About the Technical Reviewers

Earl Carter is a security research engineer and a member of the Security Technologies Assessment Team (STAT) for Cisco. He has performed security evaluations on several Cisco products, including everything from the PIX Firewall and VPN solutions to Cisco CallManager and other VoIP products. Earl has authored several Cisco Press books, including CCSP SNPA Official Exam Certification Guide, Third Edition; Intrusion Prevention Fundamentals; CCSP IPS Exam Certification Guide; and CCSP Self-Study Cisco...

Access Control and Identity Management

In networks, the typical control is access control. When subjects (the active entity, such as a user, workstation, program, IP address, and so on) want to access an object (the passive entity, such as an Ethernet VLAN, file, server, Internet, and so on), a security policy is checked and enforced. Access control can be as simple as a Cisco IOS access control list (ACL), or it can be more complex and based on the user's identity. (For more information on access control, see Chapter 17,...

ACLs or Firewalls

If switches are able to check millions of incoming packets per second against ACLs, what good are firewalls? Put another way, the question is, "What is the difference between an ACL and a firewall?" or, "Where can I apply ACLs?" The answer depends on the protection level you want to provide and the type of attacks you are likely to face. ACLs control which protocols and/or ports a host can use to reach a target, and that is pretty much it. They are often referred to as Layer 3 or Layer 4 ACLs for...

Analyzing Risk for ND and Stateless Configuration

From the preceding descriptions, it appears that ND and stateless configuration authenticate neither the originator nor the responder, exactly like ARP does in IPv4. Hence, the same attacks can be mounted against IPv6 as they were in IPv4: ND spoofing. Even if there is no such thing as gratuitous ND, an attacker host can reply instead of the real host. So, the victim sends its packets to the attacker instead of the spoofed host. Things also become worse when the spoofed host is the router because...

Anatomy of a Switch

A simplified view of a switch is that it has a central CPU and special forwarding ASICs. The CPU is responsible for building up the forwarding tables and allowing ASICs to perform forwarding in hardware, which makes switching an efficient process. Figure 12-2 shows the architecture of a typical LAN switch. Some high-end switches use a distributed forwarding architecture, using numerous dedicated CPUs to control the forwarding logic on...

Asymmetric Cryptosystems

Asymmetric cryptosystems are relatively new in cryptography (from around 1970), and they have many interesting properties, especially around authentication and key distribution. Figure 1-8 represents asymmetric encryption, which is where two different keys are used: one for encryption and one for decryption.

Figure 1-8 Asymmetric Encryption with Two Different Keys

The only logical difference of asymmetric encryption (compared to symmetric encryption) is that two different keys are used. Those...

Attacking the Switch

By looking at how the three planes map to a switch's physical architecture (see Figures 12-3 and 12-4), the following becomes clear: Most data plane traffic affects only the switch fabric and the Ethernet controllers. Control plane traffic comes through one of the Ethernet controllers and goes through a switch channel to the central CPU. Management traffic goes through the same path as control plane traffic (unless the switch is managed through the serial interface, where it then goes directly...

Best Practices for Control Plane

Example 14-9 shows the Cisco IOS configuration recommended as a best practice for an access port FastEthernet 0/0. The switch ignores STP packets (thanks to bpduguard) as well as DTP, VTP, and link aggregation packets (thanks to switchport mode access).

Example 14-9 Cisco IOS Recommended Best Practice for an Access Port

IOS(config)# interface FastEthernet 0/0
IOS(config-if)# spanning-tree bpduguard enable
IOS(config-if)# no channel-group
IOS(config-if)# switchport mode access

A more robust approach...

CDP Risk Mitigation

Because CDP is mainly interesting to use between network devices and not toward end-user hosts, the best way to prevent both the DoS attacks and information leaks is to only enable CDP on ports to other network devices and uplinks while disabling it to access ports. Because Cisco IP phones rely on CDP to detect the auxiliary VLAN and to signal their exact power consumption, CDP must remain enabled on ports to IP phones. (For more information on how to mitigate attacks to the power over Ethernet...

Combining IPsec with L2TPv3 for Secure Pseudowire

As described in Chapter 18, "IEEE 802.1AE," IEEE 802.1AE protects all Layer 2 traffic with encryption and authentication. Not all existing switches support IEEE 802.1AE; therefore, in the short term, an alternative solution might be attractive. This solution relies on IPsec for the security features. Although IPsec is convenient and suitable for protecting IP traffic, you sometimes also need to protect all Layer 2 communication between two sites, such as when spanning a LAN over a confidential...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows: Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command). Italics indicate arguments for which you supply actual values. Vertical bars...

Configuring Switches Without Control Plane Protocols

As shown in Chapter 12, "Introduction to Denial of Service Attacks," a control plane in an Ethernet switch consists mainly of the following protocols: L2 processing. A switch must process and respond to Spanning Tree Protocol (STP), Link Aggregation Control Protocol (LACP), Port Aggregation Protocol (PAgP), IEEE 802.1X, Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and keepalive packets. Internet Control Message Protocol (ICMP). ICMP packets must be...

Consequences of Excessive Flooding

Although it's a common and usually benign operation in a switched LAN environment, unknown unicast flooding comes with a side effect: Host C now sees a frame sent from 0000.CAFE.0000 to B. If the user behind workstation C runs a network traffic analyzer, he can eavesdrop on B and access information he should not see. Fortunately, C is only likely to receive an extremely small amount of information: typically, one or two frames. Why? Because the frame sent from 0000.CAFE.0000 to B will now probably...

Contents at a Glance

Introduction
Part I Vulnerabilities and Mitigation Techniques
Chapter 1 Introduction to Security
Chapter 2 Defeating a Learning Bridge's Forwarding Process
Chapter 3 Attacking the Spanning Tree Protocol
Chapter 5 Leveraging DHCP Weaknesses
Chapter 7 Exploiting IPv6 Neighbor Discovery and Router Advertisement
Chapter 8 What About Power over Ethernet
Chapter 10 Can We Bring VRRP Down
Chapter 11 Information Leaks with Cisco Ancillary Protocols
Part II How Can a...

Control Plane Policing

As explained in Chapter 12, "Introduction to Denial of Service Attacks," the control plane is the most critical plane on a switch; a successful attack against it can potentially cause the most damage. To mitigate attacks against the control plane, control plane policing (CoPP) was introduced. The idea is to inspect traffic destined to the control plane, to control what should be allowed, and to control how much of that traffic to accept. CoPP gives an added benefit over traditional access control...

Control Plane Traffic

Many protocols that carry network configuration, statistics, network-topology updates, and so on are, in many cases, not protected. Having access to control plane traffic can result in a malicious user creating additional vulnerabilities by injecting gratuitous control plane data or performing a DoS attack. Having visibility into control plane traffic through snooping or sniffing the wire might result in a miscreant having information that can be used in a nondisruptive reconnaissance manner...

Countermeasures to DHCP Exhaustion Attacks

The solution to the first type of DHCP attack (DoS by grabbing the entire available scope of addresses) depends on the hacker's knowledge of the protocol. By default, DHCP starvation tools use a random source MAC address every time they request a new IP address from the DHCP server (one new MAC per DHCPDISCOVER). Identifying this type of attack is straightforward: A sudden increase in the number of dynamically learned MAC addresses from a given LAN port is a clear indication. Under normal...

Debugging Information

In most enterprise networks, L2TPv3 and xconnect are unusual. That being said, here is some debugging information for a working configuration. The information is limited to L2TP because all other debugging information is available for IPsec and IKE. Example A-1 displays some debugging information for L2TP's tunnels. The first command, show l2tun session circuit, displays all active tunnels with the peer. The second command, show l2tun session packets, prints some counters about the packets sent...

Defending Against Burning Attacks

There is no way to protect a non-PES from a burning attack, even if the static configuration of the wattage can help limit the damage to the attached device. The burning attack requires physical access to inject the signaling to force 42 V into the CAT5 cable. If an attacker has access to the cable, he can also inject 110-220 V into it, which causes more damage in the PES. Therefore, the risk of this attack does not increase by enabling PoE on the port. NOTE: A related issue is when a powered...

Detection Mechanism

The Cisco prestandard implementation of the detection mechanism differs from the IEEE 802.3af one: Cisco prestandard. Injects an alternating current (AC) signal on one pair of the CAT5 cable and checks whether the PES returned this current on another pair. IEEE 802.3af. Applies a direct current (DC) voltage between two pairs of the CAT5 cable and checks whether some current flows. Figure 8-2 shows the Cisco prestandard detection mechanism. A fast link pulse (FLP), such as a low-frequency,...

DHCP Overview

RFC 2131 and RFC 2132 originally defined DHCP, with several RFC extensions augmenting its capabilities. (See http://www.dhcp.org/rfcs.html for an exhaustive list.) The primary purpose of DHCP is to dynamically assign IP addresses to requesters for a specified duration (called the lease time). DHCP clients request addresses from DHCP servers. In most cases, clients and servers are several hops apart and are separated by routers and other network devices. When that is the case, the first hop router...

DHCP Snooping with Option 82

DHCP Option 82 provides the DHCP server with information about which switch and which port on that switch a DHCP request is coming from. This information is supplied via Agent-ID and Circuit-ID subfields of the Relay-Information DHCP Option, as defined in RFC 3046. DHCP snooping is Option-82 friendly in the sense that it can insert or remove DHCP relay information (Option-82 field) in forwarded DHCP request messages from untrusted ports to the DHCP server. With Option 82 enabled, the DHCP...

Discovering Extensible Authentication Protocol

Port-based network access control uses the physical access characteristics of IEEE 802 LAN infrastructures. These infrastructures leverage the Extensible Authentication Protocol (EAP) to carry arbitrary authentication information, not the authentication method itself. EAP is an encapsulation protocol with no dependency on IP, and it can run over any link layer, including IEEE 802 media. EAP transports authentication information in the form of EAP payloads. EAP also establishes and manages the...

Discovering VRRP

Even if you are familiar with how VRRP works, feel free to read on to refresh your knowledge or to gather new information, because this section focuses on specific points linked to the security aspects of VRRP. In VRRP, each physical router has its own MAC and IP addresses, but it also shares one MAC address and one IP address for the virtual router. Figure 10-1 depicts such a topology when the VRRP group consists of two routers. There is a change in the terminology compared to HSRP: Master...

Diving Deep into CDP

CDP does not run over IP, but it runs directly over the data link layer. When Ethernet is used, the IEEE 802.3 and IEEE 802.1 encapsulation are used rather than the usual Ethernet II direct encapsulation (which IPv4 uses). The Subnetwork Access Protocol (SNAP) is used. SNAP consists of 3 bytes of Logical Link Layer header (typically AA-AA-03), followed by the Cisco Organizational Unique Identifier (OUI) 00-00-0C, and the CDP identifier 20-00. Figure 11-1 displays the CDP packet format. The...

DoS Attack

What if an attacker can send a fake HSRP packet where the priority is set to the maximum value of 255 and the correct value for Authentication Data, Group, and virtual IP address? Figure 9-4 shows what happens. [Figure 9-4: Active Virtual Router, IP 192.168.0.8, MAC 0000.0C07.AC01; Normal Hosts with a Default Route to 192.168.0.8]

Enabling NetFlow on a Catalyst 6500

The Catalyst 6500 separates the data collection configuration from the NetFlow data export (NDE) to collectors. Example 15-1 shows a basic configuration of NetFlow on Cisco IOS. NOTE: The NetFlow configuration contains more options, such as allowing the supervisor the ability to build a flow cache entry for switched frames (that is, not only for routed ones).

Example 15-1 Configuring NetFlow on Catalyst 6500 and Cisco IOS

IOS(config)# mls flow ip interface-full
IOS(config)# mls flow ipv6...

End-to-End Versus Hop-by-Hop LAN-Based Cryptographic Protection

There are several key reasons for the strong objection to end-to-end (E2E) (such as client-to-server) cryptographic protection in LANs. First is the matter of security. Although this type of tunneled encryption might appear to be more secure, it can actually conceal malicious exploits and provide for an undetectable distribution of worms, Trojans, and viruses. As such, obscuring the key header information and/or packet payload E2E from the end-user host to servers actually prevents the...

Enterprise Trends and Challenges

Many of you might wonder why wire-rate encryption is needed for Layer 2 Ethernet LAN networks. Aren't the physical security practices and Layer 7 application security measures enough to address the vulnerability of unauthorized access to sensitive information? The reality: No. Throughout this book, you've read that there are numerous ways in which a would-be malicious user can compromise or circumvent existing vulnerabilities in network protocols, operating systems (OS), and applications. It is true with...

Ethernet Frame Formats

For mostly historical reasons, Ethernet frames come in various shapes and forms, but they all convey the same information: where the frame originated, where it is destined to, what payload it carries, and a checksum to verify data integrity. Today, essentially two slightly different frame formats exist: EthernetV2 and IEEE 802.3. It is difficult to authoritatively assess the proportion of EthernetV2 versus 802.3 in today's networks; a rough estimate would probably call for 80 percent EthernetV2 for...

Exploring IEEE 802.1X

The IEEE 802.1 working group developed the 802.1X standard. It is a framework that addresses and provides port-based access control using authentication. Primarily, 802.1X is an encapsulation definition for EAP over IEEE 802 media. The Layer 2 protocol transports EAP authentication messages between a client device and a network device. 802.1X typically assumes a secure connection, and the enforcement of sessions is imposed through MAC-based filtering and port-state monitoring. To provide...

Exploring TCAM

A TCAM is a content-addressable memory where each bit is allowed to store a 0, a 1, or a don't-care value; the ternary qualification comes from the fact that three different types of values can be stored. You can think of a CAM as a reverse random-access memory: Data is provided and an address is returned. Don't-care bits play an important role in ACL lookups because ACLs frequently ignore portions of an IP address. For example, if an ACL is interested in matching traffic from 192.168.2.0/24, it...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at...

Frame Classification

Virtually every LAN switch provides the capability to configure a physical port as an access port or trunk port. An access port belongs to one and only one VLAN, while a trunk port can multiplex several VLANs (up to 4096) on one physical link. Not all vendors agree on a common port-naming convention. As a matter of fact, the 802.1Q specification itself doesn't refer to access or trunk ports. It is, therefore, possible that your particular switch doesn't use the access and trunk terminology....

Frame Format

Look at the frames on the wire to see how LinkSec secures traffic, as Figure 18-5 shows. The figure also shows a regular Layer 2 packet on a link carrying IP traffic. NOTE: The 802.3 cyclic redundancy check (CRC) detects bit corruption on the wire. It does not provide any security against malicious tampering because no cryptographic key is associated with it. Any malicious entity can tamper with the packet and then generate a new valid CRC. The receiver won't be able to detect the tampering because it...

Go Native

Readers somewhat familiar with IEEE specifications probably know that it is often a concern of the institute's specifications to remain backward-compatible with previous iterations of various IEEE texts. The 802.1Q specification is no different. As such, it includes a provision for trunk ports to carry both tagged and untagged frames. Frames riding on a trunk port without any 802.1Q tags are said to be part of the native VLAN. A protocol that uses the native VLAN is 802.1D. This ensures...

Here Comes Secure ND

The IETF has standardized a secure version of ND, which is also applicable to RA: Secure Neighbor Discovery (SEND), specified in RFC 3971, relies on the use of cryptographically generated IPv6 addresses (RFC 3972). SEND works by having a pair of public and private keys for all hosts and routers in a network. With SEND, hosts cannot decide on their own about their interface ID (the lower 64 bits of their IPv6 address). It's cryptographically generated based on the current IPv6 network prefix...

Hijacking Traffic Using DHCP Rogue Servers

Another DHCP exploit with devastating results consists in installing a covert DHCP server on a LAN segment, as Figure 5-4 shows. [Figure 5-4: IP Address 10.10.10.101; Subnet Mask 255.255.255.0; Default Router 10.10.10.1; DNS Servers 192.168.10.4, 192.168.10.5; Lease Time 10 Days] If a rogue DHCP server is installed on the LAN, by default, it receives DHCPDISCOVER messages from clients seeking to acquire an IP address. ...

How Does a DoS Attack Differ from a DDoS Attack

A distributed denial of service attack (DDoS) is defined as follows: A distributed denial of service attack (DDoS) occurs when a device or service is being attacked by multiple attackers. The attacks usually consist of bandwidth-flooding attacks or resource-starvation attacks. Simply said, the goal of a DDoS attack is to make the targeted system's services unavailable to legitimate users by using flooding (where users are unable to reach the service) or resource starvation (where the service...

How PoE Works

Both Cisco prestandard and IEEE 802.3af PoE work in the same way: Detection mechanism. Checks whether the connected device requires electrical power. Powering mechanism. Transmits the electrical power to the connected device. Figure 8-1 represents the typical configuration of PoE. Within the Ethernet switch, the power sourcing equipment (PSE) supplies power to a powered device (PD) that's located within the powered end station (PES). Within...

How This Book Is Organized

This book is organized into four distinct parts: Part I, "Vulnerabilities and Mitigation Techniques." Detailed explanation of several vulnerabilities in Layer 2 protocols and how to prevent all attacks against those vulnerabilities. Within Part I, each chapter's structure is similar. It always starts with a description of the protocol and then gives a detailed explanation of this protocol's vulnerabilities. It concludes with prevention or mitigation techniques. Chapter 1, "Introduction to Security,"...

HSRP Mechanics

HSRP's role is to make a group of Layer 2 adjacent routers appear as a single virtual router. One physical router, known as the active router, actually works and forwards IP packets. The other physical routers, known as standby routers, basically do nothing but keep the HSRP states. When the active router fails, a standby router automatically takes over the active role; that is, it starts forwarding the hosts' packets. NOTE: HSRP is not a routing protocol. Its main application is for hosts that...

IEEE Link Layer Discovery Protocol

IEEE has specified IEEE 802.1AB, also known as Link Layer Discovery Protocol (LLDP), which is similar in goal and design to CDP. Some differences include the following: Multicast MAC address. The address is 0180.C200.000E. Ethernet type. LLDP does not use SNAP encapsulation; instead, it uses Ethernet II framing with 88-CC as the Ethernet type. Packet format. As Figure 11-3 shows, the packet format consists of several fields encoded as <Tag, Length, Value> (TLV), with the first three and the last...

Implementing Software-Based CoPP

Software-based CoPP is based on the concept of a control plane interface. All traffic processed by the central CPU traverses this interface, which makes it possible to control and limit the total amount of traffic destined to the central CPU. Figure 13-5 shows a simplified view of how the control plane interface is implemented on a distributed platform. As Figure 13-5 shows, the control plane interface is implemented as a logical interface. All traffic destined for the control plane traverses...

Increasing Security with NetFlow Applications

Using a security-monitoring application, such as Cisco Security Monitoring, Analysis, and Response System (CS-MARS), makes using NetFlow easier and more readable. Indeed, CS-MARS can receive NetFlow export datagrams from multiple switches, and it can build graphs like the one shown in Figure 15-2. It can even have a rule that triggers an alert when predefined thresholds are crossed. Figure 15-2 shows baseline traffic, where the peak is simply the normal traffic increase during work hours....

Information Leaks with Cisco Ancillary Protocols

In a Cisco switched environment, there are many ancillary protocols: some proprietary, such as Cisco Discovery Protocol (CDP) and VLAN Trunking Protocol (VTP); some standard, such as Institute of Electrical and Electronics Engineers (IEEE) Link Layer Discovery Protocol (LLDP) and Link Aggregation Control Protocol (LACP). This chapter describes these protocols, sometimes not well known, and the associated risks, which are mainly information leaks, such as giving out information to a potential...

Introducing DHCP Snooping

DHCP snooping is a control plane feature that closely monitors and restricts DHCP operations on a VLAN. Control plane means the feature runs on the central management processor, where it is possible to perform deep-packet inspection operations. DHCP snooping introduces the concept of trusted and untrusted ports inside a given VLAN. NOTE: For a quick review of the steps involved in a typical DHCP operation, review the beginning of this chapter: DORA (Discover, Offer, Request, Ack). Hosts have no...

Introducing Spanning Tree Protocol

Chapter 2, "Defeating a Learning Bridge's Forwarding Process," explained how Ethernet switches build their forwarding tables by learning source MAC addresses from data traffic. When an Ethernet frame arrives on a switch port in VLAN X with a destination MAC address for which there is no entry in the forwarding table, the switch floods the frame. That is, it sends a copy of the frame to every single port in VLAN X (except the port that originally received the frame). Although this is perfectly...

Introduction to PoE

Before the IEEE standard, Cisco provided a way to power a device through the RJ-45 connector and its associated Category 5 (CAT5) cable. Since 2003, the IEEE 802.3af standard specifies the same feature but in a different way. The main motivation behind PoE is to simplify the cabling of Ethernet devices. If the device's power consumption is less than 15.4 Watts (W), the Ethernet switch can provide the electrical power; there's no need for the device to have an additional power-supply cord and...

Keeping Insiders Honest

It is important to understand the intersection of port-based access-control solutions and related policy-enforcement mechanisms. It is too easy for an unsecured individual to gain physical and logical access to a network. A solution to this problem is 802.1X, which keeps the outsiders out and can serve as a way to extend the level of trust in a networked system by proving someone's identity. As a potential benefit, the network now becomes aware of authorized sessions, and it can enforce...

Learning Bridge

Regardless of the frame format, every single device equipped with an Ethernet adapter possesses a globally unique MAC address. It is a 6-byte identifier made up of two parts: the three far-left bytes represent a specific vendor, and the three far-right bytes represent a serial number assigned by that vendor. Combined, these two fields, representing 48 bits, result in a theoretical number of 281,474,976,710,656 possible addresses. Every single Ethernet frame always contains one source and one...

Link Aggregation Protocols

For performance reasons, it is sometimes required to bind several parallel links into a single aggregated bundle. The intent is to have a link with more bandwidth. Figure 11-5 shows such a bundling where two links are used between switch A and switch B. If the links were 1 Gbps links, the aggregated bandwidth would be 2 Gbps. In Cisco switches, this mechanism is called EtherChannel.

Figure 11-5 Aggregating Multiple Links

The EtherChannel (aggregated link)...


MAC Authentication Primer

MAC address authentication itself is not a new idea. One classic flavor of this is port security. Another flavor is the Cisco VLAN Management Policy Server (VMPS) architecture. With VMPS, you can have a text file of MAC addresses and the VLANs to which they belong. That file gets loaded into the VMPS server switch through TFTP. All other switches then check with the VMPS server switch to see which VLAN those MAC addresses belong to after being learned by an access switch. Also, you can define...

MAC Flooding Alternative: MAC Spoofing Attacks

All MAC flooding tools force a switch to fail open to later perform selective MAC spoofing attacks. A MAC spoofing attack consists of generating a frame from a malicious host borrowing a legitimate source MAC address already in use on the VLAN. This causes the switch to forward frames out the incorrect port, as Figure 2-6 shows. Although they're extremely easy to carry out (most Ethernet adapters permit their MAC address to be modified), MAC spoofing attacks come with a significant drawback...

Management Plane

The management plane is where control configuration of the forwarding happens. Management plane packets contain sensitive information and are usually processed directly by the CPU. Examples of this are Secure Shell (SSH), Telnet, and Simple Network Management Protocol (SNMP). All management plane packets are processed by the central CPU. In a perfect environment, traffic on these three different planes would never mix. Access to the control plane and the management plane must be carefully...

Matters of Trust

Who can you trust? Traditionally, there has been an unwritten and, in some cases, written rule that employees are trusted entities. However, in the past decade, numerous cases and statistics prove that this assumption is false. In a survey, 50 North American Chief Information Security Officers (CISO) were asked what they consider their biggest threats to overall security. Insider attacks rated 18 percent, as Figure 18-1 shows. Additional research done by the IDC (www.idc.com) shows a constant...

Mitigating an ARP Spoofing Attack

An ARP spoofing attack is severe because it breaks the wrong but widespread assumption that sniffing is not possible in a switched environment. To mitigate an ARP spoofing attack, use the following three options: Layer 3 switch. Can leverage the official <IP, MAC> mapping learned from DHCP and can later drop all spoofed ARP replies based on the official mapping. Host. Can ignore the gratuitous ARP packets. Intrusion detection systems (IDS). Can keep state about all <IP, MAC> mappings...

Mitigating Attacks on Services

The most difficult attacks to mitigate are those that simulate real service requests. For example, differentiating between actual users visiting a website and a zombie simulating web traffic by HTTP GETs can be difficult. If enough zombies continuously generate real service requests, the server becomes bogged down servicing those requests, and legitimate users get poor responses. Also, resource starvation can be a factor for some services (such as IP voice servers and DHCP servers). An example...

Mitigating Attacks on the Catalyst 6500 Switch

The 6500 Series switch is a modular platform, which makes it possible to upgrade line cards and supervisors as necessary. Using the Sup720 or the Sup32 supervisors, it is possible to implement hardware-based CoPP features to protect the central CPU. Also, if the line cards support distributed forwarding, hardware-based CoPP is automatically implemented on the line cards, mitigating attacks as close to the edge as possible. By default, however, almost all the CoPP features are disabled and must...

Motivation for IPv6

In 1994, the Internet Engineering Task Force (IETF) began work on a new version of IP. The motivation was to ensure that the Internet could still grow at a fast pace while keeping it running, scalable, and stable. One of the means to keep the Internet as we know it was to specify a brand-new network layer protocol to replace IP. In 1995, this new protocol received the name IPv6. NOTE: Wonder why IP jumped from the current version, IPv4, to the next one, IPv6, and apparently skipped the...

Mounting an ARP Spoofing Attack

Multiple hacking tools exist to mount an ARP spoofing attack, including the following:
- dsniff. The first tool made available, arpspoof, was part of the dsniff package. It has no GUI and is available on most Linux and Windows platforms.
- ettercap (reference 3). A generic sniffer that has an ARP spoofing module. It has a GUI and is available on Linux and Windows platforms.
- cain (reference 4). A sniffer designed by and for hackers. (It contains a utility to detect passwords in IP packet flows.) It runs only in Microsoft...

Normal ARP Behavior

[Figure 6-1 ARP Request in a Broadcast Frame: frame from CAFE to FFFF.FFFF.FFFF asking "Who is 10.0.0.2?"; host C: IP 10.0.0.3, MAC 0000.0666.0000]

All hosts on the same Ethernet LAN or VLAN receive the ARP request and process it. Only host B reacts on the ARP request because its IP address, 10.0.0.2, matches the IP address inside the ARP request. As Figure 6-2 shows, host B sends a solicited ARP reply to host A. This frame contains the...

Other Techniques That Detect Active Worms

Internet service providers (ISPs) use other techniques to detect an active worm that propagates in their networks. In particular, ISPs can detect network scanning to random IP addresses. The trick is to forward all packets to nonexistent addresses, such as nonallocated IP addresses, to a single host that can be monitored for a traffic surge. If this host receives too much traffic, this means that many packets are being sent to nonexistent hosts. This is most probably the result of a worm randomly scanning the...

Port Security

To stop an attacker in his tracks, a mechanism called port security comes to the rescue. In its most basic form, port security ties a given MAC address to a port by not allowing any other MAC address than the preconfigured one to show up on a secured port. When port security initially shipped, users had to manually configure a permitted MAC address, a cumbersome and error-prone task. Today, port security is more flexible and can listen for one or more MAC addresses before locking down access to...

Powering Mechanism

Because the purpose of PoE is to actually deliver electrical power to the PES, there are mechanisms for this purpose. The IEEE 802.3af has two alternatives for power delivery to the PES:
- Phantom circuit (top of Figure 8-4). Where the DC power is applied between the transmit and receive pairs.
- Powering mechanism (bottom of Figure 8-4). Where the DC power is simply applied between the two unused pairs.
In both mechanisms of power delivery, the actual voltage is 42 V. The Cisco prestandard...

Protecting the Hosts

The hosts themselves can sometimes be protected either by ignoring gratuitous ARP or by relying on static ARP entries in the ARP table and completely ignoring the gratuitous ARP messages. Cisco IP phones implement the ignore gratuitous ARP technique; Cisco CallManager (CCM) configures this. The static ARP entries technique is seldom used because it is an administrative nightmare to enter all the <IP, MAC> mappings for all adjacent nodes on all nodes, and because many TCP/IP stacks...

References

1. International standard ISO/IEC 7498-1:1994, http://www.iso.ch
3. http://www.ettercap.sourceforge.net
4. http://yersinia.sourceforge.net
6. IEEE Std 802.3-2002, Section One.
Cisco Catalyst 6500 switch documentation, http://www.cisco.com/en/US/products/hw/switches/ps708/
Cisco Catalyst 4500 switch documentation, http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html
Cisco Catalyst 3750 switch documentation, http://www.cisco.com/en/US/products/hw/switches/ps5023/index.html
IEEE 802.3 standard....

Relying on Network Infrastructure

If the strong authentication mitigation technique cannot be used or when it is deemed not secure enough, the remaining technique is to prevent hosts from sending HSRP packets. This can be implemented with an inbound access control list (ACL) on all routers and switches. Even if it looks less advanced compared to the cryptographic technique, it is actually more secure because an attacker cannot bypass it. An operational cost exists for this technique because the ACL is linked to IP addresses....

Relying on the Network Infrastructure

If the strong authentication mitigation technique cannot be used, or when it is deemed not secure enough, the only remaining technique is to prevent hosts from transmitting VRRP packets. You can implement this with an inbound ACL on all routers and switches. Because the ACL relies on IP addresses, you must use an antispoofing mechanism, such as IP source guard. Also, an operational cost exists because the ACL is linked to the IP addresses of the VRRP routers; therefore, if one router changes its IP...

Risk Analysis for VRRP

The VRRP risk analysis is almost identical to that for HSRP. The attacker can send forged VRRP packets to run a DoS or MITM attack. The clear-text authentication does not help because it is easily sniffed. In Example 10-1, the tcpdump sniffer detected the authentication data SeCrET.

Example 10-1 Using tcpdump to Get the VRRP SeCrET

13:34:02 0:0:5e:0:1:1 1:0:5e:0:0:12 ip 60: 192.168.0.7 > 224.0.0.18: VRRPv2-advertisement 20: vrid 1 prio 100 authtype simple intvl 1 addrs 192.168.0.8 auth "SeCrET"...

Road to Encryption: Brief History of WANs and WLANs

Before we detail the IEEE 802.1AE MACSec, let's look at the brief history of other network-access methods and their road to encryption. In the 1960s, the U.S. Department of Defense (DoD), in pursuit of enhancing communications between scientists and academic researchers, envisioned a network that would continue to function even during a disaster. This spawned the birth of the Advanced Research Projects Agency Network (ARPANET). Don't worry; we aren't going to go into detail about the Advanced...

Safely Disabling Control Plane Activities

Some protocols can be completely disabled on access ports without having any impact on the network. Depending on the switch architecture and software, disabling a protocol will either completely prevent DoS attacks against this protocol or have no mitigation effect because the supervisor would have processed the packet anyway before it was dropped. A switch where protocols can be attacked even when they are disabled is a Catalyst 4006 with Supervisor 3 and CatOS 8.3, for example. When protocols...

Securing the Control Plane on a Switch

Traditionally, the control plane has been secured by implementing ACLs on each port, controlling who can send packets to the control plane. For some services, such as SNMP and Telnet, it is possible to define ACLs that specify who is allowed to access those services. Unfortunately, ACLs only permit or deny access. A malicious attacker who passes the ACLs can launch a denial of service (DoS) attack against the switch with packet floods, which takes the service (or, in the worst case, the switch) out of action. Some...

Security Landscape: LinkSec's Coexistence with Other Security Technologies

802.1AE/af for wire-line networks is analogous to WPA-2 for wireless. An important goal of LinkSec is to protect network infrastructure. It does so by operating at Layer 2 on a link-by-link basis. This allows LinkSec to protect infrastructure control plane protocols, regardless of which layer they operate on (for example, STP, ARP, and so on). Clearly, every aspect of the control plane is essential for any enterprise network. Figure 18-7 shows LinkSec coexisting with other technologies. A lot...

Security Triad

CIA is a well-known acronym for most people: it means Central Intelligence Agency. But, as Figure 1-1 shows, for security people, CIA means the following:
- Confidentiality. Provides data secrecy.
- Integrity. Only authorized people can change data.
- Availability. Data must always be accessible and ready.

[Figure 1-1 Security Triad Principles: Confidentiality, ability to ensure secrecy; Integrity, ability to ensure asset data is not modified]

This security triad has...

Single Auth Mode

Single-auth mode works the same way when hubs are used and the same rules apply as when a supplicant is connected directly to the authenticator. For example, with the default mode in place, after a MAC address is authenticated and added to the Layer 2 table, any other host seen on the port causes a security violation. As a result, the network is not compromised if a hub is attached to a switch port. If hubs are a necessity in an 802.1X network, you must understand the difference between a hub...

State or No State

Imagine your network is under attack from a massive amount of spoofed HTTP traffic. This might, for example, be traffic trying to reach your main Internet web server using random source IP addresses, with small packets coming in at a high rate. Another common attack scenario consists of sending a large number of Internet Control Message Protocol (ICMP) packets. The last thing you want in these attack cases is to fill the connection table of the perimeter firewall. Both scenarios highlight a...

STP Operation: More Details

To understand the attacks that a hacker is likely to carry out against STP, network administrators must gain a solid understanding of STP's inner workings. The protocol builds a loop-free topology that looks like a tree. At the base of the tree is a root bridge; an election process takes place to determine which bridge becomes the root. The switch with the lowest bridge ID (a concatenation of a 16-bit user-assigned priority and the switch's MAC address) wins. The root-bridge election process...

Summary

Partial understanding of VLAN tagging and common LAN protocols such as Cisco DTP and VTP, coupled with outdated articles still easily accessible on the Internet (reference 4), frequently contributes to the quick dismissal of VLANs as a viable companion to a secure network design. Are VLANs unsafe? VLANs must be taken for what they are: on a properly configured switch, they provide Layer 2 traffic isolation. Layer 2 isolation guarantees that traffic entering a switch port in VLAN X remains confined to VLAN X,...

Symmetric Cryptosystems

Symmetric cryptosystems use the same key material for all operations (that is, the same key to encrypt and decrypt). Symmetric cryptosystems include symmetric encryption and message authentication with the help of hashes. Symmetric encryption occurs when the same key is used for both encryption and decryption, as Figure 1-5 shows. This key is called the shared key or session key. Networks use multiple symmetric encryption algorithms: the more recent Advanced Encryption Standard (AES), the older...

Technology Behind Fast ACL Lookups

How do modern LAN switches perform ACL lookups millions of times per second? An ACL lookup is, in and of itself, a rather simple operation: IPv4 packets adhere to a well-defined binary packet format, with fixed-size addresses always found at the same offset. Because IPv4 addresses are specified using just 4 bytes, searching for a specific address requires just a few operations when the proper data structure is used. Most algorithm-based software solutions for address lookups employ data...

Telnet Flooding Without CoPP

To demonstrate what can happen when a Catalyst 6500 is attacked without CoPP enabled, a flooding attack against TCP port 23 (Telnet) was started using the hping3 utility (reference 1). Running on an average PC platform using SuSE Linux, the hping3 utility generated about 110,000 pps, which would not be a problem for the 6500 in normal situations. However, because Telnet packets are destined to the management plane, they are forwarded directly to the central CPU where they are processed. In this case, the...

Tips for Switches That Do Not Support DHCP Snooping

If your switch does not support DHCP snooping but does support port- or VLAN-based access lists, it is still possible to prevent certain DHCP attacks, such as the rogue server example. Recall the explanation at the beginning of this chapter: DHCP clients broadcast DHCPDISCOVER messages from UDP port 68 to UDP port 67. If you know that a given range of ports has no business running DHCP server services, configure an access list that blocks all UDP traffic from port 67. This prevents rogue DHCP...

Types of Attacks

To defend against attacks, you first must know what you are up against. Potential attacks include the following:
- Power gobbling (or stealing). Unauthorized devices connect to the switch (could be a gizmo, like a fan) and request so much electrical power that no more power is available for the authorized PES.
- Power changing. Because CDP can signal the exact power consumption of a PES and, if the PC attached behind an IP phone is compromised (by a physical attack or Trojan horse), the PC could...

Understanding 802.1w Rapid STP

Incorporated in the 2004 revision of the 802.1D standard, 802.1w (Rapid Reconfiguration of Spanning Tree) introduced significant changes, primarily in terms of convergence speeds. According to the IEEE, motivations behind 802.1w include the following: The desire to develop an improved mode of bridge operation that, while retaining the plug-and-play benefits of spanning tree, discards some of the less desirable aspects of the existing STP (in particular, the significant time it takes to...

Using Switches to Augment the Network Security

Chapter 16 Wire Speed Access Control Lists
Chapter 17 Identity-Based Networking Services with 802.1X

This part of the book focuses on how to use Ethernet switches to enhance a network's overall security. Access control lists (ACL) provide a simple way to enforce a security policy at the core of a network where the bandwidth can easily reach tens of gigabits per second (Gbps). This chapter explains why enforcing ACLs in the network's core is important and the different flavors of ACL featured in...

VLAN Trunking Protocol

VLAN Trunking Protocol (VTP) is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of a VLAN on a network-wide basis. VTP minimizes misconfigurations and configuration inconsistencies that can result in several problems, such as duplicate VLAN names and incorrect VLAN-type specifications. A VTP domain (also known as a VLAN management domain) is made up of one or more interconnected switches that share the same VTP domain...

VTP Risk Analysis

Having a protocol that is able to add or remove VLANs from a network is incredibly powerful, yet dangerous. Indeed, if this protocol is not secure, an attacker might run a DoS attack by disabling a VLAN. A less obvious DoS attack might be run by enabling a VLAN on all the switches, therefore increasing the amount of forwarded multicast and broadcast traffic across all switches.

NOTE: Spanning a VLAN across multiple switches is usually considered bad design because there will be too many forwarded...

VTP Vulnerabilities

Over the past few years, both vulnerabilities (references 6 and 7) and specific VTP attacks that can force a switch into accepting VLAN database updates have surfaced. Those problems are discussed in Chapter 11, Information Leaks with Cisco Ancillary Protocols.

NOTE: A detailed overview of VTP, including packet-level traces, is available in reference 5 in the section, References. Users interested in configuration details are strongly encouraged to visit this URL.

Vulnerabilities and Mitigation Techniques

Chapter 1 Introduction to Security
Chapter 2 Defeating a Learning Bridge's Forwarding Process
Chapter 3 Attacking the Spanning Tree Protocol
Chapter 5 Leveraging DHCP Weaknesses
Chapter 7 Exploiting IPv6 Neighbor Discovery and Router Advertisement
Chapter 8 What About Power over Ethernet
Chapter 10 Can We Bring VRRP Down
Chapter 11 Information Leaks with Cisco Ancillary Protocols

Warning and Disclaimer

This book provides information about vulnerabilities linked to Ethernet switches and how to prevent or mitigate attacks against a switch-based network. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the...

What Does IPv6 Change?

Actually, from the users' and routers' perspectives, little changes between IPv4 and IPv6. As Figure 7-1 shows, IPv4 and IPv6 can coexist in the same host or router. Both can run on Ethernet (different packet types multiplex them on the same data link), and both support the usual Layer 4 protocols, such as TCP or User Datagram Protocol (UDP). It is also easy for applications, such as Firefox or Microsoft Internet Explorer, to support both protocols at the same time. Both browsers can...

What Is Next in LAN Security

IEEE 802.1AE is a standards-based Layer 2 encryption specification, enabling wire-rate encryption at gigabit (Gb) speeds. It provides for cryptographic confidentiality and integrity of all communications (that is, control, data, and management frames) between two adjacent 802.1AE-capable Layer 2 Ethernet ports. This chapter discusses the trends, challenges, and reasons you need to consider this technology.

Why Not Layer

You're probably asking, "Why are networks still void of encryption and integrity verification at Layer 2?" The answer is simple: cryptographic algorithms and hardware capable of efficient standards-based encryption and integrity verification at Gb speeds have not previously been attainable or available. Fortunately, this is no longer the case. (Thanks to the extensive research and analysis performed by Dr. David McGrew, Cisco Fellow, who manages the Advanced Crypto Development...

Working with Devices Incapable of 802.1X

Today, 802.1X is the recommended port-based authentication method at the access layer in enterprise networks. However, not all devices have an 802.1X-supplicant capability embedded into their operating system (OS). For example, most printers, IP phones, fax machines, and so on do not have this capability, but they still need to be allowed into the network even without 802.1X authentication. A supplemental authentication technique should be employed as the basis of the nonresponsive host issue...

Working with RACL

RACLs apply to traffic routed by the switch. Although this might sound like an oxymoron, today most switches can not only bridge traffic but also route it, oftentimes doing so at wire speed. The ACL provided in Example 16-1 is a RACL. You can apply RACLs on switch virtual interfaces (SVI), an interface inside a VLAN configured with an IP address and used by hosts in the VLAN to exit the VLAN, or on physical Layer 3 interfaces. Figure 16-1 represents a RACL implemented between...

Working with VACL

VLAN-based ACLs made their introduction on LAN switches some time after RACLs. VACLs provide the capability to filter traffic between hosts located in the same VLAN. They apply to IP and non-IP traffic alike. For example, using VACLs, it is possible to permit or deny traffic based on its source or destination MAC address. Naturally, IP addresses, User Datagram Protocol (UDP), and TCP ports can also be used as selection criteria. Contrary to a VACL, a RACL cannot match intra-VLAN traffic...

Security

802.1X provides security by creating virtual APs at each port of attachment to a network LAN, including the controlled port and the uncontrolled port:
- Controlled port provides a path for data plane access only after a device authenticates. The data plane represents typical network traffic.
- Uncontrolled port provides a path for the actual authentication traffic.
Ultimately, if a supplicant is appropriately authenticated, an authenticator typically sets access to its controlled port to a state of...

Understanding Cisco VTP

The preceding section briefly alluded to another LAN protocol called VTP. VTP reduces administration overhead in a switched network. With VTP, when you configure a new VLAN on a switch designated as a VTP server, information regarding that VLAN is distributed to all switches in the VTP domain, thereby removing the need to manually configure each switch one by one. You can configure a switch to operate in one of four different VTP modes: Server. Here, you can create, modify, and delete VLANs and...