Layer 2 Security - PowerPoint PPT Presentation

About This Presentation

Title: Layer 2 Security

Description: 59% Insider attacks by employees. ... configuration (not scalable but most secure) ... http://www.sanog.org/resources/sanog7/yusuf-L2-attack-mitigation.pdf ... – PowerPoint PPT presentation

Number of Views: 371
Avg rating: 3.0/5.0
Slides: 16
Provided by: honeynet

Transcript and Presenter's Notes

1
Layer 2 Security
  • Honeynet Project
  • Canadian Chapter
  • Sami Guirguis
  • Sami.kamel_at_gmail.com
  • February 2008

2
The Threat
  • The OSI model was built to allow different layers
    to work without knowledge of each other, which
    means that if one layer is compromised the other
    layers will not be aware of it: a domino effect.
  • i.e. layer 3 will not be aware if layer 2 is
    attacked.
  • Facts
  • A layer 2 attack is hard to achieve from the
    outside world, but never underestimate the local
    attacker. The attacker may not be so local after
    all: backdoors and wireless hacking allow remote
    crackers in.
  • 99% of enterprise network ports are open
    (according to an FBI report).
  • 59% insider attacks by employees.
  • Being in the LAN, layer 2 is considered trusted
    by Security Ops, and firewall/IDS/IPS technologies
    offer limited capabilities at layer 2.
  • More broadband providers deploy access networks
    based exclusively on L2 for many reasons, worth
    mentioning: the convergence time of RSTP is faster
    compared to OSPF and EIGRP, Ethernet interfaces
    are cheaper (e.g. wireless, Metro Ethernet), and
    ease of connection to the customer network.
  • The effect of a DoS attack on L2 takes on
    another dimension than in the WAN, as the
    bandwidth is considerably higher.

3
Data link layer technologies
Background about technologies affected by the
following attacks
  • Switch operation (unicast, broadcast/multicast).
  • Content-Addressable Memory (CAM) table (ARP)
    address-learning process.
  • VLAN, Cisco Inter-Switch Link (ISL), IEEE 802.1q.
  • Spanning Tree Protocol (STP).
  • Rapid STP (RSTP).
  • Bridge Protocol Data Unit (BPDU).

4
Attack Types
  • CAM table overflow.
  • VLAN hopping.
  • Spanning Tree Protocol (STP) manipulation.
  • MAC spoofing (ARP poisoning).
  • Private VLAN.
  • DHCP attacks.
  • These attack techniques achieve access, DoS or
    MITM.

5
MAC Flood
  • Dsniff (macof) can generate 155,000 MACs/min.
  • CAM table sizes (Cisco switches: 16kb to 128kb,
    i.e. 100 to over 100,000 entries); hence even if
    the CAM table refresh time is short it will not
    be short enough (the Cisco default is 5 min).
  • After the CAM table is flooded the switch enters
    a fail-open mode acting as a hub, forwarding
    traffic to all ports, which makes sniffing easier,
    or a DoS is achieved by consuming switch
    processing power.
  • This attack can flood adjacent switches as well.
  • It is limited to the attacker's VLAN.
  • MAC flood mitigation
  • Limit the number of MAC addresses that can be
    learned per port.
  • Static MAC address configuration (not scalable
    but most secure).
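The fail-open behaviour and the per-port learning limit described above, modelled in a small Python simulation. This is an added illustration, not code from the deck or from any switch vendor: the CAM capacity (64 entries), aging time, port names and the "shutdown" violation mode are constructed assumptions chosen to make the effect visible in a few hundred frames.

```python
"""Toy CAM table with optional port security, to show why MAC flooding works
and how a per-port MAC limit stops it. Added illustration; not from the deck."""
import random


def fake_mac(rng):
    """Constructed random locally-administered MAC (the kind macof spews out)."""
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


class Switch:
    """Minimal learning switch: CAM maps MAC -> (port, time learned)."""

    def __init__(self, ports, cam_capacity=64, aging_time=300,
                 max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity      # tiny on purpose; real CAMs hold thousands
        self.aging_time = aging_time          # seconds; the slide quotes 5 min as Cisco default
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.cam = {}
        self.err_disabled = set()
        self.now = 0

    def tick(self, seconds):
        """Advance the clock and age out stale CAM entries."""
        self.now += seconds
        self.cam = {m: (p, t) for m, (p, t) in self.cam.items()
                    if self.now - t < self.aging_time}

    def learn(self, src_mac, port):
        """Source-MAC learning on ingress; returns what happened to the frame."""
        if port in self.err_disabled:
            return "dropped"                  # port was shut by a security violation
        if src_mac in self.cam:
            self.cam[src_mac] = (port, self.now)   # refresh the timestamp
            return "known"
        on_port = sum(1 for p, _ in self.cam.values() if p == port)
        if self.max_macs_per_port is not None and on_port >= self.max_macs_per_port:
            self.err_disabled.add(port)       # port-security violation mode "shutdown"
            return "violation"
        if len(self.cam) >= self.cam_capacity:
            return "cam-full"                 # nothing learned: the fail-open condition
        self.cam[src_mac] = (port, self.now)
        return "learned"

    def egress(self, dst_mac, in_port):
        """Ports a frame to dst_mac is sent out of. Unknown unicast is flooded."""
        entry = self.cam.get(dst_mac)
        if entry is None:
            return [p for p in self.ports if p != in_port]
        return [] if entry[0] == in_port else [entry[0]]


def run_flood(switch, attacker_port, victim_port, victim_mac, client_port,
              n_fake=500, seed=7):
    """Attacker on attacker_port floods random source MACs for longer than the
    CAM aging time; then we ask where a frame for the victim ends up."""
    rng = random.Random(seed)
    switch.learn(victim_mac, victim_port)
    outcomes = {}
    for _ in range(n_fake):
        r = switch.learn(fake_mac(rng), attacker_port)
        outcomes[r] = outcomes.get(r, 0) + 1
    switch.tick(switch.aging_time)            # every entry, victim's included, ages out
    for _ in range(n_fake):                   # attacker keeps the table full
        switch.learn(fake_mac(rng), attacker_port)
    relearn = switch.learn(victim_mac, victim_port)
    return outcomes, relearn, switch.egress(victim_mac, client_port)


if __name__ == "__main__":
    ports = ["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"]
    for limit in (None, 2):
        sw = Switch(ports, max_macs_per_port=limit)
        print("max MACs/port =", limit,
              run_flood(sw, "Fa0/1", "Fa0/2", "00:11:22:33:44:55", "Fa0/3"))
```

Without a limit the victim cannot be re-learned once its entry ages out, so a client's frame for the victim is flooded to every port including the attacker's. With a limit of two MACs the attacker's port is err-disabled on the third address, the CAM keeps room for the victim, and the frame goes only to the victim's port.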

6
VLAN Hopping
  • A malicious user on one VLAN tries to send packets
    to a system on a different VLAN.
  • The two main techniques are:
  • Switch spoofing.
  • 802.1q double tagging.

7
Switch Spoofing
  • Trunk ports have access to all VLANs' traffic.
  • When the malicious user can spoof a switch using
    ISL or 802.1q he will have access to all traffic,
    as trunk ports carry all VLANs.
  • The port must be set to trunk or to auto (which
    negotiates trunking), or have DTP (Dynamic
    Trunking Protocol) enabled.
  • Tools
  • Yersinia can spoof many protocols: STP, ISL,
    802.1q, CDP, DTP, DHCP, HSRP, VTP.
  • Some Unix operating systems come with brctl, an
    STP-capable bridging utility.
  • Mitigation
  • Disable unused ports and set them to access mode;
    disable Dynamic Trunking Protocol on access ports
    (DTP allows the port to negotiate the trunking
    protocol with the other device).

8
Double tagging 802.1q
  • The attacker sends a double-encapsulated 802.1q
    frame. The first tag is stripped off by the switch
    to which the attacker is connected, and the frame
    is forwarded to the next switch. However, the
    remaining tag contains a different VLAN, to which
    the frame is then delivered.
  • Works even if the trunk port is set to off.
  • Limitations
  • Unidirectional (not really, as it can be a DoS or
    turned bidirectional using WEPWedgie).
  • There must be multiple switches and, obviously,
    trunking.
  • Attacker and trunk must have the same native VLAN.
  • Does not work on ISL, which does not have the
    concept of a native VLAN.
  • The attacker cannot push data to a target on the
    same switch.
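The native-VLAN condition in the limitations above is easiest to see by walking a double-tagged frame through the hop. The following Python is an added illustration, not code from the deck: it parses stacked 802.1Q tags from raw bytes and models, in simplified form, an access port that accepts a frame tagged with its own VLAN, a trunk that sends native-VLAN frames untagged, and the next switch assigning the frame a VLAN. The frame contents, MAC addresses and VLAN numbers are constructed; the `hop()`, `access_ingress()` and `trunk_egress()` helpers are this example's own names.

```python
"""802.1Q tag parsing and a model of the double-tagging hop. Added illustration;
the switch behaviour here is a simplified model, not any vendor's code."""
import struct

ETH_P_8021Q = 0x8100


def build_frame(dst, src, vids, ethertype, payload):
    """Ethernet frame with zero or more stacked 802.1Q tags (outermost first)."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # TCI with PCP/DEI zero
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vids outermost first], ethertype, payload)."""
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == ETH_P_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def is_double_tagged(frame):
    """Defender check: a frame arriving from a host with two tags is suspect."""
    return len(parse_frame(frame)[2]) >= 2


def access_ingress(frame, access_vlan):
    """Model: untagged frames get the access VLAN; a frame already tagged with
    the access VLAN is accepted as-is (what the attack relies on); others dropped."""
    dst, src, vids, et, payload = parse_frame(frame)
    if not vids:
        return build_frame(dst, src, [access_vlan], et, payload)
    return frame if vids[0] == access_vlan else None


def trunk_egress(frame, native_vlan, tag_native=False):
    """Model: an 802.1Q trunk sends native-VLAN frames untagged, i.e. strips the
    outer tag, unless the switch is configured to tag the native VLAN too."""
    dst, src, vids, et, payload = parse_frame(frame)
    if vids and vids[0] == native_vlan and not tag_native:
        return build_frame(dst, src, vids[1:], et, payload)
    return frame


def downstream_vlan(frame, native_vlan):
    """VLAN the next switch assigns: outer tag if present, else the native VLAN."""
    vids = parse_frame(frame)[2]
    return vids[0] if vids else native_vlan


def hop(frame, access_vlan, native_vlan, tag_native=False):
    """Attacker's access port -> trunk -> next switch. Returns the VLAN the
    frame lands in on the next switch, or None if dropped at ingress."""
    f = access_ingress(frame, access_vlan)
    if f is None:
        return None
    return downstream_vlan(trunk_egress(f, native_vlan, tag_native), native_vlan)


# Constructed sample: a host in VLAN 1 sends outer tag 1, inner tag 20.
ATTACKER = bytes.fromhex("020000000001")
VICTIM = bytes.fromhex("020000000020")
DOUBLE_TAGGED = build_frame(VICTIM, ATTACKER, [1, 20], 0x0800, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    print("native VLAN 1    ->", hop(DOUBLE_TAGGED, 1, 1))        # 20: hopped
    print("native VLAN 999  ->", hop(DOUBLE_TAGGED, 1, 999))      # 1: contained
    print("tag native VLAN  ->", hop(DOUBLE_TAGGED, 1, 1, True))  # 1: contained
```

Only the first case reaches VLAN 20: when the trunk's native VLAN is the attacker's VLAN, the outer tag is removed on the trunk and the inner tag decides the VLAN downstream. Moving the native VLAN to an unused number, or tagging the native VLAN on the trunk, leaves the outer tag in place and the frame stays in VLAN 1.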

9
STP Manipulation
  • Spanning Tree Protocol (STP) exists to prevent
    Layer 2 loops from being formed when switches or
    bridges are interconnected via multiple paths for
    redundancy reasons.
  • Switches exchange BPDU messages to:
  • Elect a root bridge for all LANs and calculate
    the shortest path to it.
  • Elect a designated bridge per LAN.
  • The designated bridge sends a BPDU up the tree
    to the root bridge in case of a topology change,
    and the root forwards it to the other LANs.

10
STP/RSTP Pitfalls
  • Lack of authentication in BPDU messages.
  • If a malicious user impersonates a switch and
    participates in the STP process, he can create a
    DoS by continuously sending topology change BPDU
    messages, so that all the switches keep
    recomputing the algorithm. The user can also
    participate in the STP process by impersonating
    the root bridge and redirect traffic / sniff it.
  • Mitigation
  • Enable root guard on Cisco equipment, which
    enforces the placement of the root bridge in the
    network, or BPDU guard on user ports, so a user
    port cannot use priority zero and hence become the
    root bridge.
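To make the two guards concrete, here is an added Python illustration (not the deck's material and not Cisco's implementation) that builds and parses IEEE 802.1D configuration BPDUs and models a port with either guard. Bridge IDs are compared as the raw 8 bytes (priority then MAC, lower wins), which is how a rogue priority-zero BPDU would win a real election. The port names, MAC addresses, priorities and the "root-inconsistent"/"err-disabled" states are constructed for the example; real recovery timers are not modelled.

```python
"""Config-BPDU parsing with a model of root guard and BPDU guard. Added
illustration, not Cisco's implementation; port states are simplified."""
import struct


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_config_bpdu(root_prio, root_mac, root_cost, bridge_prio, bridge_mac,
                      port_id=0x8001, flags=0):
    """IEEE 802.1D configuration BPDU (35 bytes, LLC header omitted).
    Bridge IDs are priority (2 bytes) followed by the MAC; lower wins."""
    root_id = struct.pack("!H", root_prio) + mac_bytes(root_mac)
    bridge_id = struct.pack("!H", bridge_prio) + mac_bytes(bridge_mac)
    head = struct.pack("!HBBB", 0, 0, 0, flags)   # protocol id 0, version 0, type 0 = config
    # port id, message age, max age, hello time, forward delay (timers in 1/256 s)
    tail = struct.pack("!HHHHH", port_id, 0, 20 * 256, 2 * 256, 15 * 256)
    return head + root_id + struct.pack("!I", root_cost) + bridge_id + tail


def parse_config_bpdu(data):
    if len(data) < 35:
        raise ValueError("truncated BPDU")
    proto, version, bpdu_type, flags = struct.unpack("!HBBB", data[:5])
    if proto != 0 or bpdu_type != 0:
        raise ValueError("not a config BPDU")
    return {
        "flags": flags,
        "root_id": data[5:13],                 # comparable as raw bytes
        "root_cost": struct.unpack("!I", data[13:17])[0],
        "bridge_id": data[17:25],
        "port_id": struct.unpack("!H", data[25:27])[0],
        "topology_change": bool(flags & 0x01),
    }


class GuardedPort:
    """One port with optional BPDU guard (user/edge ports: any BPDU is a
    violation) or root guard (ports that must never see a better root)."""

    def __init__(self, name, bpdu_guard=False, root_guard=False):
        self.name, self.bpdu_guard, self.root_guard = name, bpdu_guard, root_guard
        self.state = "forwarding"

    def receive_bpdu(self, data, current_root_id):
        if self.bpdu_guard:
            self.state = "err-disabled"        # a host port should never send BPDUs
            return "bpdu-guard"
        bpdu = parse_config_bpdu(data)
        if self.root_guard and bpdu["root_id"] < current_root_id:
            self.state = "root-inconsistent"   # superior root seen where none is allowed
            return "root-guard"
        self.state = "forwarding"              # inferior or equal root: normal STP
        return "accepted"


# Constructed sample: legitimate root (priority 4096) and a priority-0 BPDU
# carrying the topology-change flag from a host port.
LEGIT_ROOT_ID = struct.pack("!H", 4096) + mac_bytes("00:00:0c:11:11:11")
ROGUE_BPDU = build_config_bpdu(0, "02:0f:00:00:00:01", 0, 0, "02:0f:00:00:00:01", flags=0x01)
NORMAL_BPDU = build_config_bpdu(4096, "00:00:0c:11:11:11", 19, 8192, "00:00:0c:22:22:22")


def simulate():
    """Deliver the rogue BPDU to three differently configured ports."""
    configs = {"user-port-bpduguard": dict(bpdu_guard=True),
               "distribution-rootguard": dict(root_guard=True),
               "unprotected": {}}
    results = {}
    for name, kw in configs.items():
        port = GuardedPort(name, **kw)
        results[name] = (port.receive_bpdu(ROGUE_BPDU, LEGIT_ROOT_ID), port.state)
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:24s} {outcome}")
```

The unprotected port accepts the rogue BPDU and, since its root ID compares lower than the real root's, the election would move the root to the attacker; the BPDU-guard port is err-disabled on the first BPDU, and the root-guard port goes root-inconsistent only because the advertised root is superior (the normal BPDU from the real root is still accepted there).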

11
MAC Spoof
  • ARP works by sending broadcasts to find the MAC
    address corresponding to an IP.
  • The attacker overrides the CAM table entry so the
    switch forwards packets destined for the host to
    the attacker. This allows the hacker to play MITM
    between two hosts or between the gateway and all
    hosts.
  • The attacker takes advantage of GARP, Gratuitous
    ARP (unsolicited ARP replies).
  • Tools: Ettercap and Arpspoof; they send less than
    one ARP per second so they are not detected by
    switch security features.
  • This attack is limited to the VLAN; it cannot hop
    VLANs.
  • Mitigation
  • DHCP messages are used to build an IP-to-MAC
    binding table containing (MAC, IP, lease time,
    binding type, VLAN number). The DHCP snooping
    feature builds the binding table and Dynamic ARP
    Inspection verifies ARP messages against the
    binding table.
  • Use Arpwatch, an open source tool that generates a
    log of IP-MAC pairings with timestamps.
  • Hard-code static ARP entries on the OS:
    arp -s <ip> <mac>

12
Private VLAN
  • PVLAN restricts communication between ports in
    the same VLAN by assigning ports roles (isolated,
    promiscuous and community).
  • In the proxy attack the attacker sends a packet
    with his own source IP/MAC, the destination IP of
    the target system and the MAC of the router (since
    switches are only MAC aware and routers only IP
    aware).
  • This attack is unidirectional as the PVLAN will
    block the victim's response.
  • Mitigation
  • Configure an access list on the router.

13
DHCP Starvation
  • Broadcasts of DHCP requests with spoofed MAC
    addresses to exhaust the DHCP server's IP pool.
  • According to RFC 2131 a hacker can introduce a
    rogue DHCP server, assigning clients IP addresses
    and acting as MITM while a DHCP server is already
    running.
  • Mitigation
  • DHCP authentication - RFC 3118.
  • No known usage by any commercial or private
    implementation since its adoption in 2001, most
    probably due to non-scalable key distribution.
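The DHCP snooping / Dynamic ARP Inspection mitigation from the MAC Spoof slide and the rogue-DHCP-server problem from this slide rest on the same binding table, so one added Python illustration covers both. It is not code from the deck, from any switch, or from arpwatch: it builds a (VLAN, MAC) to IP binding table from DHCP ACKs seen on a trusted uplink, drops server-side DHCP messages and unmatched ARP from untrusted ports, and keeps an arpwatch-style log of IP-MAC pairings with timestamps. The port names, addresses, lease and all traffic are constructed; the message dictionaries stand in for parsed packets.

```python
"""DHCP snooping binding table, Dynamic ARP Inspection and an arpwatch-style
pairing log, run over constructed traffic. Added illustration; not the code of
any switch or of arpwatch."""
from dataclasses import dataclass


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int        # seconds
    vlan: int
    port: str
    learned_at: int


class DhcpSnooping:
    """Builds the (VLAN, MAC) -> binding table from DHCP ACKs relayed through
    trusted ports and drops server-side DHCP messages from untrusted ports."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.table = {}

    def on_dhcp(self, msg, now):
        """msg is a parsed DHCP message as a dict (type, in_port, and for ACKs
        the client's mac/ip/lease/vlan/client_port)."""
        if msg["type"] in ("OFFER", "ACK") and msg["in_port"] not in self.trusted:
            return "drop"                     # rogue DHCP server on a user port
        if msg["type"] == "ACK":
            self.table[(msg["vlan"], msg["mac"])] = Binding(
                msg["mac"], msg["ip"], msg["lease"], msg["vlan"], msg["client_port"], now)
        return "forward"

    def lookup(self, vlan, mac, now):
        b = self.table.get((vlan, mac))
        return b if b and now - b.learned_at < b.lease else None   # expired leases don't count


class DynamicArpInspection:
    def __init__(self, snooping):
        self.snooping = snooping

    def inspect(self, arp, now):
        """ARP from an untrusted port must match a valid binding (sender MAC + IP)."""
        if arp["in_port"] in self.snooping.trusted:
            return "forward"
        b = self.snooping.lookup(arp["vlan"], arp["sender_mac"], now)
        if b is None or b.ip != arp["sender_ip"]:
            return "drop"
        return "forward"


class ArpWatch:
    """Host-side monitor: remembers IP -> MAC and logs changes with timestamps."""

    def __init__(self):
        self.pairs = {}
        self.log = []

    def observe(self, ip, mac, ts):
        old = self.pairs.get(ip)
        if old is None:
            self.log.append(f"{ts} new station {ip} {mac}")
        elif old != mac:
            self.log.append(f"{ts} changed ethernet address {ip} {old} -> {mac}")
        self.pairs[ip] = mac


# Constructed traffic on VLAN 10. Gi0/1 is the uplink to the router and DHCP server.
GATEWAY = ("00:00:0c:07:ac:0a", "10.0.10.1")
CLIENT = ("00:11:22:33:44:55", "10.0.10.50")
ATTACKER = ("02:de:ad:be:ef:01", "10.0.10.66")

DHCP_EVENTS = [
    {"type": "ACK", "in_port": "Gi0/1", "client_port": "Fa0/5", "vlan": 10,
     "mac": CLIENT[0], "ip": CLIENT[1], "lease": 3600},
    {"type": "ACK", "in_port": "Gi0/1", "client_port": "Fa0/9", "vlan": 10,
     "mac": ATTACKER[0], "ip": ATTACKER[1], "lease": 3600},
    {"type": "OFFER", "in_port": "Fa0/9", "vlan": 10},   # a DHCP server answering from a user port
]
ARP_EVENTS = [
    {"in_port": "Gi0/1", "vlan": 10, "sender_mac": GATEWAY[0], "sender_ip": GATEWAY[1]},
    {"in_port": "Fa0/5", "vlan": 10, "sender_mac": CLIENT[0], "sender_ip": CLIENT[1]},
    {"in_port": "Fa0/9", "vlan": 10, "sender_mac": ATTACKER[0], "sender_ip": ATTACKER[1]},
    {"in_port": "Fa0/9", "vlan": 10, "sender_mac": ATTACKER[0], "sender_ip": GATEWAY[1]},  # gratuitous ARP claiming the gateway IP
]


def run_demo(now=100):
    snoop = DhcpSnooping(trusted_ports={"Gi0/1"})
    dai = DynamicArpInspection(snoop)
    watch = ArpWatch()
    dhcp_verdicts = [snoop.on_dhcp(m, now) for m in DHCP_EVENTS]
    arp_verdicts = []
    for i, a in enumerate(ARP_EVENTS):
        arp_verdicts.append(dai.inspect(a, now))
        watch.observe(a["sender_ip"], a["sender_mac"], now + i)  # what a host on a switch without DAI would see
    return dhcp_verdicts, arp_verdicts, watch.log


if __name__ == "__main__":
    for part in run_demo():
        print(part)
```

The fourth ARP is the poisoning attempt: the sender MAC has a valid binding, but for a different IP, so DAI drops it, and the arpwatch log records the same event as a "changed ethernet address" line for the gateway. The rogue OFFER is dropped simply because it arrived on an untrusted port.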

14
Configuration best practice
  • Use a dedicated VLAN for all trunk ports.
  • Avoid using VLAN 1.
  • Deploy port security.
  • Set user ports to non-trunking.
  • Use ARP security options.
  • Use BPDU guard and root guard.
  • Use PVLANs.
  • Disable CDP.
  • Disable unused ports and put them in an unused
    VLAN.
  • Ensure DHCP attack prevention.

15
References Links
  • http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/sfblu_wp.pdf
  • http://www.terena.org/events/archive/tnc2003/programme/slides/s1c3.ppt
  • http://www.sanog.org/resources/sanog7/yusuf-L2-attack-mitigation.pdf
  • http://www.cisco.at/endkunden/pdf/Tkrewedl_abrauma_CISF_SW_L2_Sec_TK.pdf
  • http://www.seanconvery.com/SEC-2002.pdf
  • http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.pdf
  • http://seclab.cs.ucdavis.edu/papers/Marro_masters_thesis.pdf
  • http://www.blackhat.com/presentations/bh-usa-01/MikeBeekey/bh-usa-01-Mike-Beekey.ppt
  • http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2004.pdf
  • http://monkey.org/~dugsong/dsniff
  • http://www.yersinia.net/