Module 14: Layer 2 Security Considerations - Coggle Diagram
Module 14: Layer 2 Security Considerations
14.1 Layer Security Threats
14.1.1 Describe Layer 2 Vulnerabilities
The OSI reference model is divided into seven layers that work independently of each other.
Network administrators routinely implement security solutions to protect the elements in Layer 3 up through Layer 7 using VPNs, firewalls, and IPS devices.
Lower Levels Affect Higher Levels
14.1.2 Switch Attack Categories
The first step in mitigating attacks on the Layer 2 infrastructure is to understand the underlying operation of Layer 2 and the threats posed by the Layer 2 infrastructure.
14.2 MAC Table Attacks
14.2.1 Switch Fundamentals
An Ethernet switch examines its MAC address table to make a forwarding decision for each frame, unlike legacy Ethernet hubs that repeat bits out all ports except the incoming port.
14.2.2 Switch Learning and Forwarding
Examine the Source MAC Address
Find the Destination MAC Address
14.2.3 Filtering Frames
PC-D is replying to PC-A.
MAC address for PC-A in the MAC Address Table
PC-A sends another frame to PC-D, as shown in the figure.
14.2.4 MAC Address Table Flooding
This condition now allows a threat actor to capture all of the frames sent from one host to another on the local LAN or local VLAN.
14.2.5 MAC Address Table Attack Mitigation
A tool such as macof can flood a switch with up to 8,000 bogus frames per second.
14.3 Mitigate MAC Table Attacks
14.3.1 Secure Unused Ports
If a port must be reactivated at a later time, it can be enabled with the no shutdown command.
14.3.2 Mitigate MAC Address Table Attacks
The simplest and most effective method to prevent MAC address table overflow attacks is to enable port security.
14.3.3 Enable Port Security
Notice in the example, the switchport port-security command was rejected.
Use the show port-security interface command to display the current port security settings for FastEthernet 0/1.
14.3.4 Limit and Learn MAC Addresses
To set the maximum number of MAC addresses allowed on a port, use the following command:
14.3.5 Port Security Aging
Port security aging can be used to set the aging time for static and dynamic secure addresses on a port. Two types of aging are supported per port:
Absolute - The secure addresses on the port are deleted after the specified aging time.
Inactivity - The secure addresses on the port are deleted only if they are inactive for the specified aging time.
14.3.6 Port Security Violation Modes
If the MAC address of a device that is attached to the port differs from the list of secure addresses, then a port violation occurs. By default, the port enters the error-disabled state.
14.3.7 Ports in error-disabled State
The port is physically shutdown and placed in the error-disabled state, and no traffic is sent or received on that port.
14.3.8 Verify Port Security
Port Security for All Interfaces
To display port security settings for the switch, use the show port-security command. The example indicates that only one port is configured with the switchport port-security command.
Port Security for a Specific Interface
Use the show port-security interface command to view details for a specific interface, as shown previously and in this example.
Verify Learned MAC Addresses
To verify that MAC addresses are “sticking” to the configuration, use the show run command as shown in the example for FastEthernet 0/19.
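A complete port-security configuration that walks through the 14.3 subsections in order: securing unused ports, enabling the feature, limiting and learning addresses, aging, the violation mode, error-disabled recovery and verification. This is an added example, not the module's own configuration; the hostname S1, the interface numbers, VLANs 10 and 999 and the timer values are assumptions.

```cisco
! Added example; S1, interface numbers, VLAN 10/999 and the timers are assumed.
S1(config)# interface FastEthernet0/1
! Port security is only accepted on a static access (or manually trunked) port;
! on a port still in dynamic (DTP) mode the command is rejected, as in 14.3.3.
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
S1(config-if)# switchport port-security
! Limit: at most two secure addresses, e.g. an IP phone and the PC behind it.
S1(config-if)# switchport port-security maximum 2
! Learn: dynamically learned addresses become sticky entries in the running
! configuration; they still have to be saved with "copy running-config startup-config".
S1(config-if)# switchport port-security mac-address sticky
! Aging: remove secure addresses that have been silent for 10 minutes. Sticky and
! static entries only age when "aging static" is configured as well.
S1(config-if)# switchport port-security aging type inactivity
S1(config-if)# switchport port-security aging time 10
S1(config-if)# switchport port-security aging static
! Violation mode: "restrict" drops offending frames, counts them and logs them;
! the default "shutdown" mode would put the port into error-disabled state instead.
S1(config-if)# switchport port-security violation restrict
S1(config-if)# exit
! Secure unused ports (14.3.1): park them in an unused VLAN and shut them down.
S1(config)# interface range FastEthernet0/5 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 999
S1(config-if-range)# shutdown
S1(config-if-range)# exit
! For ports that keep the default "shutdown" violation mode, let the switch
! re-enable them after 5 minutes instead of requiring a manual shutdown/no shutdown.
S1(config)# errdisable recovery cause psecure-violation
S1(config)# errdisable recovery interval 300
S1(config)# end
! Verify (14.3.8): the whole switch, one interface, learned addresses, sticky entries.
S1# show port-security
S1# show port-security interface FastEthernet0/1
S1# show port-security address
S1# show running-config interface FastEthernet0/1
```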
14.4 Mitigate VLAN Attacks
14.4.1 VLAN Hopping Attacks
A VLAN hopping attack enables traffic from one VLAN to be seen by another VLAN without the aid of a router.
14.4.2 VLAN Double-Tagging Attack
Step 1
Step 2
Step 3
14.4.3 Mitigating VLAN Hopping Attacks
Use the following steps to mitigate VLAN hopping attacks:
Step 1: Disable DTP (auto trunking) negotiations on non-trunking ports by using the switchport mode access interface configuration command.
Step 2: Disable unused ports and put them in an unused VLAN. In the example it is VLAN 1000.
Step 3: Manually enable the trunk link on a trunking port by using the switchport mode trunk command.
Step 4: Disable DTP (auto trunking) negotiations on trunking ports by using the switchport nonegotiate command.
Step 5: Set the native VLAN to a VLAN other than VLAN 1 by using the switchport trunk native vlan vlan_number command.
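The five mitigation steps applied to one access switch, as an added example rather than the module's own configuration: the hostname S1, the interface numbers, the user VLANs 10 and 20, the parking VLAN 1000 and the native VLAN 999 are assumptions. Trimming the allowed VLAN list on the trunk is an extra hardening step beyond the five listed.

```cisco
! Added example; S1, interface numbers and VLANs 10, 20, 999 and 1000 are assumed.
! Step 1: user-facing ports are static access ports and never send DTP.
S1(config)# interface range FastEthernet0/1 - 12
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 10
S1(config-if-range)# switchport nonegotiate
S1(config-if-range)# exit
! Step 2: unused ports are parked in VLAN 1000 and shut down.
S1(config)# interface range FastEthernet0/13 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 1000
S1(config-if-range)# shutdown
S1(config-if-range)# exit
! Steps 3 to 5: the uplink is an explicit 802.1Q trunk, DTP is off, and the
! native VLAN is one that no access port uses, so the outer tag of a
! double-tagged frame sent from an access port never matches the native VLAN.
S1(config)# interface GigabitEthernet0/1
! The encapsulation command exists only on platforms that also support ISL.
S1(config-if)# switchport trunk encapsulation dot1q
S1(config-if)# switchport mode trunk
S1(config-if)# switchport nonegotiate
S1(config-if)# switchport trunk native vlan 999
! Extra: carry only the VLANs that actually need to cross this trunk.
S1(config-if)# switchport trunk allowed vlan 10,20
S1(config-if)# end
! Verify: no port should report a "dynamic" administrative mode or DTP negotiation on.
S1# show interfaces GigabitEthernet0/1 switchport
S1# show interfaces trunk
S1# show dtp interface GigabitEthernet0/1
```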
14.4.5 Private VLANs
There are three types of PVLAN ports:
Promiscuous - A promiscuous port can talk to everyone. It can communicate with all interfaces, including the isolated and community ports within a PVLAN.
Isolated - An isolated port can only talk to promiscuous ports. An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.
Community - Community ports can talk to other community and promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.
14.4.6 PVLAN Edge Feature
The PVLAN Edge feature has the following characteristics:
A protected port does not forward any traffic, such as unicast, multicast, or broadcast, to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
Forwarding behavior between a protected port and a non-protected port proceeds as usual.
The default is to have no protected ports defined.
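A PVLAN with all three port types from 14.4.5, followed by the PVLAN Edge (protected port) alternative from 14.4.6. This is an added example, not the module's own configuration; the hostname S1, VLANs 100, 101 and 102 and the interface numbers are assumptions.

```cisco
! Added example; S1, VLANs 100/101/102 and the interface numbers are assumed.
! Private VLANs require VTP transparent mode (or VTP version 3).
S1(config)# vtp mode transparent
! Secondary VLANs first: 101 is isolated, 102 is a community.
S1(config)# vlan 101
S1(config-vlan)# private-vlan isolated
S1(config-vlan)# vlan 102
S1(config-vlan)# private-vlan community
! Primary VLAN 100 is associated with both secondary VLANs.
S1(config-vlan)# vlan 100
S1(config-vlan)# private-vlan primary
S1(config-vlan)# private-vlan association 101,102
S1(config-vlan)# exit
! Promiscuous port: talks to everyone; typically the gateway or firewall uplink.
S1(config)# interface GigabitEthernet0/1
S1(config-if)# switchport mode private-vlan promiscuous
S1(config-if)# switchport private-vlan mapping 100 101,102
S1(config-if)# exit
! Isolated host port: reaches only the promiscuous port, never another isolated port.
S1(config)# interface FastEthernet0/1
S1(config-if)# switchport mode private-vlan host
S1(config-if)# switchport private-vlan host-association 100 101
S1(config-if)# exit
! Community host ports: reach each other and the promiscuous port.
S1(config)# interface range FastEthernet0/2 - 3
S1(config-if-range)# switchport mode private-vlan host
S1(config-if-range)# switchport private-vlan host-association 100 102
S1(config-if-range)# exit
! PVLAN Edge (14.4.6): the single-switch alternative. Protected ports cannot
! exchange data frames with each other at Layer 2; they must go through a router.
S1(config)# interface range FastEthernet0/10 - 11
S1(config-if-range)# switchport protected
S1(config-if-range)# end
S1# show vlan private-vlan
S1# show interfaces FastEthernet0/10 switchport
```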
14.5 Mitigate DHCP Attacks
14.5.1 DHCP Attacks
DHCP Spoofing Attack
Wrong DNS server - The rogue server provides an incorrect DNS server address that points the user to a nefarious website.
Wrong IP address - The rogue server provides an invalid IP address which effectively creates a DoS attack on the DHCP client.
Wrong default gateway - The rogue server provides an invalid gateway, or its own IP address, to create a man-in-the-middle attack. This may go entirely undetected as the intruder intercepts the data flow through the network and then forwards it on to the real default gateway.
14.5.2 DHCP Attacks Mitigation
It is easy to mitigate DHCP starvation attacks by using port security.
14.5.3 Steps to Implement DHCP Snooping
Use the following steps to enable DHCP snooping:
Step 1. Enable DHCP snooping by using the ip dhcp snooping global configuration command.
Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration command.
Step 3. Limit the number of DHCP discovery messages that can be received per second on untrusted ports by using the ip dhcp snooping limit rate interface configuration command.
Step 4. Enable DHCP snooping by VLAN, or by a range of VLANs, by using the ip dhcp snooping vlan global configuration command.
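The four steps carried through on one access switch, together with the port security that 14.5.2 names as the starvation countermeasure. This is an added example, not the module's own 14.5.4 configuration; the hostname S1, the uplink and access interface numbers, VLANs 10 and 20 and the rate limit are assumptions.

```cisco
! Added example; S1, interface numbers, VLANs 10/20 and the rate limit are assumed.
! Step 1: enable the feature globally. Nothing is inspected until step 4
! turns it on for specific VLANs.
S1(config)# ip dhcp snooping
! Step 2: only the uplink towards the legitimate DHCP server (or relay) may
! send server messages such as OFFER and ACK; every other port stays untrusted.
S1(config)# interface GigabitEthernet0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
! Step 3: cap client DHCP messages on untrusted access ports. A real host sends
! far fewer than six per second; a starvation tool sends hundreds.
S1(config)# interface range FastEthernet0/1 - 24
S1(config-if-range)# ip dhcp snooping limit rate 6
! Port security on the same ports (14.5.2) stops the flood of spoofed source MACs
! that a starvation attack needs in order to request many leases.
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport port-security
S1(config-if-range)# switchport port-security maximum 2
S1(config-if-range)# exit
! Step 4: snoop the client VLANs.
S1(config)# ip dhcp snooping vlan 10,20
! Optional: on a switch with no relay function, stop inserting option 82; some
! DHCP servers reject packets that carry option 82 without a relay address.
S1(config)# no ip dhcp snooping information option
S1(config)# end
! Verify: trusted ports, rate limits, and the IP-to-MAC binding table that
! Dynamic ARP Inspection and IP Source Guard later rely on.
S1# show ip dhcp snooping
S1# show ip dhcp snooping binding
```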
14.5.4 DHCP Snooping Configuration Example
14.6 Mitigate ARP Attacks
14.6.1 ARP Attacks
This is typically done to discover the MAC address of the default gateway.
Normal State with Converged MAC Tables
ARP Spoofing Attack
The first one informs all devices on the LAN that the threat actor’s MAC address (CC:CC:CC) maps to R1’s IPv4 address, 10.0.0.1.
The second one informs all devices on the LAN that the threat actor’s MAC address (CC:CC:CC) maps to PC1’s IPv4 address, 10.0.0.11.
ARP Poisoning Attack with Man-in-the-Middle Attack
14.6.3 Dynamic ARP Inspection
Dynamic ARP inspection (DAI) requires DHCP snooping and helps prevent ARP attacks by:
Not relaying invalid or gratuitous ARP Requests out to other ports in the same VLAN
Intercepting all ARP Requests and Replies on untrusted ports
Verifying each intercepted packet for a valid IP-to-MAC binding
Dropping and logging ARP Requests coming from invalid sources to prevent ARP poisoning
Error-disabling the interface if the configured DAI limit on the number of ARP packets is exceeded
14.6.4 DAI Implementation Guidelines
To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI implementation guidelines:
14.6.5 DAI Configuration Example
Destination MAC - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP packet body
Source MAC - Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP packet body
IP address - Checks the ARP packet body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses
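A DAI configuration covering 14.6.3 through 14.6.5: the DHCP snooping prerequisite, the trusted uplink, the untrusted-port rate limit, the three optional validation checks and verification. This is an added example, not the module's own configuration; the hostname S1, the interface numbers and VLANs 10 and 20 are assumptions.

```cisco
! Added example; S1, interface numbers and VLANs 10/20 are assumed.
! DAI checks ARP packets against the DHCP snooping binding table, so
! snooping must already be running on the same VLANs.
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10,20
! Enable DAI per VLAN. Every port is untrusted by default.
S1(config)# ip arp inspection vlan 10,20
! The uplink to other switches and the router is trusted: its ARP traffic was
! already inspected at the access port where it entered the network.
S1(config)# interface GigabitEthernet0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust
S1(config-if)# exit
! Untrusted access ports keep the default limit of 15 ARP packets per second
! (made explicit here); a port that exceeds it is error-disabled, per 14.6.3.
S1(config)# interface range FastEthernet0/1 - 24
S1(config-if-range)# ip arp inspection limit rate 15
S1(config-if-range)# exit
! Optional checks from 14.6.5: Ethernet destination and source MAC against the
! ARP body, and rejection of 0.0.0.0, 255.255.255.255 and multicast addresses.
S1(config)# ip arp inspection validate src-mac dst-mac ip
! Recover ports that the rate limiter error-disabled after 5 minutes.
S1(config)# errdisable recovery cause arp-inspection
S1(config)# errdisable recovery interval 300
S1(config)# end
! Verify the VLAN settings, per-port trust state and rate limit, and the
! forwarded/dropped counters that show poisoning attempts being blocked.
S1# show ip arp inspection vlan 10
S1# show ip arp inspection interfaces
S1# show ip arp inspection statistics vlan 10
```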
14.7 Mitigate Address Spoofing Attacks
The method used by switches to populate the MAC address table leads to a vulnerability known as MAC address spoofing. MAC address spoofing attacks occur when attackers alter the MAC address of their host to match another known MAC address of a target host, as shown in the figure. The attacking host then sends a frame throughout the network with the newly configured MAC address.
Address Spoofing Attack Mitigation
Source IP address filter - IP traffic is filtered based on its source IP address, and only IP traffic with a source IP address that matches the IP source binding entry is permitted. When a new IP source binding entry is created or deleted on the port, the PVACL automatically adjusts itself to reflect the IP source binding change.
Source IP and MAC address filter - IP traffic is filtered based on its source IP address in addition to its MAC address. Only IP traffic with source IP and MAC addresses that match the IP source binding entry are permitted.
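The two IP Source Guard filter types configured side by side, plus a static binding for a host that does not use DHCP. This is an added example, not the module's own configuration; the hostname S1, VLAN 10, the interface numbers and the static host's address and MAC are constructed for illustration.

```cisco
! Added example; S1, VLAN 10, interface numbers and the static host are constructed.
! IP Source Guard takes its bindings from the DHCP snooping table, so snooping
! must be enabled on the VLAN first.
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
! Source IP filter: only packets whose source IP matches this port's binding pass.
S1(config)# interface FastEthernet0/1
S1(config-if)# ip verify source
S1(config-if)# exit
! Source IP and MAC filter: the frame's source MAC must match the binding too.
! This variant requires port security on the port. The keyword differs by
! release: "port-security" on older Catalyst IOS, "mac-check" on newer ones.
S1(config)# interface FastEthernet0/2
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# ip verify source port-security
S1(config-if)# exit
! A host with a static address never obtains a lease, so it has no snooping
! binding; without a manual entry IP Source Guard would drop all of its traffic.
S1(config)# ip source binding 0011.2233.4455 vlan 10 10.0.10.50 interface FastEthernet0/3
S1(config)# interface FastEthernet0/3
S1(config-if)# ip verify source
S1(config-if)# end
! Verify the filter type per port and the bindings currently enforced.
S1# show ip verify source
S1# show ip source binding
```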
14.8 Spanning Tree Protocol
14.8.1 Spanning Tree Protocol
Spanning Tree Protocol (STP) is a loop-prevention network protocol that allows for redundancy while creating a loop-free Layer 2 topology.
14.8.2 STP Recalculation
STP Compensates for Network Failure
14.8.3 Layer 2 Loops
Without STP enabled, Layer 2 loops can form, causing broadcast, multicast and unknown unicast frames to loop endlessly.
14.8.4 STP Port Roles
STP Ports
14.8.5 STP Root Bridge
Bridge ID (BID) Fields
14.8.6 STP Path Cost
14.8.7 Select the Root Bridge
14.9 Mitigate STP Attacks
To conduct an STP manipulation attack, the attacking host broadcasts STP bridge protocol data units (BPDUs) containing configuration and topology changes that will force spanning-tree recalculations, as shown in the figure. The BPDUs that are sent by the attacking host announce a lower bridge priority in an attempt to be elected as the root bridge.
Mitigating STP Attacks
PortFast - PortFast immediately brings an interface that is configured as an access or trunk port to the forwarding state from a blocking state. This bypasses the listening and learning states. It should be applied to all end-user ports. PortFast should only be configured when there is a host attached to the port, and not another switch.
BPDU Guard - BPDU guard immediately error disables a port that receives a BPDU. It is typically used on PortFast enabled ports. Apply to all end-user ports.
Root Guard - Root guard prevents an inappropriate switch from becoming the root bridge. Root guard limits the switch ports out of which the root bridge may be negotiated. Apply to all ports which should not become root ports.
Loop Guard - Loop guard prevents alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. Apply to all ports that are or can become non-designated.
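The four mechanisms above applied to an access switch, with the root bridge election pinned on the intended root so that a lower-priority BPDU from an end-user port cannot win it. This is an added example, not the module's own configuration; the hostnames S1 (access switch) and D1 (intended root bridge) and the interface numbers are assumptions.

```cisco
! Added example; S1 (access switch), D1 (intended root) and interfaces are assumed.
! On the switch that should be root, make the election deterministic rather than
! leaving the default priority of 32768, which an attacker's BPDU easily undercuts.
D1(config)# spanning-tree vlan 1-4094 root primary
! On the access switch: PortFast and BPDU Guard on every end-user port.
S1(config)# interface range FastEthernet0/1 - 24
S1(config-if-range)# spanning-tree portfast
S1(config-if-range)# spanning-tree bpduguard enable
S1(config-if-range)# exit
! The same two settings as a global default for all non-trunking ports, so a
! port patched in later is covered as well.
S1(config)# spanning-tree portfast default
S1(config)# spanning-tree portfast bpduguard default
! Root Guard on the port facing a downstream switch, which must never become a
! root port; a superior BPDU there puts the port into root-inconsistent state.
S1(config)# interface GigabitEthernet0/2
S1(config-if)# spanning-tree guard root
S1(config-if)# exit
! Loop Guard on the uplink, which is or may become a non-designated port: if
! BPDUs stop arriving (unidirectional link) it goes loop-inconsistent instead
! of transitioning to forwarding. Root Guard and Loop Guard never share a port.
S1(config)# interface GigabitEthernet0/1
S1(config-if)# spanning-tree guard loop
S1(config-if)# exit
! Let ports that BPDU Guard error-disabled recover without manual intervention.
S1(config)# errdisable recovery cause bpduguard
S1(config)# end
! Verify the global defaults, any inconsistent ports, and the per-port guards.
S1# show spanning-tree summary
S1# show spanning-tree inconsistentports
S1# show spanning-tree interface GigabitEthernet0/2 detail
```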
STP Stability Mechanisms