Chapter 5.1 Switch Security - Coggle Diagram
Chapter 5.1 Switch Security
Endpoint Security
(Slide 23 - 28)
Network Attacks Today
DISTRIBUTED DENIAL OF SERVICE (DDoS)
A coordinated attack launched from a horde of compromised devices (zombies), with the effect of degrading or halting public access to an organization's website and resources.
DATA BREACH
An attack on the organization's data servers or hosts to steal confidential information.
MALWARE
An attack on the organization's hosts with malicious software that causes multiple problems, like a virus in the human body.
Example:
Ransomware such as "WannaCry", which encrypts data on the host and locks access until the ransom is paid.
Network Security Devices
Virtual Private Network (VPN)
Enabled on a router, a VPN provides a secure connection for remote users across a public network into the enterprise network. VPN termination can also be integrated into the firewall.
Next-Generation Firewall (NGFW)
Stateful packet inspection, application visibility and control, a next-generation intrusion prevention system (NGIPS), advanced malware protection (AMP), and URL filtering.
Network Access Control (NAC)
Provides authentication, authorization and accounting (AAA) services.
At larger scale, these services are incorporated into an appliance that can manage access policies across a wide variety of users and device types.
The Cisco Identity Services Engine (ISE) is an example of a NAC device.
Endpoint Protection
Endpoints are end devices such as laptops, desktops, servers and IP phones.
They are most susceptible to malware-related attacks that originate from email or web browsing.
Endpoints have traditionally relied on host-based security features:
Antivirus/Antimalware
Host-based firewall
Host-based intrusion prevention systems (HIPSs)
Endpoints Today
Protected by a combination of:
NAC
AMP software
Email security appliance (ESA)
Web security appliance (WSA)
Cisco Email Security Appliance
Monitors Simple Mail Transfer Protocol (SMTP) traffic.
Constantly updated by real-time feeds from Cisco Talos.
Cisco Talos
Detects and correlates threats and solutions using a worldwide database monitoring system.
Threat intelligence data is pulled by the Cisco ESA every 3 to 5 minutes.
Cisco ESA functions:
Block known threats
Remediate against stealth malware that evaded initial detection
Discard emails with bad links
Block access to newly infected sites
Encrypt content in outgoing email to prevent data loss
Cisco Web Security Appliance
Cisco WSA is a mitigation technology for web-based threats; it helps address the challenges of securing and controlling web traffic.
It combines advanced malware protection, application visibility and control, acceptable use policy controls and reporting.
Cisco WSA gives the organization complete control over how users access the Internet. Features such as chat, messaging, video and audio can be allowed, restricted with time and bandwidth limits, or blocked according to the organization's requirements.
Cisco WSA can blacklist URLs, perform URL filtering and URL categorization, scan for malware, filter web applications, and encrypt/decrypt web traffic.
MAC Address Table Attack
(Slide 7 - 10)
Switch Operation Review
A Layer 2 LAN switch builds a table from the source MAC addresses of received frames. This is called the MAC address table. It is stored in a fixed-size memory (CAM) and is used to switch frames efficiently, so it can hold only a limited number of entries.
MAC Address Table Flooding
MAC address flooding attacks take advantage of this limitation by bombarding the switch with frames carrying fake source MAC addresses until the MAC address table is full.
When this occurs, legitimate hosts whose entries age out can no longer be re-learned, so the switch treats frames to them as unknown unicast and floods them out all ports on the same VLAN without referencing the MAC table. This condition allows a threat actor to capture all frames sent from one host to another on the local LAN or local VLAN.
MAC Address Table Mitigation
What makes tools such as macof so dangerous is that they can create a MAC table overflow very quickly. For instance, a Catalyst 6500 switch can store 132,000 MAC addresses in its MAC address table. A tool such as macof can flood a switch with up to 8,000 bogus frames per second, creating a MAC address table overflow in a matter of seconds.
To mitigate MAC address table overflow attacks, network administrators must implement port security. Port security allows only a specified number of source MAC addresses to be learned on a port. Port security is discussed further in another module.
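The behaviour above can be reproduced with a toy switch model. This is an added example, not code from these notes or from Cisco: the 16-entry table, the 300 s aging time, the port names and the two hosts are constructed values. It floods a port with random source MACs the way macof does, lets the legitimate entries age out, and shows that Alice's unicast to Bob is now flooded to the attacker's port; with a per-port limit of two MAC addresses (port security in shutdown violation mode) the attacker's port is err-disabled after the third address and the unicast stays private.

```python
"""Toy Layer 2 switch: CAM-table overflow and the port-security limit that
stops it. Added illustration, not Cisco code; capacity, aging time, port
names and MAC addresses are constructed."""
import random
from dataclasses import dataclass

AGING_SECONDS = 300  # default Catalyst MAC aging time


@dataclass
class Frame:
    src: str
    dst: str


class Switch:
    def __init__(self, ports, cam_capacity=16, port_security_max=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = {}                       # mac -> (port, last_seen)
        self.now = 0
        self.port_security_max = port_security_max
        self.secure_macs = {p: set() for p in self.ports}
        self.err_disabled = set()

    def advance(self, seconds):
        """Move the clock forward and age out idle entries."""
        self.now += seconds
        self.cam = {m: (p, t) for m, (p, t) in self.cam.items()
                    if self.now - t < AGING_SECONDS}

    def _learn(self, mac, port):
        if mac in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[mac] = (port, self.now)
        # else: table is full and new source MACs are silently not learned

    def receive(self, port, frame):
        """Return the list of egress ports for a frame arriving on `port`."""
        if port in self.err_disabled:
            return []
        if self.port_security_max is not None:
            allowed = self.secure_macs[port]
            if frame.src not in allowed:
                if len(allowed) >= self.port_security_max:
                    # violation mode "shutdown": err-disable the port
                    self.err_disabled.add(port)
                    self.cam = {m: v for m, v in self.cam.items() if v[0] != port}
                    return []
                allowed.add(frame.src)
        self._learn(frame.src, port)
        hit = self.cam.get(frame.dst)
        if hit is None:
            # unknown unicast: flood out every other (live) port in the VLAN
            return [p for p in self.ports
                    if p != port and p not in self.err_disabled]
        return [] if hit[0] == port else [hit[0]]


def macof_like_flood(switch, port, count, seed=1):
    """Send `count` frames with random source MACs, as macof does."""
    rng = random.Random(seed)
    for _ in range(count):
        mac = "02:" + ":".join("%02x" % rng.randrange(256) for _ in range(5))
        switch.receive(port, Frame(src=mac, dst="ff:ff:ff:ff:ff:ff"))


ALICE, BOB = "00:00:00:00:00:0a", "00:00:00:00:00:0b"


def run(port_security_max=None):
    """Return (egress before attack, egress after attack, err-disabled ports)."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_capacity=16,
                port_security_max=port_security_max)
    sw.receive("Fa0/1", Frame(ALICE, BOB))          # learn Alice on Fa0/1
    sw.receive("Fa0/2", Frame(BOB, ALICE))          # learn Bob on Fa0/2
    before = sw.receive("Fa0/1", Frame(ALICE, BOB))
    macof_like_flood(sw, "Fa0/3", count=64)         # attacker on Fa0/3
    sw.advance(AGING_SECONDS + 1)                   # Alice and Bob go idle
    macof_like_flood(sw, "Fa0/3", count=64, seed=2)  # attacker keeps the table full
    sw.receive("Fa0/2", Frame(BOB, ALICE))          # Bob cannot be re-learned
    after = sw.receive("Fa0/1", Frame(ALICE, BOB))
    return before, after, sorted(sw.err_disabled)


if __name__ == "__main__":
    print("no port security:   ", run())
    print("port-security max 2:", run(port_security_max=2))
```

Without port security the second call returns the flood list ["Fa0/2", "Fa0/3"], i.e. the attacker on Fa0/3 receives Alice's traffic; with a limit of two addresses the attacker's port is err-disabled and the frame goes only to Fa0/2.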
LAN Attacks
(Slide 11 - 22)
Video for LAN attacks
https://youtu.be/WZYHfq5OZf0
VLAN Hopping Attacks
Enables traffic from one VLAN to be seen by another VLAN without the aid of a router.
The threat actor configures a host to act like a switch to take advantage of the automatic trunking feature that is enabled by default on most switch ports.
The threat actor configures the host to spoof 802.1Q signaling and Cisco-proprietary Dynamic Trunking Protocol (DTP) signaling to trunk with the connecting switch.
If successful, the switch establishes a trunk link with the host.
The threat actor can now access all VLANs on the switch.
VLAN Double-Tagging Attacks
The threat actor sends a double-tagged 802.1Q frame to the switch. The outer header carries the VLAN tag of the threat actor, which is the same as the native VLAN of the trunk port.
The frame arrives on the first switch, which looks at the first 4-byte 802.1Q tag. The switch forwards the frame out all native VLAN ports after stripping that tag. The frame is not retagged on the trunk because it belongs to the native VLAN. At this point the inner VLAN tag is still intact and has not been inspected by the first switch.
The frame arrives at the second switch, which has no knowledge that it was supposed to be native VLAN traffic. Native VLAN traffic is not tagged by the sending switch, as specified in the 802.1Q standard. The second switch looks only at the inner 802.1Q tag that the threat actor inserted and sees that the frame is destined for the target VLAN. The second switch forwards the frame to the target or floods it, depending on whether there is an existing MAC address table entry for the target.
The attack is unidirectional and works only when the attacker is connected to a port residing in the same VLAN as the native VLAN of the trunk port.
VLAN Attack Mitigation
Disable trunking on all access ports (switchport mode access).
Disable automatic trunk negotiation (switchport nonegotiate) so that trunks must be manually enabled.
Use a dedicated, otherwise unused VLAN as the native VLAN of trunk links, and never assign it to access ports.
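The double-tagging sequence and the native-VLAN mitigation can be checked on real frame bytes. The following is an added example, not code from these notes or from Cisco: the frame layout follows IEEE 802.1Q, but the two-switch forwarding model (an access port strips the tag of its own VLAN, native VLAN traffic leaves a trunk untagged unless native tagging is enabled, the receiving switch classifies on the first tag it sees) is a deliberate simplification of the attack narrative above, and the MAC addresses and VLAN numbers are constructed.

```python
"""802.1Q double-tagging: build the attacker's frame, push it through a
simplified two-switch model, and see which VLAN it lands in. Added
illustration, not Cisco code; switch behaviour is a simplified model."""
import struct

DOT1Q = 0x8100      # 802.1Q tag protocol identifier
ETH_IP = 0x0800     # payload EtherType used in the sample frame


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def dot1q_tag(vlan, pcp=0):
    """4-byte 802.1Q tag: TPID 0x8100 + TCI (3-bit PCP, DEI, 12-bit VID)."""
    return struct.pack("!HH", DOT1Q, (pcp << 13) | (vlan & 0x0FFF))


def build_frame(dst, src, vlans, payload=b"attacker payload"):
    """Ethernet frame with one 802.1Q tag per entry of `vlans`, outer first."""
    tags = b"".join(dot1q_tag(v) for v in vlans)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ETH_IP) + payload


def vlan_tags(frame):
    """VLAN IDs of all stacked tags, in the order they follow the MAC header."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == DOT1Q:
        tags.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return tags


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def first_switch_trunk_egress(frame, access_vlan, native_vlan, tag_native=False):
    """Frame received on an access port in `access_vlan`, sent out the trunk.
    Returns the bytes put on the trunk, or None if the access port drops it."""
    tags = vlan_tags(frame)
    if tags:
        if tags[0] != access_vlan:
            return None                 # tagged for a foreign VLAN: dropped
        frame = strip_outer_tag(frame)  # the switch removes its own VLAN's tag
    if access_vlan == native_vlan and not tag_native:
        return frame                    # native VLAN leaves the trunk untagged
    return frame[:12] + dot1q_tag(access_vlan) + frame[12:]


def second_switch_vlan(frame, native_vlan):
    """The receiving switch classifies on the first tag, or native if untagged."""
    tags = vlan_tags(frame)
    return tags[0] if tags else native_vlan


def attack_lands_in(access_vlan, native_vlan, target_vlan, tag_native=False):
    """VLAN in which the second switch delivers the attacker's double-tagged
    frame (None if the first switch drops it)."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:aa",
                        [access_vlan, target_vlan])   # outer tag = attacker's VLAN
    on_trunk = first_switch_trunk_egress(frame, access_vlan, native_vlan, tag_native)
    return None if on_trunk is None else second_switch_vlan(on_trunk, native_vlan)


if __name__ == "__main__":
    print("attacker in native VLAN 1, inner tag 20:", attack_lands_in(1, 1, 20))
    print("native VLAN moved to unused 999:       ", attack_lands_in(1, 999, 20))
    print("native VLAN 1 but tagged (tag native): ", attack_lands_in(1, 1, 20, True))
```

With the attacker's access VLAN equal to the native VLAN the frame is delivered in VLAN 20; moving the native VLAN to an unused ID (or tagging native traffic, the Catalyst global command vlan dot1q tag native) keeps it in the attacker's own VLAN 1.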
DHCP Attacks
DHCP Starvation Attack
The goal is to create a DoS for connecting clients.
DHCP starvation attacks require an attack tool such as Gobbler.
Gobbler looks at the entire scope of leasable IP addresses and tries to lease them all.
It creates DHCP Discover messages with bogus source MAC addresses.
DHCP Spoofing Attack
This occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients.
A rogue server can provide a variety of misleading information, including:
Wrong default gateway
Wrong IP address
Wrong DNS server
ARP Attacks
Hosts broadcast ARP Requests to determine the MAC address of a host with a given destination IP address. All hosts on the subnet receive and process the ARP Request. The host with the matching IP address sends an ARP Reply.
A client can also send an unsolicited ARP Reply called a "gratuitous ARP". Other hosts on the subnet store the MAC address and IP address contained in the gratuitous ARP in their ARP tables.
An attacker can send a gratuitous ARP message containing a spoofed MAC address to a switch, and the switch would update its MAC table accordingly. In a typical attack, a threat actor sends unsolicited ARP Replies to other hosts on the subnet with the MAC address of the threat actor and the IP address of the default gateway, effectively setting up a man-in-the-middle attack.
There are many tools available on the internet to create ARP man-in-the-middle attacks.
IPv6 uses the ICMPv6 Neighbor Discovery Protocol for Layer 2 address resolution. IPv6 includes strategies to mitigate Neighbor Advertisement spoofing, similar to the way spoofed ARP Replies are mitigated in IPv4.
ARP spoofing and ARP poisoning are mitigated by implementing Dynamic ARP Inspection (DAI).
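DAI relies on the DHCP snooping binding table, so the two defences (against the rogue DHCP server above and against spoofed ARP Replies) are best shown together. The following is an added example, not code from these notes or from Cisco: it builds minimal DHCP (RFC 2131) and ARP (RFC 826) packets, parses them, and runs a model switch that accepts DHCP server replies only from trusted ports, records client bindings from DHCPACKs, and drops ARP Replies on untrusted ports whose sender MAC/IP pair does not match a binding. Port names, addresses and MACs are constructed; rate limiting of DHCP Discover messages (the starvation defence) is not modelled.

```python
"""DHCP snooping and Dynamic ARP Inspection on a model switch. Added
illustration, not Cisco code; packet layouts follow RFC 2131 and RFC 826,
ports, addresses and MACs are constructed."""
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"       # DHCP magic cookie
DHCPOFFER, DHCPACK = 2, 5         # option 53 message types used here


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def dhcp_packet(msg_type, yiaddr, chaddr, xid=0x1234):
    """Minimal BOOTREPLY (op=2) with option 53 (message type) and the end option."""
    head = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                       b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                       mac(chaddr).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return head + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(pkt):
    """Return (message type, yiaddr, client MAC), or None if not a DHCP packet."""
    if len(pkt) < 244 or pkt[236:240] != MAGIC:
        return None
    yiaddr = str(IPv4Address(pkt[16:20]))
    chaddr = ":".join("%02x" % b for b in pkt[28:34])
    i, msg_type = 240, None
    while i < len(pkt) and pkt[i] != 255:        # walk the TLV options
        if pkt[i] == 0:                           # pad option
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        if code == 53:
            msg_type = pkt[i + 2]
        i += 2 + ln
    return msg_type, yiaddr, chaddr


def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """28-byte Ethernet/IPv4 ARP Reply (opcode 2)."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2, mac(sender_mac),
                       IPv4Address(sender_ip).packed, mac(target_mac),
                       IPv4Address(target_ip).packed)


def parse_arp(pkt):
    """Return (opcode, sender MAC, sender IP)."""
    _, _, _, _, op, sha, spa, _, _ = struct.unpack("!HHBBH6s4s6s4s", pkt)
    return op, ":".join("%02x" % b for b in sha), str(IPv4Address(spa))


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}   # client MAC -> leased IP, from DHCPACKs on trusted ports

    def dhcp_from(self, port, pkt):
        """DHCP snooping: server messages are accepted only on trusted ports."""
        parsed = parse_dhcp(pkt)
        if parsed is None:
            return "not-dhcp"
        msg_type, yiaddr, chaddr = parsed
        if msg_type in (DHCPOFFER, DHCPACK) and port not in self.trusted:
            return "dropped"                      # rogue server on an access port
        if msg_type == DHCPACK:
            self.bindings[chaddr] = yiaddr        # populate the binding table
        return "forwarded"

    def arp_from(self, port, pkt):
        """DAI: on untrusted ports the sender MAC/IP must match a binding."""
        if port in self.trusted:
            return "forwarded"
        _, sha, spa = parse_arp(pkt)
        return "forwarded" if self.bindings.get(sha) == spa else "dropped"


def demo():
    """Return the verdict for each packet in a short constructed scenario."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})      # uplink to the real DHCP server
    victim, attacker = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    return [
        sw.dhcp_from("Gi0/1", dhcp_packet(DHCPACK, "10.0.0.10", victim)),
        sw.dhcp_from("Gi0/1", dhcp_packet(DHCPACK, "10.0.0.11", attacker)),
        # rogue DHCP server on access port Fa0/3 answering the victim
        sw.dhcp_from("Fa0/3", dhcp_packet(DHCPOFFER, "10.0.0.50", victim)),
        # attacker claims the gateway address 10.0.0.1 with its own MAC
        sw.arp_from("Fa0/3", arp_reply(attacker, "10.0.0.1", victim, "10.0.0.10")),
        # the same host answering for its real lease is allowed through
        sw.arp_from("Fa0/3", arp_reply(attacker, "10.0.0.11", victim, "10.0.0.10")),
    ]


if __name__ == "__main__":
    print(demo())
```

The rogue OFFER and the gateway-impersonating ARP Reply both come back as "dropped", the legitimate packets as "forwarded". On a Catalyst the equivalent configuration is ip dhcp snooping with ip dhcp snooping trust on the uplink, and ip arp inspection vlan for the client VLAN.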
Address Spoofing Attacks
IP address spoofing attacks occur when a threat actor hijacks a valid IP address of another device on the subnet or uses a random IP address.
MAC address spoofing attacks occur when the threat actor alters the MAC address of their host to match the known MAC address of a target host.
When the switch sees a frame with the spoofed source MAC address, it overwrites the current MAC table entry and assigns the MAC address to the new port. It then inadvertently forwards frames destined for the target host to the attacking host.
When the target host sends traffic, the switch corrects the error, realigning the MAC address to the original port. To stop the switch from returning the port assignment to its correct state, the threat actor can create a program or script that constantly sends frames to the switch so that the switch maintains the incorrect, spoofed information.
There is no security mechanism at Layer 2 that allows a switch to verify the source of MAC addresses, which is what makes it so vulnerable to spoofing.
CDP (Cisco Discovery Protocol) Reconnaissance
Proprietary Layer 2 link discovery protocol.
It is enabled on all Cisco devices by default.
CDP is used to help configure and troubleshoot network devices.
CDP information is sent out CDP-enabled ports in periodic, unencrypted, unauthenticated broadcasts.
CDP information includes the IP address of the device, the IOS software version, platform, capabilities, and the native VLAN. The device receiving the CDP message updates its CDP database.
To mitigate the exploitation of CDP, limit the use of CDP on devices or ports.
For example, disable CDP on edge ports that connect to untrusted devices.
To disable CDP globally on a device, use the no cdp run global configuration command. To enable CDP globally, use the cdp run global configuration command.
To disable CDP on a port, use the no cdp enable interface configuration command. To enable CDP on a port, use the cdp enable interface configuration command.
Layer 2 Security Threats
(Slide 3 - 6)
Switch Attack Categories
Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weak link. Layer 2 has received less attention because LANs were traditionally under the administrative control of a single organization and treated as trusted. Today, with BYOD and more sophisticated attacks, our LANs have become more vulnerable to penetration.
Layer 2 Vulnerabilities
Recall that the OSI reference model is divided into seven layers that work independently of each other. The figure in the slides shows the function of each layer and the core elements that can be exploited.
Network administrators routinely implement security solutions to protect the elements from Layer 3 up through Layer 7. They use VPNs, firewalls and IPS devices to protect these elements. However, if Layer 2 is compromised, then all the layers above it are also affected.
e.g.: If a threat actor with access to the internal network captured Layer 2 frames, then all the security implemented on the layers above would be useless.
Switch Attack Mitigation Techniques
These Layer 2 solutions will not be effective if the management protocols are not secured. The following strategies are recommended:
Always use secure variants of management protocols such as Secure Shell (SSH), Secure Copy Protocol (SCP), Secure FTP (SFTP), and Secure Socket Layer/Transport Layer Security (SSL/TLS).
Consider using an out-of-band management network to manage devices.
Use ACLs to filter unwanted access.