Ahmed Sultan
CCNA | CCNA Security | CCNP Security | JNCIA-Junos | CEH
Layer 2 Security
[Figure: network perimeter, with ACS, firewall, VPN and IPS between the Internet and the internal hosts (web server, email server, DNS)]
OSI Model
When it comes to networking, Layer 2 is often a very weak link.
[Figure: OSI model stack (Application, Presentation, Session, Transport, Network, Data Link, Physical). An initial compromise at the Data Link layer (MAC addresses, physical links) compromises everything above it: IP addresses, protocols and ports, and the application stream.]
[Figure: switch port table with the entry AABBcc]
The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case the one with MAC address AABBcc.
[Figure: switch with the legitimate host on Port 1 and the attacker on Port 2]
Switch: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."
2009 Cisco Learning Institute.
[Figure: the attacker on Port 2 now sends frames with source MAC AABBcc]
Switch: "The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly."
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.
1. Intruder runs macof to begin sending unknown bogus MAC addresses.
[Figure: the MAC address table of VLAN 10 fills with bogus entries such as port 3/25 MAC X, 3/25 MAC Y, 3/25 MAC Z; hosts C and D share the VLAN]
4. Attacker sees traffic to servers B and D.
LAB
MAC ADDRESS TABLE OVERFLOW ATTACK
STP builds a tree topology. STP manipulation changes the topology of a network: the attacking host appears to be the root bridge.
Configure Portfast
[Figure: PortFast enabled on the access ports that connect a server and a workstation]
Switch(config-if)# spanning-tree portfast
    Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.
Switch(config-if)# no spanning-tree portfast
    Disables PortFast on a Layer 2 access port. PortFast is disabled by default.
Switch(config)# spanning-tree portfast default
    Globally enables the PortFast feature on all nontrunking ports.
Switch# show running-config interface type slot/port
    Indicates whether PortFast has been configured on a port.
[Figure: STP topology with the root bridge and an attacker attached to an access port; ports marked F are forwarding]
The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.
BPDU Guard
[Figure: BPDU Guard enabled on the access port facing the attacker; the attacker's STP BPDU is blocked (port marked B) while the root bridge's ports stay forwarding (F)]
Root Guard
[Figure: Root Guard enabled on the port facing the attacker; the legitimate root bridge has Priority = 0 and MAC Address = 0000.0c45.1a5d; ports marked F are forwarding]
Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN. These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.
VLAN Attacks
A VLAN hopping attack can be launched by spoofing DTP Messages from the attacking host to cause the switch to enter trunking mode.
[Figure: port security on a switch: Port 0/1 allows MAC A, Port 0/2 allows MAC B, Port 0/3 allows MAC C; Attacker 1 and Attacker 2 connected with other source MAC addresses are blocked]
Port security allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
CLI Commands
Switch(config-if)# switchport mode access
Sets the maximum number of secure MAC addresses for the interface (optional)
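The MAC address table overflow attack from the lab slides and the port-security limit on learned addresses described above, as an added Python simulation that is not part of the original slides. It models a switch with a fixed-size MAC table, an attacker on port 3 flooding bogus source addresses (constructed values), and an optional per-port maximum modelled after the port-security maximum; it does not model entry aging.

```python
from collections import OrderedDict

class Switch:
    """Minimal model of a switch MAC address (CAM) table with optional port security."""

    def __init__(self, ports, cam_capacity, max_secure=None):
        self.ports = ports
        self.cam_capacity = cam_capacity   # how many entries the table can hold
        self.max_secure = max_secure       # port-security maximum per port (None = off)
        self.cam = OrderedDict()           # MAC -> port
        self.violations = []               # (port, mac) pairs dropped by port security

    def learn(self, port, src_mac):
        """Learn the source MAC of a frame arriving on port. Returns True if learned."""
        if src_mac in self.cam:
            self.cam[src_mac] = port       # host moved: update the mapping
            return True
        if self.max_secure is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_secure:
                # restrict-like behaviour: drop and count (a real switch err-disables by default)
                self.violations.append((port, src_mac))
                return False
        if len(self.cam) >= self.cam_capacity:
            return False                   # table full: address cannot be learned (no aging modelled)
        self.cam[src_mac] = port
        return True

    def egress(self, in_port, dst_mac):
        """Ports a frame to dst_mac leaves on: one port if known, otherwise flooded."""
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]
        return [p for p in self.ports if p != in_port]   # unknown unicast flood

PC1, PC2 = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"   # constructed addresses

def simulate(max_secure=None):
    """Attacker on port 3 floods bogus MACs; returns (ports a PC1->PC2 frame reaches, violations)."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=8, max_secure=max_secure)
    sw.learn(1, PC1)
    for i in range(50):                    # macof-style flood of bogus source MACs (constructed)
        sw.learn(3, f"de:ad:be:ef:00:{i:02x}")
    sw.learn(2, PC2)                       # PC2 only starts talking after the flood
    return sw.egress(1, PC2), len(sw.violations)

if __name__ == "__main__":
    print("no port security:", simulate())        # ([2, 3], 0): attacker on port 3 sees PC2's traffic
    print("port-security max 1:", simulate(1))    # ([2], 49): flood blocked, PC2 learned normally
```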
1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.
Controlling Trunking
Switch(config-if)# switchport mode trunk