Understanding and Preventing Layer 2 Attacks in IPv4 Networks (2012 San Diego)

Agenda  Layer 2 Attack Landscape ‒ MAC Attacks  Attacks and Countermeasures ‒ VLAN Hopping ‒ DHCP Attacks ‒ ARP Attacks ‒ Spoofing Attacks ‒ Attacks on other LAN protocols  Summary BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

Agenda  Layer 2 Attack Landscape ‒ VLAN Hopping  Attacks and Countermeasures ‒ MAC Attacks ‒ DHCP Attacks ‒ ARP Attacks ‒ Spoofing Attacks ‒ General Attacks  Summary BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 4

Why Worry About Layer 2 Security? OSI Was Built to Allow Different Layers to Work Without the Knowledge of Each Other Host A Host B Application Application Stream Application Presentation Presentation Session Session Transport Protocols/Ports Transport Network IP Addresses Network Data Link MAC Addresses Data Link Physical Physical Links Physical BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 5

Lower Levels Affect Higher Levels  Unfortunately this means if one layer is hacked, communications are compromised without the other layers being aware of the problem  Security is only as strong as the weakest link  When it comes to networking, Layer 2 can be a very weak link Application Application Stream Application POP3, IMAP, IM, Presentation Presentation Compromised SSL, SSH Session Session Transport Protocols/Ports Transport Network IP Addresses Network Initial Compromise Data Link Data Link Physical Physical Links Physical BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 6

Agenda  Layer 2 Attack Landscape ‒ MAC Attacks  Attacks and Countermeasures ‒ VLAN Hopping ‒ DHCP Attacks ‒ ARP Attacks ‒ Spoofing Attacks ‒ General Attacks  Summary BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 7

MAC Address/CAM Table Review 48-Bit Hexadecimal Number Creates Unique Layer Two Address 1234.5678.9ABC First 24-Bits = Manufacture Code Second 24-Bits = Specific Interface, Assigned by IEEE Assigned by Manufacture 0000.0cXX.XXXX 0000.0cXX.XXXX All Fs = Broadcast FFFF.FFFF.FFFF  CAM table stands for Content Addressable Memory  The CAM table stores information such as MAC addresses available on physical ports with their associated VLAN parameters  All CAM tables have a fixed size BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 8

Normal CAM Behavior (1/3) MAC Port A 1 C 3 Port 2 MAC B ARP for B Port 1MAC A Port 3 B Is Unknown— Flood the Frame MAC C BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 9

Normal CAM Behavior (2/3) MAC Port A 1 B 2 C 3 Port 2 MAC B I Am MAC B Port 1MAC A Port 3 A Is on Port 1 Learn: B Is on Port 2 MAC C BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 10

Normal CAM Behavior (3/3) MAC Port A 1 B 2 C 3 Port 2 MAC B Traffic A  B Port 1MAC A Port 3 B Is on Port 2 Does Not See Traffic MAC C to B BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 11

CAM Overflow—Tools (1/2) ‒ About 100 lines of perl  macof tool since 1999 ‒ Included in “dsniff”  Attack successful by exploiting the size limit on CAM tables  Yersinia: Swiss-army knife of L2 attacks BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 12

CAM Overflow (2/2)MAC PortYA 3 1 Assume CAM Table Now FullZB 3 2C 3 Port 2 Y is on Port 3 MAC B Traffic A  B Port 1MAC A Port 3 Z is on Port 3 MAC C I See Traffic to B BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 13

Mac Flooding Switches with macofmacof –i eth136:a1:48:63:81:70 15:26:8d:4d:28:f8 0.0.0.0.26413 > 0.0.0.0.49492: S 1094191437:1094191437(0) win 51216:e8:8:0:4d:9c da:4d:bc:7c:ef:be 0.0.0.0.61376 > 0.0.0.0.47523: S 446486755:446486755(0) win 51218:2a:de:56:38:71 33:af:9b:5:a6:97 0.0.0.0.20086 > 0.0.0.0.6728: S 105051945:105051945(0) win 512e7:5c:97:42:ec:1 83:73:1a:32:20:93 0.0.0.0.45282 > 0.0.0.0.24898: S 1838062028:1838062028(0) win 51262:69:d3:1c:79:ef 80:13:35:4:cb:d0 0.0.0.0.11587 > 0.0.0.0.7723: S 1792413296:1792413296(0) win 512c5:a:b7:3e:3c:7a 3a:ee:c0:23:4a:fe 0.0.0.0.19784 > 0.0.0.0.57433: S 1018924173:1018924173(0) win 51288:43:ee:51:c7:68 b4:8d:ec:3e:14:bb 0.0.0.0.283 > 0.0.0.0.11466: S 727776406:727776406(0) win 512b8:7a:7a:2d:2c:ae c2:fa:2d:7d:e7:bf 0.0.0.0.32650 > 0.0.0.0.11324: S 605528173:605528173(0) win 512e0:d8:1e:74:1:e 57:98:b6:5a:fa:de 0.0.0.0.36346 > 0.0.0.0.55700: S 2128143986:2128143986(0) win 512  Macof sends random source MAC and IP addresses ‒“macof -i eth1 2> /dev/null”  Much more aggressive if you run the command ‒macof (part of dsniff): http://monkey.org/~dugsong/dsniff/ BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 14

CAM Table Full  Once the CAM table on the switch is full, traffic without a CAM entry is flooded out every port on that VLAN  This will turn a VLAN on a switch basically into a hub  This attack will also fill the CAM tables of adjacent switches10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.1, 10.1.1.1 ?10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.19, 10.1.1.19 ?10.1.1.26 -> 10.1.1.25 ICMP Echo request (ID: 256 Sequence number: 7424)  OOPS10.1.1.25 -> 10.1.1.26 ICMP Echo reply (ID: 256 Sequence number: 7424)  OOPS BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 15

Countermeasures for MAC Attacks Port Security Limits the Amount of MACs on an Interface 00:0e:00:aa:aa:aa 00:0e:00:bb:bb:bb Only One MAC Addresses Allowed on the Port: Shutdown132,000Bogus MACs Solution  Port security limits MAC flooding attack and locks down port and sends an SNMP trap BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 16

Countermeasures for MAC Attacks with IP Phones Phones can use two or three Could Use Two or depending on the switch hardware Three MAC Addresses ‒ Some switches look at the CDP traffic and Allowed on the Port: and software Shutdown some don’t, if they don’t, they need two, if they do ‒ Some hardware (3550) will they need three always need three Default config is disable port, might want to restrict for VoIP This feature is to protect that switch, you can make the number anything you like as long as you don’t overrun the CAM table BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 17

Port Security: Example Config Will Enable Voice Cisco Catalyst OS set port security 5/1 enable to Work Under Attack set port security 5/1 port max 3 set port security 5/1 violation restrict set port security 5/1 age 2 set port security 5/1 timer-type inactivity Cisco IOS switchport port-security switchport port-security maximum 3 switchport port-security violation restrict switchport port-security aging time 2 switchport port-security aging type inactivity  Number is not to control access, it is to protect the switch from attack  Depending on security policy, disabling the port might be preferred, even with VoIP  Aging time of two and aging type inactivity to allow for phone CDP of 1 minute If violation error-disable, the following log message will be produced: 4w6d: %PM-4-ERR_ DISABLE: Psecure-Violation Error Detected on Gi3/2, Putting Gi3/2 in Err-Disable State BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 18

New Features for Port Security New Commands Cisco IOS switchport port-security switchport port-security maximum 1 vlan voice switchport port-security maximum 1 vlan access switchport port-security violation restrict switchport port-security aging time 2 switchport port-security aging type inactivity snmp-server enable traps port-security trap-rate 5  Per port per VLAN max MAC addresses  Restrict now will let you know something has happened—you will ‒ Everyone asked so Cisco did it get an SNMP trap BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 19

Port Security Not All Port Security Created Equal  In the past you would have to type in the only MAC you were going to allow on that port  You can now put a limit to how many MAC address a port will learn  You can also put timers in to state how long the MAC address will be bound to that switch port  You might still want to do static MAC entries on ports that there should be no movement of devices, as in server farms  “Sticky Port Security”; settings survive reboot (not on all switches) BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 20

Port Security and LLDP-MED ‒ A standard that works like CDP for media endpoints  Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP) ‒ Could affect port security deployments ‒ You will need to set the port to three; the device (phone) can be in both VLAN—voice  If the switch does not understand LLDP-MED ‒ Or the setting can be two for the data VLAN (one phone and one PC) and data—and the PC will be in the data VLAN and one in the voice VLAN for the phone ‒ The LLDP-MED should be treated as CDP and will not be counted  If the switch supports LLDP-MED ‒ Early versions of switch Cisco IOS did count the LLDP-MED, on the port so the setting could be two or higher so please be careful with the settings Good link for this is: http://en.wikipedia.org/wiki/LLDP-MED BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 21

Port Security: What to Expect Notice: When Using the Restrict Feature of Port Security, if the Switch Is Under Attack, You Will See a Performance Hit on the CPU  The performance hit seen with multiple attacks happening at one time is up to 99% CPU utilization  Because the process is a low priority, on all switches packets were not dropped  Telnet and management were still available  Would want to limit the SNMP message, don’t want 1000s  Voice MOS scores under attack were very good, as long as QoS was configured  Designed to protect the switch and limit MAC addresses, has no authentication; look at 802.1X for that  Minimum settings for phones are two usually, higher numbers should be considered MOS: Mean Opinion Score; http://en.wikipedia.org/wiki/Mean_Opinion_Score BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 22

Agenda  Layer 2 Attack Landscape ‒ MAC Attacks  Attacks and Countermeasures ‒ VLAN Hopping ‒ DHCP Attacks ‒ ARP Attacks ‒ Spoofing Attacks ‒ General Attacks  Summary BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 24

Basic Trunk Port Defined Trunk with: Native VLAN VLAN 10 VLAN 10 VLAN 20 VLAN 20 VLAN 20 VLAN 10  Trunk ports have access to all VLANs by default  Used to route traffic for multiple VLANs across the same physical link (generally between switches or phones)  Encapsulation can be 802.1Q BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 25

Dynamic Trunk Protocol (DTP) ‒ Automates 802.1Q What is DTP? ‒ Operates between switches trunk configuration ‒ Does not operate on routers (Cisco IP phone is a switch) Dynamic ‒ Support varies, Trunk Protocol check your device DTP synchronizes the trunking mode on end links DTP state on 802.1Q trunking port can be set to “Auto,” “On,” “Off,” “Desirable,” or “Non-Negotiate” BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 26

Basic VLAN Hopping Attack Trunk with: Native VLAN VLAN 10 VLAN 10 VLAN 20 VLAN 20 Trunk with: VLAN 10 Native VLAN VLAN 10 VLAN 20  An end station can spoof as a switch with 802.1Q  The station is then a member of all VLANs  Requires a trunking configuration of the native VLAN to be VLAN 1 BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 27

Double 802.1Q EncapsulationVLAN Hopping Attack src mac dst mac 8100 5 8100 96 0800 data 1st tag 2nd tag 802.1q Frame Strip Off First, and Send Back Out  Send 802.1Q double encapsulated frames  Switch performs only one level of decapsulation  Unidirectional traffic only  Works even if trunk ports are set to off Note: Only works if trunk has the same VLAN as the attacker BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 28

IP Phones VLAN Security Configurable Options Block voice VLAN from PC port Ignore Gratuitous ARPs (GARPs) These Features Were All Introduced in CCM 3.3(3), Except Signed Config Files and Disable Web Access Which Were Introduced in CCM 4.0 BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 29

Voice VLAN Access VLAN 10 VLAN 20 VLAN 20 ‒ VLAN 20 is native to the PC and is not tagged  Normal VLAN operation ‒ VLAN 10 is the voice VLAN, and is tagged with 10 BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 30

Voice VLAN Access: Attack VLAN 10 Attacker Sends VLAN 10 Frames Has PC Traffic VLAN 20 VLAN 10 ‒ Attacker sends 802.1Q tagged frames from the PC to the phone  Attacking voice VLAN ‒ Traffic from the PC is now in the voice VLAN BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 31

IP PhonePC Voice VLAN Access Setting Attacker Sends VLAN 10 VLAN 10 Frames VLAN 20 ‒ Enable settings for PC voice VLAN access  Preventing voice VLAN attacks ‒ Tagged traffic will be stopped at the PC port on the phone ‒ Newer phones only block voice VLAN, allowing PC to run 802.1Q on any other VLAN  Differences between phone model implementations ‒ All phones that run JAVA block all packets containing an 802.1Q header ‒ Low end phones doesn’t block anything BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 32

Security Best Practices forVLANs and Trunking  Always use a dedicated VLAN ID for all trunk ports  Disable unused ports and put them in an unused VLAN  Be paranoid: do not use VLAN 1 for anything  Disable auto-trunking on user facing ports (DTP off)  Explicitly configure trunking on infrastructure ports  Use all tagged mode for the native VLAN on trunks  Use PC voice VLAN access on phones that support it  Use 802.1Q tag all on the trunk port BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 33

DHCP Function: High Level DHCP Server Client Send My Configuration Information IP Address: 10.10.10.101 Subnet Mask: 255.255.255.0 Default Routers: 10.10.10.1 DNS Servers: 192.168.10.4, 192.168.10.5 Lease Time: 10 days Here Is Your Configuration  Server dynamically assigns IP address on demand  Administrator creates pools of addresses available for assignment  Address is assigned with lease time  DHCP delivers other configuration information in options  Similar functionality in Ipv6 for DHCP BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 35

DHCP Function: Lower Level DHCP Server Client DHCP Discover (Broadcast) DHCP Offer (Unicast) DHCP Request (Broadcast) DHCP Ack (Unicast)  DHCP defined by RFC 2131 BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 36

DHCP Function: Lower Level DHCP Request/Reply Types Message Use DHCPDISCOVER Client Broadcast to Locate Available Servers Server to Client in Response to DHCPDISCOVER with Offer of DHCPOFFER Configuration Parameters Client Message to Servers Either (a) Requesting Offered Parameters from One Server and Implicitly Declining Offers from All Others, DHCPREQUEST (b) Confirming Correctness of Previously Allocated Address After, e.g., System Reboot, or (c) Extending the Lease on a Particular Network Address Server to Client with Configuration Parameters, Including Committed DHCPACK Network Address Server to Client Indicating Client’s Notion of Network Address Is Incorrect (e.g., Client Has Moved DHCPNAK to New Subnet) or Client’s Lease as Expired DHCPDECLINE Client to Server Indicating Network Address Is Already in Use Client to Server Relinquishing Network Address and Canceling DHCPRELEASE Remaining Lease Client to Server, Asking Only for Local Configuration Parameters; DHCPINFORM Client Already Has Externally Configured Network Address. BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 37

DHCP Attack Types DHCP Starvation Attack ClientGobbler DHCP Server DHCP Discovery (Broadcast) x (Size of Scope) DHCP Offer (Unicast) x (Size of DHCPScope) DHCP Request (Broadcast) x (Size of Scope) DHCP Ack (Unicast) x (Size of Scope)  Gobbler/DHCPx looks at the entire DHCP scope and tries to lease all of the DHCP addresses available in the DHCP scope  This is a Denial of Service DoS attack using DHCP leases BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 38

Countermeasures for DHCP Attacks DHCP Starvation Attack = Port Security ClientGobbler DHCP Cisco Catalyst OS Server Gobbler uses a new MAC set port security 5/1 enable address to request a new DHCP lease set port security 5/1 port max 1 set port security 5/1 violation restrict Restrict the number of MAC addresses on set port security 5/1 age 2 a port set port security 5/1 timer-type inactivity Will not be able to lease Cisco IOS more IP address then switchport port-security MAC addresses allowed switchport port-security maximum 1 on the port switchport port-security violation restrict In the example the attacker would switchport port-security aging time 2 get one IP address from the DHCP server switchport port-security aging type inactivity BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 39

DHCP Attack TypesRogue DHCP Server Attack Client DHCP Rogue Server or Server Unapproved DHCP Discovery (Broadcast) DHCP Offer (Unicast) from Rogue Server DHCP Request (Broadcast) DHCP Ack (Unicast) from Rogue Server BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 40

DHCP Attack TypesRogue DHCP Server Attack  What can the attacker do if he is the DHCP server? IP Address: 10.10.10.101 Subnet Mask: 255.255.255.0 Default Routers: 10.10.10.1 DNS Servers: 192.168.10.4, 192.168.10.5 Lease Time: 10 days Here Is Your Configuration  What do you see as a potential problem with incorrect information? Wrong default gateway—Attacker is the gateway Wrong DNS server—Attacker is DNS server Wrong IP address—Attacker does DOS with incorrect IP BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 41

Countermeasures for DHCP AttacksRogue DHCP Server = DHCP Snooping Client DHCP Snooping-Enabled Untrusted Trusted Untrusted OK DHCP Responses: DHCP Rogue Server offer, ack, nak Server Cisco IOS BAD DHCP Responses: Global Commands offer, ack, nak ip dhcp snooping vlan 4,104 no ip dhcp snooping information option ip dhcp snooping DHCP Snooping Untrusted Client DHCP Snooping Trusted Server Interface Commands or Uplink no ip dhcp snooping trust (Default) Interface Commands ip dhcp snooping limit rate 10 (pps) ip dhcp snooping trust  By default all ports in the VLAN are untrusted BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 42

Countermeasures for DHCP Attacks Rogue DHCP Server = DHCP Snooping Client DHCP Snooping-Enabled Untrusted Trusted Untrusted DHCP OK DHCP Responses: Server Rogue Server offer, ack, nak BAD DHCP Responses: offer, ack, nakDHCP Snooping Binding Tablesh ip dhcp snooping bindingMacAddress IpAddress Lease(sec) Type VLAN Interface------------------ --------------- ---------- ------------- ---- --------------------00:03:47:B5:9F:AD 10.120.4.10 193185 dhcp-snooping 4 FastEthernet3/18  Table is built by “snooping” the DHCP reply to the client  Entries stay in table until DHCP lease time expires BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 43

Advanced Configuration DHCP Snooping  Not all operating system (Linux) re DHCP on link down  In the event of switch failure, the DHCP snooping binding table can be written to bootflash, ftp, rcp, slot0, and tftp  This will be critical in the next section ip dhcp snooping database tftp://172.26.168.10/tftpboot/tulledge/ngcs-4500-1-dhcpdb ip dhcp snooping database write-delay 60 BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 44

Advanced Configuration DHCP Snooping Gobbler uses a unique MAC Hardware Hardware for each DHCP request and OP Code Type Length HOPS port security prevents Gobbler What if the attack used the Transaction ID (XID) same interface MAC address, Seconds Flags but changed the client hardware address in the Client IP Address (CIADDR) request? Port security would not work Your IP Address (YIADDR) for that attack The switches check the Server IP Address (SIADDR) CHADDR field of the request to make sure it matches the Gateway IP Address (GIADDR) hardware MAC in the DHCP snooping binding table Client Hardware Address (CHADDR)—16 Bytes If there is not a match, the request is dropped at the Server Name (SNAME)—64 Bytes interface Filename—128 Bytes DHCP Options Note: Some switches have this on by default, and other’s don’t; please check the documentation for settings BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 45

DHCP Rogue Server If there are switches in the network that will not support DHCP snooping, you can configure VLAN ACLs to block UDP port 68 set security acl ip ROGUE-DHCP permit udp host 192.0.2.1 any eq 68 set security acl ip ROGUE-DHCP deny udp any any eq 68 set security acl ip ROGUE-DHCP permit ip any any set security acl ip ROGUE-DHCP permit udp host 10.1.1.99 any eq 68  Will not prevent the CHADDR DHCP starvation attack Router DHCP 192.0.2.1 Server 10.1.1.99 BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 46

Summary of DHCP Attacks DHCP starvation attacks can be mitigated by port security Rogue DHCP servers can be mitigated by DHCP snooping features When configured with DHCP snooping, all ports in the VLAN will be “untrusted” for DHCP replies Check default settings to see if the CHADDR field is being checked during the DHCP request Unsupported switches can run ACLs for partial attack mitigation (can not check the CHADDR field) BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 47

DHCP Snooping Capacity  All DHCP snooping binding tables have limits  All entries stay in the binding table until the lease runs out  If you have a mobile work environment, reduce the lease time to make sure the binding entries will be removedsh ip dhcp snooping bindingMacAddress IpAddress Lease(sec) Type VLAN Interface------------------ --------------- ---------- ------------- ---- --------------------00:03:47:B5:9F:AD 10.120.4.10 193185 dhcp-snooping 4 FastEthernet3/18 BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 48

Building the Layers Port security prevents CAM attacks and DHCP starvation attacks DHCP snooping prevents rogue DHCP server attacks DHCP Snooping Port Security BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 49

ARP Function Review Before a station can talk to another station it must do an ARP request to ‒ This ARP request is broadcast using protocol 0806 map the IP address to the MAC address All computers on the subnet will receive and process the ARP request; the station that matches the IP address in the request will send an ARP reply I Am 10.1.1.4 MAC A Who Is 10.1.1.4? BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 51

ARP Function Review According to the ARP RFC, a client is allowed to send an unsolicited ARP reply; this is called a gratuitous ARP; other hosts on the same subnet can store this information in their ARP tables Anyone can claim to be the owner of any IP/MAC address they like ARP attacks use this to redirect traffic You Are You Are You Are I Am 10.1.1.1 10.1.1.1 10.1.1.1 10.1.1.1 MAC A MAC A MAC A MAC A BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 52

ARP Attack Tools ‒Dsniff, Cain & Abel, ettercap, Yersinia, etc. Many tools on the net for ARP man-in-the-middle attacks ‒ Some are second or third generation of ARP attack tools ettercap: http://ettercap.sourceforge.net/index.php ‒ Most have a very nice GUI, and is almost point and click ‒ Packet insertion, many to many ARP attack ‒ FTP, Telnet, SMTP, HTTP, POP, NNTP, IMAP, SNMP, LDAP, All of them capture the traffic/passwords of applications RIP, OSPF, PPTP, MS-CHAP, SOCKS, X11, IRC, ICQ, AIM, SMB, Microsoft SQL, etc. BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 53

ARP Attack Tools Ettercap in action As you can see runs in Window, Linux, Mac Decodes passwords on the fly This example, telnet username/ password is captured BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 54

ARP Spoofing Video

ARP Attack Tools: SSH/SSL Using these tools SSL/SSH sessions can be intercepted and bogus certificate credentials can be presented Once you have excepted the certificate, all SSL/SSH traffic for all SSL/SSH sites can flow through the attacker BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 56

ARP Attack in Action  Attacker “poisons” the ARP tables 10.1.1.2 Is Now 10.1.1. MAC C 1 MAC AARP 10.1.1.1 Saying 10.1.1.2 Is MAC C ARP 10.1.1.2 Saying 10.1.1.1 Is MAC C 10.1.1.3 MAC C 10.1.1.2 MAC B 10.1.1.1 Is Now MAC C BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 57

ARP Attack in Action All traffic flows through the attacker 10.1.1.2 Is Now 10.1.1. MAC C 1Transmit/Receive MAC A Traffic to Transmit/Receive 10.1.1.2 MAC C Traffic to 10.1.1.1 MAC C 10.1.1.3 MAC C 10.1.1.2 MAC B 10.1.1.1 Is Now MAC C BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 58

ARP Attack Clean Up  Attacker corrects ARP tables entries 10.1.1.2 Is Now  Traffic flows return to normal 10.1.1. MAC B 1 MAC AARP 10.1.1.1 Saying 10.1.1.2 Is MAC B ARP 10.1.1.2 Saying 10.1.1.1 Is MAC A 10.1.1.3 MAC C 10.1.1.2 MAC B 10.1.1.1 Is Now MAC A BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 59

Countermeasures to ARP Attacks: Dynamic ARP Inspection  Uses the DHCP snooping binding 10.1.1. table information 1 MAC A  Dynamic ARP NoneIs This Is My Matching NO ‒ All ARP packets mustARP 10.1.1.1 Saying Binding Table? ARPs in the Bit inspection DHCP Snooping- 10.1.1.2 Is MAC C Bucket Enabled Dynamic ARP Inspection- Enabled match the IP/MAC ‒ If the entries do not binding table entries match, throw them in the bit bucket 10.1.1.3 MAC C 10.1.1.2 ARP 10.1.1.2 Saying MAC B 10.1.1.1 Is MAC C BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 60

Countermeasures to ARP Attacks:Dynamic ARP Inspection Uses the information from the DHCP snooping binding tablesh ip dhcp snooping bindingMacAddress IpAddress Lease(sec) Type VLAN Interface------------------ --------------- ---------- ------------- ---- --------------------00:03:47:B5:9F:AD 10.120.4.10 193185 dhcp-snooping 4 FastEthernet3/18 Looks at the MacAddress and IpAddress fields to see if the ARP from the interface is in the binding; if not, traffic is blocked BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 61

Countermeasures to ARP Attacks:Dynamic ARP Inspection Configuration of Dynamic ARP Inspection (DAI) DHCP snooping had to be configured so the binding table it built DAI is configured by VLAN You can trust an interface like DHCP snooping Be careful with rate limiting—varies between platforms Suggested for voice is to set the rate limit above the default if you feel dial tone is important BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 62

Countermeasures to ARP Attacks:Dynamic ARP InspectionDynamic ARP Inspection Commands Cisco IOS Global Commands ip dhcp snooping vlan 4,104 no ip dhcp snooping information option ip dhcp snooping ip arp inspection vlan 4,104 ip arp inspection log-buffer entries 1024 ip arp inspection log-buffer logs 1024 interval 10 Interface Commands ip dhcp snooping trust ip arp inspection trust Cisco IOS Interface Commands no ip arp inspection trust (default) ip arp inspection limit rate 15 (pps) BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 63

Additional Checks Can check for both destination or source MAC and ‒ Destination MAC: Checks the destination MAC address in the Ethernet header IP addresses ‒ Source MAC: Checks the source MAC address in the Ethernet header against the against the target MAC address in ARP body ‒ IP address: Checks the ARP body for invalid and unexpected IP addresses; sender MAC address in the ARP body addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 64

Cisco IOS Commands Cisco IOS Global Commands ip arp inspection validate dst-mac ip arp inspection validate src-mac ip arp inspection validate ip Enable all commands ip arp inspection validate src-mac dst-mac ip ‒ Each by themselves, or any combination of the three  Each check can be enabled independently ‒ If you have dst-mac enabled and then enable src-mac, dst-mac is no longer  The last command overwrites the earlier command active BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 65

Countermeasures to ARP Attacks: Dynamic ARP Inspection Error Messages in Show Logsh log:4w6d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 296 milliseconds on Gi3/2.4w6d: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi3/2, putting Gi3/2 in err-disablestate4w6d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/2, vlan183.([0003.472d.8b0f/10.10.10.62/0000.0000.0000/10.10.10.2/12:19:27 UTC Wed Apr 19 2000])4w6d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/2, vlan183.([0003.472d.8b0f/10.10.10.62/0000.0000.0000/10.10.10.3/12:19:27 UTC Wed Apr 19 2000]) BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 66

Phone ARP Features Configurable Options Block voice VLAN from PC port Ignore Gratuitous ARPs (GARPs) These Features Were All Introduced in CCM 3.3(3), Except Signed Config Files and Disable Web Access Which Were Introduced in CCM 4.0 BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 67

Phone ARP Features  Attacker “poisons” the 10.1.1.2 Is Now ARP table on the router 10.1.1. MAC C 1 MAC AARP 10.1.1.1 Saying 10.1.1.2 Is MAC C ARP 10.1.1.2 Saying 10.1.1.1 Is MAC C 10.1.1.3 MAC C 10.1.1.2 MAC B 10.1.1.1 Is STILL MAC A—Ignore BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 68

Phone ARP Features  Traffic from the phone Traffic from the router to is protected, but the the attacker—from the 10.1.1. router is still 1 vulnerable without phone to the router MAC A dynamic ARP inspection 10.1.1.3 MAC C 10.1.1.2 MAC B BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 69

Non-DHCP Devices  Can use static bindings in the DHCP snooping binding table Cisco IOS Global Commands ip source binding 0000.0000.0001 vlan 4 10.0.10.200 interface fastethernet 3/1  Show static and dynamic entries in the DHCP snooping binding table is different Cisco IOS Show Commands show ip source binding BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 70

Binding Table Info No entry in the binding table—no traffic Wait until all devices have new leases before turning on dynamic ARP Inspection Entrees stay in table until the lease runs out ‒ 3000 switches—2500 entrees All switches have a binding size limit ‒ 4000 switches—4000 entrees (6000 for the SupV-10GE) ‒ 6000 switches—16,000 entrees BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 71

Summary of ARP Attacks Dynamic ARP inspection prevents ARP attacks by intercepting all ARP requests and responses DHCP snooping must be configured first, otherwise there is no binding table for dynamic ARP Inspection to use The DHCP snooping table is built from the DHCP request, but ‒ If you have a device that does not DHCP, but you would like you can put in static entries to turn on dynamic ARP Inspection, you would need a static entry in the table BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 72

More ARP Attack Information Some IDS systems will watch for an unusually high amount of ARP traffic ‒ Caution—you will need an ARPWatch server on every VLAN ARPWatch is freely available tool to track IP/MAC address pairings ‒ Hard to manage and scale ‒ You can still do static ARP for critical routers and hosts (administrative pain) BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 73

Building the Layers Port security prevents CAM attacks and DHCP starvation attacks DAI DHCP snooping prevents DHCP rogue DHCP server attacks Snooping Dynamic ARP inspection Port Security prevents current ARP attacks BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 74

Spoofing Attacks ‒ If MACs are used for network access an attacker can gain access to the MAC spoofing ‒ Also can be used to take over someone’s identity already network on the network ‒ Ping of death IP spoofing ‒ ICMP unreachable storm ‒ SYN flood ‒ Trusted IP addresses can be spoofed BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 76

Spoofing Attack: MAC  Attacker sends packets with the incorrect source Received Traffic Source Address MAC address 10.1.1.3 Mac B 10.1.1.  If network control is by 1 MAC address, the MAC A attacker now looks likeTraffic Sent with MAC B Source 10.1.1.2 10.1.1.3 MAC C 10.1.1.2 MAC B BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 77

Spoofing Attack: IP  Attacker sends packets with the incorrect source IP address Received Traffic Source IP  Whatever device the 10.1.1.2 Mac C 10.1.1. packet is sent to will never 1 reply to the attacker MAC ATraffic Sent with IP 10.1.1.2 Source 10.1.1.3 MAC C 10.1.1.2 MAC B BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 78

Spoofing Attack: IP/MAC  Attacker sends packets with the incorrect source IP and Received Traffic MAC address Source IP 10.1.1.2  Now looks like a device that Mac B 10.1.1.1 is already on the network MAC ATraffic Sent with IP 10.1.1.2 MAC B Source 10.1.1.3 MAC C 10.1.1.2 MAC B BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 79

Countermeasures to Spoofing Attacks:  Uses the DHCPIP Source Guard snooping binding table information 10.1.1.1 ‒Operates just like MAC A  IP Source GuardTraffic Sent with Nonmatching Is This Is My IP 10.1.1.3 NO Traffic Dropped Binding Table? DHCP Snooping- Enabled Dynamic ARP dynamic ARP Mac B inspection, but looks at Inspection- Enabled IP Source Guard-Enabled every packet, not just ARP packet 10.1.1.3 MAC C 10.1.1.2 Traffic Sent with IP 10.1.1.2 MAC B Mac C Received Traffic Source IP 10.1.1.2 Mac B BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 80

Countermeasures to Spoofing Attacks:IP Source Guard  Uses the information from the DHCP snooping binding tablesh ip dhcp snooping bindingMacAddress IpAddress Lease(sec) Type VLAN Interface------------------ --------------- ---------- ------------- ---- --------------------00:03:47:B5:9F:AD 10.120.4.10 193185 dhcp-snooping 4 FastEthernet3/18  Looks at the MacAddress and IpAddress fields to see if the traffic from the interface is in the binding table, it not, traffic is blocked BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 81

Countermeasures to Spoofing Attacks:IP Source Guard Configuration of IP Source Guard DHCP snooping had to be configured so the binding table it built IP Source Guard is configured by port IP Source Guard with MAC does not learn the MAC from the device connected to the switch, it learns it from the DHCP offer There are very few DHCP servers that support Option 82 for DHCP If you do not have an Option 82-enabled DHCP you most likely will not get an IP address on the client Note: There are at least two DHCP servers that support Option 82 Field Cisco Network Registrar® and Avaya BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 82

Clearing Up Source Guard MAC and IP checking can be turned on separately ‒ For IP or together ‒ For MAC Will work with the information in the binding table Must have an Option 82-enabled DHCP server (Microsoft does not support Option 82) Have to change all router configuration to support Option 82 All Layer 3 devices between the DHCP request and the DHCP server will need to be configured to trust the Option 82 DHCP request: ip dhcp relay information trust ‒ There are no known, good attacks that can use this information in Most enterprises do not need to check the MAC address with IPSG an enterprise network BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 83

Countermeasures to Spoofing Attacks:IP Source Guard IP Source Guard IP Source Guard Configuration IP Checking Only (No Opt 82) IP Source Guard Configuration What most Enterprises Will Run IP/MAC Checking Only (Opt 82) Cisco IOSCisco IOS Global CommandsGlobal Commands ip dhcp snooping vlan 4,104ip dhcp snooping vlan 4,104 ip dhcp snooping information optionno ip dhcp snooping information option ip dhcp snoopingip dhcp snooping Interface CommandsInterface Commands ip verify source vlan dhcp-snoopingip verify source vlan dhcp-snooping port-security Static IP addresses can be learned, but only used for IP Source Guard BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 84

Building the Layers Port security prevents CAM attacks and DHCP starvation attacks IPSG DHCP snooping prevents rogue DHCP server attacks DAI Dynamic ARP inspection prevents current DHCP ARP attacks Snooping IP Source Guard prevents IP/MAC Port Security spoofing BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 85

Agenda Layer 2 Attack Landscape ‒ VLAN Hopping Attacks and Countermeasures ‒ MAC Attacks ‒ DHCP Attacks ‒ ARP Attacks ‒ Spoofing Attacks ‒ Attacks on other protocols Summary BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 86

Spanning Tree Basics  STP purpose: to maintain loop-free topologies in a redundant Layer 2 infrastructure A Switch Is Elected as Root Root Selection Is Based on Root the Lowest Configured Priority A ‘Tree-Like’, of Any Switch 0–65535 Loop-Free Topology Is Established from the Perspective of the Root Bridge X  STP is very simple; messages are sent using Bridge Protocol Data Units (BPDUs); basic messages include: configuration, topology change notification/acknowledgment (TCN/TCA); most have no “payload”  Avoiding loops ensures broadcast traffic does not become storms BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 88

Spanning Tree Attack Example Send BPDU messages to become root ‒The attacker then sees frames he shouldn’t bridge Access Switches Root Root Blocked X MITM, DoS, etc. all possible Any attack is very sensitive to the original topology, trunking, PVST, etc. Although STP takes link speed into consideration, it is always done from the perspective of the root bridge; taking a Gb backbone to half-duplex 10 Mb was verified Requires attacker is dual homed to two different switches (with a hub, it can be done with just one interface on the attacking host) Root BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 90

STP Attack Mitigation Try to design loop-free topologies where ever possible, so you do not need STP Don’t disable STP, introducing a loop would become another attack BPDU guard Should be run on all user facing ports and infrastructure ‒ Disables ports using portfast upon detection of a BPDU message on the port facing ports ‒ Globally enabled on all ports running portfast ‒ Available in Cisco Catalyst OS 5.4.1 for Cisco Catalyst 2000 Series, Cisco Catalyst 4000 Series, Cisco Catalyst 5000 Series, and Cisco Catalyst 6000 Series; 12.0XE for native Cisco IOS 6000 Series; 12.1(8a)EW for Cisco 4000 Series IOS; 12.1(4)EA1 for 3550; 12.1(6)EA2 for 2950CatOS> (enable)set spantree portfast bpdu-guard enableIOS(config)#spanning-tree portfast bpduguard BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 91

STP Attack Mitigation ‒ Disables ports who would become the root bridge due to their BPDU Root Guard ‒ Configured on a per port basis advertisement ‒ Available in Cisco Catalyst OS 6.1.1 for Cisco Catalyst 29XX, Cisco Catalyst 4000 Series, Cisco Catalyst 5000 Series, Cisco Catalyst 6000 Series; 12.0(7) XE for native Cisco IOS 6000 Series, 12.1(8a)EW for 4K Cisco IOS; 29/3500XL in 12.0(5)XU; 3550 in 12.1(4)EA1; 2950 in 12.1(6)EA2CatOS> (enable) set spantree guard root 1/1IOS(config)#spanning-tree guard root (or rootguard) BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 92

Switch Management ‒ All the great mitigation techniques we talked about aren’t worth much if the attacker telnets into your switch Management can be your weakest link and disables them Most of the network management protocols we know and love are insecure (syslog, SNMP, TFTP, telnet, FTP, etc.) Consider secure variants of these protocols as they become available (SSH, SCP, SSL, ‒ Put the management VLAN into a dedicated nonstandard VLAN where nothing but management traffic OTP etc.), where impossible, consider out of band (OOB) management ‒ Consider physically backhauling this interface to your management network resides When OOB management is not possible, at least limit access to the management protocols using the “set ip permit” lists on the management protocols SSH is available on Cisco Catalyst 6000 Series with Cisco Catalyst OS 6.1 and Cisco Catalyst 4000 Series/29XXG with Cisco Catalyst OS 6.3; 3550 in 12.1(11)EA1; 2950 in 12.1(12c)EA1; Cisco IOS 6000 Series 12.1(5c)E12; Cisco IOS 4000 Series in 12.1(13)EW BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 93

Agenda Layer 2 Attack Landscape ‒ VLAN Hopping Attacks and Countermeasures ‒ MAC Attacks ‒ DHCP Attacks ‒ ARP Attacks ‒ Spoofing Attacks ‒ General Attacks Summary BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 94

The One Thing to Remember If you do not have a binding table entry, you will not allow traffic from that ‒ Dynamic ARP inspection port with these features enabled ‒ IP Source Guard Users get grumpy when this happens Would be wise to test and understand before deployment BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 95

Matrix for Security Features (1/3) 6500/ Feature/Platform 6500/Cisco IOS Nexus 4500/Cisco IOS Cisco Catalyst OS Dynamic Port 7.6(1) 12.1(13)E 4.1 12.1(13)EW Security Per VLAN Dynamic 12.2(31)SGA 8.3(1) 12.2(33)SXH 4.1 Port Security *** 12.1(12c)EW DHCP Snooping 8.3(1) 12.2(18)SXE* 4.1 *** 12.1(19)EW DAI 8.3(1) 12.2(18)SXE* 4.1 *** 12.1(19)EW IP Source Guard 8.3(1)** 12.2(18)SXD2 4.1 *** *Works on trunks today, roadmapped for access ports **Requires Sup720—support for Sup32 DHCP snooping and DAI ***For the Cisco Catalyst 4500-Cisco IOS-based platforms, this requires Sup2+ or above These Sups are supported on the Cisco Catalyst 4006, 4503, 4506, and 4507R chassis running BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 96

Matrix for Security Features (2/3) Feature/Platform 3750/3560 EMI 3550 EMI 2960 EI 2950 EI 2950 SI Dynamic Port 12.1(25)SE 12.2(25)SEA 12.1(11)AX 12.0(5.2)WC1 12.0(5.2)WC1 Security Per VLAN Dynamic 12.2(37)SE NA 12.2(37)SE NA NA Port Security DHCP Snooping 12.1(25)SE 12.2(25)SEA 12.1(19)EA1 12.1(19)EA1 N/A DAI 12.2(25)SE 12.2(25)SEA N/A N/A N/A IP Source Guard 12.2(25)SE 12.2(25)SEA N/A N/A N/A Note: Old names of the Cisco IOS for the 3000 Series switches Cisco IOS feature finder: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 97

Matrix for Security Features (3/3) 3750/3560 3550 3750/3560 3550 Feature/Platform Advanced IP Advanced IP IP Base IP Base Dynamic Port 12.1(25)SE 12.2(25)SEA 12.1(25)SEA 12.2(25)SEA Security Per VLAN Dynamic 12.2(37)SE N/A 12.2(37)SEA N/A Port Security DHCP Snooping 12.1(25)SE 12.1(25)SEA 12.1(25)SEA 12.1(25)SEA DAI 12.2(25)SE 12.2(25)SEA 12.2(25)SEA 12.2(25)SEA IP Source Guard 12.2 (25)SE 12.2(25)SEA 12.1(25)SEA 12.2(25)SEA Note: Name change of the Cisco IOS on the 3000 Series switches Cisco IOS feature finder: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 98

Layer 2 Security Best Practices (1/2) Manage switches in as secure a manner as possible (SSH, OOB, permit lists, etc.) Always use a dedicated VLAN ID for all trunk ports Be paranoid: do not use VLAN 1 for anything Set all user ports to nontrunking (unless you are Cisco VoIP) Deploy port-security where possible for user ports Selectively use SNMP and treat community strings like root passwords Have a plan for the ARP security issues in your network (ARP inspection, IDS, etc.) BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 99

Layer 2 Security Best Practices (2/2) Enable STP attack mitigation (BPDU Guard, Root Guard) Decide what to do about DHCP attacks (DHCP snooping, VACLs) Use MD5 authentication for VTP Use CDP only where necessary—with phones it is useful Disable all unused ports and put them in an unused VLAN All of the Preceding Features Are Dependent on Your Own Security Policy BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 100

Reference Materials ‒ http://www.cisco.com/go/safe/ SAFE Blueprints ‒ http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/index.htm Cisco Catalyst® 3750 ‒ http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/index.htm Cisco Catalyst 4000 ‒ Cisco Catalyst OS and Cisco IOS® Cisco Catalyst 6500 ‒ http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/ ‒ http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/index.htm IP Phones ‒ http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor3 Data Center ‒ http://www.cisco.com/go/srnd/ All SRNDs (System Network Reference Designs) BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 101

Complete Your OnlineSession Evaluation Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our Don’t forget to activate your portal) or visit one of the Internet Cisco Live Virtual account for access to stations throughout the Convention all session material, communities, and on-demand and live activities throughout Center. the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.BRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 102

Final Thoughts Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042 Come see demos of many key solutions and products in the main Cisco booth 2924 Visit www.ciscoLive365.com after the event for updated PDFs, on- demand session videos, networking, and more! ‒ Facebook: https://www.facebook.com/ciscoliveus Follow Cisco Live! using social media: ‒ Twitter: https://twitter.com/#!/CiscoLive ‒ LinkedIn Group: http://linkd.in/CiscoLIBRKSEC-2202 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 103

Understanding and Preventing Layer 2 Attacks in IPv4 Networks (2012 San Diego)

by Cisco Security on Jun 19, 2012

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Understanding and Preventing Layer 2 Attacks in IPv4 Networks (2012 San Diego) Presentation Transcript