The frame happens to contain a destination MAC address. In Figure 2-2, the MAC address is B. (For clarity purposes, a single byte is represented, even though 6 bytes are necessary to form a valid MAC address.) The switch needs to send this frame to the recipient in possession of MAC address B. However, the LAN switch has not yet heard any traffic from MAC address B. Therefore, its bridging table does not yet have an entry pointing to the physical port to which B is attached. What, then, is the...

All valid routers immediately become standby routers, the CAM table of switches is updated, and all hosts in the LAN keep sending packets to the HSRP virtual MAC address, which is mapped to the attacker's PC. If the attacker simply drops the packets, it is a DoS attack. Yersinia implements this attack but is not the only tool. The hsrp tool from the IRPAS3 package also implements it:

hsrp -d 224.0.0.2 -v 192.168.0.8 -a cisco -g 1 -i eth0 -S 192.168.0.66

With the hsrp tool, an attacker sends HSRP...

About the Authors

Eric Vyncke has a master's degree in computer science engineering from the University of Liège in Belgium. He worked as a research assistant in the same university before joining Network Research Belgium. At Network Research Belgium, he was the head of R&D. He then joined Siemens as a project manager for security projects, including a proxy firewall. Since 1997, he has worked as a distinguished consulting engineer for Cisco as a technical consultant for security covering Europe. For 20...

About the Technical Reviewers

Earl Carter is a security research engineer and a member of the Security Technologies Assessment Team (STAT) for Cisco. He has performed security evaluations on several Cisco products, including everything from the PIX Firewall and VPN solutions to Cisco CallManager and other VoIP products. Earl has authored several Cisco Press books, including CCSP SNPA Official Exam Certification Guide, Third Edition; Intrusion Prevention Fundamentals; CCSP IPS Exam Certification Guide; and CCSP Self-Study Cisco...

Access Control and Identity Management

In networks, the typical control is access control. When subjects (the active entity, such as a user, workstation, program, IP address, and so on) want to access an object (the passive entity, such as an Ethernet VLAN, file, server, Internet, and so on), a security policy is checked and enforced. Access control can be as simple as a Cisco IOS access control list (ACL), or it can be more complex and based on the user's identity. (For more information on access control, see Chapter 17,...

ACLs or Firewalls

If switches are able to check millions of incoming packets per second against ACLs, what good are firewalls? Put another way, the question is, "What is the difference between an ACL and a firewall?" or, "Where can I apply ACLs?" The answer depends on the protection level you want to provide and the type of attacks you are likely to face. ACLs control which protocols and/or ports a host can use to reach a target, and that is pretty much it. They are often referred to as Layer 3 or Layer 4 ACLs for...

Analyzing Risk for ND and Stateless Configuration

From the preceding descriptions, it appears that ND and stateless configuration authenticate neither the originator nor the responder, exactly like ARP does in IPv4. Hence, the same attacks can be mounted against IPv6 as they were in IPv4: ND spoofing. Even if there is no such thing as gratuitous ND, an attacker host can reply instead of the real host. So, the victim sends its packets to the attacker instead of the spoofed host. Things also become worse when the spoofed host is the router because...

Anatomy of a Switch

A simplified view of a switch is that it has a central CPU and special forwarding ASICs. The CPU is responsible for building up the forwarding tables and allowing ASICs to perform forwarding in hardware, which makes switching an efficient process. Figure 12-2 shows the architecture of a typical LAN switch. Some high-end switches use distributed forwarding architecture, using numerous dedicated CPUs to control the forwarding logic on...

Asymmetric Cryptosystems

Asymmetric cryptosystems are relatively new in cryptography (from around 1970), and they have many interesting properties, especially around authentication and key distribution. Figure 1-8 represents asymmetric encryption, which is where two different keys are used: one for encryption and one for decryption.

Figure 1-8 Asymmetric Encryption with Two Different Keys

The only logical difference of asymmetric encryption (compared to symmetric encryption) is that two different keys are used. Those...

Attacking HSRP

From the preceding section's descriptions, it appears that HSRP is not completely secure. The RFC 2281 authors even wrote the following text in the RFC: "This protocol does not provide security. The authentication field found within the message is useful for preventing misconfiguration. The protocol is easily subverted by an active intruder on the LAN. This can result in a packet black hole and a denial of service attack." Also, it is easy for an attacker to display those HSRP authentication data....

Attacking LAN Switches Using DoS and DDoS Attacks

What do DoS and DDoS attacks have to do with LAN switches? A LAN switch is actually designed to forward data packets at wire speed, which means it simply hums happily along even when all ports are full of data packets. However, for it to be able to do this, a LAN switch must understand its environment and where the different destinations are located. The key is that, if you can influence or disrupt this learning process in some way, the switch comes to a shuddering halt. To understand the risks...

Attacking the Switch

By looking at how the three planes map to a switch's physical architecture (see Figures 12-3 and 12-4), the following becomes clear: Most data plane traffic affects only the switch fabric and the Ethernet controllers. Control plane traffic comes through one of the Ethernet controllers and goes through a switch channel to the central CPU. Management traffic goes through the same path as control plane traffic (unless the switch is managed through the serial interface, where it then goes directly...

Attacks Against Cryptosystems

Even with a strong mathematical basis, cryptosystems are vulnerable to the following types of attacks:

Brute-force attack. When all potential key values are tried until one is successful. This is virtually impossible with today's key size of 128 bits or higher (requiring 2^128 computations).

Dictionary attack. Instead of trying all possible key values, only a couple of them are tried: those values that become English words when coded in ASCII. This attack is the reason why shared keys must be...

Back to Basics Ethernet Switching 101

Before delving into the various exploits that can turn a $50,000 Ethernet switch into a $12 off-the-shelf supermarket hub, a quick review of LAN switching basics is in order. Ethernet switches usually operate at Layer 2 (the data link layer) of the Open Systems Interconnection (OSI) reference model1. Switches make their frame-forwarding decisions differently than routers. Indeed, where routers are concerned with IP addresses, switches need only to look at the first few bytes of Ethernet frames to...

Best Practices for Control Plane

Example 14-9 shows the Cisco IOS configuration recommended as a best practice for an access port FastEthernet 0/0. The switch ignores STP packets (thanks to bpduguard) as well as DTP, VTP, and link aggregation packets (thanks to switchport mode access).

Example 14-9 Cisco IOS Recommended Best Practice for an Access Port
IOS(config)# interface FastEthernet 0/0
IOS(config-if)# spanning-tree bpduguard enable
IOS(config-if)# no channel-group
IOS(config-if)# switchport mode access

A more robust approach...

Botnet

A botnet is a collection of zombies controlled by a single individual (often called the bot herder). The controlling mechanism is often done through Internet Relay Chat (IRC), where the zombies look up the Domain Name System (DNS) of a controlling PC, register to an IRC channel, and announce their availability.

NOTE: Other methods of controlling botnets are also used, but detailing the architecture of botnets is beyond the scope of this book.

The bot herder can issue commands to the zombies,...

BPDU Filtering

There is actually another method to discard incoming and outgoing BPDUs on a given port: BPDU filtering. This feature silently discards both incoming and outgoing BPDUs. Although extremely efficient against a brute-force DoS attack, BPDU filtering offers an immense potential to shoot yourself in the foot. Enable this feature on the incorrect port, and any loop condition goes undetected forever, which causes instantaneous network downtime. On the other hand, not sending out BPDUs is actually a...

Can We Bring VRRP Down

Virtual Router Redundancy Protocol (VRRP) is the standard equivalent of Hot Standby Router Protocol (HSRP). The same vulnerabilities exist in VRRP as in HSRP, with minor differences, such as denial of service (DoS), man in the middle (MITM) attack (rerouting traffic through the hacker's PC), and some information leakage. Mitigation techniques, including strong authentication and the use of access control lists (ACLs), are also described to make VRRP a real high-availability solution instead of a...

CDP Risk Mitigation

Because CDP is mainly interesting to use between network devices and not toward end-user hosts, the best way to prevent both the DoS attacks and information leaks is to only enable CDP on ports to other network devices and uplinks while disabling it to access ports. Because Cisco IP phones rely on CDP to detect the auxiliary VLAN and to signal their exact power consumption, CDP must remain enabled on ports to IP phones. (For more information on how to mitigate attacks to the power over Ethernet...

Cisco Discovery Protocol

Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol, which allows for layer-adjacent devices to discover each other. It requires little to no configuration. It's useful for a network management system (NMS) to discover a complete network hop by hop from a seed device. CDP works over several data link layers, including Ethernet. The protocol itself is simple: Each network entity broadcasts a CDP packet once per minute. It is up to the other network entities on the same Layer 2 network...

Combining IPsec with L2TPv3 for Secure Pseudowire

As described in Chapter 18, "IEEE 802.1AE," IEEE 802.1AE protects all Layer 2 traffic with encryption and authentication. Not all existing switches support IEEE 802.1AE; therefore, in the short term, an alternative solution might be attractive. This solution relies on IPsec for the security features. Although IPsec is convenient and suitable to protect IP traffic, it sometimes requires you to also protect all Layer 2 communication between two sites, such as spanning a LAN over a confidential...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
Italics indicate arguments for which you supply actual values.
Vertical bars...

Common Flooding Attacks

The most common attack, called the TCP SYN attack, floods the service with TCP SYN packets. For each SYN packet received, the server allocates resources for a new incoming session and sends back a TCP ACK packet. An attacker simply ignores this (or the source address was spoofed, so the reply goes to max hop-count oblivion on the Internet). After a while, the server runs out of session resources and stops answering requests. Variants of the TCP SYN attack disrupt other TCP states, such as...

Configuring Switches Without Control Plane Protocols

As shown in Chapter 12, "Introduction to Denial of Service Attacks," a control plane in an Ethernet switch consists mainly of the following protocols:

L2 processing. A switch must process and respond to Spanning Tree Protocol (STP), Link Aggregation Control Protocol (LACP), Port Aggregation Protocol (PAgP), IEEE 802.1X, Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and keepalive packets.

Internet Control Message Protocol (ICMP). ICMP packets must be...

Consequences of Excessive Flooding

Although it's a common and usually benign operation in a switched LAN environment, unknown unicast flooding comes with a side effect: Host C now sees a frame sent from 0000.CAFE.0000 to B. If the user behind workstation C runs a network traffic analyzer, he can eavesdrop on B and access information he should not see. Fortunately, C is only likely to receive an extremely small amount of information: typically, one or two frames. Why? Because the frame sent from 0000.CAFE.0000 to B will now probably...

Contents at a Glance

Introduction xix
Part I Vulnerabilities and Mitigation Techniques 3
Chapter 1 Introduction to Security 5
Chapter 2 Defeating a Learning Bridge's Forwarding Process 23
Chapter 3 Attacking the Spanning Tree Protocol 43
Chapter 5 Leveraging DHCP Weaknesses 85
Chapter 7 Exploiting IPv6 Neighbor Discovery and Router Advertisement 121
Chapter 8 What About Power over Ethernet 135
Chapter 10 Can We Bring VRRP Down 157
Chapter 11 Information Leaks with Cisco Ancillary Protocols 165
Part II How Can a...

Control Plane

The control plane is where decisions on how to forward the data plane traffic are made. Control plane packets are destined to the forwarding device itself; they change or influence the decisions made by the device. In a LAN environment, those packets are as follows:

Address Resolution Protocol (ARP) packets
Cisco Discovery Protocol (CDP) packets
VLAN Trunk Protocol (VTP) packets
Spanning Tree Protocol (STP) packets
Routing protocol information

The key is that the forwarding device must process those...

Control Plane Attacks

A switch's main vulnerability is that it knows little of its environment or how it is supposed to forward traffic when it initially starts up. Also, conditions can and will change during normal operations, which requires the switch to respond to control plane traffic at all times. If an attacker can flood the switch with control plane packets, the switch must process those packets in the CPU path. This results in a high CPU load, which can potentially cause the switch to have issues forwarding...

Control Plane Policing

As explained in Chapter 12, "Introduction to Denial of Service Attacks," the control plane is the most critical plane on a switch: a successful attack against it can potentially cause the most damage. To mitigate attacks against the control plane, control plane policing (CoPP) was introduced. The idea is to inspect traffic destined to the control plane, to control what should be allowed, and to control how much of that traffic to accept. CoPP gives added benefit over traditional access control...

Control Plane Traffic

Many protocols that carry network configuration, statistics, network-topology updates, and so on, are not protected, in many cases. Having access to control plane traffic can result in a malicious user creating additional vulnerabilities by injecting gratuitous control plane data or performing a DoS attack. Having the visibility to control plane traffic through snooping or sniffing the wire might result in a miscreant having information that can be used in a nondisruptive reconnaissance manner...

Corporate and Government Sales

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside the United States, please contact International Sales, international@pearsoned.com.

Countermeasures to DHCP Exhaustion Attacks

The solution to the first type of DHCP attack (DoS by grabbing the entire available scope of addresses) depends on the hacker's knowledge of the protocol. By default, DHCP starvation tools use a random source MAC address every time they request a new IP address from the DHCP server (one new MAC per DHCPDISCOVER). Identifying this type of attack is straightforward: A sudden increase in the number of dynamically learned MAC addresses from a given LAN port is a clear indication. Under normal...

Cryptography

Cryptography3 is about mathematical functions implemented as computer algorithms and applied to data. When the main objective of cryptography is confidentiality, the process is called encryption and decryption, as Figure 1-4 shows. The text to be protected is called plain text or clear text. After encryption is done, the protected text becomes cipher text.

Figure 1-4 Use of Encryption for Confidentiality

Because the mathematical functions and...

Data Confidentiality and Integrity

After the peers authenticate and a SA is established, 802.1AE takes over from 802.1af to protect data traffic. Data is protected by encrypting and authenticating it using the negotiated session key. LinkSec mandates Advanced Encryption Standard Galois Counter Mode (AES-GCM) as the authenticated encryption algorithm. This algorithm uses a 128-bit symmetric key for encryption and decryption. AES-GCM can be easily implemented in hardware and lends itself to pipelining and parallelization. Also,...

Data Plane

The data plane is where packet forwarding is done. Data plane packets are destined to some other devices, and the switch takes those packets and sends them out on the correct destination port. This forwarding is usually done in hardware and is usually done at wire speed. The central CPU (usually) never sees those packets and, therefore, does not need to use any resources to process those packets.

NOTE: This behavior often causes confusion for those individuals who don't understand this process,...

Data Plane Attacks

As previously mentioned, attacking a switch using flooding attacks often does not work because switches are usually able to forward traffic from all ports at wire speed. However, the chance of all switch ports receiving/sending traffic at full speed is rather low. Therefore, some switches designed for end users (or older switches) are often designed so that the switching fabric has a lower capacity than the sum of all ports. For example, the rather elderly Cisco 3508G XL switch has a 10 Gigabit...

Data Plane Traffic

The knowledge base required to snoop the wire has dramatically changed since the last decade because of the rise of tools (such as Yersinia and Ettercap) that expose or take advantage of a networking protocol's weaknesses. In many cases, these tools are context sensitive and embody Help menus, which makes eavesdropping, tampering, and replay of information traversing our networks more prevalent. Equally, after a user obtains access, she can exploit vulnerabilities in the OSs and applications to...

Debugging Information

In most enterprise networks, L2TPv3 and xconnect are unusual. That being said, here is some debugging information for a working configuration. The information is limited to L2TP because all other debugging information is available for IPsec and IKE. Example A-1 displays some debugging information for L2TP's tunnels. The first command, show l2tun session circuit, displays all active tunnels with the peer. The second command, show l2tun session packets, prints some counters about the packets sent...

Defending Against Burning Attacks

There is no way to protect a non-PES from a burning attack, even if the static configuration of the wattage can help limit the damage to the attached device. The burning attack requires physical access to inject the signaling to force 42 V into the CAT5 cable. If an attacker has access to the cable, he can also inject 110-220 V into it, which causes more damage in the PES. Therefore, the risk of this attack does not increase by enabling PoE on the port.

NOTE: A related issue is when a powered...

Defending Against Power Gobbling

All the preceding attacks are linked to the lack of authentication and authorization in the detection protocol (being Cisco prestandard or IEEE 802.3af). The dynamic negotiation is, therefore, an open door to attacks because the attacker can fake the signaling. The most efficient way to counter these types of attacks is to use a static configuration for all ports. For all ports where an authorized PES can connect to, the switch configuration will allow for the exact amount of power to be...

Detecting MAC Activity

To start with, many switches can be configured to warn the administrator about frequent MAC address moves. Example 2-8 shows the Cisco IOS configuration to enable this.

Example 2-8 Enabling MAC Address Moves Alarms on Cisco Switches
6K-1-720(config)# mac-address-table notification mac-move
Enable Mac Move Notification
6K-1-720(config)# mac-address-table notification mac-move

Although it is not going to stop an attack from occurring, MAC notification provides a pointer to a potentially suspicious...

Detection Mechanism

The Cisco prestandard implementation of the detection mechanism differs from the IEEE 802.3af one:

Cisco prestandard. Injects an alternating current (AC) signal on one pair of the CAT5 cable and checks whether the PES returned this current on another pair.
IEEE 802.3af. Applies a direct current (DC) voltage between two pairs of the CAT5 cable and checks whether some current flows.

Figure 8-2 shows the Cisco prestandard detection mechanism. A fast link pulse (FLP), such as a low-frequency,...

DHCP Overview

RFC 2131 and RFC 2132 originally defined DHCP, with several RFC extensions augmenting its capabilities. (See http://www.dhcp.org/rfcs.html for an exhaustive list.) The primary purpose of DHCP is to dynamically assign IP addresses to requesters for a specified duration (called the lease time). DHCP clients request addresses from DHCP servers. In most cases, clients and servers are several hops apart and are separated by routers and other network devices. When that is the case, the first hop router...

DHCP Scope Exhaustion DoS Attack Against DHCP

What if a malicious client attempts to seize the entire range of available IP addresses? It does not look like anything in the protocol itself is likely to prevent this from happening. The client just needs to generate uniquely identifiable packets. It could do so by using random source MAC addresses and then sending a DHCPDISCOVER per forged MAC address. The DHCP server happily hands out the entire set of addresses available to the client's network, because it can't tell the difference between...

DHCP Snooping with Option 82

DHCP Option 82 provides the DHCP server with information about which switch and which port on that switch a DHCP request is coming from. This information is supplied via Agent-ID and Circuit-ID subfields of the Relay-Information DHCP Option, as defined in RFC 3046. DHCP snooping is Option-82 friendly in the sense that it can insert or remove DHCP relay information (Option-82 field) in forwarded DHCP request messages from untrusted ports to the DHCP server. With Option 82 enabled, the DHCP...

Digging into HSRP

This section provides detailed information on HSRP (as described in RFC 2281 and extensions implemented by Cisco). HSRP is actually simple. Routers participating in HSRP exchange HSRP messages to discover each other, to elect the active router, and to check the active router's health. A standby router becomes active when:

It receives no more HSRP hello messages from the active router.
The active router explicitly wants to become standby. (For example, it just lost its WAN connectivity.)
There is...

Discovering Extensible Authentication Protocol

Port-based network access control uses the physical access characteristics of IEEE 802 LAN infrastructures. These infrastructures leverage the Extensible Authentication Protocol (EAP) to carry arbitrary authentication information, not the authentication method itself. EAP is an encapsulation protocol with no dependency on IP, and it can run over any link layer, including IEEE 802 media. EAP transports authentication information in the form of EAP payloads. EAP also establishes and manages the...

Discovering VRRP

Even if you are familiar with how VRRP works, feel free to read on to refresh your knowledge or to gather new information, because this section focuses on specific points linked to the security aspects of VRRP. In VRRP, each physical router has its own MAC and IP addresses, but it also shares one MAC address and one IP address for the virtual router. Figure 10-1 depicts such a topology when the VRRP group consists of two routers. There is a change in the terminology compared to HSRP: Master...

Diving Deep into CDP

CDP does not run over IP, but it runs directly over the data link layer. When Ethernet is used, the IEEE 802.3 and IEEE 802.1 encapsulation are used rather than the usual Ethernet II direct encapsulation (which IPv4 uses). The Subnetwork Access Protocol (SNAP) is used. SNAP consists of 3 bytes of Logical Link Layer header (typically AA-AA-03), followed by the Cisco Organizational Unique Identifier (OUI) 00-00-0C, and the CDP identifier 20-00. Figure 11-1 displays the CDP packet format. The...

DoS Attack

What if an attacker can send a fake HSRP packet where the priority is set to the maximum value of 255 and the correct value for Authentication Data, Group, and virtual IP address? Figure 9-4 shows what happens.

[Figure 9-4: active virtual router with IP 192.168.0.8 and MAC 0000.0C07.AC01; normal hosts with a default route to 192.168.0.8]

Enabling NetFlow on a Catalyst 6500

The Catalyst 6500 separates the data collection configuration from the NetFlow data export (NDE) to collectors. Example 15-1 shows a basic configuration of NetFlow on Cisco IOS.

NOTE: The NetFlow configuration contains more options, such as allowing the supervisor the ability to build a flow cache entry for switched frames (that is, not only for routed ones).

Example 15-1 Configuring NetFlow on Catalyst 6500 and Cisco IOS
IOS(config)# mls flow ip interface-full
IOS(config)# mls flow ipv6...

Encryption Modes

LinkSec provides various flavors of security modes to meet different use cases. LinkSec is enabled on a link-by-link basis, which allows you to run it in a mode that makes sense for a given link. LinkSec allows for the following encryption modes on a given link:

GCM. Typical mode where each packet on the wire is encrypted and authenticated.
GMAC only. The packet is not encrypted; however, it is authenticated. This might be useful in deployments where snooping is not a concern, but source...

End-to-End Versus Hop-by-Hop LAN-Based Cryptographic Protection

There are several key reasons for the strong objection to end-to-end (E2E) (such as client to server) based cryptographic protections in LANs. First is the matter of security. Although this type of tunneled encryption might appear to be more secure, it can actually conceal malicious exploits and provide for an undetectable distribution of worms, Trojans, and viruses. As such, obscuring the key header information and/or packet payload E2E from the end-user host to servers actually prevents the...

Enterprise Trends and Challenges

Many of you might wonder why wire-rate encryption for Layer 2 Ethernet LAN networks? Aren't the physical security practices and Layer 7 application security measures enough to address the vulnerability of unauthorized access to sensitive information? The reality: No. Throughout this book, you've read that there are numerous ways in which a would-be malicious user can compromise or circumvent existing vulnerabilities in network protocols, operating systems (OS), and applications. It is true with...

Ethernet Frame Formats

For mostly historical reasons, Ethernet frames come in various shapes and forms, but they all convey the same information: where the frame originated, where it is destined to, what payload it carries, and a checksum to verify data integrity. Today, essentially two slightly different frame formats exist: EthernetV2 and IEEE 802.3. It is difficult to authoritatively assess the proportion of EthernetV2 versus 802.3 in today's network; a rough estimate would probably call for 80 percent EthernetV2 for...

Exploiting IPv4 ARP

Address Resolution Protocol (ARP) discovers the Layer 2 address of an IP neighbor. This protocol is not authenticated and can be fooled, especially with gratuitous ARP. In this chapter, you learn about ARP and the attack technique ARP spoofing. By adding to the DHCP snooping technique, it is shown that ARP spoofing can be prevented in a switched LAN. When two IP hosts in the same IP subnet want to communicate over an Ethernet network, they must know each other's MAC address to send Ethernet...

Exploring IEEE 802.1X

The IEEE 802.1 working group developed the 802.1X standard. It is a framework that addresses and provides port-based access control using authentication. Primarily, 802.1X is an encapsulation definition for EAP over IEEE 802 media. The Layer 2 protocol transports EAP authentication messages between a client device and a network device. 802.1X typically assumes a secure connection, and the enforcement of sessions is imposed through MAC-based filtering and port-start monitoring. To provide...

Exploring TCAM

A TCAM is a content-addressable memory where each bit is allowed to store a 0, 1, or a don't-care value; the ternary qualification comes from the fact that three different types of values can be stored. You can think of a CAM as a reverse random-access memory: Data is provided and an address is returned. Don't care bits play an important role in ACL lookups because ACLs frequently ignore portions of an IP address. For example, if an ACL is interested in matching traffic from 192.168.2.0/24, it...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at...

Frame Classification

Virtually every LAN switch provides the capability to configure a physical port as an access port or a trunk port. An access port belongs to one and only one VLAN, while a trunk port can multiplex several VLANs (up to 4094; the 12-bit VLAN ID field yields 4096 values, of which 0 and 4095 are reserved) on one physical link. Not all vendors agree on a common port-naming convention. As a matter of fact, the 802.1Q specification itself does not refer to access or trunk ports. It is, therefore, possible that your particular switch doesn't use the access and trunk terminology....

Frame Format

Look at the frames on the wire to see how LinkSec secures traffic, as Figure 18-5 shows. The figure also shows a regular Layer 2 frame on a link carrying IP traffic.

NOTE: The 802.3 cyclic redundancy check (CRC) detects bit corruption on the wire. It provides no protection against malicious tampering because no cryptographic key is involved: any malicious entity can tamper with the frame and then generate a new, valid CRC. The receiver won't be able to detect the tampering because it...
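As an added example (not from the book), the following shows the difference the NOTE describes: a constructed frame protected only by a CRC32 trailer is altered and re-checksummed by an attacker and still verifies, while the same frame protected by a keyed tag fails verification. HMAC-SHA256 is used here as a stand-in for the AES-GCM integrity check value that 802.1AE actually uses; the frame contents, key and field offsets are assumptions made for the illustration.

```python
"""Why an 802.3 CRC is not an integrity check against an attacker.

Added example (not from the book): a constructed Ethernet frame gets a
CRC32 trailer, is altered in transit, and the attacker simply recomputes
the CRC, so the receiver accepts it. The same frame carrying a keyed tag
(HMAC-SHA256 here, standing in for the AES-GCM integrity check value that
LinkSec/802.1AE actually uses, which this example does not implement)
fails verification after the same change because the attacker lacks the key.
"""
import hashlib
import hmac
import zlib

CRC_LEN = 4
TAG_LEN = 32

# Constructed frame: dst MAC, src MAC, EtherType 0x0800, then a made-up payload.
FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
         + bytes.fromhex("0800") + b"PAY amount=0010")
PAYLOAD_OFFSET = 14 + len(b"PAY amount=")   # offset of the digits "0010"


def append_crc(frame: bytes) -> bytes:
    return frame + zlib.crc32(frame).to_bytes(CRC_LEN, "little")


def crc_ok(frame_with_crc: bytes) -> bool:
    body, trailer = frame_with_crc[:-CRC_LEN], frame_with_crc[-CRC_LEN:]
    return zlib.crc32(body).to_bytes(CRC_LEN, "little") == trailer


def append_tag(frame: bytes, key: bytes) -> bytes:
    return frame + hmac.new(key, frame, hashlib.sha256).digest()


def tag_ok(frame_with_tag: bytes, key: bytes) -> bool:
    body, tag = frame_with_tag[:-TAG_LEN], frame_with_tag[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def rewrite(body: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Overwrite part of a frame body, as a man-in-the-middle would."""
    out = bytearray(body)
    out[offset:offset + len(new_bytes)] = new_bytes
    return bytes(out)


def crc_tampering_detected() -> bool:
    """Attacker changes 0010 to 9999 and forges a fresh CRC over the result."""
    sent = append_crc(FRAME)
    forged = append_crc(rewrite(sent[:-CRC_LEN], PAYLOAD_OFFSET, b"9999"))
    return not crc_ok(forged)   # False: the receiver accepts the tampered frame


def tag_tampering_detected(key: bytes) -> bool:
    """Same change against a keyed tag; without the key the attacker can
    only leave the old tag in place, and verification fails."""
    sent = append_tag(FRAME, key)
    tampered = rewrite(sent[:-TAG_LEN], PAYLOAD_OFFSET, b"9999") + sent[-TAG_LEN:]
    return not tag_ok(tampered, key)   # True: the receiver rejects it


if __name__ == "__main__":
    print("CRC detects tampering:", crc_tampering_detected())
    print("keyed tag detects tampering:", tag_tampering_detected(b"constructed-key"))
```

The CRC is a public, keyless function of the frame, so anyone who can modify the frame can also produce the matching trailer; only a check that depends on a secret the attacker lacks turns a modification into a detectable event.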

Go Native

Readers somewhat familiar with IEEE specifications probably know that the institute's specifications are often concerned with remaining backward-compatible with previous iterations of various IEEE texts. The 802.1Q specification is no different: it includes a provision for trunk ports to carry both tagged and untagged frames. Frames riding on a trunk port without any 802.1Q tag are said to belong to the native VLAN. One protocol that uses the native VLAN is 802.1D (spanning tree). This ensures...

Gobbler

Gobbler specializes in DHCP-only attacks. From its documentation (footnote 2), Gobbler is described as follows: A tool designed to audit various aspects of DHCP networks, from detecting if DHCP is running on a network to performing a denial of service attack. The Gobbler also exploits DHCP and Ethernet to allow distributed spoofed port scanning with the added bonus of being able to sniff the reply from a spoofed host. This tool is based on the proof-of-concept code DHCP Gobbler available from...

Gratuitous ARP

When ARP was designed, Ethernet adapters were not reliable, so when a host acquired a new MAC address because its adapter was replaced, it was expected to send an unsolicited ARP reply to force an update of the ARP tables in all other hosts. In Figure 6-3, host B changes its MAC address to 0000.BABE.0000 and sends an unsolicited ARP reply to the broadcast address FFFF.FFFF.FFFF to tell hosts on the Ethernet segment to change their <IP, MAC> binding for host B. Host C IP 10.0.0.3 MAC...

Hardware Based CoPP

When a CoPP policy is defined using the Modular QoS CLI (MQC) on the Catalyst 6500, it is, by default, performed only in software on the central CPU. However, if multilayer switching (MLS) QoS is enabled on the switch, hardware-based CoPP is enabled on the policy feature card (PFC) and on any line cards with distributed forwarding capability (a distributed forwarding card, DFC). The command to globally enable MLS QoS is as follows. To view the status of MLS QoS on the switch, look at Example 13-2. Example...

Here Comes Secure ND

The IETF has standardized a secure version of ND, which also applies to RA: Secure Neighbor Discovery (SEND), specified in RFC 3971 (footnote 4), relies on the use of cryptographically generated IPv6 addresses (CGA, RFC 3972, footnote 5). SEND works by having a pair of public and private keys for all hosts and routers in a network. With SEND, hosts cannot decide on their own about their interface ID (the lower 64 bits of their IPv6 address). It is cryptographically generated based on the current IPv6 network prefix...

Hijacking Traffic Using DHCP Rogue Servers

Another DHCP exploit with devastating results consists of installing a covert DHCP server on a LAN segment, as Figure 5-4 shows.

Figure 5-4 (lease parameters handed to the client): IP Address 10.10.10.101, Subnet Mask 255.255.255.0, Default Router 10.10.10.1, DNS Servers 192.168.10.4 and 192.168.10.5, Lease Time 10 Days

If a rogue DHCP server is installed on the LAN, by default, it receives the DHCPDISCOVER messages from clients seeking to acquire an IP address, and it can answer them with its own lease parameters...

How Does a DoS Attack Differ from a DDoS Attack

A distributed denial of service (DDoS) attack occurs when a device or service is attacked by multiple attackers at once. The attacks usually consist of bandwidth-flooding attacks or resource-starvation attacks. Simply said, the goal of a DDoS attack is to make the targeted system's services unavailable to legitimate users, either by flooding (where users are unable to reach the service) or by resource starvation (where the service...

How PoE Works

Both Cisco prestandard and IEEE 802.3af PoE work in the same way, with two mechanisms:
Detection mechanism. Checks whether the connected device requires electrical power.
Powering mechanism. Transmits the electrical power to the connected device.
Figure 8-1 represents the typical configuration of PoE. Within the Ethernet switch, the power sourcing equipment (PSE) supplies power to a powered device (PD) located within the powered end station (PES). ...

How This Book Is Organized

This book is organized into four distinct parts. Part I, Vulnerabilities and Mitigation Techniques: a detailed explanation of several vulnerabilities in Layer 2 protocols and how to prevent attacks against those vulnerabilities. Within Part I, each chapter's structure is similar. It always starts with a description of the protocol and then gives a detailed explanation of this protocol's vulnerabilities. It concludes with prevention or mitigation techniques. Chapter 1, Introduction to Security,...

HSRP Mechanics

HSRP's role is to make a group of Layer 2 adjacent routers appear as a single virtual router. One physical router, known as the active router, actually forwards the IP packets. The other physical routers, known as standby routers, basically do nothing but keep the HSRP state. When the active router fails, a standby router automatically takes over the active role, that is, it starts forwarding the hosts' packets.

NOTE: HSRP is not a routing protocol. Its main application is for hosts that...
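The following is an added example (not the book's code and not a Cisco implementation): it packs and parses the HSRP version 1 packet format of RFC 2281 and keeps a per-group view of which router is active, so that the takeover described above can be watched happening. The router addresses, priorities and timings are made up. The view assumes preemption is enabled, which is not the Cisco default, so that a newly heard higher-priority router takes over; the eight-byte authentication field is plaintext (default "cisco"), and comparing it is all the protocol offers.

```python
"""HSRP hello packets and the active/standby election.

Added example (not the book's or a Cisco implementation): packs and parses
the HSRPv1 packet format of RFC 2281 and keeps a per-group view of which
router is active. A router that stops sending hellos is declared dead after
its hold time and the best remaining router takes over; a higher priority
preempts (this model assumes preemption is enabled, which is not the Cisco
default). Addresses, priorities and timings are made up.
"""
import struct

HSRP_FMT = "!BBBBBBBB8s4s"          # 20-byte HSRPv1 packet (RFC 2281)
HELLO, COUP, RESIGN = 0, 1, 2
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
DEFAULT_AUTH = b"cisco".ljust(8, b"\0")   # plaintext, zero-padded


def build_hello(state, priority, group, virtual_ip, hellotime=3, holdtime=10, auth=DEFAULT_AUTH):
    return struct.pack(HSRP_FMT, 0, HELLO, state, hellotime, holdtime,
                       priority, group, 0, auth, virtual_ip)


def parse_hsrp(pkt: bytes) -> dict:
    version, op, state, hellotime, holdtime, priority, group, _, auth, vip = \
        struct.unpack(HSRP_FMT, pkt[:20])
    if version != 0:
        raise ValueError("not HSRPv1")
    return dict(op=op, state=STATES.get(state, state), hellotime=hellotime,
                holdtime=holdtime, priority=priority, group=group, auth=auth,
                virtual_ip=".".join(map(str, vip)))


class HsrpGroupView:
    """Tracks the routers heard for one group and who should be active."""

    def __init__(self, group: int, auth: bytes = DEFAULT_AUTH):
        self.group, self.auth = group, auth
        self.routers = {}      # source IP -> (priority, holdtime, last_seen)
        self.rejected = 0      # hellos with a wrong authentication string

    def observe(self, src_ip: str, pkt: bytes, now: float):
        h = parse_hsrp(pkt)
        if h["group"] != self.group:
            return
        if h["auth"] != self.auth:
            self.rejected += 1
            return
        if h["op"] == RESIGN:
            self.routers.pop(src_ip, None)
            return
        self.routers[src_ip] = (h["priority"], h["holdtime"], now)

    def active(self, now: float):
        """Highest priority among routers heard within their hold time;
        ties are broken by the higher IP address, as RFC 2281 specifies."""
        alive = [(prio, tuple(map(int, ip.split("."))), ip)
                 for ip, (prio, hold, seen) in self.routers.items() if now - seen <= hold]
        return max(alive)[2] if alive else None


def failover_scenario() -> dict:
    """Constructed timeline: R1 (priority 110) dies, R2 takes over, R3 preempts."""
    vip = bytes([192, 168, 0, 254])
    view = HsrpGroupView(group=1)
    r1, r2, r3 = "192.168.0.1", "192.168.0.2", "192.168.0.3"
    results = {}
    for t in (0, 3):                                  # both routers hello every 3 s
        view.observe(r1, build_hello(16, 110, 1, vip), t)
        view.observe(r2, build_hello(8, 100, 1, vip), t)
    results["t5"] = view.active(5)                    # R1 wins on priority
    for t in (6, 9, 12, 15, 18):                      # R1 goes silent, R2 keeps talking
        view.observe(r2, build_hello(8, 100, 1, vip), t)
    results["t20"] = view.active(20)                  # R1's 10 s hold time has expired
    view.observe(r3, build_hello(4, 120, 1, vip, auth=b"wrong".ljust(8, b"\0")), 21)
    results["rejected"] = view.rejected               # wrong auth string: ignored
    view.observe(r3, build_hello(4, 120, 1, vip), 22)
    view.observe(r2, build_hello(16, 100, 1, vip), 22)
    results["t24"] = view.active(24)                  # R3 preempts with priority 120
    return results


if __name__ == "__main__":
    print(failover_scenario())
```

The election is entirely driven by the priority and source address in unauthenticated hellos, which is why the group view accepts any packet carrying the right plaintext string.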

Identification

A client's identity is represented by a digital identifier within the context of a trusted domain. The identifier is typically used as a pointer to a set of rights or permissions and allows clients to be differentiated. An identifier can physically look like anything and be present at any OSI model layer in a networking environment. A network uses authenticated digital identifiers to provide authorization capability. An identity is useful for accounting and as a pointer to an applicable policy.

Identity-Based Networking Services with 802.1X

The Cisco Identity-Based Networking Services (IBNS) is a technology solution that can improve the security of physical and logical access to LANs. IBNS incorporates all the capabilities defined in the IEEE 802.1X authentication standard, and it provides enhancements to make 802.1X technology easy to deploy. In addition to 802.1X, IBNS focuses on supplemental authentication techniques and integration with other advanced technologies. Ultimately, IBNS delivers LAN access control. The mechanisms...

IEEE Link Layer Discovery Protocol

IEEE has specified IEEE 802.1AB, also known as Link Layer Discovery Protocol (LLDP, footnote 3), which is similar in goal and design to CDP. Some differences include the following:
Multicast MAC address. The address is 0180.C200.000E.
Ethernet type. LLDP does not use SNAP encapsulation; instead, it uses Ethernet II framing with 0x88CC as the EtherType.
Packet format. As Figure 11-3 shows, the packet consists of several fields encoded as <Type, Length, Value> (TLV), with the first three and the last...
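As an added example (not the book's code), the following builds an LLDP frame using the multicast address, EtherType and TLV encoding listed above and decodes it again, which shows how much a passive listener on the segment learns from it. The device name, port name, description and management address are made up; the TLV type numbers and subtypes are those of IEEE 802.1AB.

```python
"""Building and decoding an IEEE 802.1AB (LLDP) frame.

Added example (not code from the book): constructs an LLDP frame with the
mandatory Chassis ID, Port ID and TTL TLVs plus a few optional ones, then
parses it back. The point for a defender is how much a listener on the
segment learns from a protocol that is sent unauthenticated to a link-local
multicast address. Device names and addresses below are made up.
"""
import struct

LLDP_MULTICAST = bytes.fromhex("0180c200000e")
ETHERTYPE_LLDP = 0x88CC
END, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, SYS_NAME, SYS_DESC, SYS_CAP, MGMT_ADDR = range(9)
TLV_NAMES = {CHASSIS_ID: "chassis_id", PORT_ID: "port_id", TTL: "ttl",
             PORT_DESC: "port_description", SYS_NAME: "system_name",
             SYS_DESC: "system_description", SYS_CAP: "system_capabilities",
             MGMT_ADDR: "management_address"}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV header is 16 bits: 7-bit type, 9-bit length."""
    if tlv_type > 127 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(src_mac, chassis_mac, port_name, sys_name, sys_desc, mgmt_ipv4):
    # Management Address TLV: address string length, address subtype 1 (IPv4),
    # the address, interface numbering subtype 2 (ifIndex), ifIndex, OID length 0.
    mgmt = bytes([1 + 4, 1]) + mgmt_ipv4 + bytes([2]) + struct.pack("!I", 1) + bytes([0])
    body = (tlv(CHASSIS_ID, bytes([4]) + chassis_mac)      # subtype 4 = MAC address
            + tlv(PORT_ID, bytes([5]) + port_name)          # subtype 5 = interface name
            + tlv(TTL, struct.pack("!H", 120))
            + tlv(SYS_NAME, sys_name)
            + tlv(SYS_DESC, sys_desc)
            + tlv(MGMT_ADDR, mgmt)
            + tlv(END, b""))
    return LLDP_MULTICAST + src_mac + struct.pack("!H", ETHERTYPE_LLDP) + body


def _decode(tlv_type: int, value: bytes):
    if tlv_type == CHASSIS_ID and value[0] == 4:
        return value[1:7].hex(":")
    if tlv_type == PORT_ID and value[0] == 5:
        return value[1:].decode()
    if tlv_type == TTL:
        return struct.unpack("!H", value[:2])[0]
    if tlv_type == MGMT_ADDR and value[1] == 1:
        addr_len = value[0]
        return ".".join(str(b) for b in value[2:1 + addr_len])
    if tlv_type in (PORT_DESC, SYS_NAME, SYS_DESC):
        return value.decode(errors="replace")
    return value.hex()


def parse_lldp(frame: bytes) -> dict:
    """Return the TLVs of an LLDP frame as a dict; raises on malformed input."""
    if frame[:6] != LLDP_MULTICAST or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_LLDP:
        raise ValueError("not an LLDP frame")
    result, offset = {"source_mac": frame[6:12].hex(":")}, 14
    while offset + 2 <= len(frame):
        header, = struct.unpack("!H", frame[offset:offset + 2])
        tlv_type, length = header >> 9, header & 0x1FF
        value = frame[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        offset += 2 + length
        if tlv_type == END:
            break
        result[TLV_NAMES.get(tlv_type, f"type_{tlv_type}")] = _decode(tlv_type, value)
    return result


# Constructed frame from a made-up switch.
SAMPLE = build_lldp_frame(bytes.fromhex("0011bb000001"), bytes.fromhex("0011bb000001"),
                          b"GigabitEthernet1/0/24", b"core-sw1",
                          b"constructed system description string", bytes([10, 1, 1, 1]))

if __name__ == "__main__":
    for name, value in parse_lldp(SAMPLE).items():
        print(f"{name}: {value}")
```

Everything the parser prints was obtained without sending a single packet, which is the information-leak risk the chapter is about; disabling LLDP on user-facing ports, or at least not advertising management addresses there, removes it.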

Implementing Software Based CoPP

Software-based CoPP is based on the concept of a control plane interface. All traffic processed by the central CPU traverses this interface, which makes it possible to control and limit the total amount of traffic destined to the central CPU. Figure 13-5 shows a simplified view of how the control plane interface is implemented on a distributed platform. As Figure 13-5 shows, the control plane interface is implemented as a logical interface. All traffic destined for the control plane traverses...

In Switches

Currently, no techniques are available in switches to mitigate these types of attacks. Fortunately, these attacks are confined to a single subnet, so there is the possibility of reducing the potential damage by sizing the subnet to include only a few hosts or by using different subnets for trusted and untrusted hosts. This damage-control technique is easier to deploy than in IPv4 because, with IPv6, enterprises receive many more prefixes from their ISP. Expect that techniques...

Increasing Security with NetFlow Applications

Using a security-monitoring application, such as Cisco Security Monitoring, Analysis, and Response System (CS-MARS, footnote 3), makes NetFlow easier to use and more readable. Indeed, CS-MARS can receive NetFlow export datagrams from multiple switches, and it can build graphs like the one shown in Figure 15-2. It can even have a rule that triggers an alert when predefined thresholds are crossed. Figure 15-2 shows baseline traffic, where the peak is simply the normal traffic increase during work hours....

Information Leaks with Cisco Ancillary Protocols

In a Cisco switched environment, there are many ancillary protocols: some proprietary, such as Cisco Discovery Protocol (CDP) and VLAN Trunking Protocol (VTP); some standard, such as the Institute of Electrical and Electronics Engineers (IEEE) Link Layer Discovery Protocol (LLDP) and Link Aggregation Control Protocol (LACP). This chapter describes these protocols, which are sometimes not well known, and the associated risks, which are mainly information leaks, such as giving out information to a potential...

Initiating a DDoS Attack

As previously mentioned, the main goal of a DDoS attack is to overwhelm a service or the infrastructure it resides on with legitimate service requests or junk traffic. Today's server architectures are actually designed to service thousands or millions of legitimate requests at any one time, so launching a DDoS attack is not an easy task using a single computer. Therefore, to DDoS someone, an attacker needs some help. However, because not many people are willing to assist in illegal activities...

Introducing DHCP Snooping

DHCP snooping is a control plane feature that closely monitors and restricts DHCP operations on a VLAN. Control plane means the feature runs on the central management processor, where it is possible to perform deep-packet inspection. DHCP snooping introduces the concept of trusted and untrusted ports inside a given VLAN.

NOTE: For a quick review of the steps involved in a typical DHCP operation, review the beginning of this chapter: DORA (Discover, Offer, Request, Ack).

Hosts have no...
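The following is an added example, not the book's code or Cisco's implementation, covering both the rogue-server scenario from "Hijacking Traffic Using DHCP Rogue Servers" and the trusted/untrusted port model introduced here. It contains a minimal DHCP message builder and parser and a snooping filter: server messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped, client messages whose chaddr does not match the frame's source MAC are dropped, releases are only accepted from the port that holds the binding, and ACKs seen on trusted ports populate a binding table. Port names, MAC addresses and the lease are assumptions for the scenario; the 10.10.10.101 lease is the one the figure shows.

```python
"""DHCP snooping: trusted vs untrusted ports and the binding table.

Added example (not code from the book, not Cisco's implementation).
Port names, MAC addresses and the lease are made up for the scenario.
"""
import socket
import struct
from dataclasses import dataclass, field

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"        # 236-byte fixed BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}             # only servers send these
ZERO4 = b"\0" * 4


def build_dhcp(op: int, xid: int, chaddr: bytes, msg_type: int, yiaddr: bytes = ZERO4) -> bytes:
    header = struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, 0, ZERO4, yiaddr, ZERO4, ZERO4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])   # option 53 + end


def parse_dhcp(pkt: bytes) -> dict:
    fields = struct.unpack(BOOTP_FMT, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie")
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                           # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4], "yiaddr": fields[8], "chaddr": fields[11][:6],
            "type": MSG_TYPES.get(options.get(53, b"\0")[0], "UNKNOWN")}


@dataclass
class Frame:
    port: str
    vlan: int
    src_mac: bytes
    dhcp: bytes


@dataclass
class DhcpSnooping:
    trusted_ports: set
    verify_mac: bool = True
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> (ip, client port)
    pending: dict = field(default_factory=dict)    # (vlan, mac) -> port that asked
    log: list = field(default_factory=list)

    def inspect(self, frame: Frame) -> bool:
        """Return True if the frame may be forwarded, False if it is dropped."""
        msg = parse_dhcp(frame.dhcp)
        kind, key = msg["type"], (frame.vlan, msg["chaddr"])
        trusted = frame.port in self.trusted_ports
        if not trusted:
            if kind in SERVER_MSGS:
                self.log.append(f"drop {kind} from untrusted {frame.port}")
                return False
            if self.verify_mac and msg["chaddr"] != frame.src_mac:
                self.log.append(f"drop {kind}: chaddr/source MAC mismatch on {frame.port}")
                return False
            if kind in ("RELEASE", "DECLINE"):
                bound = self.bindings.get(key)
                if bound is None or bound[1] != frame.port:
                    self.log.append(f"drop {kind}: binding not owned by {frame.port}")
                    return False
            if kind in ("DISCOVER", "REQUEST"):
                self.pending[key] = frame.port
        if kind == "ACK" and trusted:
            self.bindings[key] = (socket.inet_ntoa(msg["yiaddr"]), self.pending.get(key))
        return True


def rogue_server_scenario():
    """Real server behind trusted Gi1/1, rogue server on Gi1/7, client on Gi1/5."""
    client, real, rogue = (bytes.fromhex(m) for m in ("00aa00000001", "00cc00000001", "00bb00000007"))
    lease = bytes([10, 10, 10, 101])
    snoop, xid = DhcpSnooping(trusted_ports={"Gi1/1"}), 0x1234
    frames = [
        Frame("Gi1/5", 10, client, build_dhcp(1, xid, client, 1)),           # DISCOVER
        Frame("Gi1/7", 10, rogue, build_dhcp(2, xid, client, 2, lease)),     # rogue OFFER
        Frame("Gi1/1", 10, real, build_dhcp(2, xid, client, 2, lease)),      # real OFFER
        Frame("Gi1/5", 10, client, build_dhcp(1, xid, client, 3)),           # REQUEST
        Frame("Gi1/1", 10, real, build_dhcp(2, xid, client, 5, lease)),      # ACK
        Frame("Gi1/9", 10, client, build_dhcp(1, xid, client, 7)),           # spoofed RELEASE
    ]
    return snoop, [snoop.inspect(f) for f in frames]


if __name__ == "__main__":
    snooping, verdicts = rogue_server_scenario()
    print(verdicts, snooping.bindings, snooping.log, sep="\n")
```

The binding table the filter builds is what IP Source Guard and Dynamic ARP Inspection consume later, so a snooping decision that is too permissive on the untrusted side weakens those features as well.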

Introducing Spanning Tree Protocol

Chapter 2, Defeating a Learning Bridge's Forwarding Process, explained how Ethernet switches build their forwarding tables by learning source MAC addresses from data traffic. When an Ethernet frame arrives on a switch port in VLAN X with a destination MAC address for which there is no entry in the forwarding table, the switch floods the frame. That is, it sends a copy of the frame to every single port in VLAN X (except the port that originally received the frame). Although this is perfectly...

Introduction

LAN and Ethernet switches are usually considered as plumbing. They are easy to install and configure, but it is easy to forget about security when things appear to be simple. Multiple vulnerabilities exist in Ethernet switches. Attack tools to exploit them started to appear a couple of years ago (for example, the well-known dsniff package). By using those attack tools, a hacker can defeat the security myth of a switch, which incorrectly states that sniffing and packet interception are...

Introduction to Denial of Service Attacks

A denial of service (DoS) attack is characterized as an attacker's explicit attempt to prevent legitimate users of a service from using that service. Here are some examples of these attacks:
Attempts to flood a network, thereby preventing legitimate network traffic.
Attempts to disrupt a server by sending more requests than it can handle, thereby preventing access to a service.
Attempts to crash the device or the service by sending it malformed packets.
Attempts to prevent a particular individual...

Introduction to PoE

Before the IEEE standard, Cisco provided a way (footnote 1) to power a device through the RJ-45 connector and its associated Category 5 (CAT5) cable. Since 2003, the IEEE 802.3af standard (footnote 2) specifies the same feature but in a different way. The main motivation behind PoE is to simplify the cabling of Ethernet devices. If the device's power consumption is less than 15.4 Watts (W), the Ethernet switch can provide the electrical power; there's no need for the device to have an additional power-supply cord and...

Intrusion Detection

Because ARP spoofing requires an attacker to send traffic, network IDSs can detect this attack. Cisco network IDS (footnote 5) has a few signatures related to ARP spoofing based on the ATOMIC.ARP engine. A free tool, ARPwatch (footnote 6), can detect an ARP spoofing attack. Typically, ARPwatch runs on a Linux host and processes all ARP packets on an attached Ethernet segment. ARPwatch executes multiple checks on the ARP packets:
Is it a malformed packet?
Is it a new MAC address (that is, a MAC address never seen on the...
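As an added example that is neither the ARPwatch tool nor the book's code, the following parses raw ARP packets and applies the kinds of checks listed above (malformed packet, never-seen MAC, changed binding, Ethernet/ARP sender mismatch) to a constructed sequence that includes the gratuitous reply from the "Gratuitous ARP" section: host B changing to 0000.BABE.0000 and announcing it to the broadcast address. The other MAC and IP addresses and the event names are assumptions for the illustration.

```python
"""ARPwatch-style checks on ARP traffic, including gratuitous ARP.

Added example (not the ARPwatch tool, not code from the book). A gratuitous
reply (unsolicited, sent to the broadcast MAC) is what a host sends after an
adapter swap and exactly what an ARP spoofer sends too, so it is reported
for review rather than trusted. Addresses in the scenario are made up.
"""
import struct

ARP_FMT = "!HHBBH6s4s6s4s"          # 28-byte ARP for Ethernet/IPv4
BROADCAST = b"\xff" * 6
REQUEST, REPLY = 1, 2


def build_arp(op: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


def parse_arp(pkt: bytes) -> dict:
    if len(pkt) < 28:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (REQUEST, REPLY):
        raise ValueError("malformed ARP header")
    return {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


class ArpWatch:
    def __init__(self):
        self.ip_to_mac = {}        # IPv4 (bytes) -> MAC last seen claiming it
        self.known_macs = set()
        self.events = []

    def process(self, eth_dst: bytes, eth_src: bytes, arp_pkt: bytes):
        try:
            arp = parse_arp(arp_pkt)
        except ValueError as exc:
            self.events.append(("malformed", str(exc)))
            return
        sha, spa = arp["sha"], arp["spa"]
        ip = ".".join(map(str, spa))
        if eth_src != sha:                              # frame and ARP sender disagree
            self.events.append(("ethernet mismatch", ip, eth_src.hex(":"), sha.hex(":")))
        if arp["op"] == REPLY and (eth_dst == BROADCAST or spa == arp["tpa"]):
            self.events.append(("gratuitous reply", ip, sha.hex(":")))
        if sha not in self.known_macs:
            self.known_macs.add(sha)
            self.events.append(("new station", ip, sha.hex(":")))
        old = self.ip_to_mac.get(spa)
        if old is not None and old != sha:              # binding moved: swap or spoof
            self.events.append(("changed ethernet address", ip, old.hex(":"), sha.hex(":")))
        self.ip_to_mac[spa] = sha


def segment_scenario() -> ArpWatch:
    """Constructed traffic: A asks for B, B answers, B swaps adapters, C spoofs A."""
    a_mac, b_mac = bytes.fromhex("00000a0a0a01"), bytes.fromhex("00000b0b0b02")
    b_new, c_mac = bytes.fromhex("0000babe0000"), bytes.fromhex("0000cccc0003")
    a_ip, b_ip = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    w = ArpWatch()
    w.process(BROADCAST, a_mac, build_arp(REQUEST, a_mac, a_ip, b"\0" * 6, b_ip))
    w.process(a_mac, b_mac, build_arp(REPLY, b_mac, b_ip, a_mac, a_ip))
    # Gratuitous reply after B's adapter swap, as in Figure 6-3.
    w.process(BROADCAST, b_new, build_arp(REPLY, b_new, b_ip, b"\0" * 6, b_ip))
    # Attacker C claims A's address toward B: same mechanism, different intent.
    w.process(b_new, c_mac, build_arp(REPLY, c_mac, a_ip, b_new, b_ip))
    w.process(BROADCAST, c_mac, b"\x00\x01")              # truncated packet
    return w


if __name__ == "__main__":
    for event in segment_scenario().events:
        print(event)
```

The legitimate adapter swap and the spoof produce the same "changed ethernet address" event; the monitor can only report the change, and it is the operator who decides whether 10.0.0.1 really moved, which is why Dynamic ARP Inspection with a DHCP snooping binding table is the preventive control.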

IPsec Crypto Maps

Define the traffic to be protected with an IPsec selector. (In Cisco IOS, an extended access control list (ACL) selects the L2TPv3 traffic, which runs directly over IP as protocol 115.)
Define the IPsec transform (the cryptographic algorithms).
Define the remote IPsec peer.
Apply all of the above on the egress interface.

IOS(config)# crypto ipsec transform-set 3DES esp-3des
IOS(cfg-crypto-tran)# mode transport
IOS(config)# crypto map VPN 10 ipsec-isakmp
IOS(config-crypto-m)# set peer 192.168.0.36
IOS(config-crypto-m)# set...

Keeping Insiders Honest

It is important to understand the intersection of port-based access-control solutions and related policy-enforcement mechanisms. It is too easy for an unauthorized individual to gain physical and logical access to a network. A solution to this problem is 802.1X, which keeps outsiders out and can serve as a way to extend the level of trust in a networked system by proving someone's identity. As a potential benefit, the network now becomes aware of authorized sessions, and it can enforce...

LAN Switch Security

What Hackers Know About Your Switches
Copyright 2008 Cisco Systems, Inc.
Published by Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the United States of...

Layer 2 PDU Rate Limiter

Available only on certain switches, such as the Supervisor Engine 720 for the Catalyst 6500, a third option to stop the DoS from causing damage exists. It takes the form of a hardware-based Layer 2 PDU rate limiter. It limits the number of Layer 2 PDUs (BPDUs, DTP, Port Aggregation Protocol (PAgP), CDP, and VTP frames) destined for the supervisor engine's processor. The feature works only on Catalyst 6500/7600 switches that are not operating in truncated mode. The switch uses truncated mode for traffic...

Learning Bridge

Regardless of the frame format, every single device equipped with an Ethernet adapter possesses a globally unique MAC address. It is a 6-byte identifier made up of two parts: the three leftmost bytes identify a specific vendor (the organizationally unique identifier, OUI), and the three rightmost bytes are a serial number assigned by that vendor. Combined, these two fields, 48 bits in all, give a theoretical 2^48 = 281,474,976,710,656 possible addresses. Every single Ethernet frame always contains one source and one...

Link Aggregation Protocols

For performance reasons, it is sometimes required to bind several parallel links into a single aggregated bundle. The intent is to have a link with more bandwidth. Figure 11-5 shows such a bundling, where two links are used between switch A and switch B. If the links were 1 Gbps links, the aggregated bandwidth would be 2 Gbps. In Cisco switches, this mechanism is called EtherChannel.

Figure 11-5 Aggregating Multiple Links

The EtherChannel (aggregated link)...

Link Layer Security: IEEE 802.1AE/af

To reiterate, securing the enterprise network infrastructure from internal threats is becoming increasingly important. Current security solutions concentrate on protecting the network layer (Layer 3) and above. For example, Secure Sockets Layer (SSL) protects application data, and IPsec protects network layer data. However, not much has been done to protect the enterprise network's core foundation, the data link layer (Layer 2). Any compromise at Layer 2 can be detrimental to a network. Previous...

LinkSec Extends 802.1X

LinkSec extends the 802.1X model by adding key distribution and data-protection phases. This allows for continuous data protection to counter snooping, spoofing, and tampering attacks on traffic crossing a LinkSec-enabled link. LinkSec brings to wired networks what WPA2 has already done for wireless. To build a secure network, LinkSec incorporates the following three operations on each network link:
Authentication. Entities on a link are authenticated, as in 802.1X.
Cryptographic key distribution....


MAC Authentication Primer

MAC address authentication itself is not a new idea. One classic flavor of this is port security. Another flavor is the Cisco VLAN Management Policy Server (VMPS) architecture. With VMPS, you can have a text file of MAC addresses and the VLANs to which they belong. That file gets loaded into the VMPS server switch through TFTP. All other switches then check with the VMPS server switch to see which VLAN those MAC addresses belong to after being learned by an access switch. Also, you can define...

MAC Flooding Alternative MAC Spoofing Attacks

All MAC flooding tools force a switch to fail open to later perform selective MAC spoofing attacks. A MAC spoofing attack consists of generating a frame from a malicious host borrowing a legitimate source MAC address already in use on the VLAN. This causes the switch to forward frames out the incorrect port, as Figure 2-6 shows. Although they're extremely easy to carry out (most Ethernet adapters permit their MAC address to be modified), MAC spoofing attacks come with a significant drawback...
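The following added example (not code from the book) ties together the "Learning Bridge" and "Introducing Spanning Tree Protocol" descriptions of source-MAC learning and flooding of unknown destinations with the two attacks discussed here: a bridge whose forwarding table has a fixed capacity is filled by a macof-style spray of bogus source addresses, after which traffic between two legitimate hosts it never learned is flooded to every port including the attacker's ("fail open"), and a single frame with a borrowed source MAC moves the victim's entry to the attacker's port. The table size, port names and MAC addresses are assumptions for the illustration; the model learns without evicting older entries, which is one simplification of real hardware.

```python
"""A learning bridge, its flooding behaviour, and what MAC flooding and
MAC spoofing do to it.

Added example (not the book's code): one VLAN-aware forwarding table with a
fixed capacity. Unknown destinations are flooded to every other port in the
VLAN; a full table learns nothing new, so traffic between hosts it never
learned is flooded to all ports, including the attacker's; a frame with a
borrowed source MAC moves that entry to the attacker's port. Addresses,
port names and the table size are made up.
"""
BROADCAST = b"\xff" * 6


class LearningBridge:
    def __init__(self, ports_by_vlan: dict, capacity: int):
        self.ports_by_vlan = ports_by_vlan   # vlan -> set of port names
        self.capacity = capacity             # total entries the table can hold
        self.cam = {}                        # (vlan, mac) -> port
        self.flooded = 0                     # frames flooded for an unknown dst

    def learn(self, vlan: int, src: bytes, port: str):
        key = (vlan, src)
        if key in self.cam:
            self.cam[key] = port             # station moved, or someone spoofed it
        elif len(self.cam) < self.capacity:
            self.cam[key] = port
        # else: table full; this model does not evict, so nothing is learned

    def forward(self, vlan: int, src: bytes, dst: bytes, ingress: str) -> set:
        """Return the set of egress ports for a frame received on `ingress`."""
        self.learn(vlan, src, ingress)
        others = self.ports_by_vlan[vlan] - {ingress}
        if dst == BROADCAST:
            return others
        out = self.cam.get((vlan, dst))
        if out is None:                      # unknown destination: flood
            self.flooded += 1
            return others
        return set() if out == ingress else {out}   # same-port traffic is filtered


VICTIM_A = bytes.fromhex("00000a0a0a01")     # on Gi1/1
VICTIM_B = bytes.fromhex("00000b0b0b02")     # on Gi1/2
ATTACKER_PORT = "Gi1/3"


def new_switch() -> LearningBridge:
    return LearningBridge({10: {"Gi1/1", "Gi1/2", ATTACKER_PORT}}, capacity=8)


def normal_operation():
    """First frame to an unknown B is flooded; once B has spoken, unicast only."""
    sw = new_switch()
    first = sw.forward(10, VICTIM_A, VICTIM_B, "Gi1/1")
    sw.forward(10, VICTIM_B, VICTIM_A, "Gi1/2")
    second = sw.forward(10, VICTIM_A, VICTIM_B, "Gi1/1")
    return first, second


def mac_flooding_attack():
    """Attacker sprays bogus sources until the table is full, then listens."""
    sw = new_switch()
    for i in range(1000):
        bogus_src = bytes([0x02, 0, 0]) + i.to_bytes(3, "big")    # locally administered
        bogus_dst = bytes([0x02, 1, 1]) + i.to_bytes(3, "big")
        sw.forward(10, bogus_src, bogus_dst, ATTACKER_PORT)
    sw.forward(10, VICTIM_A, VICTIM_B, "Gi1/1")       # A cannot be learned any more
    return sw.forward(10, VICTIM_B, VICTIM_A, "Gi1/2")  # so B's reply is flooded


def mac_spoofing_attack():
    """Attacker borrows B's address; the switch now sends A's traffic to Gi1/3."""
    sw = new_switch()
    sw.forward(10, VICTIM_A, VICTIM_B, "Gi1/1")
    sw.forward(10, VICTIM_B, VICTIM_A, "Gi1/2")
    sw.forward(10, VICTIM_B, BROADCAST, ATTACKER_PORT)   # one spoofed frame suffices
    return sw.forward(10, VICTIM_A, VICTIM_B, "Gi1/1")


if __name__ == "__main__":
    print("normal:", normal_operation())
    print("after flooding attack, B->A goes to:", mac_flooding_attack())
    print("after spoofing, A->B goes to:", mac_spoofing_attack())
```

The spoofing result also shows the drawback the text mentions: as soon as the real B sends another frame, its entry moves back to Gi1/2, so the attacker has to keep re-sending spoofed frames, and every one of them is observable.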

Management Plane

The management plane is where the configuration and control of forwarding happens. Management plane packets contain sensitive information and are usually processed directly by the CPU. Examples of such traffic are Secure Shell (SSH), Telnet, and Simple Network Management Protocol (SNMP). All management plane packets are processed by the central CPU. In a perfect environment, traffic on these three different planes would never mix. Access to the control plane and the management plane must be carefully...

Matters of Trust

Who can you trust? Traditionally, there has been an unwritten and, in some cases, written rule that employees are trusted entities. However, in the past decade, numerous cases and statistics prove that this assumption is false. In a survey, 50 North American Chief Information Security Officers (CISOs, footnote 1) were asked what they consider their biggest threats to overall security. Insider attacks rated 18 percent, as Figure 18-1 shows. Additional research done by IDC (www.idc.com) shows a constant...