[Figure: host A sends A->B; the frame now leaves only on Port 2. CAM table: A → Port 1, B → Port 2, C → Port 3.]
• CAM has learned MAC B is on Port 2.
• MAC C does not “see” traffic to MAC B anymore.
• CAM tables are limited in size.
Legend: MAC A = host A, MAC B = host B, MAC C = host C
Intruder Launches macof Utility
[Figure: the intruder on MAC C (Port 3) sends frames X->? and Y->?. CAM table before: A → Port 1, B → Port 2, C → Port 3; after the first bogus frame: X → Port 3, B → Port 2, C → Port 3; after the second: X → Port 3, Y → Port 3, C → Port 3.]
• Intruder runs macof on MAC C.
• Macof starts sending unknown bogus MAC addresses.
• X is on Port 3 and CAM is updated.
• Y is on Port 3 and CAM is updated.
• Bogus addresses are added to the CAM table.
The CAM Table Overflows—Switch Crumbles Under the Pressure
[Figure: CAM table: X → Port 3, Y → Port 3, C → Port 3. Host A sends A->B; the frame is flooded out Port 2 and Port 3.]
• The CAM table is full, so Port 3 is closed.
• MAC B is unknown, so the switch floods the frame looking for MAC B.
Legend: MAC A = host A, MAC B = host B, MAC C = host C
MAC Address Spoofing Attack
[Figure: four stages. Hosts A, B and C sit on switch ports 1, 2 and 3; host B is the attacker. Switch Port Table: A → 1, B → 2, C → 3. The attacker sends frames with SRC: MAC (A); the Spoofed Switch Port Table now lists A,B → 2 and C → 3, so frames with DEST MAC: A are delivered to port 2 (the attacker). The Updated Switch Port Table shows the mapping restored to A → 1, B → 2, C → 3 once host A transmits again.]
Legend: SRC = Source, DEST = Destination
Using Port Security to Mitigate Attacks
Port security can mitigate attacks by these methods:
• Blocking input to a port from unauthorized MAC addresses
• Filtering traffic to or from a specific host based on the host MAC address
Port security mitigates these:
• CAM table overflow attacks
• MAC address spoofing attacks
Port Security Fundamentals
• This feature restricts input to an interface by limiting and identifying MAC addresses of end devices.
• Secure MAC addresses are included in an address table in one of these ways:
  – Use the switchport port-security mac-address mac_address interface configuration command to configure all secure MAC addresses
  – Allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices
  – Configure some addresses and allow the rest to be configured dynamically
• Configure “restrict” or “shutdown” violation rules.
Port Security Configuration
Secure MAC addresses are these types:
• Static secure MAC addresses
• Dynamic secure MAC addresses
• Sticky secure MAC addresses
Security violations occur in these situations:
• A station whose MAC address is not in the address table attempts to access the interface when the table is full.
• An address is being used on two secure interfaces in the same VLAN.
Port Security Defaults
Feature                                  Default Setting
Port security                            Disabled on a port
Maximum number of secure MAC addresses   1
Violation mode                           Shutdown (The port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent.)
Configuring Port Security on a Cisco Catalyst Switch
1. Enter global configuration mode.
2. Enter interface configuration mode for the port that you want to secure.
3. Enable basic port security on the interface.
4. Set the maximum number of MAC addresses allowed on this interface.
5. Set the interface security violation mode. The default is shutdown. For mode, select one of these keywords:
   • shutdown
   • restrict
   • protect
6. Return to privileged EXEC mode.
7. Verify the entry.
Port Security Configuration Script
Switch# configure terminal
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 50
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 20
Switch(config-if)# end
Use these configuration parameters:
• Enable port security on Fast Ethernet port 1
• Set the maximum number of secure addresses to 50
• Set violation mode to default
• No static secure MAC addresses needed
• Enable sticky learning
Verify the Configuration
Switch# show port-security interface fastethernet0/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses :50
Total MAC Addresses: 11
Configured MAC Addresses: 0
Sticky MAC Addresses :11
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0
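Added example (not from the course material) that goes one step beyond the script above: a port combining one static secure address with sticky learning, the restrict violation mode instead of the shutdown default, inactivity aging, and automatic recovery from a violation. The interface name, the MAC address (constructed) and the timers are assumptions.

```cisco
! Added example (not from the course): port security on an access port with
! a static entry, sticky learning and the restrict violation mode.
! Interface name, MAC address and timers are assumptions.
!
! Global: let a port that was shut down by a violation recover on its own
! after the recovery interval instead of staying err-disabled until an
! administrator acts.
Switch(config)# errdisable recovery cause psecure-violation
!
! A port with one known device and one spare slot for whatever is learned next.
Switch(config)# interface FastEthernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
! Two addresses: one static (configured), one sticky (learned, then kept).
Switch(config-if)# switchport port-security maximum 2
! Constructed MAC address for the known device.
Switch(config-if)# switchport port-security mac-address 0011.2233.4455
Switch(config-if)# switchport port-security mac-address sticky
! restrict: frames from any further MAC are dropped, the violation counter
! increments and an SNMP trap/syslog fires, but the port stays up for the
! allowed hosts. (shutdown err-disables the port; protect drops silently
! and leaves no count, so it is the hardest mode to monitor.)
Switch(config-if)# switchport port-security violation restrict
! Age out dynamic entries after 10 minutes without traffic so a device that
! has moved does not hold the spare slot forever.
Switch(config-if)# switchport port-security aging time 10
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# end
!
! Sticky addresses are written into the running configuration; save it or
! they are relearned (possibly by a different device) after a reload.
Switch# copy running-config startup-config
!
! Verification: the interface view shows the violation mode and count, the
! address view shows which entries are SecureConfigured vs SecureSticky,
! and the summary view lists every secured port with its current count.
Switch# show port-security interface FastEthernet0/2
Switch# show port-security address
Switch# show port-security
```

The "Security Violation count" field and the syslog message that restrict mode generates are the detection signal here: a count that keeps rising on a port that should only ever see two devices is worth investigating before a CAM overflow or a spoofed source MAC becomes a bigger problem.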
Layer 2 Best Practices
• Restrict management access to the switch so that parties on nontrusted networks cannot exploit management interfaces and protocols such as SNMP.
• Avoid using clear text management protocols on a hostile network.
• Turn off unused and unneeded network services.
• Use port security mechanisms to limit the number of allowed MAC addresses to provide protection against a MAC flooding attack.
• Use a dedicated native VLAN ID for all trunk ports.
• Shut down unused ports in the VLAN.
• Prevent denial-of-service attacks and other exploits by locking down the Spanning Tree Protocol and other dynamic protocols.
• Avoid using VLAN 1, where possible, for trunk and user ports.
• Use DHCP snooping and DAI to mitigate man-in-the-middle attacks.
Summary
• Disabling auto trunking mitigates VLAN hopping attacks.
• The guard root command and the bpduguard command mitigate STP attacks.
• DAI can protect against man-in-the-middle attacks.
• To prevent DHCP attacks, use the DHCP snooping and the port security feature on the Cisco Catalyst switches.
• Mitigate CAM table overflow attacks with Cisco IOS software commands.
• Configuring port security can prevent MAC address spoofing attacks.
• Limiting the number of valid MAC addresses allowed on a port provides many benefits.
• Configure port security with Cisco IOS software commands.
• Following best practices mitigates Layer 2 attacks.