© 2003, Cisco Systems, Inc. All rights reserved. Vyncke ethernet security
Ethernet: Layer 2 Security
Eric Vyncke
Cisco Systems
Distinguished Engineer
The Domino Effect
• Unfortunately this means if one layer is hacked, communications are compromised without the other layers being aware of the problem
• Security is only as strong as your weakest link
• When it comes to networking, layer 2 can be a VERY weak link
[Figure: two OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) side by side, annotated with what each layer identifies: Application Stream, Protocols/Ports, IP Addresses, MAC Addresses, Physical Links. An "Initial Compromise" at one layer leaves the layers above it marked "Compromised"]
CAM Overflow 1/2
[Figure: a switch with MAC A on port 1, MAC B on port 2 and MAC C on port 3. The host on port 3 sends a frame with unknown source MAC X (X->?); the switch learns "X is on port 3". It then sends a frame with source MAC Y (Y->?); the switch learns "Y is on port 3". The CAM table evolves as follows:]

MAC   port        MAC   port        MAC   port
A     1           X     3           X     3
B     2           B     2           Y     3
C     3           C     3           C     3
(before)          (after X)         (after Y)
CAM Overflow 2/2
[Figure: the CAM table now reads X->3, Y->3, C->3. A sends a frame to B (A->B). B is unknown in the CAM table, so the switch floods the frame out of all ports, and the host on port 3 (MAC C) says "I see traffic to B!"]
MAC Flooding Attack Mitigation
• Port Security
Allows you to specify MAC addresses for each port, or to learn a certain number of MAC addresses per port
Upon detection of an invalid MAC, block only the offending MAC or just shut down the port
• Smart CAM table
Never overwrite existing entries
Only time-out inactive entries
Active hosts will never be overwritten
• Speak first
Deviation from learning bridge: never flood
Requires hosts to send traffic first before receiving
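To make the three mitigations concrete, here is an added example (not code from the slides or from Cisco) of a toy CAM table in Python. The classic learning bridge overwrites A and B once the attacker on port 3 injects sources X and Y, so the A->B frame is flooded and seen on port 3; the smart CAM keeps active entries, port security with a one-MAC limit shuts the offending port, and the speak-first variant drops unknown destinations instead of flooding. The MACs, the port numbers and the three-entry table size are constructed for the demonstration.

```python
"""Toy CAM table: learning bridge vs. the slide's three mitigations.

Added example, not from the original slides. MAC addresses, port numbers
and the 3-entry table size are constructed for the demonstration.
"""
from collections import OrderedDict


class CamTable:
    def __init__(self, size, smart=False, port_limit=None, speak_first=False):
        self.size = size                # constructed: CAM capacity in entries
        self.smart = smart              # smart CAM: never overwrite active entries
        self.port_limit = port_limit    # port security: max MACs learned per port
        self.speak_first = speak_first  # deviation from learning bridge: never flood
        self.entries = OrderedDict()    # mac -> port; least recently seen first
        self.err_disabled = set()       # ports shut down by port security

    def learn(self, src_mac, port):
        """Source-address learning for a frame received on `port`."""
        if port in self.err_disabled:
            return "dropped: port shut down"
        if src_mac in self.entries and self.entries[src_mac] == port:
            self.entries.move_to_end(src_mac)   # entry is active: refresh it
            return "refreshed"
        if self.port_limit is not None:
            learned_here = sum(1 for p in self.entries.values() if p == port)
            if learned_here >= self.port_limit:
                self.err_disabled.add(port)     # violation: shut down the port
                return "port-security violation: port shut down"
        if len(self.entries) >= self.size:
            if self.smart:
                return "not learned: table full, active entries kept"
            self.entries.popitem(last=False)    # learning bridge: overwrite oldest
        self.entries[src_mac] = port
        return "learned"

    def age_out(self, inactive_macs):
        """Only inactive entries ever leave a smart CAM table (aging timer)."""
        for mac in inactive_macs:
            self.entries.pop(mac, None)

    def egress(self, dst_mac, ingress_port, all_ports):
        """Ports a frame for dst_mac is sent to."""
        if dst_mac in self.entries:
            return [self.entries[dst_mac]]
        if self.speak_first:
            return []                           # unknown destination: drop, never flood
        return [p for p in all_ports if p != ingress_port]   # classic flooding


def cam_overflow_scenario(smart=False, port_limit=None, speak_first=False):
    """Replay the slides: A/B/C learned, attacker on port 3 sends from X and Y,
    then A sends to B. Returns (ports the A->B frame goes to, attacker's learn results)."""
    cam = CamTable(size=3, smart=smart, port_limit=port_limit, speak_first=speak_first)
    for mac, port in (("A", 1), ("B", 2), ("C", 3)):
        cam.learn(mac, port)
    results = [cam.learn(fake, 3) for fake in ("X", "Y")]
    return cam.egress("B", ingress_port=1, all_ports=[1, 2, 3]), results


if __name__ == "__main__":
    print("learning bridge:", cam_overflow_scenario())          # ([2, 3], ...) flooded
    print("smart CAM:      ", cam_overflow_scenario(smart=True))  # ([2], ...)
    print("port security:  ", cam_overflow_scenario(port_limit=1))
    print("speak first:    ", cam_overflow_scenario(speak_first=True))
```

The flood list `[2, 3]` in the first run is the slide's "B unknown... flood the frame": port 3 receives traffic addressed to B.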
ARP Spoofing
[Figure: three hosts in one VLAN: IP a / MAC A, IP b / MAC B, IP c / MAC C]
• C is sending a faked gratuitous ARP reply to A
• C sees traffic from IP a to IP b
Message sequence:
C->A, ARP, b=C      (C tells A that IP b is at MAC C)
A->C, IP, a->b      (A's traffic for IP b now goes to MAC C)
C->B, IP, a->b      (C forwards it on to B after seeing it)
Mitigating ARP Spoofing
• ARP spoofing works only within one VLAN
• Static ARP table on critical stations (but dynamic ARP overrides static ARP on most hosts!)
• ARP ACL: checking ARP packets within a VLAN
Either by static definition
Or by snooping DHCP for dynamic leases
• No direct communication within a VLAN: private VLAN
Spoofed ARP packet cannot reach other hosts
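The ARP ACL bullet, as an added example (not from the slides): a Python check that validates an ARP frame against a binding table of IP to (MAC, port) entries, whether those come from static definitions or from snooped DHCP leases. Addresses, ports and the binding table are constructed; the two sample frames replay the slide's faked gratuitous reply "C->A, ARP, b=C" beside a legitimate reply from B.

```python
"""ARP ACL check modelled on the slide: validate ARP packets on a VLAN against
a binding table that comes from static definitions or snooped DHCP leases.

Added example, not from the original slides. Addresses, ports and the
binding table are constructed for the demonstration."""
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = b"\x08\x06"
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed binding table: IP -> (MAC, switch port). Entries would come from
# static configuration or from DHCP snooping of dynamic leases.
BINDINGS = {
    "10.0.0.1": ("aa:aa:aa:aa:aa:aa", 1),   # host A
    "10.0.0.2": ("bb:bb:bb:bb:bb:bb", 2),   # host B
    "10.0.0.3": ("cc:cc:cc:cc:cc:cc", 3),   # host C
}


def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(eth_src, eth_dst, op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (42 bytes)."""
    ethernet = mac_bytes(eth_dst) + mac_bytes(eth_src) + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # hw type, proto, hlen, plen, op
    arp += mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return ethernet + arp


def inspect_arp(frame, ingress_port, bindings=BINDINGS):
    """Return 'permit' or a 'drop: ...' reason for one ARP frame."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return "not-arp"
    hw_type, proto, hw_len, proto_len, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto, hw_len, proto_len) != (1, 0x0800, 6, 4):
        return "drop: unsupported ARP header"
    if op not in (ARP_REQUEST, ARP_REPLY):
        return "drop: unknown ARP operation"
    sender_mac = mac_text(frame[22:28])
    sender_ip = str(IPv4Address(frame[28:32]))
    if sender_mac != mac_text(frame[6:12]):
        return "drop: ARP sender MAC differs from Ethernet source"
    binding = bindings.get(sender_ip)
    if binding is None:
        return "drop: no binding for sender IP"
    bound_mac, bound_port = binding
    if bound_mac != sender_mac:
        return "drop: sender IP bound to another MAC"
    if bound_port != ingress_port:
        return "drop: sender IP bound to another port"
    return "permit"


# Constructed traffic. Legitimate reply from B (IP b) to A, arriving on port 2:
LEGIT_REPLY = build_arp("bb:bb:bb:bb:bb:bb", "aa:aa:aa:aa:aa:aa", ARP_REPLY,
                        "bb:bb:bb:bb:bb:bb", "10.0.0.2", "aa:aa:aa:aa:aa:aa", "10.0.0.1")
# The slide's faked gratuitous reply "C->A, ARP, b=C": C claims IP b, arriving on port 3:
SPOOFED_REPLY = build_arp("cc:cc:cc:cc:cc:cc", "aa:aa:aa:aa:aa:aa", ARP_REPLY,
                          "cc:cc:cc:cc:cc:cc", "10.0.0.2", "aa:aa:aa:aa:aa:aa", "10.0.0.1")

if __name__ == "__main__":
    print(inspect_arp(LEGIT_REPLY, ingress_port=2))    # permit
    print(inspect_arp(SPOOFED_REPLY, ingress_port=3))  # drop: sender IP bound to another MAC
```

The port check matters as much as the MAC check: a host that copies B's MAC address as well as B's IP still arrives on the wrong port.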
ARP Spoof Mitigation: Private VLANs
[Figure: a Primary VLAN with Promiscuous Ports and an Isolated VLAN with Isolated Ports; traffic directly between isolated ports is blocked (x), so a spoofed ARP packet from one isolated port cannot reach another]
Trunk Port Refresher
• Trunk ports have access to all VLANs by default
• Used to route traffic for multiple VLANs across the same physical link (generally used between switches)
[Figure: two switches joined by a Trunk Port]
Basic VLAN Hopping Attack
• A station can spoof as a switch with 802.1Q signaling
• The station is then a member of all VLANs
• Requires a trunking favorable setting on the port (the SANS paper is three years old)
http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
[Figure: the station's link to the switch has become a Trunk Port, like the switch-to-switch Trunk Port]
Double Encapsulated 802.1Q VLAN Hopping Attack
• Send double encapsulated 802.1Q frames
• Switch performs only one level of decapsulation
• Unidirectional traffic only
• Works even if trunk ports are set to off
Note: Only Works if Trunk Has the Same Native VLAN as the Attacker
[Figure: the Attacker sends "802.1q, 802.1q, Frame" to the first switch, which strips off the first tag and sends "802.1q, Frame" back out on the trunk; the second switch removes the remaining tag and delivers "Frame" to the Victim]
Mitigation
• Use recent switches
• Disable auto-trunking
• Never put hosts in the trunk native VLAN
• Put unused ports in an unused VLAN
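An added example (not from the slides) modelling the double-encapsulation hop and the "never put hosts in the trunk native VLAN" mitigation in Python. It parses 802.1Q tags, flags double-tagged or native-VLAN-tagged frames the way an IDS that understands trunking would, and models the two switches: the first accepts a tag matching its access VLAN, strips it, and sends the frame on the trunk untagged only when that VLAN is the native VLAN. The switch behaviour is a simplified model; MACs, VLAN numbers and payloads are constructed.

```python
"""802.1Q tag parsing and a two-switch model of the double-encapsulation
hop, showing why 'never put hosts in the trunk native VLAN' stops it.

Added example, not from the original slides. The switch behaviour is a
simplified model; MACs, VLAN numbers and payloads are constructed."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_tags(frame):
    """Return (VLAN IDs outer-to-inner, payload EtherType, payload offset)."""
    offset, vlans = 12, []
    while struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VID
        offset += 4
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return vlans, ethertype, offset + 2


def build_frame(dst, src, vlans, ethertype, payload):
    header = dst + src
    for vid in vlans:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def ids_check(frame, native_vlan):
    """Findings an IDS that understands trunking can raise on a link."""
    vlans, _, _ = parse_tags(frame)
    findings = []
    if len(vlans) > 1:
        findings.append("double 802.1Q tag")
    if vlans and vlans[0] == native_vlan:
        findings.append("explicit tag for the native VLAN")
    return findings


def access_switch_to_trunk(frame, port_vlan, native_vlan):
    """Switch 1 (model): frame enters an access port in port_vlan and leaves on
    a trunk. A leading tag equal to the port's own VLAN is accepted and stripped,
    other tags are rejected; on egress the frame carries a port_vlan tag unless
    port_vlan is the trunk's native VLAN, which travels untagged."""
    vlans, _, _ = parse_tags(frame)
    body = frame[12:]
    if vlans:
        if vlans[0] != port_vlan:
            return None                     # tagged for a foreign VLAN: dropped
        body = frame[16:]                   # one level of decapsulation only
    if port_vlan == native_vlan:
        return frame[:12] + body            # native VLAN: sent untagged
    return frame[:12] + struct.pack("!HH", TPID_8021Q, port_vlan) + body


def trunk_ingress_vlan(frame, native_vlan):
    """Switch 2: the VLAN a frame received on the trunk is delivered into."""
    vlans, _, _ = parse_tags(frame)
    return vlans[0] if vlans else native_vlan


def hop_result(attacker_vlan, native_vlan, inner_vlan):
    """VLAN in which the second switch delivers a double-tagged frame sent
    from an access port in attacker_vlan; None if the first switch drops it."""
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",   # constructed MACs
                        [attacker_vlan, inner_vlan], ETHERTYPE_IPV4, b"constructed payload")
    on_trunk = access_switch_to_trunk(frame, attacker_vlan, native_vlan)
    if on_trunk is None:
        return None
    return trunk_ingress_vlan(on_trunk, native_vlan)


if __name__ == "__main__":
    print("host in native VLAN 1, inner tag 20 ->", hop_result(1, 1, 20))    # 20: hopped
    print("host in VLAN 10, native VLAN 1       ->", hop_result(10, 1, 20))  # 10: stays put
```

With the host's access VLAN equal to the native VLAN, the first switch strips the outer tag and forwards untagged, so the inner tag is what the second switch sees. Once hosts are kept out of the native VLAN, the first switch adds its own tag on the trunk and the frame stays in the host's VLAN, inner tag and all.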
Spanning Tree Basics
[Figure: Loop-Free Connectivity. A Switch (A) Is Elected as Root; A 'Tree-Like' Loop-Free Topology Is Established towards switch B, with ports marked F (forwarding) or B (blocking) and one redundant link blocked (X)]
Spanning Tree Attack Example 1/2
• Send BPDU messages from attacker to force spanning tree recalculations
Impact likely to be DoS
• Send BPDU messages to become root bridge
[Figure: a Root switch above two Access Switches; the Attacker is attached to the access switches and sends STP BPDUs; ports marked F (forwarding), B (blocking), one link blocked (X)]
Spanning Tree Attack Example 2/2
• Send BPDU messages from attacker to force spanning tree recalculations
Impact likely to be DoS
• Send BPDU messages to become root bridge
The hacker then sees frames he shouldn't
MITM, DoS, etc. all possible
Any attack is very sensitive to the original topology, trunking, PVST, etc.
Requires attacker to be dual homed to two different switches
[Figure: the Attacker, dual homed to the two Access Switches, is now Root; the former Root is no longer root and a different link is blocked (X); ports marked F (forwarding), B (blocking)]
STP Attack Mitigation
• Disable STP (it is not needed in loop-free topologies)
• BPDU Guard: disables ports upon detection of a BPDU message on the port
• Root Guard: disables ports that would become the root bridge due to their BPDU advertisement
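BPDU Guard and Root Guard as an added Python model (not code from the slides or from any switch): Configuration BPDUs are recognised by the STP multicast address and LLC header; a port configured with BPDU Guard is err-disabled on any BPDU, while a port with Root Guard is blocked when the BPDU advertises a bridge ID superior (numerically lower) to the root the switch already knows. Bridge MACs, priorities and the port names are constructed.

```python
"""BPDU Guard and Root Guard as a switch-side model: parse the Configuration
BPDU that arrives on a port and decide what the port does with it.

Added example, not from the original slides. Bridge MACs, priorities and
the port layout are constructed."""
import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")
LLC_STP = b"\x42\x42\x03"            # DSAP 0x42, SSAP 0x42, UI control


def build_config_bpdu(src_mac, root_priority, root_mac, root_path_cost,
                      bridge_priority, bridge_mac):
    """802.3 frame carrying an IEEE 802.1D Configuration BPDU (35 bytes)."""
    stp = struct.pack("!HBBB", 0, 0, 0, 0)               # protocol id, version, type=config, flags
    stp += struct.pack("!H", root_priority) + root_mac   # root bridge identifier
    stp += struct.pack("!I", root_path_cost)
    stp += struct.pack("!H", bridge_priority) + bridge_mac  # sending bridge identifier
    # port id, message age, max age (20 s), hello (2 s), forward delay (15 s); times in 1/256 s
    stp += struct.pack("!HHHHH", 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)
    return STP_MULTICAST + src_mac + struct.pack("!H", len(LLC_STP) + len(stp)) + LLC_STP + stp


def is_bpdu(frame):
    return frame[:6] == STP_MULTICAST and frame[14:17] == LLC_STP


def parse_config_bpdu(frame):
    """Root id, root path cost and bridge id of a Configuration BPDU, else None."""
    stp = frame[17:]
    if len(stp) < 35:
        return None
    protocol, version, bpdu_type = struct.unpack("!HBB", stp[:4])
    if protocol != 0 or bpdu_type != 0:
        return None
    return {
        "root_id": (struct.unpack("!H", stp[5:7])[0], stp[7:13]),
        "root_path_cost": struct.unpack("!I", stp[13:17])[0],
        "bridge_id": (struct.unpack("!H", stp[17:19])[0], stp[19:25]),
    }


class Port:
    def __init__(self, bpdu_guard=False, root_guard=False):
        self.bpdu_guard = bpdu_guard     # access ports: no BPDU should ever arrive
        self.root_guard = root_guard     # designated ports: the root must stay where it is
        self.state = "forwarding"


class Switch:
    def __init__(self, root_id, ports):
        self.root_id = root_id           # (priority, MAC) of the root this switch knows
        self.ports = ports

    def receive(self, port_name, frame):
        port = self.ports[port_name]
        if port.state == "err-disabled":
            return "dropped: port err-disabled"
        if not is_bpdu(frame):
            return "forwarded"
        if port.bpdu_guard:
            port.state = "err-disabled"       # BPDU Guard: shut the port down
            return "err-disabled by BPDU Guard"
        bpdu = parse_config_bpdu(frame)
        if bpdu is None:
            return "ignored: not a Configuration BPDU"
        # Bridge IDs compare as (priority, MAC): the lower value wins the root election.
        if port.root_guard and bpdu["root_id"] < self.root_id:
            port.state = "root-inconsistent"  # Root Guard: block while superior BPDUs arrive
            return "blocked by Root Guard: superior root advertised"
        return "processed by STP"


def stp_guard_scenario():
    """Constructed: a rogue bridge with priority 0 sends BPDUs to a user port and a downlink."""
    real_root = (32768, bytes.fromhex("00aa00000001"))
    rogue_mac = bytes.fromhex("00bb00000002")
    sw = Switch(real_root, {"Fa0/1": Port(bpdu_guard=True),   # user port
                            "Gi0/1": Port(root_guard=True),   # downlink to an access switch
                            "Gi0/2": Port()})                 # uplink towards the real root
    legit = build_config_bpdu(real_root[1], *real_root, 0, *real_root)
    rogue = build_config_bpdu(rogue_mac, 0, rogue_mac, 0, 0, rogue_mac)
    return (sw.receive("Fa0/1", rogue), sw.receive("Gi0/1", rogue),
            sw.receive("Gi0/2", legit), sw.receive("Fa0/1", legit))


if __name__ == "__main__":
    for outcome in stp_guard_scenario():
        print(outcome)
```

Root Guard leaves the port usable again once superior BPDUs stop arriving, which is why the model marks it root-inconsistent rather than err-disabled; BPDU Guard, by contrast, needs an operator (or an errdisable recovery timer) to bring the port back.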
DHCP Rogue Server Attack
• Simply the installation of an unknown DHCP server in the local subnet
• Other attack: exhaustion of DHCP pools
• RFC 3118 “Authentication for DHCP Messages” will help, but has yet to be implemented
• Mitigation:
Consider using multiple DHCP servers for the different security zones of your network
Use intra-VLAN ACLs to block DHCP traffic from unknown servers
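The intra-VLAN ACL bullet, as an added Python example (not from the slides): a DHCP-snooping style guard that accepts DHCP server messages (OFFER, ACK, NAK) only from the ports where the known servers are, records leases from ACKs (the bindings an ARP ACL can use), and rate limits DISCOVERs per port against pool exhaustion. The rate limit is this model's assumption, not something the slide specifies; ports, MACs and addresses are constructed.

```python
"""DHCP snooping style guard: server messages (OFFER/ACK/NAK) are accepted
only from ports where a known DHCP server lives, leases are recorded from ACKs,
and client DISCOVERs are rate limited per port to blunt pool exhaustion.

Added example, not from the original slides. The rate limit is this model's
assumption; ports, MACs and addresses are constructed."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


def build_dhcp(op, xid, client_mac, message_type, yiaddr=bytes(4)):
    """Minimal BOOTP/DHCP message: 236-byte fixed header, magic cookie, option 53, end."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)   # op, htype, hlen, hops, xid, secs, flags
    fixed += bytes(4) + yiaddr + bytes(8)                      # ciaddr, yiaddr, siaddr, giaddr
    fixed += client_mac.ljust(16, b"\0") + bytes(192)          # chaddr, sname, file
    return fixed + DHCP_MAGIC + bytes([53, 1, message_type, 255])


def parse_dhcp(payload):
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    message_type, i = None, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                             # 0 = pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1:
            message_type = MESSAGE_TYPES.get(payload[i + 2])
        i += 2 + length
    return {"op": payload[0], "chaddr": payload[28:34],
            "yiaddr": payload[16:20], "type": message_type}


class DhcpGuard:
    def __init__(self, trusted_ports, discover_limit=5):
        self.trusted = set(trusted_ports)     # ports leading to the known DHCP servers
        self.discover_limit = discover_limit  # assumption: DISCOVERs allowed per port per window
        self.discovers = {}
        self.bindings = {}                    # chaddr -> yiaddr, learned from ACKs

    def inspect(self, port, udp_src_port, payload):
        msg = parse_dhcp(payload)
        if msg is None:
            return "not-dhcp"
        server_side = (msg["op"] == BOOTREPLY or udp_src_port == 67
                       or msg["type"] in SERVER_MESSAGES)
        if server_side and port not in self.trusted:
            return "drop: DHCP server message from untrusted port"
        if msg["type"] == "DISCOVER":
            self.discovers[port] = self.discovers.get(port, 0) + 1
            if self.discovers[port] > self.discover_limit:
                return "drop: DISCOVER rate limit exceeded"
        if msg["type"] == "ACK" and msg["yiaddr"] != bytes(4):
            self.bindings[msg["chaddr"]] = msg["yiaddr"]   # snooped lease
        return "permit"


def dhcp_guard_scenario():
    """Constructed: server on port 24; a rogue OFFER from port 5; a burst of DISCOVERs on port 1."""
    guard = DhcpGuard(trusted_ports={24}, discover_limit=3)
    client = bytes.fromhex("aaaaaaaaaaaa")
    rogue_offer = build_dhcp(BOOTREPLY, 0x1234, client, 2, yiaddr=bytes([10, 0, 0, 50]))
    real_ack = build_dhcp(BOOTREPLY, 0x1234, client, 5, yiaddr=bytes([10, 0, 0, 7]))
    discovers = [guard.inspect(1, 68, build_dhcp(BOOTREQUEST, n, bytes([0, 0, 0, 0, 0, n]), 1))
                 for n in range(1, 5)]
    return (guard.inspect(5, 67, rogue_offer), guard.inspect(24, 67, real_ack),
            discovers, guard.bindings)


if __name__ == "__main__":
    for item in dhcp_guard_scenario():
        print(item)
```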
Wire-Speed Access Control Lists
• Many current switches offer wire-speed ACLs to control traffic flows (with or without a router port)
• Allows implementation of edge filtering that might otherwise not be deployed due to performance concerns
• VLAN ACLs and Router ACLs are typically the two implementation methods
Network Intrusion Detection System
• Network IDSs are now able to:
Understand trunking protocols
Fast enough to handle 1 Gbps
Including management of alerts!
Understand layer 2 attacks
802.1x
• 802.1x is an IEEE Standard for Port Based Network Access Control
EAP based
Improved user authentication: username and password
Can work on plain 802.3 or 802.11
IEEE 802.1X Terminology
[Figure: Supplicant --EAP Over LAN (EAPOL) / EAP Over Wireless (EAPOW)--> Authenticator (e.g. Switch, Access Point) --Encrypted RADIUS--> Authentication Server (RADIUS). The supplicant and authenticator sit in the Semi-Public Network / Enterprise Edge; the authentication server sits in the Enterprise Network]
What Does it Do?
• Transport authentication information in the form of Extensible Authentication Protocol (EAP) payloads.
• The authenticator (switch) becomes the middleman for relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry the EAP information.
• Three forms of EAP are specified in the standard
EAP-MD5 – MD5 Hashed Username/Password
EAP-OTP – One-Time Passwords
EAP-TLS – Strong PKI Authenticated Transport Layer Security (SSL) - Preferred Method Of Authentication
[Figure: 802.1x Header followed by EAP Payload]
Example Solution “A”—Access Control and User Policy Enforcement
[Figure: message flow between the user, the switch and the authentication server]
Login Request
Credentials
Check with Policy DB: Login Good! Apply Policies. This Is John Doe! He Goes into VLAN 5
Switch Applies Policies and Enables Port:
• Set port VLAN to 5
User Has Access to Network, with Applicable VLAN
Example Solution “B” – Access For Guest Users
[Figure: message flow between the client and the switch]
Login Request
Login Request
Login Request
Authentication timeout. Retries expired.
Client is not 802.1x capable. Put them in the quarantine zone!
Switch applies policies and enables port:
• Set port VLAN to 100 - DMZ
• Set port QoS Tagging to 7
• Set QoS rate limit for 2Mbps
User has access to DMZ or “Quarantine” network.
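The relay described under "What Does it Do?" and the two example solutions, as one added Python example (not from the slides): the authenticator extracts the EAP payload from an EAPOL frame, carries it to the RADIUS server in EAP-Message attributes (type 79), sets the port VLAN from the Tunnel-Private-Group-ID attribute (type 81) of an Access-Accept, and after the retries expire puts a non-802.1x client in the quarantine VLAN. The RADIUS authenticator field is zeroed and no shared secret is computed in this model; VLAN 5, VLAN 100 and the QoS values come from the slides, the attribute handling follows RFC 3579 and RFC 3580, and the QoS field names are this model's.

```python
"""Authenticator view of 802.1X: take the EAP payload out of an EAPOL frame
from the supplicant, relay it to RADIUS in EAP-Message attributes, and apply
the port policy from the reply (VLAN from the Access-Accept, or the quarantine
VLAN when the client never answers).

Added example, not from the original slides. The RADIUS Request Authenticator
is zeroed and no shared secret is used; VLAN 5 / 100 and the QoS values follow
the example slides, and the QoS field names are this model's."""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
RADIUS_ACCESS_REQUEST, RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_REJECT = 1, 2, 3
ATTR_EAP_MESSAGE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 79, 81   # RFC 2869 / RFC 2868


def eap_response_identity(eap_id, identity):
    data = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(data)) + data


def eapol_frame(src_mac, eap):
    """802.1X header (version 1, type EAP-Packet, body length) then the EAP payload."""
    header = struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, EAPOL_EAP_PACKET, len(eap))
    return PAE_GROUP_ADDRESS + src_mac + header + eap


def extract_eap(frame):
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    version, packet_type, length = struct.unpack("!BBH", frame[14:18])
    if packet_type != EAPOL_EAP_PACKET:
        return None                        # EAPOL-Start / Logoff carry no EAP
    return frame[18:18 + length]


def radius_access_request(eap, identifier=1):
    """Wrap the EAP payload in EAP-Message attributes (at most 253 bytes each)."""
    attrs = b""
    for i in range(0, len(eap), 253):
        chunk = eap[i:i + 253]
        attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + bytes(16) + attrs      # 16-byte Request Authenticator zeroed in this model


def radius_attributes(packet):
    code, _, length = struct.unpack("!BBH", packet[:4])
    attrs, i = {}, 20
    while i + 2 <= length:
        attr_type, attr_len = packet[i], packet[i + 1]
        attrs.setdefault(attr_type, []).append(packet[i + 2:i + attr_len])
        i += attr_len
    return code, attrs


def radius_access_accept(vlan, identifier=1):
    """Access-Accept carrying the VLAN in Tunnel-Private-Group-ID (RFC 3580 usage)."""
    value = b"\x00" + str(vlan).encode()   # tagged attribute: tag byte 0, then the VLAN
    attrs = bytes([ATTR_TUNNEL_PRIVATE_GROUP_ID, 2 + len(value)]) + value
    return struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, 20 + len(attrs)) + bytes(16) + attrs


class PortAuthenticator:
    def __init__(self, guest_vlan=100, max_retries=3):
        self.state, self.vlan, self.qos = "unauthorized", None, None
        self.retries, self.guest_vlan, self.max_retries = 0, guest_vlan, max_retries

    def from_supplicant(self, frame):
        """Middleman: EAP out of the EAPOL frame, into a RADIUS Access-Request."""
        eap = extract_eap(frame)
        return None if eap is None else radius_access_request(eap)

    def from_radius(self, packet):
        code, attrs = radius_attributes(packet)
        if code == RADIUS_ACCESS_ACCEPT:
            group = attrs.get(ATTR_TUNNEL_PRIVATE_GROUP_ID, [b""])[0]
            if group and group[0] <= 0x1F:
                group = group[1:]              # strip the tag byte
            self.state, self.vlan = "authorized", int(group) if group else None
        elif code == RADIUS_ACCESS_REJECT:
            self.state = "unauthorized"
        return self.state, self.vlan

    def request_timeout(self):
        """No EAP response: once the retries expire, treat the client as not
        802.1X capable and put the port in the quarantine VLAN with limited QoS."""
        self.retries += 1
        if self.retries >= self.max_retries:
            self.state, self.vlan = "guest", self.guest_vlan
            self.qos = {"cos_tag": 7, "rate_limit_mbps": 2}
        return self.state, self.vlan
```

In solution "A" the switch never inspects the credentials: it relays EAP both ways and acts only on the Access-Accept, which is where the VLAN 5 decision arrives. In solution "B" the decision is local, taken when the third Login Request goes unanswered.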
Layer 2 Security Best Practices 1/2
• Manage switches in as secure a manner as possible (SSH, OOB, permit lists, etc.)
• Always use a dedicated VLAN ID for all trunk ports
• Be paranoid: do not use VLAN 1 for anything
• Set all user ports to non-trunking
• Deploy port-security where possible for user ports
• Selectively use SNMP and treat community strings like root passwords
• Have a plan for the ARP security issues in your network
Layer 2 Security Best Practices 2/2
• Enable STP attack mitigation (BPDU Guard, Root Guard)
• Use private VLANs where appropriate to further divide L2 networks
• Disable all unused ports and put them in an unused VLAN
• Consider 802.1X for the middle term
All of the Preceding Features Are Dependent on Your Own Security Policy