ACLs or Firewalls

If switches are able to check millions of incoming packets per second against ACLs, what good are firewalls? Put another way, the question is, What is the difference between an ACL and a firewall? or, Where can I apply ACLs? The answer depends on the protection level you want to provide and the type of attacks you are likely to face. ACLs control which protocols and/or ports a host can use to reach a target, and that is pretty much it. They are often referred to as Layer 3 or Layer 4 ACLs for...

Anatomy of a Switch

A simplified view of a switch is that it has a central CPU and special forwarding ASICs. The CPU is responsible for building up the forwarding tables and allowing the ASICs to perform forwarding in hardware, which makes switching an efficient process. Figure 12-2 shows the architecture of a typical LAN switch. Some high-end switches use a distributed forwarding architecture, using numerous dedicated CPUs to control the forwarding logic on...

Asymmetric Cryptosystems

Asymmetric cryptosystems are relatively new in cryptography (from around 1970), and they have many interesting properties, especially around authentication and key distribution. Figure 1-8 represents asymmetric encryption, which is where two different keys are used: one for encryption and one for decryption.

Figure 1-8 Asymmetric Encryption with Two Different Keys

The only logical difference of asymmetric encryption (compared to symmetric encryption) is that two different keys are used. Those...

Best Practices for Control Plane

Example 14-9 shows the Cisco IOS configuration recommended as a best practice for an access port, FastEthernet 0/0. The switch ignores STP packets (thanks to bpduguard) as well as DTP, VTP, and link aggregation packets (thanks to switchport mode access).

Example 14-9 Cisco IOS Recommended Best Practice for an Access Port

    IOS(config)# interface FastEthernet 0/0
    IOS(config-if)# spanning-tree bpduguard enable
    IOS(config-if)# no channel-group
    IOS(config-if)# switchport mode access

A more robust approach...

BPDU Filtering

There is actually another method to discard incoming and outgoing BPDUs on a given port: BPDU filtering. This feature silently discards both incoming and outgoing BPDUs. Although extremely efficient against a brute-force DoS attack, BPDU filtering offers an immense potential to shoot yourself in the foot. Enable this feature on the incorrect port, and any loop condition goes undetected forever, which causes instantaneous network downtime. On the other hand, not sending out BPDUs is actually a...

CDP Risk Mitigation

Because CDP is mainly interesting to use between network devices and not toward end-user hosts, the best way to prevent both the DoS attacks and information leaks is to only enable CDP on ports to other network devices and uplinks while disabling it to access ports. Because Cisco IP phones rely on CDP to detect the auxiliary VLAN and to signal their exact power consumption, CDP must remain enabled on ports to IP phones. (For more information on how to mitigate attacks to the power over Ethernet...

Combining IPsec with L2TPv3 for Secure Pseudowire

As described in Chapter 18, IEEE 802.1AE, IEEE 802.1AE protects all Layer 2 traffic with encryption and authentication. Not all existing switches support IEEE 802.1AE; therefore, in the short term, an alternative solution might be attractive. This solution relies on IPsec for the security features. Although IPsec is convenient and suitable for protecting IP traffic, you sometimes also need to protect all Layer 2 communication between two sites, such as spanning a LAN over a confidential...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows: Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command). Italics indicate arguments for which you supply actual values. Vertical bars...

Configuring Switches Without Control Plane Protocols

As shown in Chapter 12, Introduction to Denial of Service Attacks, a control plane in an Ethernet switch consists mainly of the following protocols: L2 processing. A switch must process and respond to Spanning Tree Protocol (STP), Link Aggregation Control Protocol (LACP), Port Aggregation Protocol (PAgP), IEEE 802.1X, Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and keepalive packets. Internet Control Message Protocol (ICMP). ICMP packets must be...

Consequences of Excessive Flooding

Although it's a common and usually benign operation in a switched LAN environment, unknown unicast flooding comes with a side effect: Host C now sees a frame sent from 0000.CAFE.0000 to B. If the user behind workstation C runs a network traffic analyzer, he can eavesdrop on B and access information he should not see. Fortunately, C is only likely to receive an extremely small amount of information: typically, one or two frames. Why? Because the frame sent from 0000.CAFE.0000 to B will now probably...

Control Plane Policing

As explained in Chapter 12, Introduction to Denial of Service Attacks, the control plane is the most critical plane on a switch; a successful attack against it can potentially cause the most damage. To mitigate attacks against the control plane, control plane policing (CoPP) was introduced. The idea is to inspect traffic destined to the control plane, to control what should be allowed, and to control how much of that traffic to accept. CoPP gives added benefit over traditional access control...

Countermeasures to DHCP Exhaustion Attacks

The solution to the first type of DHCP attack (DoS by grabbing the entire available scope of addresses) depends on the hacker's knowledge of the protocol. By default, DHCP starvation tools use a random source MAC address every time they request a new IP address from the DHCP server (one new MAC per DHCPDISCOVER). Identifying this type of attack is straightforward: a sudden increase in the number of dynamically learned MAC addresses from a given LAN port is a clear indication. Under normal...

Debugging Information

In most enterprise networks, L2TPv3 and xconnect are unusual. That being said, here is some debugging information for a working configuration. The information is limited to L2TP because all other debugging information is available for IPsec and IKE. Example A-1 displays some debugging information for L2TP's tunnels. The first command, show l2tun session circuit, displays all active tunnels with the peer. The second command, show l2tun session packets, prints some counters about the packets sent...

DHCP Overview

RFC 2131 and RFC 2132 originally defined DHCP, with several RFC extensions augmenting its capabilities. (See http://www.dhcp.org/rfcs.html for an exhaustive list.) The primary purpose of DHCP is to dynamically assign IP addresses to requesters for a specified duration (called the lease time). DHCP clients request addresses from DHCP servers. In most cases, clients and servers are several hops apart and are separated by routers and other network devices. When that is the case, the first hop router...

DHCP Snooping with Option

DHCP Option 82 provides the DHCP server with information about which switch and which port on that switch a DHCP request is coming from. This information is supplied via Agent-ID and Circuit-ID subfields of the Relay-Information DHCP Option, as defined in RFC 3046. DHCP snooping is Option-82 friendly in the sense that it can insert or remove DHCP relay information (Option-82 field) in forwarded DHCP request messages from untrusted ports to the DHCP server. With Option 82 enabled, the DHCP...

Discovering Extensible Authentication Protocol

Port-based network access control uses the physical access characteristics of IEEE 802 LAN infrastructures. These infrastructures leverage the Extensible Authentication Protocol (EAP) to carry arbitrary authentication information, not the authentication method itself. EAP is an encapsulation protocol with no dependency on IP, and it can run over any link layer, including IEEE 802 media. EAP transports authentication information in the form of EAP payloads. EAP also establishes and manages the...

Enabling NetFlow on a Catalyst 6500

The Catalyst 6500 separates the data collection configuration from the NetFlow data export (NDE) to collectors. Example 15-1 shows a basic configuration of NetFlow on Cisco IOS.

NOTE: The NetFlow configuration contains more options, such as allowing the supervisor the ability to build a flow cache entry for switched frames (that is, not only for routed ones).

Example 15-1 Configuring NetFlow on Catalyst 6500 and Cisco IOS

    IOS(config)# mls flow ip interface-full
    IOS(config)# mls flow ipv6...

End-to-End Versus Hop-by-Hop LAN-Based Cryptographic Protection

There are several key reasons for the strong objection to end-to-end (E2E) (such as client to server) cryptographic protections in LANs. First is the matter of security. Although this type of tunneled encryption might appear to be more secure, it can actually conceal malicious exploits and provide for an undetectable distribution of worms, Trojans, and viruses. As such, obscuring the key header information and/or packet payload E2E from the end-user host to servers actually prevents the...

Enterprise Trends and Challenges

Many of you might wonder why wire-rate encryption for Layer 2 Ethernet LAN networks? Aren't the physical security practices and Layer 7 application security measures enough to address the vulnerability of unauthorized access to sensitive information? The reality: No. Throughout this book, you've read that there are numerous ways in which a would-be malicious user can compromise or circumvent existing vulnerabilities in network protocols, operating systems (OS), and applications. It is true with...

Ethernet Frame Formats

For mostly historical reasons, Ethernet frames come in various shapes and forms, but they all convey the same information: where the frame originated, where it is destined to, what payload it carries, and a checksum to verify data integrity. Today, essentially two slightly different frame formats exist: EthernetV2 and IEEE 802.3. It is difficult to authoritatively assess the proportion of EthernetV2 versus 802.3 in today's network; a rough estimate would probably call for 80 percent EthernetV2 for...

Exploring IEEE 802.1X

The IEEE 802.1 working group developed the 802.1X standard. It is a framework that addresses and provides port-based access control using authentication. Primarily, 802.1X is an encapsulation definition for EAP over IEEE 802 media. The Layer 2 protocol transports EAP authentication messages between a client device and a network device. 802.1X typically assumes a secure connection, and the enforcement of sessions is imposed through MAC-based filtering and port-start monitoring. To provide...

Exploring TCAM

A TCAM is a content-addressable memory where each bit is allowed to store a 0, 1, or a don't-care value; the ternary qualification comes from the fact that three different types of values can be stored. You can think of a CAM as a reverse random-access memory: data is provided and an address is returned. Don't-care bits play an important role in ACL lookups because ACLs frequently ignore portions of an IP address. For example, if an ACL is interested in matching traffic from 192.168.2.0/24, it...

Hardware-Based CoPP

When a CoPP policy is defined using Modular QoS CLI (MQC) on the 6500, it is, by default, performed only in software mode on the central CPU. However, if multilayer switching (MLS) QoS features are enabled on the switch, hardware-based CoPP is enabled on the central policy feature card (PFC) and on any line cards that support distributed forwarding (DFC capability). The command to globally enable MLS QoS is as follows. To view the status of MLS QoS on the switch, look at Example 13-2. Example...

How This Book Is Organized

This book is organized into four distinct parts: Part I, Vulnerabilities and Mitigation Techniques. Detailed explanation of several vulnerabilities in Layer 2 protocols and how to prevent all attacks against those vulnerabilities. Within Part I, each chapter's structure is similar. It always starts with a description of the protocol and then gives a detailed explanation of this protocol's vulnerabilities. It concludes with prevention or mitigation techniques. Chapter 1, Introduction to Security,...

IEEE Link Layer Discovery Protocol

IEEE has specified IEEE 802.1AB, also known as Link Layer Discovery Protocol (LLDP), which is similar in goal and design to CDP. Some differences include the following: Multicast MAC address: the address is 0180.C200.000E. Ethernet type: LLDP does not use SNAP encapsulation; instead, it uses Ethernet II framing with 88-CC as the Ethernet type. Packet format: as Figure 11-3 shows, the packet format consists of several fields encoded as <Tag, Length, Value> (TLV), with the first three and the last...

Increasing Security with NetFlow Applications

Using a security-monitoring application, such as Cisco Security Monitoring, Analysis, and Response System (CS-MARS), makes using NetFlow easier and more readable. Indeed, CS-MARS can receive NetFlow export datagrams from multiple switches, and it can build graphs like the one shown in Figure 15-2. It can even have a rule that triggers an alert when predefined thresholds are crossed. Figure 15-2 shows baseline traffic, where the peak is simply the normal traffic increase during work hours....

Introducing DHCP Snooping

DHCP snooping is a control plane feature that closely monitors and restricts DHCP operations on a VLAN. Control plane means the feature runs on the central management processor, where it is possible to perform deep-packet inspection operations. DHCP snooping introduces the concept of trusted and untrusted ports inside a given VLAN.

NOTE: For a quick review of the steps involved in a typical DHCP operation, review the beginning of this chapter: DORA (Discover, Offer, Request, Ack).

Hosts have no...

Introducing Spanning Tree Protocol

Chapter 2, Defeating a Learning Bridge's Forwarding Process, explained how Ethernet switches build their forwarding tables by learning source MAC addresses from data traffic. When an Ethernet frame arrives on a switch port in VLAN X with a destination MAC address for which there is no entry in the forwarding table, the switch floods the frame. That is, it sends a copy of the frame to every single port in VLAN X (except the port that originally received the frame). Although this is perfectly...

Keeping Insiders Honest

It is important to understand the intersection of port-based access-control solutions and related policy-enforcement mechanisms. It is too easy for an unsecured individual to gain physical and logical access to a network. A solution to this problem is 802.1X, which keeps the outsiders out and can serve as a way to extend the level of trust in a networked system by proving someone's identity. As a potential benefit, the network now becomes aware of authorized sessions, and it can enforce...

Learning Bridge

Regardless of the frame format, every single device equipped with an Ethernet adapter possesses a globally unique MAC address. It is a 6-byte identifier made up of two parts: the three far-left bytes represent a specific vendor, and the three far-right bytes represent a serial number assigned by that vendor. Combined, these two fields, representing 48 bits, result in a theoretical number of 281,474,976,710,656 possible addresses. Every single Ethernet frame always contains one source and one...

Link Aggregation Protocols

For performance reasons, it is sometimes required to bind several parallel links into a single aggregated bundle. The intent is to have a link with more bandwidth. Figure 11-5 shows such a bundling, where two links are used between switch A and switch B. If the links were 1 Gbps links, the aggregated bandwidth would be 2 Gbps. In Cisco switches, this mechanism is called EtherChannel.

Figure 11-5 Aggregating Multiple Links

The EtherChannel (aggregated link)...

MAC Authentication Primer

MAC address authentication itself is not a new idea. One classic flavor of this is port security. Another flavor is the Cisco VLAN Management Policy Server (VMPS) architecture. With VMPS, you can have a text file of MAC addresses and the VLANs to which they belong. That file gets loaded into the VMPS server switch through TFTP. All other switches then check with the VMPS server switch to see which VLAN those MAC addresses belong to after being learned by an access switch. Also, you can define...

MAC Flooding Alternative: MAC Spoofing Attacks

All MAC flooding tools force a switch to fail open to later perform selective MAC spoofing attacks. A MAC spoofing attack consists of generating a frame from a malicious host borrowing a legitimate source MAC address already in use on the VLAN. This causes the switch to forward frames out the incorrect port, as Figure 2-6 shows. Although they're extremely easy to carry out (most Ethernet adapters permit their MAC address to be modified), MAC spoofing attacks come with a significant drawback...

Matters of Trust

Who can you trust? Traditionally, there has been an unwritten and, in some cases, written rule that employees are trusted entities. However, in the past decade, numerous cases and statistics prove that this assumption is false. In a survey, 50 North American Chief Information Security Officers (CISO) were asked what they consider their biggest threats to overall security. Insider attacks rated 18 percent, as Figure 18-1 shows. Additional research done by the IDC (www.idc.com) shows a constant...

Mitigating an ARP Spoofing Attack

An ARP spoofing attack is severe because it breaks the wrong but widespread assumption that sniffing is not possible in a switched environment. To mitigate an ARP spoofing attack, use the following three options: Layer 3 switch: can leverage the official <IP, MAC> mapping learned from DHCP and can later drop all spoofed ARP replies based on the official mapping. Host: can ignore the gratuitous ARP packets. Intrusion detection systems (IDS): can keep state about all <IP, MAC> mappings...

Mitigating Attacks on Services

The most difficult attacks to mitigate are those that simulate real service requests. For example, differentiating between actual users visiting a website and a zombie simulating web traffic by HTTP GETs can be difficult. If enough zombies continuously generate real service requests, the server becomes bogged down servicing those requests, and legitimate users get poor responses. Also, resource starvation can be a factor for some services (such as IP voice servers and DHCP servers). An example...

Mitigating Attacks on the Catalyst 6500 Switch

The 6500 Series switch is a modular platform, which makes it possible to upgrade line cards and supervisors as necessary. Using the Sup720 or the Sup32 supervisors, it is possible to implement hardware-based CoPP features to protect the central CPU. Also, if the line cards support distributed forwarding, hardware-based CoPP is automatically implemented on the line cards, mitigating attacks as close to the edge as possible. By default, however, almost all the CoPP features are disabled and must...

Mitigating VRRP Attacks

Are the VRRP vulnerabilities critical? After all, other Layer 2 attacks can lead to exactly the same results: ARP spoofing, Dynamic Host Configuration Protocol (DHCP) spoofing, and so on. However, because the other attacks can be mitigated, as shown in Chapters 2 and 6, VRRP is the only risk exposure. This risk needs to be mitigated. The good news is that the attacks that use VRRP vulnerabilities work only in the local LAN. VRRP is even more secure than HSRP from this perspective because it...

Mounting an ARP Spoofing Attack

Multiple hacking tools exist to mount an ARP spoofing attack, including the following: dsniff: the first tool made available, arpspoof, was part of the dsniff package. It has no GUI and is available on most Linux and Windows platforms. ettercap: a generic sniffer that has an ARP spoofing module. It has a GUI and is available on Linux and Windows platforms. cain: a sniffer designed by and for hackers. (It contains a utility to detect passwords in IP packet flows.) It runs only in Microsoft...

Not Just Theory

A switch (6K-4-S2) has just been MAC attacked. Its bridging table is full. The switch has a routed interface in VLAN 20. Pings to 10.20.20.1 (a remote router) are successful. The Address Resolution Protocol (ARP) table reveals that the MAC address associated to 10.20.20.1 is 0000.0020.0000. However, no entry for that address exists in the bridging table. This means that all traffic destined to 0000.0020.0000 is flooded to all ports that are members of VLAN 20. Example 2-6...

Other Techniques That Detect Active Worms

Internet service providers (ISP) use other techniques to detect an active worm that propagates in their networks. Actually, ISPs can detect network scanning to random IP addresses. The trick is to forward all packets to nonexisting addresses, such as nonallocated IP addresses, to a single host that can be monitored for a traffic surge. If this host receives too much traffic, this means that many packets are sent to nonexisting hosts. This is most probably the result of a worm randomly scanning the...

Port Security

To stop an attacker in his tracks, a mechanism called port security comes to the rescue. In its most basic form, port security ties a given MAC address to a port by not allowing any other MAC address than the preconfigured one to show up on a secured port. When port security initially shipped, users had to manually configure a permitted MAC address, a cumbersome and error-prone task. Today, port security is more flexible and can listen for one or more MAC addresses before locking down access to...

State or No State

Imagine your network is under attack from a massive amount of spoofed HTTP traffic. This might, for example, be traffic trying to reach your main Internet web server using random source IP addresses, with small packets coming in at a high rate. Another common attack scenario consists of sending a large number of Internet Control Message Protocol (ICMP) packets. The last thing you want in these attack cases is to fill the connection table of the perimeter firewall. Both scenarios highlight a...

STP Operation: More Details

To understand the attacks that a hacker is likely to carry out against STP, network administrators must gain a solid understanding of STP's inner workings. The protocol builds a loop-free topology that looks like a tree. At the base of the tree is a root bridge; an election process takes place to determine which bridge becomes the root. The switch with the lowest bridge ID (a concatenation of a 16-bit user-assigned priority and the switch's MAC address) wins. The root-bridge election process...

Summary

MAC flooding and spoofing attacks combine two deadly elements: they are extremely simple to carry out and yet so potent. They can help an attacker collect valuable information, such as usernames and passwords, or simply impact the proper operation of the targeted LAN. Although they date back several years, these attacks are still popular, thanks to the widespread availability of simple tools that help perpetrate them. Fortunately, countermeasures are almost as simple as the attacks and are...

Tips for Deploying DHCP Snooping

The second you globally enable DHCP snooping on the switch, be aware that all DHCP requests are dropped until some ports are configured as trusted. By default, ports come up as untrusted; hence, all DHCP packets are dropped by default. Cisco recommends that you not configure the untrusted interface rate limit to more than 100 packets per second (pps). The recommended rate limit for each untrusted client is 15 pps. Normally, the rate limit applies to untrusted interfaces. If you want to set up...

Tips for Switches That Do Not Support DHCP Snooping

If your switch does not support DHCP snooping but does support port- or VLAN-based access lists, it is still possible to prevent certain DHCP attacks, such as the rogue server example. Recall the explanation at the beginning of this chapter: DHCP clients broadcast DHCPDISCOVER messages from UDP port 68 to UDP port 67. If you know that a given range of ports has no business running DHCP server services, configure an access list that blocks all UDP traffic from port 67. This prevents rogue DHCP...

Using Switches to Augment the Network Security

Chapter 16 Wire Speed Access Control Lists
Chapter 17 Identity-Based Networking Services with 802.1X

This part of the book focuses on how to use Ethernet switches to enhance a network's overall security. Access control lists (ACL) provide a simple way to enforce a security policy at the core of a network, where the bandwidth can easily reach tens of gigabits per second (Gbps). This chapter explains why enforcing ACLs in the network's core is important and the different flavors of ACL featured in...

VTP Risk Analysis

Having a protocol that is able to add or remove VLANs from a network is incredibly powerful, yet dangerous. Indeed, if this protocol is not secure, an attacker might run a DoS attack by disabling a VLAN. A less obvious DoS attack might be run by enabling a VLAN on all the switches, therefore increasing the amount of forwarded multicast and broadcast traffic across all switches.

NOTE: Spanning a VLAN across multiple switches is usually considered bad design because there will be too many forwarded...

Vulnerabilities and Mitigation Techniques

Chapter 1 Introduction to Security
Chapter 2 Defeating a Learning Bridge's Forwarding Process
Chapter 3 Attacking the Spanning Tree Protocol
Chapter 5 Leveraging DHCP Weaknesses
Chapter 7 Exploiting IPv6 Neighbor Discovery and Router Advertisement
Chapter 8 What About Power over Ethernet
Chapter 10 Can We Bring VRRP Down
Chapter 11 Information Leaks with Cisco Ancillary Protocols

Warning and Disclaimer

This book provides information about vulnerabilities linked to Ethernet switches and how to prevent or mitigate attacks against a switch-based network. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an as is basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the...

What Does IPv6 Change?

Actually, from the users' and routers' perspectives, little changes between IPv4 and IPv6. As Figure 7-1 shows, IPv4 and IPv6 can coexist in the same host or router. Both can run on Ethernet (different packet types multiplex them on the same data link), and both support the usual Layer 4 protocols, such as TCP or User Datagram Protocol (UDP). It is also easy for applications to support both protocols at the same time, such as Firefox or Microsoft Internet Explorer. Both browsers can...

Working with Devices Incapable of 802.1X

Today, 802.1X is the recommended port-based authentication method at the access layer in enterprise networks. However, not all devices have an 802.1X-supplicant capability embedded into their operating system (OS). For example, most printers, IP phones, fax machines, and so on do not have this capability, but they still need to be allowed into the network even without 802.1X authentication. A supplemental authentication technique should be employed as the basis of the nonresponsive host issue...

Working with VACL

VLAN-based ACLs made their introduction on LAN switches some time after RACLs. VACLs provide the capability to filter traffic between hosts located in the same VLAN. They apply to IP and non-IP traffic alike. For example, using VACLs, it is possible to permit or deny traffic based on its source or destination MAC address. Naturally, IP addresses, User Datagram Protocol (UDP), and TCP ports can also be used as selection criteria. Contrary to a VACL, a RACL cannot match intra-VLAN traffic...

Understanding Cisco VTP

The preceding section briefly alluded to another LAN protocol called VTP. VTP reduces administration overhead in a switched network. With VTP, when you configure a new VLAN on a switch designated as a VTP server, information regarding that VLAN is distributed to all switches in the VTP domain, thereby removing the need to manually configure each switch one by one. You can configure a switch to operate in one of four different VTP modes: Server: here, you can create, modify, and delete VLANs and...

Contents

Part I Vulnerabilities and Mitigation Techniques
    Chapter 1 Introduction to Security
        Security Triad
            Confidentiality
            Integrity
            Availability
        Reverse Security Triad
        Risk Management
            Risk Analysis
            Risk Control
        Access Control and Identity Management
        Symmetric Cryptosystems
            Symmetric Encryption
            Hashing Functions
            Hash Message Authentication Code
        Asymmetric Cryptosystems
            Confidentiality with Asymmetric Cryptosystems
            Integrity and Authentication with Asymmetric...

Exploiting the Bridging Table: MAC Flooding Attacks

Virtually all LAN switches on the market come with a finite-size bridging table. Because each entry occupies a certain amount of memory, it is practically impossible to design a switch with infinite capacity. This information is crucial to a LAN hacker. High-end LAN switches can store hundreds of thousands of entries, while entry-level products peak at a few hundred. Table 2-1 recaps the actual table sizes for various Cisco LAN switches.

Table 2-1 Cisco Switches' Bridging Table Capacities

Up to...

Unknown Unicast Flooding Protection

Some switches ship with a mechanism that can protect an entire VLAN from unicast flooding's negative effects. This mechanism is known as unicast flood protection. As already shown, when no entry corresponds to a frame's destination MAC address in the incoming VLAN, the frame is sent to all forwarding ports within the respective VLAN, which causes flooding. Limited flooding is part of the normal switching process, but continuous flooding causes adverse performance effects on the network. The...

Diving Deep into VRRP

This section provides more detailed information on VRRP, as described in RFC 2338 and RFC 3768. VRRP runs on top of IP using Protocol 112. Packets are sent to multicast address 224.0.0.18 with TTL 255. Routers use their actual IP address as the source address for protocol packets, not the virtual IP address.

NOTE: A lot of information about VRRP exists on the web and in books, as described in RFC 2338 and RFC 3768.

Only the master router sends periodic VRRP messages by using the virtual MAC...

RACL, VACL, and PACL: Many Types of ACLs

ACLs found on Ethernet switches often come in many shapes and forms, mostly because of the differences in hardware and software architectures on those platforms, but also because the functionality provided by ACLs has evolved over time. You are likely to come across three types of ACLs on an Ethernet switch: Router ACL (RACL): an IP-based ACL that is applied to a routed interface. It is the most common type of ACL. The ACL used in Example 16-1 is a RACL. VLAN ACL (VACL): applies to traffic...

References

Perform a Google search on VLAN hopping, and you are presented with about 12,000 hits. This clearly indicates that VLAN security has been, and continues to be, at the center of many discussions and debates in LAN security circles. With the amount of information publicly available on the subject coming in variable quality, it can be difficult to separate truth from myth. This chapter settles...

Management Plane Attacks

A successful attack on the management plane gives the attacker control of the switch. He then can shut down interfaces, change the forwarding of traffic within the network, and cause all kinds of other problems. However, if the switch's management plane is correctly secured, an attacker should never be able to gain access to the device. Use out-of-band management (dedicated hardware interfaces for management plane traffic), if possible. Only allow...

Mitigating Attacks Using CoPP

To demonstrate how CoPP can mitigate attacks, numerous Linux-based security analysis tools simulated attacks against two different switching platforms, a Cisco Catalyst 6500 switch and a Cisco ME3400 Series switch: Cisco Catalyst 6500 switch with the Sup720 Supervisor engine. This high-end platform offers hardware and software-based CoPP using a distributed switching architecture. Cisco ME3400 Series switches. This access switch is designed for the Metro Ethernet market and implements control...

Integration Value-Add of 802.1X

Data traffic originating from an end station is disallowed until 802.1X completes. A LAN segment, as previously shown, comprises exactly two ports. An authenticator can monitor the link's operational state and detect when an active device appears at the remote end of the link or when an active device becomes inactive. Along with link state, these events trigger changes in the authorization state of the switch port. This process is a default condition, and it is demonstrated through port...

Configuring Hardware-Based CoPP on the Catalyst 6500

The Cisco Catalyst 6500 switch with the Sup720/Sup32 supervisor engines offers predefined hardware rate limiters and supports hardware-based CoPP in conjunction with software-based CoPP. Hardware-based CoPP is implemented on the supervisor line card and on line cards that support distributed forwarding. When a packet is destined for the control plane, it is first checked against the hardware rate limiters. If it matches one of those, it is limited to the configured rate, and hardware-based CoPP...

Attack 4: Simulating a Dual-Homed Switch

Yersinia can take advantage of computers equipped with two Ethernet cards to masquerade as a dual-homed switch. This capability introduces an interesting traffic-redirection attack, as Figure 3-7 shows. Figure 3-7 Simulating a Dual-Homed Switch In Figure 3-7, a hacker connects to switches 1 and 4. The hacker's machine then takes root ownership, creating a new topology that forces all traffic to cross it. The intruder could even force switches 1 and 4 to negotiate the...

NetFlow as a Security Tool

Information is power, and NetFlow is a wonderful telemetry system embedded deep in the network's core. Each flow is accounted for; therefore, if unusual behavior occurs in the network, NetFlow collects and reports this change. This abnormal activity could be: A DoS attack. Many flows are targeted at one destination IP address and probably one destination Layer 4 port, such as SYN flooding. An active worm. Propagates in your network by aggressively scanning your network; this causes many...

Telnet Flooding with CoPP

Numerous alternatives exist to protect against attacks on the management plane. One option is to ensure that only traffic from prevalidated IP addresses is allowed (only allow packets from the management network). A second option is to implement a CoPP policy to protect the services on the management plane. In this example, a simple CoPP policy is created to protect Telnet (TCP port 23) and SSH (TCP port 22). First, create an access list that specifies the traffic we want to inspect: access-list...

Protecting the Infrastructure Using ACLs

In an effort to protect switches and routers from various risks, both accidental and malicious, infrastructure-protection ACLs need to be deployed at network ingress points. These ACLs deny access from external sources to all infrastructure addresses, such as router interfaces. At the same time, these ACLs permit legitimate transit traffic to flow uninterrupted through the infrastructure. A common set of ACLs consists of filtering addresses that have no business entering the network. Those are,...

Introduction to Security

Security is a vast topic, and it can be applied to many domains. A common framework exists for all domains, from protecting against network hackers to protecting against fire or flood. This chapter introduces and explains only the major security concepts. It also introduces you to the vocabulary and techniques used throughout this book. NOTE If you are familiar with security vocabulary and techniques (for example, you hold a Certified Information Systems Security Professionals...

Stateless Configuration with Router Advertisement

IPv6 has a stateless configuration mode to make the end node's configuration easier (especially with mobile nodes). It's called stateless because it does not act like DHCP, where there's an actual four-step protocol exchange between the DHCP client and the DHCP server. DHCP consists of four different steps, as described in Chapter 5: Step 1. The end node sends a broadcast DHCP DISCOVER message and hopes to reach at least one DHCP server. Step 2. All DHCP servers reply with a DHCP OFFER message to...

Hardware Rate Limiters

The hardware rate limiters are primarily used to control traffic where an ACL cannot be used. Examples of this are IP options, Time to Live (TTL) and maximum transmission unit (MTU) failures, and other special cases. It is possible to specify up to 32 different rate limiters, but some of them share one of the physical rate limiters. Ten physical rate limiters are available: 2 for Layer 2 and 8 general (unicast/multicast). To see which hardware rate limiters are active, use the command shown in...

CDP Flooding

For this lab, you flood the switch using fake CDP announcements that the Yersinia tool generates. The default configuration of the switch assigns the UNI role to all edge ports. This should result in dropping all CDP packets arriving from a user port. After a while, check the CPU load of the switch: CPU utilization for five seconds: 5%/0%; one minute: 4%; five minutes: 8% This output shows that the switch is not affected because it ignores the CDP packets. It drops them in hardware with no impact on the...

DHCP Snooping Against IP/MAC Spoofing Attacks

A switch can use the DHCP snooping bindings to prevent IP and MAC address spoofing attacks. MAC spoofing attacks, as Figure 5-7 shows, consist of malicious clients generating traffic by using MAC addresses that do not belong to them. The motivation behind a MAC spoofing attack is, for example, the potential ability to gain network access when access control is based on MAC information. (Figure 5-7: received traffic carries source address 10.1.1.3 with MAC B; the attacker sends packets with a spoofed source MAC address.) If...

Forcing an Excessive Flooding Condition

If a switch does not have an entry pointing to a destination MAC address, it floods the frame. What happens when a switch does not have room to store a new MAC address? And what happens if an entry that was there 2 seconds ago was just overwritten by another entry? These questions are probably what Ian Vitek must have asked himself back in 1999 when he wrote a little tool called macof (later ported to C by Dug Song). How switches behave when their bridging table is full depends on the vendor....

Securing Networks with RMON

Remote Monitoring (RMON) is a specific SNMP Management Information Base (MIB) for remote monitoring and management of network equipment. This MIB is standardized at the IETF in RFC 2021 and RFC 2819. It transforms every RMON-capable network device into a remote protocol analyzer. Different pieces of information can be collected: Host. Related to each host discovered in the network by keeping MAC addresses captured in promiscuous mode. Matrix. Used for conversations between sets of two addresses....

Detecting DoS with NetFlow

NetFlow is a well-known telemetry technology that has been around for more than ten years. (It first appeared in 1996.) NOTE This section introduces the NetFlow technology. If you're already familiar with this technology, move on to the section "NetFlow as a Security Tool." You can use NetFlow in a wide range of routers and on some high-end switches, such as the Catalyst 6500, Cisco 7600, Catalyst 4500 with Sup V, and with the help of a daughter card on Catalyst 4500 with Sup IV. An IP flow is...

Introducing the macof Tool

Today, various tools can perform MAC flooding attacks. These tools include Ettercap, Yersinia, THC Parasite, and macof. Macof is efficient and extremely simple to use. Example 2-1 presents its manual page: macof - flood a switched LAN with random MAC addresses SYNOPSIS macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times] DESCRIPTION macof floods the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). A straight C port of...

Using Strong Authentication

The easiest way to partly mitigate an HSRP attack is to use strong authentication. Cisco routers and switches running 12.3(2)T and above can use a message digest algorithm 5 (MD5) Hash Message Authentication Code (HMAC) to authenticate all HSRP packets without ever sending the key in the clear. Example 9-1 shows the syntax when you use a chain of preshared keys. Each key has a send lifetime (when this key sends HSRP messages) and an accept lifetime (when this key checks the validity of received...

DHCP Message Validation

For messages received on trusted ports, no validation is performed. For messages received on untrusted ports, the following steps are taken: 1. DHCP messages normally exchanged from a DHCP server to a client are dropped. These messages are DHCPOFFER, DHCPACK, and DHCPNAK. 2. DHCP messages with a nonzero relay agent gateway IP address (also called the giaddr field) or Option 82 data are dropped. 3. DHCPRELEASE/DHCPDECLINE messages are verified against the binding-table entries to prevent a host from...

Elements of an ARP Spoofing Attack

An attack consists of sending fake unsolicited ARP replies to host A, as Figure 6-4 shows. The attacker, host C, sends this gratuitous ARP without any MAC spoofing to host A. The reply contains a new but incorrect mapping of host B's IP address to the MAC address of host C (the attacker). (Figure 6-4: host C, IP 10.0.0.3, MAC 0000.0666.0000, sends "10.0.0.2 is at 0666" from MAC 0666 to MAC CAFE.) Upon receipt of the faked gratuitous ARP reply, host A updates its ARP table with the new...

MAB Operation

As indicated in preceding sections for 802.1X deployments, only EAPOL control frames are typically processed by switch ports while 802.1X is maintained in an operating and active state. However, this also means that MAC addresses from any edge device might not be known until EAPOL frames are processed from it. These are the security benefits of 802.1X, and they do not change in any way with respect to any MAB implementation. Because it is noteworthy to this discussion, spanning tree is not even...

CDP Risk Analysis

The most obvious risk associated with CDP is the information leak; that is, an attacker learns a lot by listening to CDP. This attack is purely passive: there is no way to detect this information leak, and it causes no damage to the network. Many sniffing tools have the ability to decode CDP, such as Yersinia (shown in Figure 11-2), but there are also generic sniffers, such as Ethereal. Figure 11-2 CDP Packet Decode by Yersinia After a maximum of 60...

Configuring Software-Based CoPP

Creating a CoPP policy requires a good understanding of which control plane and management plane protocols and services are in use. In addition, you must understand the packet rate that those protocols and services require. Too low a value for a rate limit can cause problems with passing normal traffic, and too high a value can allow attacks to slip through. The recommended method to develop a good CoPP policy is to separate the different protocols and services into groups based on relative...

Disabling STP

As shown in Chapter 3, Attacking the Spanning Tree Protocol, STP can and should be disabled on an access port because an end host (workstation, printer, and so on) never sends IEEE 802.1d or 802.1w bridge protocol data units (BPDU). This can be done with the help of BPDU-guard:
IOS(config)# interface FastEthernet 0/0
IOS(config-if)# spanning-tree bpduguard enable
CatOS> (enable) set spantree bpdu-guard 2/47 enable
Spantree port 2/47 bpdu guard enabled.
Chapter 3 demonstrated that a DoS attack...

Disabling Other Control Plane Activities

Obviously, some control plane activities cannot be disabled, even for access ports (for example, ICMP message generation, IEEE 802.1X, CDP, and IPv6 forwarding). ICMP unreachable messages are generated by the central processor and can lead to a DoS attack if the central processor spends its time just doing ICMP generation. This notably includes the following: Administratively prohibited. Occurs when an ACL drops a packet. TTL expired. Occurs when an IP packet with Time to Live (TTL) equal to 0 or...

Attack of the 802.1Q Tag Stack

Nothing in the 802.1Q specification forbids multiple consecutive tags to be chained, thereby achieving an 802.1Q tag stack. Figure 4-3 represents a two-level 802.1Q tag stack. (Figure 4-3: Ethernet frame with two 802.1Q tags, not to scale; after the source MAC come two 4-byte Dot1Q tags, then the EtherType.) There are legitimate use cases for stacking multiple 802.1Q tags. One of them is Cisco QinQ, where up to 4096...

Dynamic ARP Inspection

Chapter 5, Leveraging DHCP Weaknesses, explained that Layer 3 switches can inspect DHCP traffic to prevent attacks against DHCP. DHCP snooping also means that the switch now knows the <IP, MAC> mapping for all hosts using DHCP. With this correct mapping knowledge, the switch can inspect all ARP traffic and check whether the information inside the ARP replies is valid; if it's not, the switch simply drops the ARP packet. This technique is called Dynamic ARP Inspection (DAI). NOTE DAI...

TTL Expiry Attack

When a packet expires on a routing platform because its TTL reaches 0, the platform is required to send an ICMP TTL Exceeded message back to the sender (RFC 1716). This functionality can, however, be misused. If an attacker sends a flood of packets with the TTL value set such that the packets expire on the switch, the switch is forced to generate a large amount of ICMP TTL Exceeded messages. This causes a high CPU load. Regarding TTL expiry attacks, what is really troubling is that an attacker can be...

Crafting a DTP Attack

DTP's purpose is to determine whether two switches that are connected want to create a trunk. In the event that both switches seem to agree, a trunk is automatically brought up with a range of mutually acceptable parameters, such as encapsulation and the VLAN range. NOTE Ample DTP literature is available in other publications, and it's beyond this book's scope to cover all configuration aspects or enumerate matrices of possible DTP combinations. As a quick...

CDP Flooding with L2TP Tunneling

In some cases, it is required to bridge a port on one switch to a port on a different switch, making the end-user equipment unaware that an underlying network connects the two switches. This, however, requires that control packets, such as CDP, STP, VTP, and others, tunnel through the network using Layer 2 Tunneling Protocol (L2TP). What happens if you flood the switch while it is configured in this way? By default, when a UNI port is configured for L2TP tunneling, the switch assigns a rate...