Module 14: Layer 2 Security Considerations
14.1 Layer 2 Security Threats
14.1.1 Describe Layer 2 Vulnerabilities
The OSI reference model is divided into seven layers which work independently of each other.
14.1.2 Switch Attack Categories
Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weakest link.
14.2 MAC Table Attacks
14.2.1 Switch Fundamentals
A switch uses MAC addresses to forward (or discard) frames to other devices on a network.
14.2.2 Switch Learning and Forwarding
Learn
The switch learns by examining the source MAC address of each frame and recording it together with the port number on which the frame entered the switch.
Forward
The switch will look for a match between the destination MAC address of the frame and an entry in its MAC address table.
14.2.3 Filtering Frames
The switch populates its MAC address table by examining the source MAC address of every frame it receives.
14.2.4 MAC Address Table Flooding
All MAC tables have a fixed size and consequently, a switch can run out of resources in which to store MAC addresses.
14.2.5 MAC Address Table Attack Mitigation
What makes tools such as macof so dangerous is that an attacker can create a MAC table overflow attack very quickly.
14.3 Mitigate MAC Table Attacks
14.3.1 Secure Unused Ports
Layer 2 devices are considered to be the weakest link in a company’s security infrastructure.
14.3.2 Mitigate MAC Address Table Attacks
Port security allows an administrator to manually configure the MAC addresses permitted on a port, or to let the switch dynamically learn a limited number of MAC addresses.
14.3.3 Enable Port Security
Use the show port-security interface command to display the current port security settings for FastEthernet 0/1.
14.3.4 Limit and Learn MAC Addresses
Use the show port-security interface and the show port-security address command to verify the configuration.
14.3.5 Port Security Aging
Port security aging can be used to set the aging time for static and dynamic secure addresses on a port.
14.3.6 Port Security Violation Modes
If the MAC address of a device that is attached to the port differs from the list of secure addresses, then a port violation occurs.
14.3.7 Ports in error-disabled State
The port is physically shut down and placed in the error-disabled state, and no traffic is sent or received on that port.
14.4 Mitigate VLAN Attacks
14.4.1 VLAN Hopping Attacks
Endpoints that are located in one VLAN are unable to communicate with endpoints that are on another VLAN unless permitted to do so by a router or Layer 3 switch.
14.4.2 VLAN Double-Tagging Attack
A threat actor in specific situations could embed a hidden 802.1Q tag inside the frame that already has an 802.1Q tag.
14.4.3 Mitigating VLAN Hopping Attacks
Use the following steps to mitigate VLAN hopping attacks.
14.4.5 Private VLANs
VLANs are broadcast domains. However, in some situations it may be useful to break this rule and allow only the minimum required Layer 2 connectivity within the VLAN.
14.4.6 PVLAN Edge Feature
Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor.
14.4.7 Configure PVLAN Edge
The PVLAN Edge feature can be configured on a physical interface or an EtherChannel group.
14.5 Mitigate DHCP Attacks
14.5.1 DHCP Attacks
DHCP Starvation Attack
The goal of the DHCP starvation attack is DoS for connecting clients. DHCP starvation attacks require an attack tool such as Gobbler.
DHCP Spoofing Attack
A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients.
14.5.2 DHCP Attacks Mitigation
It is easy to mitigate DHCP starvation attacks by using port security. However, mitigating DHCP spoofing attacks requires more protection.
14.5.4 DHCP Snooping Configuration Example
The reference topology for this DHCP snooping example is shown in the figure. Notice that F0/5 is an untrusted port because it connects to a PC. F0/1 is a trusted port because it connects to the DHCP server.
14.6 Mitigate ARP Attacks
14.6.1 ARP Attacks
Recall that hosts broadcast ARP Requests to determine the MAC address of a host with a particular IPv4 address. This is typically done to discover the MAC address of the default gateway.
14.6.3 Dynamic ARP Inspection
In a typical ARP attack, a threat actor can send unsolicited ARP requests to other hosts on the subnet with the MAC Address of the threat actor and the IP address of the default gateway.
14.6.4 DAI Implementation Guidelines
To reduce the chances of ARP spoofing and ARP poisoning, follow these DAI implementation guidelines.
14.6.5 DAI Configuration Example
In the previous topology, S1 connects two users on VLAN 10. DAI will be configured to mitigate ARP spoofing and ARP poisoning attacks.
14.7. Mitigate Address Spoofing
14.7.1 Address Spoofing Attacks
Spoofing attacks occur when one host poses as another to receive otherwise inaccessible data, or to circumvent security configurations.
Attacker Spoofs a Server’s MAC Address
When the switch receives the frame, it examines the source MAC address.
Switch Updates MAC Table with Spoofed Address
When the switch changes the MAC table, the target host does not receive any traffic until it sends traffic.
14.7.2 Address Spoofing Attack Mitigation
To protect against MAC and IP address spoofing, configure the IP Source Guard (IPSG) security feature.
Source IP address filter
IP traffic is filtered based on its source IP address, and only IP traffic with a source IP address that matches the IP source binding entry is permitted.
Source IP and MAC address filter
IP traffic is filtered based on its source IP address in addition to its MAC address.
14.7.3 Configure IP Source Guard
IP Source Guard is enabled on untrusted ports using the ip verify source command as shown in the configuration below.
14.8 Spanning Tree Protocol
14.8.1 Spanning Tree Protocol
Spanning Tree Protocol (STP) is a loop-prevention network protocol that allows for redundancy while creating a loop-free Layer 2 topology.
14.8.2 STP Recalculation
14.8.3 Layer 2 Loops
Without STP enabled, Layer 2 loops can form, causing broadcast, multicast and unknown unicast frames to loop endlessly.
14.8.4 STP Port Roles
The spanning tree algorithm designates a single switch as the root bridge and uses it as the reference point for all path calculations.
14.8.5 STP Root Bridge
The root bridge serves as a reference point for all spanning tree calculations to determine which redundant paths to block.
Bridge ID (BID) Fields
After a switch boots, it begins to send out BPDU frames every two seconds.
14.8.6 STP Path Cost
When the root bridge has been elected for the spanning tree instance, the spanning tree algorithm starts the process of determining the best paths to the root bridge from all destinations in the broadcast domain.
14.8.7 Select the Root Bridge
When an administrator wants a specific switch to become a root bridge, the bridge priority value must be adjusted to ensure it is lower than the bridge priority values of all the other switches on the network.
14.9 Mitigate STP Attacks
14.9.1 STP Attack
Threat actors can manipulate the Spanning Tree Protocol (STP) to conduct an attack by spoofing the root bridge and changing the topology of a network.
14.9.2 Mitigating STP Attacks
To mitigate STP manipulation attacks, use the Cisco STP stability mechanisms to enhance the overall performance of the switches and to reduce the time that is lost during topology changes.
14.9.3 Configure PortFast
PortFast bypasses the STP listening and learning states to minimize the time that access ports must wait for STP to converge.
14.9.4 Configure BPDU Guard
Even though PortFast is enabled, the interface will still listen for BPDUs. Unexpected BPDUs might be accidental, or part of an unauthorized attempt to add a switch to the network.
14.9.6 Configure Root Guard
There are some switches in a network that should never, under any circumstances, become the STP root bridge.
14.9.7 Configure Loop Guard
Traffic on bidirectional links flows in both directions. If traffic flow in one direction fails for any reason, the result is a unidirectional link, which can cause a Layer 2 loop.