Please enable JavaScript.

Coggle requires JavaScript to display documents.

Module 14: Layer 2 Security Considerations, Layer 2 Loops - Coggle Diagram

- - - - MAC Table Attacks
        
        Includes MAC table overflow (also called MAC Address Flooding) Attacks.
      - VLAN Attacks
        
        Includes VLAN hopping and VLAN double-tagging attacks. It also includes attacks between devices on a common VLAN.
      - DHCP Attacks
        
        Includes DHCP starvation and DHCP spoofing attacks.
      - ARP Attacks
        
        Includes ARP spoofing and ARP poisoning attacks.
      - Address Spoofing Attacks
        
        Includes MAC Address and IP address spoofing attacks.
      - STP Attacks
        
        Includes Spanning Tree Protocol manipulation attacks.
    - - Port Security
        
        Port security prevents many types of attacks including MAC table overflow attacks and DHCP starvation attacks.
        
        DHCP Snooping
        
        DHCP Snooping prevents DHCP starvation and DHCP spoofing attacks by rogue DHCP servers.
        
        Dynamic ARP Inspection (DAI)
        
        DAI prevents ARP spoofing and ARP poisoning attacks.
        
        IP Source Guard (IPSG)
        
        IP Source Guard prevents MAC and IP address spoofing attacks.
- - - - The switch dynamically builds the MAC address table by examining the source MAC address of the frames that are received on a port. The switch forwards frames by searching for a match between the destination MAC address in the frame and an entry in the MAC address table.
        
        Learning
        
        Examine the Source MAC Address
        Every frame that enters a switch is checked for new information to learn. It does this by examining the source MAC address of the frame and the port number where the frame entered the switch. If the source MAC address does not exist, it is added to the table along with the incoming port number. If the source MAC address does exist, the switch updates the refresh timer for that entry in the table. By default, most Ethernet switches keep an entry in the table for 5 minutes.
        
        Forwarding
        
        Find the Destination MAC Address
        If the destination MAC address is a unicast address, the switch will look for a match between the destination MAC address of the frame and an entry in its MAC address table. If the destination MAC address is in the table, it will forward the frame out the specified port. If the destination MAC address is not in the table, the switch will forward the frame out all ports except the incoming port. This is called an unknown unicast.
        
        As a switch receives frames from different devices, it is able to populate its MAC address table by examining the source MAC address of every frame. When the MAC address table of the switch contains the destination MAC address, it is able to filter the frame and forward out a single port.
        
        PC-D to Switch
        
        Switch to PC-A
        
        PC-A to Switch to PC-D
- - - - A VLAN hopping attack enables traffic from one VLAN to be seen by another VLAN without the aid of a router. In a basic VLAN hopping attack, the threat actor configures a host to act like a switch to take advantage of the automatic trunking port feature enabled by default on most switch ports.
  - - - Use the following steps to mitigate VLAN hopping attacks:
      - Step 2: Disable unused ports and put them in an unused VLAN. In the example it is VLAN 1000.
      - Step 3: Manually enable the trunk link on a trunking port by using the switchport mode trunk command.
      - Step 4: Disable DTP (auto trunking) negotiations on trunking ports by using the switchport nonegotiate command.
      - Step 5: Set the native VLAN to a VLAN other than VLAN 1 by using the switchport trunk native vlan vlan_number command.
  - - - Promiscuous - A promiscuous port can talk to everyone. It can communicate with all interfaces, including the isolated and community ports within a PVLAN.
      - Isolated - An isolated port can only talk to promiscuous ports. An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.
      - Community - Community ports can talk to other community and promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.
  - - - A protected port does not forward any traffic, such as unicast, multicast, or broadcast, to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
      - Forwarding behavior between a protected port and a non-protected port proceeds as usual.
      - The default is to have no protected ports defined.
- - - - The goal of the DHCP starvation attack is DoS for connecting clients. DHCP starvation attacks require an attack tool such as Gobbler. Gobbler has the ability to look at the entire scope of leasable IP addresses and tries to lease them all. Specifically, it creates DHCP discovery messages with bogus MAC addresses.
    - - A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients. A rogue server can provide a variety of misleading information:
        
        Wrong DNS server - The rogue server provides an incorrect DNS server address that points the user to a nefarious website.
        
        Wrong IP address - The rogue server provides an invalid IP address which effectively creates a DoS attack on the DHCP client.
        
        Wrong default gateway - The rogue server provides an invalid gateway, or its own IP address, to create a man-in-the-middle attack. This may go entirely undetected as the intruder intercepts the data flow through the network and then forwards it on to the real default gateway.
      - An example:
        
        Step 1
        
        Threat Actor Connects Rogue DHCP Server
        
        A threat actor successfully connects a rogue DHCP server to a switch port on the same subnet and VLANs as the target clients. The goal of the rogue server is to provide clients with false IP configuration information.
        
        Step 2
        
        Client Broadcasts DHCP Discovery Messages
        
        A legitimate client connects to the network and requires IP configuration parameters. Therefore, the client broadcasts a DHCP Discovery request looking for a response from a DHCP server. Both servers will receive the message and respond.
        
        Step 3
        
        Legitimate and Rogue DHCP Reply
        
        The legitimate DHCP server responds with valid IP configuration parameters. However, the rogue server also responds with a DHCP offer containing IP configuration parameters defined by the threat actor. The client will reply to the first offer received.
        
        Step 4
        
        Client Accepts Rogue DHCP Offer
        
        The rogue offer was received first, and therefore, the client broadcasts a DHCP request accepting the IP parameters defined by the threat actor. The legitimate and rogue server will receive the request.
        
        Step 5
        
        Rogue Server Acknowledges
        
        The rogue server unicasts a reply to the client to acknowledge its request. The legitimate server will cease communicating with the client.
      - Configuration:
        
        S1(config)#ip dhcp snooping
        
        Enter interface configuration mode for g0/1 - 2, trust the interfaces, and return to global configuration mode.
        
        S1(config)#interface range g0/1 - 2
        
        S1(config-if-range)#ip dhcp snooping trust
        
        S1(config-if-range)#exit
        
        Enter interface configuration mode for f0/1 - 24, limit the DHCP messages to no more than 10 per second, and return to global configuration mode.
        
        S1(config)#interface range f0/1 - 24
        
        S1(config-if-range)#ip dhcp snooping limit rate 10
        
        S1(config-if-range)#exit
        
        Enable DHCP snooping for VLANs 10,20,30-49.
        
        S1(config)#ip dhcp snooping vlan 10,20,30-49
        
        S1(config)# exit
        
        Enter the command to verify DHCP snooping.
        
        S1#show ip dhcp snooping
- - - - Step2
        
        ARP Spoofing Attack
        
        The threat actor sends two spoofed gratuitous ARP Replies in an attempt to replace R1 as the default gateway:
        
        The first one informs all devices on the LAN that the threat actor’s MAC address (CC:CC:CC) maps to R1’s IPv4 address, 10.0.0.1.
        
        The second one informs all devices on the LAN that the threat actor’s MAC address (CC:CC:CC) maps to PC1’s IPv4 address, 10.0.0.11.
      - Step 3
        
        ARP Poisoning Attack with Man-in-the-Middle Attack
        
        R1 and PC1 remove the correct entry for each other’s MAC address and replace it with PC2’s MAC address. The threat actor has now poisoned the ARP caches of all devices on the subnet. ARP poisoning leads to various man-in-the-middle attacks, posing a serious security threat to the network.
      - Step 1
        
        Normal State with Converged MAC Tables
        
        Each device has an accurate MAC table with the correct IPv4 and MAC addresses for the other devices on the LAN.
    - - In a typical ARP attack, a threat actor can send unsolicited ARP requests to other hosts on the subnet with the MAC Address of the threat actor and the IP address of the default gateway. To prevent ARP spoofing and the resulting ARP poisoning, a switch must ensure that only valid ARP Requests and Replies are relayed.
        
        Dynamic ARP inspection (DAI) requires DHCP snooping and helps prevent ARP attacks by:
        
        Not relaying invalid or gratuitous ARP Requests out to other ports in the same VLAN
        
        Intercepting all ARP Requests and Replies on untrusted ports
        
        Verifying each intercepted packet for a valid IP-to-MAC binding
        
        Dropping and logging ARP Requests coming from invalid sources to prevent ARP poisoning
        
        Error-disabling the interface if the configured DAI number of ARP packets is exceeded
        
        DAI Implementation Guidelines
        
        To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI implementation guidelines:
        
        Enable DHCP snooping globally.
        
        Enable DHCP snooping on selected VLANs.
        
        Enable DAI on selected VLANs.
        
        Configure trusted interfaces for DHCP snooping and ARP inspection.
        
        It is generally advisable to configure all access switch ports as untrusted and to configure all uplink ports that are connected to other switches as trusted.
        
        DAI Configuration Example
        
        You are currently logged into S1. Enable DHCP snooping globally for the switch.
        
        S1(config)#ip dhcp snooping
        
        Enter interface configuration mode for g0/1 - 2, trust the interfaces for both DHCP snooping and DAI, and then return to global configuration mode.
        
        S1(config)#interface range g0/1 - 2
        
        S1(config-if-range)#ip dhcp snooping trust
        
        S1(config-if-range)#ip arp inspection trust
        
        S1(config-if-range)#exit
        
        Enable DHCP snooping and DAI for VLANs 10,20,30-49.
        
        S1(config)#ip dhcp snooping vlan 10,20,30-49
        
        S1(config)#ip arp inspection vlan 10,20,30-49
- - - - IP traffic is filtered based on its source IP address and only IP traffic with a source IP address that matches the IP source binding entry is permitted. When a new IP source entry binding is created or deleted on the port, the PVACL automatically adjusts itself to reflect the IP source binding change.
    - - IP traffic is filtered based on its source IP address in addition to its MAC address. Only IP traffic with source IP and MAC addresses that match the IP source binding entry are permitted.
- - - - STP Compensates for Network Failure
  - - - STP Root Bridge
        
        Bridge ID (BID) Fields
        
        Select the Root Bridge
- - - - STP Stability Mechanisms
        
        Syntax Checker -Mitigate STP Attacks
        
        Configure Root Guard
        
        Configure Loop Guard
    - - PortFast immediately brings an interface that is configured as an access or trunk port to the forwarding state from a blocking state.
      - BPDU Guard
        
        BPDU guard immediately error disables a port that receives a BPDU. It is typically used on PortFast enabled ports. Apply to all end-user ports.
        
        Root Guard
        
        Root guard prevents an inappropriate switch from becoming the root bridge. Root guard limits the switch ports out of which the root bridge may be negotiated. Apply to all ports which should not become root ports.
        
        Loop Guard
        
        Loop guard prevents alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. Apply to all ports that are or can become non-designated.