Sunday, 1 April 2012

L2 security

VLAN hopping
Can be done via switch spoofing or double tagging. Switch spoofing means connecting a rogue switch to a switch port so that it negotiates a trunk over DTP. To avoid it on user ports we need to disable trunking:

Cat3550(config-if)# switchport mode access

And on ports that must be trunks, configure the trunk statically and prevent use of DTP:
Cat3550(config-if)# switchport trunk encapsulation dot1q
Cat3550(config-if)# switchport mode trunk
Cat3550(config-if)# switchport nonegotiate


To avoid double tagging, do not use the native VLAN of the trunk for connecting users.

STP attacks
Root guard - if a port starts receiving superior BPDUs, the port is blocked and all user data through it is stopped; once the superior BPDUs stop, the port begins to forward packets again.
SW1(config)# interface gigabitethernet 0/1
SW1(config-if)# spanning-tree guard root


BPDU guard - if a port receives a BPDU, it is put into the err-disabled state. Used together with the PortFast feature.
SW1(config)# interface gigabitethernet 0/2
SW1(config-if)# spanning-tree bpduguard enable
or in global mode, for all PortFast ports:
SW1(config)# spanning-tree portfast bpduguard default

DHCP Starvation attack
An attacker sends a lot of DHCP requests from bogus MAC addresses and occupies all addresses in the DHCP pool. Then he introduces his own DHCP server.

DHCP spoofing
The DHCP snooping feature on Cisco Catalyst switches will help. There are two port states: trusted and untrusted. When the feature is enabled, all ports are untrusted by default. Trusted ports are allowed to receive DHCP server responses; untrusted ports are not, and they are err-disabled if they receive such responses.

SW1(config)# ip dhcp snooping
SW1(config)# interface gigabitethernet 0/4
SW1(config-if)# ip dhcp snooping trust

SW1# show ip dhcp snooping
SW1# show ip dhcp snooping binding

DHCP DoS attack
Somebody may send tons of DHCP requests from different MAC addresses. It is possible to limit the number of DHCP requests per second on a port, for instance to 3:
SW1(config)# interface gigabitethernet 0/5
SW1(config-if)# ip dhcp snooping limit rate 3

ARP spoofing
We can protect from this using the DAI (Dynamic ARP Inspection) feature, which checks ARP packets on untrusted ports against the DHCP snooping binding table.
SW1(config)# ip arp inspection vlan 10
SW1(config)# interface gigabitethernet 0/6
SW1(config-if)# ip arp inspection trust

SW1#show ip arp inspection vlan 123


Static ARP access list (for hosts with static addresses that have no DHCP snooping binding)
arp access-list ACL_NAME
permit ip host 1.1.1.1 mac 1111.1111.1111
ip arp inspection filter ACL_NAME vlan 123
show arp access-list ACL_NAME 

Auto recovery of port
errdisable recovery cause arp-inspection
errdisable recovery interval 30 

Validate the sender IP, source MAC and destination MAC in the ARP payload (the options can be combined in one command):
ip arp inspection validate src-mac dst-mac ip


CAM table overflow attack, MAC address spoofing
The attacker sends thousands of frames to the switch with bogus MAC addresses, which fills up the CAM table. Then when the switch gets a new frame it just floods it to all ports, because the destination MAC is unknown to it. Consequently, the attacker can now listen to all traffic in this VLAN.
The port-security command can be used to mitigate this: it defines the maximum number of MAC addresses per port.
For using port security we have to explicitly configure the port as an access or trunk port.
When we configure port security for a trunk port we can set the limits per specific VLAN.
We can also use aging for port security in dynamic mode.

Port security can be static, dynamic and sticky.
Sticky - dynamically learns MAC addresses on a port and puts them into the running config as static entries. Then we just have to save the running config to startup.

Violation actions can be
Protect - drops frames from unknown MAC addresses once the maximum (5 in the example below) is reached - no alerts, no syslog messages, no SNMP traps - not a very good option
Restrict - the same as Protect, but with alerts
Shutdown - the default action - err-disables the port + alerts
Shutdown vlan - the same as Shutdown, but only for the offending VLAN on the port

SW1(config-if)# switchport port-security maximum 5
SW1(config-if)# switchport port-security aging type inactivity
SW1(config-if)# switchport port-security aging time 5
SW1(config-if)# switchport port-security violation restrict
SW1(config-if)# switchport port-security mac-address 0000.0000.0000
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security mac-address sticky

Source guard
Protects from IP spoofing and MAC spoofing
int gig 0/2
ip verify source port-security

ip source binding b827.eb51.1af6 vlan 123 10.123.0.50 interface gig 0/2
show ip verify source
show ip source binding

Storm control
Configured in interface context; we can monitor broadcast, unicast and multicast traffic. Thresholds are based on pps, bps or interface utilization (rising and falling levels).
storm-control broadcast level pps 500 100
storm-control action shutdown
errdisable recovery cause storm-control
errdisable recovery interval 60
show storm-control broadcast
