Layer 2 security Considerations - Coggle Diagram
Layer 2 security Considerations
Threats
:fire:
MAC Table Attacks
Includes MAC table overflow (also called MAC Address Flooding) Attacks
VLAN attacks
VLAN hopping
VLAN double-tagging
Attacks between devices on a common VLAN
DHCP Attacks
DHCP starvation
DHCP spoofing attacks
ARP Attacks
ARP spoofing
ARP poisoning attacks
Address Spoofing Attacks
MAC Address and IP address spoofing attacks
STP attacks
STP manipulation attacks
ARP Attacks
:crossed_swords:
Hosts broadcast ARP Requests to determine the MAC address of a host with a particular IPv4 address.
The problem is that an attacker can send a gratuitous ARP message containing a spoofed MAC address.
Initially, each device has an accurate MAC table.
The threat actor sends two spoofed gratuitous ARP Replies in an attempt to replace the MAC address associated with the R1 default gateway.
The threat actor has now poisoned the ARP caches of all devices on the subnet, enabling a man-in-the-middle (MiTM) attack.
ARP spoofing and ARP poisoning are mitigated by implementing Dynamic ARP Inspection (DAI).
Dynamic ARP inspection
To prevent ARP spoofing and the resulting ARP poisoning, a switch must ensure that only valid ARP Requests and Replies are relayed.
DAI requires DHCP snooping and helps prevent ARP attacks.
Enable DHCP snooping globally
Enable DHCP snooping on selected VLANs
Enable DAI on selected VLANs
Configure trusted interfaces for DHCP snooping and ARP inspection.
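The four steps above, carried out on one Cisco IOS switch. This is an added example, not configuration from the original diagram: switch name S1, VLAN 10, the Gi0/1 uplink toward the router and DHCP server, the Fa0/1-24 host ports, and the rate limits are all assumed values.

```cisco
! Added example (not from the original diagram). Assumptions: hosts on Fa0/1-24 (untrusted),
! uplink to R1 and the DHCP server on Gi0/1 (trusted), all in VLAN 10.
! Step 1: enable DHCP snooping globally
S1(config)# ip dhcp snooping
! Step 2: enable DHCP snooping on the selected VLAN (builds the binding table DAI relies on)
S1(config)# ip dhcp snooping vlan 10
! Step 3: enable DAI on the same VLAN; optionally also check MAC/IP consistency inside the ARP body
S1(config)# ip arp inspection vlan 10
S1(config)# ip arp inspection validate src-mac dst-mac ip
! Step 4: trust only the uplink for DHCP server messages and ARP
S1(config)# interface gigabitethernet 0/1
S1(config-if)# description Uplink to R1 / DHCP server
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust
S1(config-if)# exit
! Host ports stay untrusted (the default); rate-limit DHCP and ARP so a host cannot starve the switch CPU
S1(config)# interface range fastethernet 0/1 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 10
S1(config-if-range)# ip dhcp snooping limit rate 6
S1(config-if-range)# ip arp inspection limit rate 15
S1(config-if-range)# end
! Verification: snooping state, learned bindings, and DAI counters per VLAN/interface
S1# show ip dhcp snooping
S1# show ip dhcp snooping binding
S1# show ip arp inspection vlan 10
S1# show ip arp inspection interfaces
S1# show ip arp inspection statistics vlan 10
```

Order matters: DAI on an untrusted port drops every ARP packet whose sender MAC/IP pair is not in the DHCP snooping binding table, so if DHCP snooping is enabled after DAI, or the uplink is left untrusted, legitimate hosts lose connectivity. Hosts with static addresses need an ARP ACL or a static binding before DAI is turned on for their VLAN.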
Mitigation techniques :lock:
Port security
Prevents
MAC table overflow attacks
DHCP starvation attacks
What does it do?
Limits the number of valid MAC addresses allowed on a port
Commands
Enable port security
S1(config-if)# switchport port-security
Verify port security on an interface
S1# show port-security interface <interface-type-and-number>
Set a maximum number of MAC addresses allowed on a port
S1(config-if)# switchport port-security maximum <value>
Configure a static MAC address allowed on the port
S1(config-if)# switchport port-security mac-address <mac-address>
Configure a port to learn a MAC address and stick to it
S1(config-if)# switchport port-security mac-address sticky
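The commands above combined into one working access-port configuration, with the violation mode and aging settings a deployment needs. This is an added example, not configuration from the original diagram: interface Fa0/2, VLAN 10, a limit of 2 and the MAC address 000a.000b.000c are assumed placeholder values.

```cisco
! Added example (not from the original diagram). Assumptions: one workstation with the
! placeholder MAC 000a.000b.000c on Fa0/2; maximum 2 leaves room for a second device such as an IP phone.
S1(config)# interface fastethernet 0/2
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
! Port security only works on a static access or trunk port, never on a dynamic (DTP) port
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 2
! One address pinned statically, the remainder learned and written to running-config (sticky)
S1(config-if)# switchport port-security mac-address 000a.000b.000c
S1(config-if)# switchport port-security mac-address sticky
! restrict: drop frames from addresses beyond the limit, count them and log, keep the port up
! (the default, shutdown, err-disables the port instead)
S1(config-if)# switchport port-security violation restrict
! Age out idle learned addresses so a replaced device does not need manual cleanup
S1(config-if)# switchport port-security aging time 120
S1(config-if)# switchport port-security aging type inactivity
S1(config-if)# end
! Verification: per-interface state and violation counter, learned/secure addresses, summary
S1# show port-security interface fastethernet 0/2
S1# show port-security address
S1# show port-security
```

Because the switch can never learn more than the configured maximum on this port, a flood of bogus source MAC addresses is dropped and counted instead of filling the MAC table, which is why the diagram lists port security as the mitigation for both MAC table overflow and DHCP starvation (each bogus DHCP DISCOVER normally carries a different source MAC).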
DHCP snooping
Prevents
DHCP spoofing attacks by rogue DHCP servers
DHCP starvation
Dynamic ARP Inspection
Prevents
ARP spoofing
ARP poisoning Attacks
IP Source Guard (IPSG)
Prevents
MAC address spoofing
IP address spoofing
Switch Fundamentals
What does it do?
Makes frame forwarding decisions based only on MAC addresses
Learn
The switch learns which port a MAC address lives on from the frame's source MAC address and the incoming port.
Forward
The switch forwards a unicast frame out the port associated with the destination MAC address if that port is known; otherwise it floods the frame out all ports except the incoming port.
Attacks
MAC tables have a fixed size, so an attacker floods the switch with frames from bogus source MAC addresses until the table is full; the switch then floods all incoming frames out every port (MAC table overflow attack).
Address Spoofing Attacks
Spoofing attacks occur when one host poses as another to receive otherwise inaccessible data, or to circumvent security configurations.
The method used by switches to populate the MAC address table leads to a vulnerability known as MAC address spoofing.
When the switch receives a frame carrying the target's MAC address as its source, it examines that source MAC address, overwrites the current MAC table entry, and assigns the MAC address to the new port.
The target host does not receive any traffic until it sends a frame itself, which causes the switch to relearn the correct port.
Address Spoofing Attack Mitigation
:lock:
To protect against MAC and IP address spoofing, configure the IP Source Guard (IPSG) security feature.
IPSG restricts client IP traffic to the source IP addresses recorded in the DHCP snooping binding table (or in a static binding).
Source IP address filter
Source IP and MAC address filter
Configure IP source guard
:shield:
ip verify source: configure on the untrusted interfaces
show ip verify source: verify the IP source guard configuration
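The two IPSG filter modes listed above (source IP only, and source IP plus MAC) as one configuration. This is an added example, not configuration from the original diagram: it assumes DHCP snooping is already enabled for VLAN 10 on S1, and the interfaces Fa0/1-3, the MAC 000a.000b.000c and the address 192.0.2.50 are placeholder values.

```cisco
! Added example (not from the original diagram). Assumes DHCP snooping is already active for
! VLAN 10 so the binding table is populated; interface names and addresses are placeholders.
! Source IP address filter: traffic is allowed only from the IP in the host's binding
S1(config)# interface fastethernet 0/1
S1(config-if)# ip verify source
S1(config-if)# exit
! Source IP and MAC address filter: the frame's source MAC must also match the binding.
! This mode requires port security on the same interface.
S1(config)# interface fastethernet 0/2
S1(config-if)# switchport port-security
S1(config-if)# ip verify source port-security
S1(config-if)# exit
! A host with a static address gets no DHCP binding, so add one by hand before filtering its port
S1(config)# ip source binding 000a.000b.000c vlan 10 192.0.2.50 interface fastethernet 0/3
S1(config)# interface fastethernet 0/3
S1(config-if)# ip verify source port-security
S1(config-if)# end
! Verification: filter type/mode per interface, and the bindings IPSG is enforcing
S1# show ip verify source
S1# show ip source binding
```

On an interface with `ip verify source` and no matching binding, all IP traffic from the host is dropped except DHCP, so the host can still obtain a lease and thereby create its own binding; a statically addressed host that is forgotten in the binding table simply goes silent, which is the first thing to check when IPSG is blamed for an outage.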
Spanning Tree Protocol
:recycle:
STP is a loop-prevention network protocol that allows for redundancy.
STP Recalculation
:evergreen_tree:
When a link fails, STP recalculates the topology and sends frames over another available link.
STP recalculation redefines network paths after topology changes to maintain loop-free and efficient data flow.
Layer 2 Loops
:recycle:
Without STP enabled, Layer 2 loops can form, causing broadcast, multicast and unknown unicast frames to loop endlessly
When a loop occurs, the MAC address table on a switch will constantly change with the updates from the broadcast frames, which results in MAC database instability
Unknown unicast frames sent onto a looped network can result in duplicate frames arriving at the destination device.
STP Port roles
:silhouette:
The spanning tree algorithm designates a single switch as the root bridge and uses it as the reference point for all path calculations.
A BPDU is a messaging frame that is exchanged by switches for STP
Each BPDU contains a BID that identifies the switch that sent the BPDU.
When the spanning tree algorithm has determined which paths are most desirable relative to each switch, it assigns port roles to the participating switch ports
Root:
Root ports are switch ports that are closest to the root bridge.
Designated:
Designated ports are all non-root ports that STP permits to forward traffic on the network.
Alternate:
Alternate and backup ports are configured to be in a blocking state to prevent loops.
STP Root Bridge
:bridge_at_night:
The root bridge is a reference point for all spanning tree calculations to determine which redundant paths to block.
All switches in the broadcast domain participate in the election process. After a switch boots, it begins to send out BPDU frames every two seconds
If the root ID in a received BPDU is lower than the receiving switch's current root ID, the receiving switch updates its root ID to match.
The switch with the lowest BID is identified as the root switch.
There is a root bridge elected for each spanning tree instance.
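Because the lowest BID wins the election, leaving every switch at the default priority means the oldest switch with the lowest MAC address becomes root. Setting the bridge priority makes the outcome deterministic and lets the port roles above be checked. This is an added example, not configuration from the original diagram: switches S1, S2 and S3 and VLAN 10 are assumed.

```cisco
! Added example (not from the original diagram). Assumptions: S1, S2 and S3 share VLAN 10;
! S1 should be the root bridge and S2 the backup root. Priority is set in steps of 4096.
S1(config)# spanning-tree vlan 10 priority 4096
S1(config)# end
S2(config)# spanning-tree vlan 10 priority 8192
S2(config)# end
! Equivalent macro form on S1: 'spanning-tree vlan 10 root primary' picks a priority low enough to win
! Verification: Root ID vs. Bridge ID, and the role (Root/Desg/Altn) and state of every port
S1# show spanning-tree vlan 10
S3# show spanning-tree vlan 10
S3# show spanning-tree root
```

On S1 the output should report "This bridge is the root" with all ports Designated; on S3 exactly one port is the Root port (closest to S1), and any redundant path toward the root shows as Altn in the blocking state, which is the loop prevention the diagram describes.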