NS 13-14
VLAN hopping and VLAN double-tagging attacks can be prevented by implementing the following trunk security guidelines
Disable trunking on all access ports. Disable auto trunking on trunk links so that trunks must be manually enabled. Be sure that the native VLAN is only used for trunk links.
Loop Guard is enabled on all non-Root Guard ports using the spanning-tree guard loop interface configuration command
Note: Loop Guard can also be enabled globally using the spanning-tree loopguard default global configuration command. This enables Loop Guard on all point-to-point links
blocklisting
Prevent endpoints from connecting to websites with bad reputations by immediately blocking connections based on the latest reputation intelligence.
data loss prevention (DLP)
Prevent sensitive information from being lost or stolen.
there are two possible levels of IP traffic security filtering:
Source IP address filter - IP traffic is filtered based on its source IP address and only IP traffic with a source IP address that matches the IP source binding entry is permitted. When a new IP source entry binding is created or deleted on the port, the PVACL automatically adjusts itself to reflect the IP source binding change. Source IP and MAC address filter - IP traffic is filtered based on its source IP address in addition to its MAC address. Only IP traffic with source IP and MAC addresses that match the IP source binding entry are permitted.
The ip arp inspection validate {src-mac [dst-mac] [ip]} global configuration command is used to configure DAI to drop ARP packets when the IP addresses are invalid.
Spoofing attacks occur when one host poses as another to receive otherwise inaccessible data, or to circumvent security configurations.
Use the following steps to enable DHCP snooping:
Step 1. Enable DHCP snooping by using the ip dhcp snooping global configuration command. Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration command. Step 3. Limit the number of DHCP discovery messages that can be received per second on untrusted ports by using the ip dhcp snooping limit rate interface configuration command. Step 4. Enable DHCP snooping by VLAN, or by a range of VLANs, by using the ip dhcp snooping vlan global configuration command.
Use the following steps to mitigate VLAN hopping attacks:
Step 1: Disable DTP (auto trunking) negotiations on non-trunking ports by using the switchport mode access interface configuration command. Step 2: Disable unused ports and put them in an unused VLAN. In the example it is VLAN 1000. Step 3: Manually enable the trunk link on a trunking port by using the switchport mode trunk command. Step 4: Disable DTP (auto trunking) negotiations on trunking ports by using the switchport nonegotiate command. Step 5: Set the native VLAN to a VLAN other than VLAN 1 by using the switchport trunk native vlan vlan_number command.
NAC systems should extend NAC to all network access methods, including access through LANs, remote-access gateways, and wireless access points.
The Cisco Identity Services Engine (ISE) combines AAA and network device profiling into a single system.
Supplicant (Client)
The device (workstation) that requests access to LAN and switch services and then responds to requests from the switch. The workstation must be running 802.1X-compliant client software. (The port that the client is attached to is the supplicant [client] in the IEEE 802.1X specification.)
A simple method that many administrators use to help secure the network from unauthorized access is to disable all unused ports on a switch.
The simplest and most effective method to prevent MAC address table overflow attacks is to enable port security.
Extensible Authentication Protocol over LAN (EAPOL) Cisco Discovery Protocol (CDP) Spanning Tree Protocol (STP)
The switch port state determines whether the client is granted access to the network.
Authentication server
This server performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. The RADIUS security system with EAP extensions is the only supported authentication server.
If an alternate root bridge is desired, use the spanning-tree vlan vlan-id root secondary global configuration mode command. This command sets the priority for the switch to the predefined value of 28,672. This ensures that the alternate switch becomes the root bridge if the primary root bridge fails. This assumes that the rest of the switches in the network have the default 32,768 priority value defined.
To conduct an STP manipulation attack, the attacking host broadcasts STP bridge protocol data units (BPDUs) containing configuration and topology changes that will force spanning-tree recalculations. The BPDUs that are sent by the attacking host announce a lower bridge priority in an attempt to be elected as the root bridge.
To configure the port cost of an interface enter the spanning-tree cost value command in interface configuration mode. The value can be between 1 and 200,000,000.
To ensure that the switch has the lowest bridge priority value, use the spanning-tree vlan vlan-id root primary command in global configuration mode. The priority for the switch is set to the predefined value of 24,576 or to the highest multiple of 4,096, less than the lowest bridge priority detected on the network.
What makes tools such as macof so dangerous is that an attacker can create a MAC table overflow attack very quickly.
To mitigate MAC address table overflow attacks, network administrators must implement port security. Port security will only allow a specified number of source MAC addresses to be learned on the port.
IP address spoofing is when a rogue PC hijacks a valid IP address of a neighbor, or a uses a random IP address. IP address spoofing is difficult to mitigate, especially when it is used inside a subnet in which the IP belongs.
To protect against MAC and IP address spoofing, configure the IP Source Guard (IPSG) security feature. IPSG operates just like DAI, but it looks at every packet, not just the ARP packets. Like DAI, IPSG also requires that DHCP snooping be enabled.
Two types of VLAN attacks are
VLAN hopping attacks and VLAN double-tagging attacks. A VLAN hopping attack enables traffic from one VLAN to be seen by another VLAN without the aid of a router. In a basic VLAN hopping attack, the threat actor configures a host to act like a switch to take advantage of the automatic trunking port feature enabled by default on most switch ports.
The auto keyword must be entered to enable 802.1X authentication. Therefore, to enable 802.1X on the port, use the authentication port-control auto interface configuration command.
When a client logs off, it sends an EAPOL-logoff message, causing the switch port to change to the unauthorized state. If the link state of a port changes from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state.
IEEE 802.1X standard
a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN.
It may be necessary to configure a switch port to override the 802.1X authentication process.
authentication port-control interface configuration command to control the port authorization state. By default, a port is in the force-authorized state meaning it can send and receive traffic without 802.1x authentication.
The purpose of network access control (NAC)
is to allow only authorized and compliant systems, whether managed or unmanaged, to access the network. It unifies endpoint security technologies with user or device authentication and network security policy enforcement. A NAC system can deny network access to noncompliant devices, place them in a quarantined area, or give them only restricted access to computing resources, thus keeping insecure nodes from infecting the network.
The goal of NAC systems
is to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network.
By limiting the number of permitted MAC addresses on a port to one, port security can be used to control unauthorized access to the network,
port security can only be configured on manually configured access ports or manually configured trunk ports.
Protected Ports.
the use of the PVLAN Edge feature ensures that there is no exchange of unicast, broadcast, or multicast traffic between PVLAN edge ports on the switch, as shown in the figure.
The focus of this module is on common Layer 2 attacks.
MAC Table Attacks - Includes MAC table overflow (also called MAC Address Flooding) Attacks. VLAN Attacks - Includes VLAN hopping and VLAN double-tagging attacks. It also includes attacks between devices on a common VLAN. DHCP Attacks - Includes DHCP starvation and DHCP spoofing attacks. ARP Attacks - Includes ARP spoofing and ARP poisoning attacks. Address Spoofing Attacks Includes MAC Address and IP address spoofing attacks. STP Attacks - Includes Spanning Tree Protocol manipulation attacks.
Dynamic ARP inspection (DAI) requires DHCP snooping and helps prevent ARP attacks by:
Not relaying invalid or gratuitous ARP Requests out to other ports in the same VLAN Intercepting all ARP Requests and Replies on untrusted ports Verifying each intercepted packet for a valid IP-to-MAC binding Dropping and logging ARP Requests coming from invalid sources to prevent ARP poisoning Error-disabling the interface if the configured DAI number of ARP packets is exceeded
The STP port roles are: Alternate - Alternate or backup ports are configured to be in a blocking state to prevent loops. Alternate ports are selected only on trunk links where neither end is a root port. Root - Root ports are switch ports that are closest to the root bridge. Designated - Designated ports are all non-root ports that STP permits to forward traffic on the network. Designated ports are selected on a per-trunk basis. If one end of a trunk is a root port, then the other end is a designated port. All ports on the root bridge are designated ports
Note: A port that is administratively shut down is referred to as a disabled port.
To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI implementation guidelines: Enable DHCP snooping globally. Enable DHCP snooping on selected VLANs. Enable DAI on selected VLANs. Configure trusted interfaces for DHCP snooping and ARP inspection.
Note: It is generally advisable to configure all access switch ports as untrusted and to configure all uplink ports that are connected to other switches as trusted.
Root guard is best deployed on ports that connect to switches that should not be the root bridge. If a root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is sending, that port is moved to a root-inconsistent state. This is effectively equal to an STP listening state, and no data traffic is forwarded across that port. Recovery occurs as soon as the offending device ceases to send superior BPDUs.
Note: Root guard may seem unnecessary because an administrator can manually set the bridge priority of a switch to zero. However, this does not guarantee that this switch will be elected as the root bridge. Another switch may still become the root if it also has a priority of zero and a lower MAC address.
Wrong DNS server
The rogue server provides an incorrect DNS server address that points the user to a nefarious website.
DHCP Spoofing Attack
A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients. A rogue server can provide a variety of misleading information:
The PVLAN Edge feature has the following characteristics:
A protected port does not forward any traffic, such as unicast, multicast, or broadcast, to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device. Forwarding behavior between a protected port and a non-protected port proceeds as usual. The default is to have no protected ports defined.
The threat actor configures the host to spoof 802.1Q signaling and Cisco-proprietary Dynamic Trunking Protocol (DTP) signaling to trunk with the connecting switch. If successful, the switch establishes a trunk link with the host, as shown in the figure. Now the threat actor can access all the VLANs on the switch. The threat actor can send and receive traffic on any VLAN, effectively hopping between VLANs.
A threat actor in specific situations could embed a hidden 802.1Q tag inside the frame that already has an 802.1Q tag. This tag allows the frame to go to a VLAN that the original 802.1Q tag did not specify.
Port security aging can be used to set the aging time for static and dynamic secure addresses on a port. Two types of aging are supported per port:
Absolute - The secure addresses on the port are deleted after the specified aging time. Inactivity - The secure addresses on the port are deleted only if they are inactive for the specified aging time.
STP Speed cost 10 Gb/s 2 1 Gb/s 4 100 MB/s 19 10 MB/s 100
Although switch ports have a default port cost associated with them, the port cost is configurable. The ability to configure individual port costs gives the administrator the flexibility to manually control the spanning tree paths to the root bridge.
complete message exchange between the supplicant, authenticator, and the authentication server. The encapsulation occurs as follows:
Between the supplicant and the authenticator - EAP data is encapsulated in EAPOL frames. Between the authenticator and the authentication server - EAP data is encapsulated using RADIUS.
It is easy to mitigate DHCP starvation attacks by using port security. However, mitigating DHCP spoofing attacks requires more protection.
DHCP spoofing attacks can be mitigated using DHCP snooping on trusted ports. DHCP snooping also helps mitigate against DHCP starvation attacks by rate limiting the number of DHCP discovery messages that an untrusted port can receive. DHCP snooping builds and maintains a DHCP snooping binding database that the switch can use to filter DHCP messages from untrusted sources. The DHCP snooping binding table includes the client MAC address, IP address, DHCP lease time, binding type, VLAN number, and interface information on each untrusted switchport or interface.
Specifically, there are two internal LAN elements to secure: Endpoints
Hosts commonly consist of laptops, desktops, servers, and IP phones which are susceptible to malware-related attacks. Endpoints also include video cameras, point-of-sale devices, and devices on the Internet of Things.
When configured for 802.1X port-based authentication, the port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol, STP, and CDP packets.
In contrast, when an 802.1X-enabled client connects to a port and the client initiates the authentication process (supplicant initiation) by sending the EAPOL-start frame to a switch that is not running the 802.1X protocol, no response is received, and the client begins sending frames as if the port is in the authorized state.
Network infrastructure
LAN infrastructure devices interconnect endpoints and typically include switches, wireless devices, and IP telephony devices. Most of these devices are susceptible to LAN-related attacks including MAC address table overflow attacks, spoofing attacks, DHCP related attacks, LAN storm attacks, STP manipulation attacks, and VLAN attacks.
Note: To counter Gobbler using the same MAC address, DHCP snooping also makes the switch check the Client Hardware Address (CHADDR) field in the DHCP request. This ensures that it matches the hardware MAC address in the DHCP snooping binding table and the MAC address in the MAC table. If there is no match, the request is dropped.
Note: Similar mitigation techniques are available for DHCPv6 and IPv6 clients. Because IPv6 devices can also receive their addressing information from the router's Router Advertisement (RA) message, there are also mitigation solutions to prevent any rogue RA messages.
The switch makes its forwarding decisions based solely on the Layer 2 Ethernet MAC addresses.
Note: The MAC address table is sometimes referred to as a content addressable memory (CAM) table. While the term CAM table is fairly common, for the purposes of this course, we will refer to it as a MAC address table.
These are the STP stability mechanisms: PortFast - PortFast immediately brings an interface that is configured as an access or trunk port to the forwarding state from a blocking state. This bypasses the listening and learning states. It should be applied to all end-user ports. PortFast should only be configured when there is a host attached to the port, and not another switch. BPDU Guard - BPDU guard immediately error disables a port that receives a BPDU. It is typically used on PortFast enabled ports. Apply to all end-user ports. Root Guard - Root guard prevents an inappropriate switch from becoming the root bridge. Root guard limits the switch ports out of which the root bridge may be negotiated. Apply to all ports which should not become root ports. Loop Guard - Loop guard prevents alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. Apply to all ports that are or can become non-designated.
PortFast bypasses the STP listening and learning states to minimize the time that access ports must wait for STP to converge. If PortFast is enabled on a port connecting to another switch, there is a risk of creating a spanning-tree loop.
spam filtering
Prevent spam emails from reaching endpoints.
There are three types of PVLAN ports:
Promiscuous - A promiscuous port can talk to everyone. It can communicate with all interfaces, including the isolated and community ports within a PVLAN. Isolated - An isolated port can only talk to promiscuous ports. An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports. Community - Community ports can talk to other community and promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.
antimalware software
Protect endpoints from malware.
Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weakest link.
Pyramid: IPSG DAI DHCP Snooping Port Security
If the MAC address of a device that is attached to the port differs from the list of secure addresses, then a port violation occurs. By default, the port enters the error-disabled state.
The MAC address notification feature sends SNMP traps to the network management station (NMS) whenever a new MAC address is added to, or an old address is deleted from, the forwarding tables. MAC address notifications are generated only for dynamic and secure MAC addresses.
Configuring 802.1X requires a few basic steps: Step 1. Enable AAA using the aaa new-model command. Step 2. Designate the RADIUS server and configure its address and ports. Step 3. Create an 802.1X port-based authentication method list using the aaa authentication dot1x command. Step 4. Globally enable 802.1X port-based authentication using the dot1x system-auth-control command. Step 5. Enable port-based authentication on the interface using the authentication port-control auto command. Step 6. Enable 802.1X authentication on the interface using the dot1x pae command. The authenticator options sets the Port Access Entity (PAE) type so the interface acts only as an authenticator and will not respond to any messages meant for a supplicant.
The authenticator options sets the Port Access Entity (PAE) type so the interface acts only as an authenticator and will not respond to any messages meant for a supplicant.
DHCP Starvation Attack
The goal of the DHCP starvation attack is DoS for connecting clients. DHCP starvation attacks require an attack tool such as Gobbler. Gobbler has the ability to look at the entire scope of leasable IP addresses and tries to lease them all. Specifically, it creates DHCP discovery messages with bogus MAC addresses.
MAC address spoofing
The method used by switches to populate the MAC address table leads to a vulnerability. MAC address spoofing attacks occur when attackers alter the MAC address of their host to match another known MAC address of a target host
Wrong IP address
The rogue server provides an invalid IP address which effectively creates a DoS attack on the DHCP client.
Wrong default gateway
The rogue server provides an invalid gateway, or its own IP address, to create a man-in-the-middle attack. This may go entirely undetected as the intruder intercepts the data flow through the network and then forwards it on to the real default gateway.
Spanning Tree Protocol (STP) is a loop-prevention network protocol that allows for redundancy while creating a loop-free Layer 2 topology. IEEE 802.1D is the original IEEE MAC Bridging standard for STP.
The spanning tree algorithm designates a single switch as the root bridge and uses it as the reference point for all path calculations. In the figure, the root bridge (switch S1) is chosen through an election process. All switches that participate in STP exchange BPDU frames to determine which switch has the lowest bridge ID (BID) on the network. The switch with the lowest BID automatically becomes the root bridge for the spanning tree algorithm calculations.
A BPDU is a messaging frame that is exchanged by switches for STP. Each BPDU contains a BID that identifies the switch that sent the BPDU. The BID contains a priority value, the MAC address of the sending switch, and an optional extended system ID. The lowest BID value is determined by the combination of these three fields.
The sum of the port cost values determines the overall path cost to the root bridge. If there is more than one path to choose from, spanning tree algorithm chooses the path with the lowest path cost.
Note: In a large network, the DHCP binding table may take time to build after it is enabled. For example, it could take 2 days for DHCP snooping to complete the table if DHCP lease time is 4 days.
The switch will deny packets containing specific information: Unauthorized DHCP server messages from an untrusted port Unauthorized DHCP client messages not adhering to the snooping binding table or rate limits DHCP relay-agent packets that include option-82 information on an untrusted port
Use the show ip dhcp snooping privileged EXEC command to verify DHCP snooping and show ip dhcp snooping binding to view the clients that have received DHCP information
There are many tools available on the internet to create ARP man-in-the-middle attacks including dsniff, Cain & Abel, ettercap, Yersinia, and others. IPv6 uses ICMPv6 Neighbor Discovery Protocol for Layer 2 address resolution. IPv6 includes strategies to mitigate Neighbor Advertisement spoofing, similar to the way IPv6 prevents a spoofed ARP Reply.
Note: Always enable BPDU Guard on all PortFast-enabled ports.
There are some switches in a network that should never, under any circumstances, become the STP root bridge. Root Guard provides a way to enforce the placement of root bridges in the network by limiting which switch can become the root bridge.
All switches in the broadcast domain participate in the election process. After a switch boots, it begins to send out BPDU frames every two seconds. These BPDU frames contain the switch BID and the root ID.
There is a root bridge elected for each spanning tree instance. It is possible to have multiple distinct root bridges. If all ports on all switches are members of VLAN 1, then there is only one spanning tree instance. The extended system ID plays a role in how spanning tree instances are determined.
Port security prevents many types of attacks including MAC table overflow attacks and DHCP starvation attacks. DHCP Snooping prevents DHCP starvation and DHCP spoofing attacks by rogue DHCP servers. Dynamic ARP Inspection (DAI) prevents ARP spoofing and ARP poisoning attacks. IP Source Guard prevents MAC and IP address spoofing attacks.
Therefore, the following strategies are recommended: Always use secure variants of these protocols such as SSH, SCP, and SSL. Consider using out-of-band (OOB) management. Use a dedicated management VLAN where nothing but management traffic resides. Use ACLs to filter unwanted access.
Authenticator (Switch)
This device controls physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client (supplicant) and the authentication server, requesting identifying information from the client, verifying that information with the authentication server, and relaying a response to the client. The switch uses a RADIUS software agent, which is responsible for encapsulating and de-encapsulating the EAP (Extensible Authentication Protocol) frames and interacting with the authentication server.
Security posture checking
This evaluates security-policy compliance by user type, device type, and operating system.
Antivirus/Antimalware Software
This is software installed on a host to detect and mitigate viruses and malware. Companies that provide anti-virus software include Norton, TotalAV, McAfee, MalwareBytes and many others.
Host-based firewall
This is software that is installed on a host that restricts incoming and outgoing connections to those initiated by that host only. Some firewall software can also prevent a host from becoming infected and stop infected hosts from spreading malware to other hosts. Included in some operating systems such as Windows, or produced by companies such as NetDefender, Zonealarm, Comodo Firewall, and many others.
Host-based IPS
This is software that is installed on the local host to monitor and report on the system configuration and application activity, provide log analysis, event correlation, integrity checking, policy enforcement, rootkit detection, and alerting. Examples include Snort IPS, OSSEC, and Malware Defender, among others.
Guest network access
This manages guests through a customizable, self-service portal that includes guest registration, guest authentication, guest sponsoring, and a guest management portal
Incident response
This mitigates network threats by enforcing security policies that block, isolate, and repair noncompliant machines without administrator attention.
Network Admission Control (NAC)
This permits only authorized and compliant systems to connect to the network.
Advanced Malware Protection (AMP)
This provides endpoint protection from viruses and malware.
Web Security Appliance (WSA)
This provides filtering and blocking of websites to prevent hosts from reaching dangerous locations on the web. The Cisco WSA provides control over how users access the internet and can enforce acceptable use policies, control access to specific sites and services, and scan for malware.
Email Security Appliance (ESA)
This provides filtering of SPAM and potentially malicious emails before they reach the endpoint. An example is the Cisco ESA.
Profiling and visibility
This recognizes and profiles users and their devices before malicious code can cause damage.