Monday, August 24, 2009

Layer 2 Security >> Imagine Unmanaged switch….

Ok i have finished the “Layer 2 security” topic of the SNRS exam & posting the abridged learning's for reference.
How to find out vulnerabilities in any network
Check (lookout) for the following:
- Written Security Policies (Big trouble, if an organisation don't have one)
- Patch Management System
- OS & application vulnerabilities (e.g. IE6,
conficker etc)
- Protocols used & their weaknesses (e.g: ICMP)
- Network Configuration errors (e.g: weak passwords, default config’s)
- Last but not least user awareness (many social engg. attacks start here)  

Types of Layer 2 Attacks
# Cam Table overflow (flood switch with fake MAC addresses) 
# VLAN hopping 
# STP manipulation 
# DHCP Attacks
    - DHCP Starvation
    - Rogue DHCP Server
# PVLAN attacks 
# MAC address spoofing
Mitigating Layer 2 Attacks
# Cam Table Overflow: When attacker sends/floods the port with fake MAC’s so that switch can start working as hub or start broadcasting all packets for the VLAN to which the attacker is connected.
       Mitigation >>  Configure
Port Security
Switch(config-if)# switchport port-security [mac-address mac-address] |
 [mac-address sticky [mac-address]] | [maximum value] |
 [violation {protect |restrict|shutdown}]

# VLAN Hopping : attacker trying to behave like a switch by negotiating trunk port so that he/she can send & receive data among other VLAN’s 
       Mitigation >> Configure access ports for all users & move unused ports to an unused VLAN

# STP manipulation : attacker tries to change the topology of a network by attacking/ sending STP BPDU with a higher priority to appear as the root bridge or by manipulating STP root bridge calculations & forcing recalculations.
       Mitigation >>  Configure root guard & bpdu guard

Switch(config)# spanning-tree portfast bpduguard default  
On an interface
Switch(config-if)# spanning-tree guard root

# DHCP Attacks
    - DHCP Starvation: broadcasting DHCP requests with spoofed MAC addresses. 
    - Rogue DHCP Server: Attackers provide clients their own system as default gateway and DNS server resulting in man in the middle (MITM) attacks. 
       Mitigation >> 
Port Security & DHCP Snooping

switch(config)# ip dhcp snooping
switch(config)# ip dhcp snooping vlan <vlan range>
switch(config)# interface <interface-id>
switch(config-if)# ip dhcp snooping trust
switch(config-if)# ip dhcp snooping limit rate <rate>
switch(config-if)# end
switch#show ip dhcp snooping
switch#show ip dhcp snooping binding

# PVLAN Attacks : Frames are forwarded to host connected to promiscuous port (e.g: router) using source IP and MAC of attacker device, a destination IP of the target but destination MAC address of router/gateway. These attacks are normally unidirectional but could be bidirectional if both hosts are compromised.
       Mitigation >> ACL for PVLAN subnet

# MAC Spoofing : (aka MITM attacks) attacker use the a known MAC address of another host in attempt to make switch forward the forward packets destined for the known (authentic) host to attacker. Done by sending a single frame with source Ethernet address of known host which results in CAM table change/update.
       Mitigation >>  Configure
Port Security

Some Facts & Figures

>> Cisco Catalyst 6000 series switch contains 1,28,000 CAM entries divided into 8 pages of 16,000 each.
>> Exhausting of all DHCP addresses is not required to introduce a rogue DHCP server. Client request mechanism are implementation dependent. RFC –2131
>> Option 82 (Data insertion feature) is not supported when DHCP relay agent is enabled but DHCP snooping is disabled.

Will post the related lab for the same by next week. Well, maybe :)

If you know any good books, or DOC pages related to the topic…. Share the name/link in comments. THX

Checkout, some Delicious Stuff
Network Access Restrictions White Paper - Cisco Systems
Infiltrating a Botnet - Cisco Systems
Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS Configuration Example - Cisco Systems
HowStuffWorks "How Internet Cookies Work"
Code_Bleu » Remote RDP & Socks Proxy using Reverse SSH Tunneling

& do checkout Google Results for “Layer 2 attacks”, some good PDF’s.

Keep Learning…… because once you fix it, vulnerabilities gonna come knocking another door ~ sorabhk5

No comments:

Post a Comment

Comments are not moderated, if i feel something doesn't need to be here, can be deleted.. Thanks for your time