Hacking Layer 2: Fun with Ethernet Switches
Sean Convery, Cisco ([email protected])
© 2002, Cisco Systems, Inc. All rights reserved. l2-security-bh.ppt

Slide 10: Normal CAM Behaviour 1/3
(diagram: MAC A, MAC B, MAC C on Port 1, Port 2, Port 3; A->B, A->B; B Unkno)

Slide 11: Normal CAM Behaviour 2/3
(diagram: B->A; A Is on Port 1; Learn: B Is on Port 2; B->A; MAC A)

Slide 12: Normal CAM Behaviour 3/3
(diagram: A->B, A->B; B Is on Port 2; "I Do Not See Traffic to B!")

Slide 13: CAM Overflow 1/3
• Theoretical attack until May 1999
• macof tool since May 1999

Slide 14: CAM Overflow 2/3
(diagram: X->?, X Is on Port 3; Y->?, Y Is on Port 3; MAC A, MAC B, MAC C, Port)

Slide 15: CAM Overflow 3/3
(diagram: MAC A, MAC B, MAC C on Port 1, Port 2, Port 3; A->B, A->B; B Unknown… Flood)

Slide 16: Catalyst CAM Tables
• Catalyst switches use a hash to place MACs in the CAM table

Slide 17: MAC Flooding Switches with Macof
• [root@attack-lnx dsniff-2.3]# ./macof
• b5:cf

Slide 18: CAM Table Full!
• Dsniff (macof) can generate 155,000 MAC entries on a switch pe

Slide 19: MAC Flooding Attack Mitigation
• Port Security: capabilities are dependent on the

Slide 2: Agenda
• Layer 2 Attack Landscape
• Specific Attacks and Countermeasures (Cisco and

Slide 20: MAC Flooding Attack Mitigation (continued)
• Beware management burden and performance hit
• Lots of platform-specific opti
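The CAM behaviour of slides 10 through 19, as a small Python model. This is an added example, not code from the deck or from dsniff: a learning switch with a fixed-size CAM table and idle-entry aging, a macof-style flood from port 3 that fills the table so that a later A->B frame is flooded out to the attacker, and the same switch with port security (one MAC per port, violation action shutdown) as the mitigation. The capacity of 8 entries, the 300-tick aging timer, the flat (unhashed) table and all MAC addresses are simplifying assumptions for the demo, not Catalyst internals.

```python
import random


class LearningSwitch:
    """Transparent bridge with a fixed-size CAM table and idle-entry aging.

    Simplifying assumptions (not Catalyst internals): a flat table of
    cam_capacity slots instead of hashed buckets, and a single aging timer.
    """

    def __init__(self, ports, cam_capacity=8, max_age=300):
        self.ports = list(ports)
        self.capacity = cam_capacity
        self.max_age = max_age
        self.cam = {}  # mac -> (port, last_seen)

    def active_ports(self):
        return self.ports

    def _age_out(self, now):
        stale = [m for m, (_, seen) in self.cam.items() if now - seen > self.max_age]
        for m in stale:
            del self.cam[m]

    def forward(self, src, dst, in_port, now):
        """Process one frame at time `now`; return the list of egress ports."""
        self._age_out(now)
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = (in_port, now)  # learn, or refresh an existing entry
        # otherwise the table is full and src is simply not learned (macof's goal)
        entry = self.cam.get(dst)
        if entry is None or entry[0] == in_port:
            return [p for p in self.active_ports() if p != in_port]  # unknown dst: flood
        return [entry[0]]


class PortSecuredSwitch(LearningSwitch):
    """Same bridge with port security: at most max_macs source MACs per port,
    violation action 'shutdown' (port is err-disabled and stops forwarding)."""

    def __init__(self, ports, cam_capacity=8, max_age=300, max_macs=1):
        super().__init__(ports, cam_capacity, max_age)
        self.max_macs = max_macs
        self.errdisabled = set()

    def active_ports(self):
        return [p for p in self.ports if p not in self.errdisabled]

    def forward(self, src, dst, in_port, now):
        if in_port in self.errdisabled:
            return []
        self._age_out(now)
        on_port = sum(1 for port, _ in self.cam.values() if port == in_port)
        if src not in self.cam and on_port >= self.max_macs:
            self.errdisabled.add(in_port)  # security violation: shut the port
            return []
        return super().forward(src, dst, in_port, now)


def random_mac(rng):
    # locally administered unicast address, like the bogus sources macof emits
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def macof_scenario(switch, n_bogus=50):
    """Constructed traffic: A (port 1) and B (port 2) talk, then an attacker on
    port 3 floods bogus source MACs while A and B sit idle long enough to age out.
    Returns the egress ports of an A->B frame before and after the flood; port 3
    in the second list means the attacker now receives A's traffic to B."""
    rng = random.Random(1)
    a, b = "00:00:0c:00:00:0a", "00:00:0c:00:00:0b"  # made-up host MACs
    switch.forward(a, b, in_port=1, now=0)           # B unknown: flooded, A learned
    switch.forward(b, a, in_port=2, now=1)           # B learned on port 2
    before = switch.forward(a, b, in_port=1, now=2)  # unicast to port 2 only
    for i in range(n_bogus):
        switch.forward(random_mac(rng), "ff:ff:ff:ff:ff:ff", in_port=3, now=400 + i)
    after = switch.forward(a, b, in_port=1, now=460)
    return before, after


if __name__ == "__main__":
    print("plain switch:  ", macof_scenario(LearningSwitch([1, 2, 3])))
    print("port security: ", macof_scenario(PortSecuredSwitch([1, 2, 3])))
```

On the plain switch the second A->B frame goes to ports 2 and 3, because A and B aged out while the table was full of bogus entries and could not be relearned. With port security the attacker's second bogus source err-disables port 3 and A->B stays a unicast to port 2, which is the management trade-off slide 20 warns about: a legitimate host that moves or a hub behind the port triggers the same shutdown.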
Slide 21: VLAN "Hopping" Attacks

Slide 22: Trunk Port Refresher
• Trunk ports have access to all VLANs by default
• Used to

Slide 23: Cisco Switching Control Protocols
• Used to negotiate trunk status, exchange VL

Slide 24: For the Detail Oriented: 802.3 w/802.2 SNAP
If you like this sort of thing: htt

Slide 25: Dynamic Trunking Protocol (DTP)
• What is DTP? Automates ISL/802.1Q trunk configurat

Slide 26: Basic VLAN Hopping Attack
• A station can spoof as a switch with ISL or 802.1Q

Slide 27: Double Encapsulated 802.1Q VLAN Hopping Attack
• Send double encapsulated 802.1Q

Slide 28: Double Encap 802.1Q Ethereal Capture
(capture annotations: Outer Tag, Attacker VLAN; Inner Tag, Victim)

Slide 29: Disabling Auto-Trunking
• Defaults change depending on switch; always check: From

Slide 3: Caveats
• All attacks and mitigation techniques assume a switched Ethernet network

Slide 30: Security Best Practices for VLANs and Trunking
• Always use a dedicated VLAN ID
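The double-tagging attack of slides 27 and 28 and the dedicated-native-VLAN advice of slide 30, as an added Python example (not code from the deck): raw 802.1Q frame building and parsing, a first switch that pops the outer tag when it matches the trunk's native VLAN, and a second switch that classifies the frame by whatever tag is left. VLAN IDs 10 (attacker), 20 (victim) and 999 (dedicated native VLAN) and the MAC addresses are made up for the demo. That a tagged frame arriving on an access port is accepted when its tag matches the port's VLAN is the attack's stated premise, not a claim about any particular switch.

```python
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, vlans, payload, ethertype=ETH_P_IP):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first.
    Each tag is TPID 0x8100 + TCI; PCP/DEI are left 0 so the TCI is the VID."""
    frame = dst + src
    for vid in vlans:
        frame += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into addresses, VIDs (outer->inner), ethertype and payload."""
    dst, src = frame[:6], frame[6:12]
    off, vlans = 12, []
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vlans.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return {"dst": dst, "src": src, "vlans": vlans,
            "ethertype": ethertype, "payload": frame[off + 2:]}


def access_port_ingress(frame, access_vlan):
    """Switch 1, attacker-facing access port. Untagged frames and frames tagged
    with the port's own VLAN are accepted into access_vlan; any deeper tag is
    just payload to this switch and rides along untouched. Other VIDs are dropped."""
    f = parse_frame(frame)
    if f["vlans"] and f["vlans"][0] != access_vlan:
        return None
    inner = f["vlans"][1:]
    return build_frame(f["dst"], f["src"], [access_vlan] + inner, f["payload"], f["ethertype"])


def trunk_egress(frame, native_vlan):
    """Switch 1, trunk toward switch 2. The native VLAN is carried untagged, so
    its tag is popped; every other VLAN keeps its tag. This single pop is the
    'one level of decapsulation' the attack relies on."""
    f = parse_frame(frame)
    vlans = f["vlans"][1:] if f["vlans"] and f["vlans"][0] == native_vlan else f["vlans"]
    return build_frame(f["dst"], f["src"], vlans, f["payload"], f["ethertype"])


def trunk_ingress_vlan(frame, native_vlan):
    """Switch 2, trunk from switch 1: untagged frames belong to the native VLAN,
    tagged frames to the VID in their (now outermost) tag."""
    f = parse_frame(frame)
    return f["vlans"][0] if f["vlans"] else native_vlan


def double_tag_attack(attacker_vlan, victim_vlan, trunk_native_vlan):
    """Attacker sends outer tag = own VLAN, inner tag = victim VLAN.
    Returns the VLAN switch 2 delivers the frame into, or None if dropped."""
    frame = build_frame(mac("ff:ff:ff:ff:ff:ff"), mac("00:0c:29:aa:bb:cc"),
                        [attacker_vlan, victim_vlan], b"hello from VLAN %d" % attacker_vlan)
    frame = access_port_ingress(frame, attacker_vlan)
    if frame is None:
        return None
    frame = trunk_egress(frame, trunk_native_vlan)
    return trunk_ingress_vlan(frame, trunk_native_vlan)


if __name__ == "__main__":
    # native VLAN == attacker VLAN: the frame hops into the victim VLAN (one way only)
    print("native = attacker VLAN ->", double_tag_attack(10, 20, 10))
    # dedicated, unused native VLAN on the trunk: the frame stays in VLAN 10
    print("dedicated native VLAN  ->", double_tag_attack(10, 20, 999))
```

The attack is unidirectional: nothing on the victim VLAN can answer with a frame that will be double-untagged on the way back, which is why it suits injection rather than interception. Moving the native VLAN to an ID no access port uses leaves the outer tag in place on the trunk, so the inner tag is never exposed.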
Slide 31: ARP Attacks

Slide 32: ARP Refresher
• An ARP request message should be placed in a frame and broadcast

Slide 33: Gratuitous ARP
• Gratuitous ARP is used by hosts to "announce" their IP address

Slide 34: Misuse of Gratuitous ARP
• ARP has no security or ownership of IP or MAC address

Slide 35: A Test in the Lab
• Hosts X and Y will likely ignore the message unless they curr

Slide 36: Dug Song, Author of dsniff
Dsniff: A Collection of Tools to Do:
• ARP spoofing
• M

Slide 37:
C:\>test
C:\>arp -d 10.1.1.1
C:\>ping -n 1 10.1.1.1
Pinging 10.1.1.1 wit

Slide 38: More on Arpspoof
• All traffic now flows through the machine running dsniff in a hal

Slide 39: Selective Sniffing
• Once the dsniff box has started the arpspoof process, the m

Slide 4: Why Worry about Layer 2 Security?
(diagram: Host A, Host B; Physical Links; MAC Addr)

Slide 40: SSL/SSH Interception
• Using dnsspoof all web sites can resolve to the dsniff ho

Slide 41: SSL/SSH Interception
• Using dsniff (webmitm) most SSL sessions can be intercept

Slide 42: SSL/SSH Interception
• Upon inspection they will look invalid but they would likel

Slide 43: Dsniff evolves: Ettercap
• Similar to dsniff though not as many protocols suppor

Slide 44: Can It Get Much Easier?

Slide 45: (private VLAN diagram: Promiscuous Port, Promiscuous Port; Community 'A', Community 'B'; Isolated Ports; Primary VLA)

Slide 46: All PVLANs Are Not Created Equal
• On CAT 4K, 6K they are called Private VLANs

Slide 47: Private VLAN Configuration
• Available on: Cat 6K with CatOS 5.4(1); Cat 4K wit

Slide 48: CatOS PVLAN Configuration Example
bh-2002 (enable) set vlan 41 pvlan primary
VTP

Slide 49: More ARP Spoof Mitigation
• Some IDS systems will watch for an unusually high am
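The gratuitous-ARP misuse of slides 33 through 38 and the IDS heuristic of slide 49, as an added Python example (not code from the deck or from dsniff): a raw ARP frame builder and parser, a gratuitous ARP as a host would send it, and an arpwatch-style monitor that learns IP-to-MAC bindings, alerts when a known IP is suddenly claimed by another MAC, and alerts when one sender's ARP reply count crosses a threshold. The addresses (10.1.1.1 gateway, 10.1.1.50 victim, all MACs) and the threshold of 5 replies are constructed for the demo.

```python
import struct
from collections import Counter

ETH_P_ARP = 0x0806
ETH_P_IP = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip(text):
    return bytes(int(octet) for octet in text.split("."))


def _hex(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=BROADCAST):
    """Ethernet II frame carrying an RFC 826 ARP packet for Ethernet/IPv4."""
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, op)
    arp += mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)
    return mac(eth_dst) + mac(sender_mac) + struct.pack("!H", ETH_P_ARP) + arp


def gratuitous_arp(mac_addr, ip_addr):
    """What a host sends to announce itself: a broadcast ARP reply whose sender
    and target IP are both its own address. Anyone holding an entry for that IP
    updates it, whether or not the sender really owns the address."""
    return build_arp(ARP_REPLY, mac_addr, ip_addr, mac_addr, ip_addr)


def parse_arp(frame):
    """Return the ARP fields as a dict, or None for non-ARP frames."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        return None
    body = frame[14:]
    op = struct.unpack_from("!H", body, 6)[0]
    return {"op": op,
            "sender_mac": _hex(body[8:14]), "sender_ip": ".".join(map(str, body[14:18])),
            "target_mac": _hex(body[18:24]), "target_ip": ".".join(map(str, body[24:28]))}


class ArpWatcher:
    """arpwatch-style monitor. Learns IP->MAC from every ARP packet seen, raises
    'flip-flop' when a known IP is claimed by a different MAC (the arpspoof
    signature), and counts replies per sender to flag unusually chatty ones."""

    def __init__(self, reply_threshold=20):
        self.bindings = {}
        self.replies = Counter()
        self.threshold = reply_threshold

    def observe(self, frame):
        """Return a list of alert strings for this frame (empty when benign)."""
        p = parse_arp(frame)
        if p is None:
            return []
        alerts = []
        if p["op"] == ARP_REPLY:
            self.replies[p["sender_mac"]] += 1
            if self.replies[p["sender_mac"]] == self.threshold:
                alerts.append(f"high ARP reply rate from {p['sender_mac']}")
        known = self.bindings.get(p["sender_ip"])
        if known is None:
            self.bindings[p["sender_ip"]] = p["sender_mac"]
        elif known != p["sender_mac"]:
            alerts.append(f"flip-flop: {p['sender_ip']} moved from {known} to {p['sender_mac']}")
            self.bindings[p["sender_ip"]] = p["sender_mac"]
        return alerts


# constructed addresses for the demo
GATEWAY, VICTIM, ATTACKER = "00:00:0c:07:ac:01", "00:50:56:11:22:33", "00:0c:29:de:ad:01"


def arpspoof_demo():
    """Constructed traffic: the gateway 10.1.1.1 announces itself and answers the
    victim's request, then the attacker keeps telling the victim 'I am 10.1.1.1'."""
    watcher = ArpWatcher(reply_threshold=5)
    frames = [
        gratuitous_arp(GATEWAY, "10.1.1.1"),
        build_arp(ARP_REQUEST, VICTIM, "10.1.1.50", "00:00:00:00:00:00", "10.1.1.1"),
        build_arp(ARP_REPLY, GATEWAY, "10.1.1.1", VICTIM, "10.1.1.50", eth_dst=VICTIM),
    ]
    frames += [build_arp(ARP_REPLY, ATTACKER, "10.1.1.1", VICTIM, "10.1.1.50", eth_dst=VICTIM)
               for _ in range(5)]
    alerts = []
    for frame in frames:
        alerts.extend(watcher.observe(frame))
    return watcher, alerts


if __name__ == "__main__":
    watcher, alerts = arpspoof_demo()
    print("\n".join(alerts))
    print("10.1.1.1 is now bound to", watcher.bindings["10.1.1.1"])
```

The first attacker reply already produces the flip-flop alert, since the monitor had the gateway's binding from its gratuitous ARP; the rate alert only fires once the attacker has kept refreshing the poisoned entry. A monitor like this needs to see the ARP traffic, so on a switched network it must sit on a SPAN port or on the segment under attack.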
Slide 5: The Domino Effect
• Unfortunately this means if one layer is hacked, communication

Slide 50: Spanning Tree Attacks

Slide 51: Spanning Tree Basics
STP is very simple. Messages are sent using Bridge Protoco

Slide 52: Spanning Tree Attacks and Methods
• Standard 802.1D STP takes 30-45 seconds to d

Slide 53: Spanning Tree Attack Example 1/2
• Send BPDU messages to become root bridge
(diagram: Attac)

Slide 54: Spanning Tree Attack Example 2/2
(diagram: B, B, F, F)
• Send BPDU messages to become root bridge
(diagram: A)

Slide 55: Applied Knowledge: Summary Attack
• Goal: see traffic on the backbone but intere

Slide 56: STP Attack Mitigation
• Don't disable STP; introducing a loop would become anot
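The root-bridge takeover of slides 51 through 56, together with the BPDU Guard and Root Guard mitigations named on slide 80, as an added Python example (not code from the deck): an 802.1D Configuration BPDU encoder and decoder, the bridge-ID comparison in which the lowest (priority, MAC) pair wins, and a bridge that either accepts the attacker's priority-0 BPDU as its new root, blocks the port under Root Guard, or err-disables it under BPDU Guard. Bridge MACs, port names and the core priority of 8192 are made up; the timer values are the 802.1D defaults.

```python
import struct

LLC_STP = b"\x42\x42\x03"  # DSAP/SSAP 0x42, UI control: the LLC header carrying STP


def encode_bridge_id(priority, mac_text):
    """Bridge ID = 2-byte priority followed by the 6-byte bridge MAC."""
    return struct.pack("!H", priority) + bytes.fromhex(mac_text.replace(":", ""))


def decode_bridge_id(raw):
    return struct.unpack("!H", raw[:2])[0], ":".join(f"{b:02x}" for b in raw[2:8])


def build_config_bpdu(root_id, root_path_cost, bridge_id, port_id=0x8001):
    """802.1D Configuration BPDU (35 bytes) behind the LLC header. root_id and
    bridge_id are (priority, mac) tuples; timers are the defaults in 1/256 s:
    message age 0, max age 20 s, hello 2 s, forward delay 15 s."""
    body = struct.pack("!HBBB", 0, 0, 0, 0)  # protocol id, version, type=config, flags
    body += encode_bridge_id(*root_id) + struct.pack("!I", root_path_cost)
    body += encode_bridge_id(*bridge_id) + struct.pack("!H", port_id)
    body += struct.pack("!HHHH", 0, 20 * 256, 2 * 256, 15 * 256)
    return LLC_STP + body


def parse_config_bpdu(pdu):
    if pdu[:3] != LLC_STP:
        raise ValueError("not an STP PDU")
    body = pdu[3:]
    _, version, bpdu_type, flags = struct.unpack("!HBBB", body[:5])
    return {"version": version, "type": bpdu_type, "flags": flags,
            "root": decode_bridge_id(body[5:13]),
            "cost": struct.unpack("!I", body[13:17])[0],
            "bridge": decode_bridge_id(body[17:25]),
            "port": struct.unpack("!H", body[25:27])[0]}


class StpPort:
    def __init__(self, name, root_guard=False, bpdu_guard=False):
        self.name, self.root_guard, self.bpdu_guard = name, root_guard, bpdu_guard
        self.state = "forwarding"


class StpBridge:
    """Minimal root election: a received root ID that compares lower than the
    current one is 'superior' and normally wins; the guards change that per port."""

    def __init__(self, priority, mac_text):
        self.me = (priority, mac_text)
        self.root = self.me
        self.root_port = None

    def receive(self, port, pdu):
        if port.bpdu_guard:  # edge (PortFast) port: no BPDU is ever legitimate here
            port.state = "errdisabled"
            return "bpdu-guard: port err-disabled"
        bpdu = parse_config_bpdu(pdu)
        if bpdu["root"] < self.root:
            if port.root_guard:  # this port must stay designated; never accept a root through it
                port.state = "root-inconsistent"
                return "root-guard: superior BPDU ignored, port blocked"
            self.root, self.root_port = bpdu["root"], port.name
            return "superior BPDU accepted: new root"
        return "inferior BPDU ignored"


# constructed bridge IDs for the demo
CORE = (8192, "00:00:0c:00:00:01")
ATTACKER = (0, "00:0c:29:de:ad:01")


def stp_attack_demo(guard=None):
    """An access switch learns the real root from its uplink, then an attacker on
    Fa0/12 claims priority 0. guard is None, 'root' or 'bpdu'.
    Returns (root the switch now believes in, attacker port state, message)."""
    sw = StpBridge(32768, "00:00:0c:00:00:02")
    sw.receive(StpPort("Gi0/1"), build_config_bpdu(CORE, 0, CORE))
    port = StpPort("Fa0/12", root_guard=(guard == "root"), bpdu_guard=(guard == "bpdu"))
    msg = sw.receive(port, build_config_bpdu(ATTACKER, 0, ATTACKER))
    return sw.root, port.state, msg


if __name__ == "__main__":
    for guard in (None, "root", "bpdu"):
        print(f"{guard!s:>5}: {stp_attack_demo(guard)}")
```

Priority 0 always compares lower than any legitimately configured root, so without a guard the attacker wins the election and the topology reconverges around it. BPDU Guard is the choice for ports where no switch should ever appear; Root Guard is for ports that may legitimately carry BPDUs (a downstream switch) but must never become the path to the root.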
Slide 57: VLAN Trunking Protocol (VTP)
• Used to distribute VLAN configuration among swit

Slide 58: Potential VTP Attacks
• After becoming a trunk port, an attacker could send VTP m

Slide 59: Layer 2 Port Authentication

Slide 6: NetOPS/SecOPS, Whose Problem Is It?
• I handle security issues at L3 and above
• I ha

Slide 60: Dynamic VLAN Access Ports
• VLAN assignment based on MAC address or HTTP Auth (

Slide 61: VMPS Architecture
(diagram: VMPS Database, VMPS Server, VMPS Client; TFTP; Query, Reply) All VMPS traffi

Slide 62: VMPS/VQP Attacks
• No public domain tools today (Ethereal doesn't even decode)

Slide 63: VMPS/VQP Attack Mitigation
• Consider sending VQP messages Out-of-Band (OOB)
• I

Slide 64: 802.1X/EAP Switch Authentication
• 802.1X and EAP (Extensible Authentication Pr

Slide 65: 802.1X Port Authentication
(diagram: Request ID; Actual Authentication Conversation Is Betw)

Slide 66: Other Attacks

Slide 67: Cisco Discovery Protocol (CDP)
• Runs at Layer 2 and allows Cisco devices to cha

Slide 68: CDP Attacks
• Besides the information gathering benefit CDP offers an attacker,

Slide 69: DHCP Starvation Attacks
• Anyplace where macof works, you can DoS a network by r

Slide 7: The Numbers from CSI/FBI

Slide 70: DHCP Starvation Attack Mitigation
• Same techniques that mitigate CAM flooding,

Slide 71: Private VLAN Attacks 1/2: PVLANs Work
(diagram: Drop Packet; Attacker Mac:A IP:1; S:A1 D:B2; Victi)

Slide 72: Private VLAN At
(diagram: Attacker Mac:A IP:1; Victim Mac:B IP:2; Promiscuous Port; Isolated Port)

Slide 73: PVLAN Attack Mitigation
• Set up ACL on ingress router port: IOS(config)#access-l

Slide 74: Multicast Brute-Force Failover Analysis
• Send random Ethernet multicast frames

Slide 75: Random Frame Stress Attack
• Send random frames to a switch interface attempting

Slide 76: IP Telephony Considerations
• Most IP Telephony deployments use a distinct VLAN

Slide 77: Switch Management
• Management can be your weakest link: all the great mitigation

Slide 78: Summary and Case Study

Slide 79: Layer 2 Security Best Practices 1/2
• Manage switches in as secure a manner as

Slide 8: MAC Attacks

Slide 80: Layer 2 Security Best Practices 2/2
• Enable STP attack mitigation (BPDU Guard,

Slide 81: A Relevant Case Study
• Do you have a part of your network that looks like this

Slide 82: A More Secure Alternative
(diagram: Outside, Inside; Internet, Internal; New Security Perimeter; Ne)

Slide 83: Lessons Learned
• Carefully consider any time you must count on VLANs to operate

Slide 84: Further Reading
• SAFE Blueprints: http://www.cisco.com/go/safe
• Improving Securi

Slide 9: MAC Address/CAM Table Review
(diagram: 1234.5678.9ABC, 1234.5678.9ABC, 0000.0cXX.XXXX, 0000.0cXX.X)