
BRKSEC-2002

14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 1

Understanding,
Preventing, and Defending
Against Layer 2 Attacks



© 2006, Cisco Systems, Inc. All rights reserved. 1
Agenda

ƒ Layer 2 Attack Landscape
ƒ Attacks and Countermeasures
VLAN Hopping
MAC Attacks
DHCP Attacks
ARP Attacks
Spoofing Attacks
General Attacks

ƒ Summary


Caveats
ƒ All attacks and mitigation techniques assume a switched Ethernet
network running IP
If it is a shared Ethernet access (WLAN, hub, etc.) most of these attacks get
much easier
If you are not using Ethernet as your L2 protocol, some of these attacks may
not work, but chances are, you are vulnerable to different types of attacks
ƒ New theoretical attacks can move to practical in days
ƒ All testing was done on Cisco Ethernet switches
Ethernet switching attack resilience varies widely from vendor to vendor
ƒ This is not a comprehensive talk on configuring Ethernet
switches for security: the focus is mostly access L2 attacks
and their mitigation
ƒ These are IPv4 only attacks today, there is a session on IPv6
access security
ƒ There are data center sessions for security, this is access ports
for users

Reference Materials
ƒ SAFE Blueprints
http://www.cisco.com/go/safe/
ƒ Cisco Catalyst® 3750
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/index.htm
ƒ Cisco Catalyst 4000
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/index.htm
ƒ Cisco Catalyst 6500
Cisco Catalyst OS and Cisco IOS®
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/
ƒ IP Phones
http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/index.htm
ƒ Data Center
http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor3
ƒ All SRNDs (System Network Reference Designs)
http://www.cisco.com/go/srnd/

Associated Sessions

ƒ TECSEC-2002: Security for Network Engineers
ƒ TECSEC-2101: Protecting the Core: Detecting and
Mitigating Attacks Using Your Infrastructure
ƒ TECVVT-1000: Enterprise IP Telephony Design
and Deployment


Black Hole Slide



Why Worry About Layer 2 Security?
OSI Was Built to Allow Different Layers to Work
Without the Knowledge of Each Other

[Figure: the seven OSI layers of Host A and Host B side by side. The application stream runs across the top; Transport exchanges protocols/ports, Network exchanges IP addresses, Data Link exchanges MAC addresses, and Physical exchanges links.]


Lower Levels Affect Higher Levels
ƒ Unfortunately this means if one layer is hacked, communications are
compromised without the other layers being aware of the problem
ƒ Security is only as strong as the weakest link
ƒ When it comes to networking, Layer 2 can be a very weak link

[Figure: the same layered stack with the initial compromise at the Data Link layer; everything above it, up to the application stream (POP3, IMAP, IM, SSL, SSH), is shown as compromised.]


Who Owns VLANs? NetOPS/SecOPS?

Question: Security policy for VLANs
  NetOPS: We have L2 security issues?
  SecOPS: I handle it at L3 and above
Question: Do you use VLANs often?
  NetOPS: I use them all the time
  SecOPS: I have no idea how often
Question: Do you use VLANs for security?
  NetOPS: Routing in and out of the same switch is fine, that is why we have a Layer 3 switch
  SecOPS: It is a switch, why would I care?
Question: What addresses are assigned per VLAN?
  NetOPS: Security guy asks for a segment, I make a VLAN and give it some addresses
  SecOPS: I ask NetOPS, they give me ports and addresses


FBI/CSI Risk Assessment*

ƒ Many enterprises' network ports are open
ƒ Usually any laptop can plug into the network and gain
access to the network
ƒ Of companies surveyed, total loss was over $130 million
ƒ Average spending per employee: $241 per year
ƒ 28% said they had no idea how many times, or if, they
were attacked

*CSI/FBI Computer Crime and Security Survey—2005
http://www.ussecurityawareness.org/highres/free-resources.html

FBI/CSI Risk Assessment
ƒ 28% said they did not know when or if they were attacked
ƒ Yet, 32% said they never had an attack on the inside?



Basic Trunk Port Defined
[Figure: two switches joined by a trunk carrying VLAN 10 and VLAN 20, with VLAN 10 as the native VLAN; access ports on each switch sit in VLAN 10 and VLAN 20.]

ƒ Trunk ports have access to all VLANs by default
ƒ Used to route traffic for multiple VLANs across the same
physical link (generally between switches or phones)
ƒ Encapsulation can be 802.1q or ISL


Dynamic Trunk Protocol (DTP)
ƒ What is DTP?
Automates 802.1q/ISL trunk configuration
Operates between switches (a Cisco IP phone is a switch)
Does not operate on routers
Support varies, check your device

ƒ DTP synchronizes the trunking mode on end links
ƒ DTP state on an 802.1q/ISL trunking port can be set to
“Auto,” “On,” “Off,” “Desirable,” or “Non-Negotiate”

[Figure: two switches negotiating Dynamic Trunk Protocol across their link.]


Basic VLAN Hopping Attack
[Figure: two switches joined by a trunk (native VLAN 10, carrying VLAN 10 and VLAN 20). An end station on an access port brings up a second trunk toward its switch, also carrying VLAN 10 and VLAN 20 with native VLAN 10.]

ƒ An end station can spoof as a switch with ISL or 802.1q
ƒ The station is then a member of all VLANs
ƒ Requires a trunking configuration of the native VLAN to be VLAN 1


Double 802.1q Encapsulation
VLAN Hopping Attack
[Figure: a frame carrying two 802.1q tags enters the first switch; the switch strips off the outer tag and sends the frame back out the trunk still carrying the inner 802.1q tag.]

ƒ Send 802.1q double encapsulated frames
ƒ Switch performs only one level of decapsulation
ƒ Unidirectional traffic only
ƒ Works even if trunk ports are set to off
Note: Only works if trunk has the same VLAN as the attacker

IP Phones VLAN Security
Configurable Options
ƒ Block voice VLAN
from PC port
ƒ Ignore Gratuitous
ARPs (GARPs)

These Features Were All Introduced in
CCM 3.3(3), Except Signed Config Files
and Disable Web Access Which Were
Introduced in CCM 4.0


Voice VLAN Access

[Figure: a switch port to an IP phone carrying VLAN 10 (voice, tagged) and VLAN 20 (data, untagged); the PC behind the phone sits in VLAN 20.]

ƒ Normal VLAN operation
VLAN 20 is native to the PC and is not tagged
VLAN 10 is the voice VLAN, and is tagged with 10


Voice VLAN Access: Attack

[Figure: the PC behind the phone sends frames tagged VLAN 10; the phone passes them through, so VLAN 10 now carries PC traffic alongside the voice traffic, while VLAN 20 carries the untagged PC traffic.]

ƒ Attacking voice VLAN
Attacker sends 802.1q tagged frames from the PC to the phone
Traffic from the PC is now in the voice VLAN


IP Phone: PC Voice VLAN Access Setting

[Figure: the PC sends frames tagged VLAN 10; with the PC voice VLAN access setting enabled, the phone drops them at its PC port, and only the untagged VLAN 20 traffic goes through.]

ƒ Preventing voice VLAN attacks
Enable settings for PC voice VLAN access
Tagged traffic will be stopped at the PC port on the phone

ƒ Differences between phone model implementations
7940, 7960, 7941G, 7961G, and 7971G only block voice VLAN,
allowing PC to run 802.1Q on any other VLAN
7970, 7961, and 7941 block all packets containing an 802.1Q header
7912 doesn’t block anything

Security Best Practices for
VLANs and Trunking

ƒ Always use a dedicated VLAN ID for all trunk ports
ƒ Disable unused ports and put them in an
unused VLAN
ƒ Be paranoid: do not use VLAN 1 for anything
ƒ Disable auto-trunking on user facing ports (DTP off)
ƒ Explicitly configure trunking on infrastructure ports
ƒ Use all tagged mode for the native VLAN on trunks
ƒ Use PC voice VLAN access on phones that support it
ƒ Use 802.1q tag all on the trunk port
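Added example, not from the Cisco deck: a Python parser for the 802.1q tag stack that models the single decapsulation shown on the double-encapsulation slide and the PC-port checks described on the voice VLAN slides. The MAC addresses, VLAN numbers and payload are constructed.

```python
# Added example (not from the Cisco deck): parse the 802.1q tag stack on an
# Ethernet frame and apply the access-port / phone PC-port checks the slides
# describe. All addresses and VLAN numbers below are constructed.
import struct

TPID_8021Q = 0x8100          # 802.1q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_hex, src_hex, vlans, ethertype, payload):
    """Constructed test input: Ethernet header with zero or more 802.1q tags."""
    frame = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    for vid in vlans:                        # PCP/DEI left 0, VID in the low 12 bits
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (VLAN ids outer-to-inner, payload ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, vlans = 12, []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype == TPID_8021Q:           # walk every nested tag
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return vlans, ethertype, frame[offset + 2:]


def strip_one_tag(frame):
    """Model the single decapsulation on the slide: a switch pops only the
    outer tag, so any inner tag travels on with the frame. Returns
    (outer VLAN id or None, frame as forwarded)."""
    vlans, _, _ = parse_frame(frame)
    if not vlans:
        return None, frame
    return vlans[0], frame[:12] + frame[16:]


def pc_port_verdict(frame, voice_vlan, block_all_tagged=False):
    """Verdict for a frame arriving on a phone's PC port.

    block_all_tagged=False: only the voice VLAN tag is blocked, the behaviour the
    slide lists for 7940/7960/7941G/7961G/7971G. True: any 802.1q header is
    blocked (7970/7961/7941). Nested tags are rejected in both modes.
    """
    vlans, _, _ = parse_frame(frame)
    if not vlans:
        return "accept"
    if len(vlans) > 1:
        return "drop: nested 802.1q tags (double encapsulation)"
    if vlans[0] == voice_vlan:
        return "drop: voice VLAN tag from PC port"
    if block_all_tagged:
        return "drop: tagged frame on PC port"
    return "accept"


if __name__ == "__main__":
    pc, phone = "00163e000001", "001a2b000002"          # constructed MACs
    double = build_frame(phone, pc, [1, 20], ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    print(parse_frame(double)[0])                        # [1, 20]
    outer, forwarded = strip_one_tag(double)
    print(outer, parse_frame(forwarded)[0])              # 1 [20]: inner tag survives
    print(pc_port_verdict(double, voice_vlan=10))
    print(pc_port_verdict(build_frame(phone, pc, [30], ETHERTYPE_IPV4, b"x"), 10))
    print(pc_port_verdict(build_frame(phone, pc, [30], ETHERTYPE_IPV4, b"x"), 10, True))
```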



MAC Address/CAM Table Review
48-Bit Hexadecimal Number Creates Unique Layer Two Address

Example: 1234.5678.9ABC
First 24 bits = manufacturer code, assigned by IEEE (the 0000.0c in 0000.0cXX.XXXX)
Second 24 bits = specific interface, assigned by the manufacturer (the XX.XXXX part)
All Fs (FFFF.FFFF.FFFF) = broadcast

ƒ CAM table stands for Content Addressable Memory
ƒ The CAM table stores information such as MAC addresses
available on physical ports with their associated VLAN parameters
ƒ All CAM tables have a fixed size

Normal CAM Behavior (1/3)

[Figure: a switch with MAC A on port 1, MAC B on port 2 and MAC C on port 3. The CAM table holds A on port 1 and C on port 3. A sends an ARP for B; B is unknown, so the switch floods the frame out ports 2 and 3.]

Normal CAM Behavior (2/3)

[Figure: B answers "I am MAC B" on port 2. The switch learns that A is on port 1 and B is on port 2; the CAM table now holds A on port 1, B on port 2 and C on port 3.]

Normal CAM Behavior (3/3)

[Figure: traffic from A to B is sent only out port 2, because the CAM table says B is on port 2; MAC C on port 3 does not see the traffic to B.]

CAM Overflow (1/2)

ƒ macof tool since 1999
About 100 lines of perl
Included in “dsniff”

ƒ Attack successful by exploiting the size limit on
CAM tables
ƒ Yersinia—flavor of the month attack tool


CAM Overflow (2/2)

[Figure: the attacker on port 3 keeps announcing "I am MAC Y", "I am MAC Z", ... until the CAM table is full (A on port 1, Y and Z on port 3, C on port 3, no room left for B). Traffic from A to B now has no CAM entry and is flooded out every port, so MAC C on port 3 sees the traffic to B.]

Mac Flooding Switches with macof
macof -i eth1
36:a1:48:63:81:70 15:26:8d:4d:28:f8 0.0.0.0.26413 > 0.0.0.0.49492: S 1094191437:1094191437(0) win 512
16:e8:8:0:4d:9c da:4d:bc:7c:ef:be 0.0.0.0.61376 > 0.0.0.0.47523: S 446486755:446486755(0) win 512
18:2a:de:56:38:71 33:af:9b:5:a6:97 0.0.0.0.20086 > 0.0.0.0.6728: S 105051945:105051945(0) win 512
e7:5c:97:42:ec:1 83:73:1a:32:20:93 0.0.0.0.45282 > 0.0.0.0.24898: S 1838062028:1838062028(0) win 512
62:69:d3:1c:79:ef 80:13:35:4:cb:d0 0.0.0.0.11587 > 0.0.0.0.7723: S 1792413296:1792413296(0) win 512
c5:a:b7:3e:3c:7a 3a:ee:c0:23:4a:fe 0.0.0.0.19784 > 0.0.0.0.57433: S 1018924173:1018924173(0) win 512
88:43:ee:51:c7:68 b4:8d:ec:3e:14:bb 0.0.0.0.283 > 0.0.0.0.11466: S 727776406:727776406(0) win 512
b8:7a:7a:2d:2c:ae c2:fa:2d:7d:e7:bf 0.0.0.0.32650 > 0.0.0.0.11324: S 605528173:605528173(0) win 512
e0:d8:1e:74:1:e 57:98:b6:5a:fa:de 0.0.0.0.36346 > 0.0.0.0.55700: S 2128143986:2128143986(0) win 512

ƒ Macof sends random source MAC and IP addresses
ƒ Much more aggressive if you run the command
“macof -i eth1 2> /dev/null”
macof (part of dsniff): http://monkey.org/~dugsong/dsniff/


CAM Table Full

ƒ Once the CAM table on the switch is full, traffic without
a CAM entry is flooded out every port on that VLAN
ƒ This will turn a VLAN on a switch basically into a hub
ƒ This attack will also fill the CAM tables of adjacent
switches

10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.1, 10.1.1.1 ?
10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.19, 10.1.1.19 ?
10.1.1.26 -> 10.1.1.25 ICMP Echo request (ID: 256 Sequence number: 7424) <- OOPS
10.1.1.25 -> 10.1.1.26 ICMP Echo reply (ID: 256 Sequence number: 7424) <- OOPS


Countermeasures for MAC Attacks
Port Security Limits the Amount of MACs on an Interface

[Figure: an attacker sends 132,000 bogus MACs (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, ...) into a port configured to allow only one MAC address; the port is shut down.]

Solution
ƒ Port security limits the MAC flooding attack, locks down the
port and sends an SNMP trap

Countermeasures for MAC Attacks
with IP Phones

[Figure: phone plus PC on one port, with two or three MAC addresses allowed on the port; on violation, shutdown.]

ƒ Phones can use two or three MAC addresses
depending on the switch hardware and software
Some switches look at the CDP traffic and some don’t; if they
don’t, they need two, if they do, they need three
Some hardware (3550) will always need three

ƒ Default config is to disable the port;
you might want to use restrict for VoIP
ƒ This feature is to protect the switch; you can make the
number anything you like as long as you don’t overrun the
CAM table

Port Security: Example Config
(Will enable voice to work under attack)

Cisco Catalyst OS
set port security 5/1 enable
set port security 5/1 port max 3
set port security 5/1 violation restrict
set port security 5/1 age 2
set port security 5/1 timer-type inactivity

Cisco IOS
switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity

ƒ The number is not to control access, it is to protect the switch from attack
ƒ Depending on security policy, disabling the port might be preferred, even with VoIP
ƒ Aging time of two and aging type inactivity allow for the phone CDP interval of 1 minute

If the violation mode is error-disable, the following log message will be produced:
4w6d: %PM-4-ERR_DISABLE: Psecure-Violation Error Detected on Gi3/2, Putting Gi3/2 in Err-Disable State
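Added example, not from the Cisco deck: a toy switch in Python with a fixed-size CAM table, showing why a full table floods traffic to every port (the CAM overflow slides) and how a per-port MAC limit with violation restrict or shutdown (the port security config above) contains it. Port numbers, table capacity and MAC values are made up.

```python
# Added example (not from the Cisco deck): a toy switch with a fixed-size CAM
# table and a port-security MAC limit. Ports, capacity and MACs are made up.
import random


class Switch:
    def __init__(self, ports, cam_capacity, max_macs=None, violation="restrict"):
        self.ports = set(ports)
        self.cam_capacity = cam_capacity
        self.cam = {}                        # mac -> port
        self.max_macs = max_macs             # port-security limit per port; None = off
        self.violation = violation           # "restrict" or "shutdown"
        self.errdisabled = set()
        self.violations = {p: 0 for p in ports}

    def _macs_on(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def _learn(self, port, mac):
        """Return False when port security drops the frame, True otherwise."""
        if self.cam.get(mac) == port:
            return True
        new = mac not in self.cam
        if new and self.max_macs is not None and self._macs_on(port) >= self.max_macs:
            self.violations[port] += 1       # a real switch raises an SNMP trap here
            if self.violation == "shutdown":
                self.errdisabled.add(port)   # the %PM-4-ERR_DISABLE case on the slide
            return False                     # restrict: drop the frame, port stays up
        if new and len(self.cam) >= self.cam_capacity:
            return True                      # CAM full: cannot learn, still forward
        self.cam[mac] = port
        return True

    def forward(self, in_port, src, dst):
        """Return the set of egress ports for a frame, or None if it is dropped."""
        if in_port in self.errdisabled or not self._learn(in_port, src):
            return None
        if dst in self.cam:
            return {self.cam[dst]} - {in_port}
        return self.ports - {in_port}        # unknown destination: flood

    def cam_full(self):
        return len(self.cam) >= self.cam_capacity


def bogus_mac(rng):
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def run_demo(port_security):
    """Port 3 floods bogus source MACs before host B (port 2) is learned, then
    A (port 1) talks to B. Returns (CAM full?, egress ports A->B, violations on 3)."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=64,
                max_macs=1 if port_security else None)
    sw.forward(1, "A", "B")                  # A learned on port 1; B unknown, flooded
    rng = random.Random(1)
    for _ in range(200):                     # macof-style flood from port 3
        sw.forward(3, bogus_mac(rng), bogus_mac(rng))
    sw.forward(2, "B", "A")                  # B answers; learned only if room is left
    return sw.cam_full(), sw.forward(1, "A", "B"), sw.violations[3]


if __name__ == "__main__":
    print(run_demo(port_security=False))     # (True, {2, 3}, 0): VLAN behaves like a hub
    print(run_demo(port_security=True))      # (False, {2}, 199): flood contained
```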

New Features for Port Security
New Commands
Cisco IOS
switchport port-security
switchport port-security maximum 1 vlan voice
switchport port-security maximum 1 vlan access
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
snmp-server enable traps port-security trap-rate 5

ƒ Per port per VLAN max MAC addresses
ƒ Restrict now will let you know something has happened—
you will get an SNMP trap
Everyone asked so Cisco did it


Port Security
Not All Port Security Created Equal
ƒ In the past you would have to type in the only MAC
you were going to allow on that port
ƒ You can now put a limit on how many MAC addresses
a port will learn
ƒ You can also put timers in to state how long the
MAC address will be bound to that switch port
ƒ You might still want to do static MAC entries on
ports that there should be no movement of devices,
as in server farms
ƒ CHANGE XXX called “Sticky Port Security”; settings
will survive reboot (not on all switches)


Port Security and LLDP-MED
ƒ Link Layer Discovery Protocol-Media Endpoint Discovery
(LLDP-MED)
A standard that works like CDP for media endpoints
Could affect port security deployments
ƒ If the switch does not understand LLDP-MED
You will need to set the port to three; the device (phone) can be in both
VLANs—voice and data—and the PC will be in the data VLAN
Or the setting can be two for the data VLAN (one phone and one PC)
and one in the voice VLAN for the phone
ƒ If the switch supports LLDP-MED
LLDP-MED should be treated like CDP and will not be counted
on the port, so the setting could be two or higher
Early versions of Cisco IOS on switches did count the LLDP-MED device,
so please be careful with the settings
Good link for this is: http://en.wikipedia.org/wiki/LLDP-MED

Port Security: What to Expect
Notice: When Using the Restrict Feature of Port
Security, if the Switch Is Under Attack, You Will
See a Performance Hit on the CPU
ƒ The performance hit seen with multiple attacks happening at one time is
up to 99% CPU utilization
ƒ Because the process is a low priority, on all switches packets were not
dropped
ƒ Telnet and management were still available
ƒ You would want to limit the SNMP messages; you don’t want 1000s of traps
ƒ Voice MOS scores under attack were very good, as long as QoS was
configured
ƒ Designed to protect the switch and limit MAC addresses, has no
authentication; look at 802.1x for that
ƒ Minimum settings for phones are two usually, higher numbers should be
considered
MOS: Mean Opinion Score; http://en.wikipedia.org/wiki/Mean_Opinion_Score

Building the Layers

ƒ Port Security prevents
CAM attacks and DHCP
starvation attacks

[Figure: first layer of the defence stack: Port Security]



DHCP Function: High Level
[Figure: the client asks the DHCP server "Send my configuration information"; the server answers "Here is your configuration":
IP Address: 10.10.10.101
Subnet Mask: 255.255.255.0
Default Routers: 10.10.10.1
DNS Servers: 192.168.10.4, 192.168.10.5
Lease Time: 10 days]

ƒ Server dynamically assigns IP address on demand
ƒ Administrator creates pools of addresses available for assignment
ƒ Address is assigned with lease time
ƒ DHCP delivers other configuration information in options

DHCP Function: Lower Level
[Figure: client and DHCP server exchange, in order:
DHCP Discover (Broadcast)
DHCP Offer (Unicast)
DHCP Request (Broadcast)
DHCP Ack (Unicast)]

ƒ DHCP defined by RFC 2131


DHCP Function: Lower Level
DHCP Request/Reply Types

DHCPDISCOVER: Client broadcast to locate available servers
DHCPOFFER: Server to client in response to DHCPDISCOVER with offer of configuration parameters
DHCPREQUEST: Client message to servers either (a) requesting offered parameters from one server and implicitly declining offers from all others, (b) confirming correctness of a previously allocated address after, e.g., system reboot, or (c) extending the lease on a particular network address
DHCPACK: Server to client with configuration parameters, including committed network address
DHCPNAK: Server to client indicating client’s notion of network address is incorrect (e.g., client has moved to new subnet) or client’s lease has expired
DHCPDECLINE: Client to server indicating network address is already in use
DHCPRELEASE: Client to server relinquishing network address and canceling remaining lease
DHCPINFORM: Client to server, asking only for local configuration parameters; client already has externally configured network address

DHCP Function: Lower Level
IPv4 DHCP Packet Format
[Figure: IPv4 DHCP packet format, one 32-bit row per line]
OP Code | Hardware Type | Hardware Length | HOPS
Transaction ID (XID)
Seconds | Flags
Client IP Address (CIADDR)
Your IP Address (YIADDR)
Server IP Address (SIADDR)
Gateway IP Address (GIADDR)
Client Hardware Address (CHADDR)—16 Bytes
Server Name (SNAME)—64 Bytes
Filename—128 Bytes
DHCP Options

DHCP Attack Types
DHCP Starvation Attack
[Figure: a client running Gobbler against the DHCP server:
DHCP Discover (Broadcast) x (size of scope)
DHCP Offer (Unicast) x (size of DHCP scope)
DHCP Request (Broadcast) x (size of scope)
DHCP Ack (Unicast) x (size of scope)]

ƒ Gobbler/DHCPx looks at the entire DHCP scope and tries to
lease all of the DHCP addresses available in the DHCP scope
ƒ This is a Denial of Service DoS attack using DHCP leases

Countermeasures for DHCP Attacks
DHCP Starvation Attack = Port Security

[Figure: a client running Gobbler on a port protected by port security, the DHCP server on the far side of the switch.]

ƒ Gobbler uses a new MAC address to request a new DHCP lease
ƒ Restrict the number of MAC addresses on a port
ƒ It will not be able to lease more IP addresses than the number of
MAC addresses allowed on the port
ƒ In the example the attacker would get one IP address from the DHCP server

Cisco Catalyst OS
set port security 5/1 enable
set port security 5/1 port max 1
set port security 5/1 violation restrict
set port security 5/1 age 2
set port security 5/1 timer-type inactivity

Cisco IOS
switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity

DHCP Attack Types
Rogue DHCP Server Attack
[Figure: client, a rogue or unapproved DHCP server, and the real DHCP server on the same segment:
DHCP Discover (Broadcast)
DHCP Offer (Unicast) from rogue server
DHCP Request (Broadcast)
DHCP Ack (Unicast) from rogue server]


DHCP Attack Types
Rogue DHCP Server Attack

ƒ What can the attacker do if he is the DHCP server?

[Figure: "Here is your configuration", now supplied by the attacker:
IP Address: 10.10.10.101
Subnet Mask: 255.255.255.0
Default Routers: 10.10.10.1
DNS Servers: 192.168.10.4, 192.168.10.5
Lease Time: 10 days]

ƒ What do you see as a potential problem with incorrect
information?
Wrong default gateway—Attacker is the gateway
Wrong DNS server—Attacker is DNS server
Wrong IP address—Attacker does DOS with incorrect IP

Countermeasures for DHCP Attacks
Rogue DHCP Server = DHCP Snooping

[Figure: DHCP snooping-enabled switch. The client and the rogue server sit on untrusted ports; the real DHCP server sits on a trusted port. DHCP responses (offer, ack, nak) arriving on an untrusted port are BAD and dropped; the same responses on the trusted port are OK.]

Cisco IOS
Global commands
ip dhcp snooping vlan 4,104
no ip dhcp snooping information option
ip dhcp snooping

Interface commands, DHCP snooping untrusted client
no ip dhcp snooping trust (default)
ip dhcp snooping limit rate 10 (pps)

Interface commands, DHCP snooping trusted server or uplink
ip dhcp snooping trust

ƒ By default all ports in the VLAN are untrusted

Countermeasures for DHCP Attacks
Rogue DHCP Server = DHCP Snooping

[Figure: same DHCP snooping topology as the previous slide: untrusted client and rogue server ports, trusted DHCP server port; bad responses (offer, ack, nak) are dropped on the untrusted ports.]

DHCP Snooping Binding Table
sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:03:47:B5:9F:AD 10.120.4.10 193185 dhcp-snooping 4 FastEthernet3/18

ƒ Table is built by “snooping” the DHCP reply to the client
ƒ Entries stay in table until DHCP lease time expires

Advanced Configuration DHCP Snooping

ƒ Not all operating systems (Linux, for one) re-DHCP on
link down
ƒ In the event of switch failure, the DHCP snooping
binding table can be written to bootflash, ftp, rcp,
slot0, and tftp
ƒ This will be critical in the next section

ip dhcp snooping database tftp://172.26.168.10/tftpboot/tulledge/ngcs-4500-1-dhcpdb
ip dhcp snooping database write-delay 60


Advanced Configuration DHCP Snooping

[Figure: the DHCP packet format again, with the Client Hardware Address (CHADDR)—16 Bytes field highlighted.]

ƒ Gobbler uses a unique MAC for each DHCP request, and port security
prevents Gobbler
ƒ What if the attack used the same interface MAC address, but changed the
client hardware address in the request?
ƒ Port security would not work for that attack
ƒ The switches check the CHADDR field of the request to make sure it
matches the hardware MAC in the DHCP snooping binding table
ƒ If there is not a match, the request is dropped at the interface
Note: Some switches have this on by default, and others don’t;
please check the documentation for settings
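Added example, not from the Cisco deck: a small DHCP snooping model in Python covering the checks described on the last few slides: server messages dropped on untrusted ports, a binding table built from acknowledgements seen on the trusted port, and a client request dropped when its CHADDR does not match the frame's source MAC. The packet layout follows RFC 2131; the port names and every address except the page's own binding-table entry (00:03:47:B5:9F:AD, 10.120.4.10, lease 193185) are constructed.

```python
# Added example (not from the Cisco deck): a minimal DHCP snooping model.
# Packet layout follows RFC 2131. Port names and MACs other than the page's
# binding-table entry (00:03:47:b5:9f:ad / 10.120.4.10) are made up.
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie after the 236-byte header
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MSGS = {OFFER, ACK, NAK}              # the "DHCP responses" the slide drops on untrusted ports
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HDR = "!BBBBIHH4s4s4s4s16s64s128s"


def build_dhcp(op, msg_type, chaddr_hex, yiaddr="0.0.0.0", lease=0, xid=0x1234):
    """Constructed DHCP packet with option 53 (message type) and optional 51 (lease)."""
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                      bytes.fromhex(chaddr_hex).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])
    if lease:
        opts += bytes([51, 4]) + struct.pack("!I", lease)
    return hdr + MAGIC + opts + b"\xff"


def parse_dhcp(pkt):
    """Return the fields the snooper needs: op, xid, CHADDR (hlen bytes), YIADDR, options."""
    fields = struct.unpack(HDR, pkt[:236])
    op, hlen, xid, yi, chaddr = fields[0], fields[2], fields[4], fields[8], fields[11]
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:   # 0xFF = end option
        if pkt[i] == 0:                       # 0 = pad
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": chaddr[:hlen].hex(),
            "yiaddr": str(IPv4Address(yi)), "options": options}


class DhcpSnooper:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)     # server / uplink ports; everything else is untrusted
        self.client_port = {}                 # chaddr -> port the client request arrived on
        self.bindings = {}                    # chaddr -> (ip, lease seconds, client port)

    def process(self, port, src_mac, pkt):
        """Return 'forward' or a 'drop: ...' reason for a DHCP packet seen on port."""
        msg = parse_dhcp(pkt)
        mtype = msg["options"][53][0]
        if port not in self.trusted:
            if mtype in SERVER_MSGS:          # rogue server: offer/ack/nak from an untrusted port
                return "drop: server message on untrusted port"
            if msg["chaddr"] != src_mac.replace(":", "").lower():
                return "drop: CHADDR does not match source MAC"   # the CHADDR starvation variant
            self.client_port[msg["chaddr"]] = port
        elif mtype == ACK:                    # snoop the reply to build the binding table
            opts = msg["options"]
            lease = struct.unpack("!I", opts[51])[0] if 51 in opts else 0
            self.bindings[msg["chaddr"]] = (msg["yiaddr"], lease,
                                            self.client_port.get(msg["chaddr"]))
        return "forward"


def slide_scenario():
    """Client on Fa3/18, rogue server on Fa3/20, real server behind trusted Gi1/1."""
    snoop = DhcpSnooper(trusted_ports={"Gi1/1"})
    client, rogue, server = "00:03:47:b5:9f:ad", "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
    verdicts = [
        snoop.process("Fa3/18", client, build_dhcp(1, DISCOVER, "000347b59fad")),
        snoop.process("Fa3/20", rogue, build_dhcp(2, OFFER, "000347b59fad", "10.120.4.99")),
        snoop.process("Gi1/1", server, build_dhcp(2, ACK, "000347b59fad", "10.120.4.10", 193185)),
        snoop.process("Fa3/20", rogue, build_dhcp(1, REQUEST, "02deadbeef01")),
    ]
    return verdicts, snoop.bindings


if __name__ == "__main__":
    verdicts, table = slide_scenario()
    for line in verdicts:
        print(line)
    print(table)   # {'000347b59fad': ('10.120.4.10', 193185, 'Fa3/18')}
```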

DHCP Rogue Server

ƒ If there are switches in the network that will not support
DHCP snooping, you can configure VLAN ACLs to
block UDP port 68
set security acl ip ROGUE-DHCP permit udp host 192.0.2.1 any eq 68
set security acl ip ROGUE-DHCP deny udp any any eq 68
set security acl ip ROGUE-DHCP permit ip any any
set security acl ip ROGUE-DHCP permit udp host 10.1.1.99 any eq 68

ƒ Will not prevent the CHADDR DHCP starvation attack

[Figure: router 192.0.2.1 and DHCP server 10.1.1.99 behind the switch: the two hosts the ACL above permits to send to UDP port 68.]

Summary of DHCP Attacks

ƒ DHCP starvation attacks can be mitigated by
port security
ƒ Rogue DHCP servers can be mitigated by DHCP
snooping features
ƒ When configured with DHCP snooping, all ports in the
VLAN will be “untrusted” for DHCP replies
ƒ Check default settings to see if the CHADDR field is
being checked during the DHCP request
ƒ Unsupported switches can run ACLs for partial attack
mitigation (cannot check the CHADDR field)


DHCP Snooping Capacity

ƒ All DHCP snooping binding tables have limits
ƒ All entries stay in the binding table until the lease
runs out
ƒ If you have a mobile work environment, reduce the
lease time to make sure the binding entries will
be removed

sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:03:47:B5:9F:AD 10.120.4.10 193185 dhcp-snooping 4 FastEthernet3/18


Building the Layers

ƒ Port security prevents
CAM attacks and DHCP
starvation attacks
ƒ DHCP snooping prevents
rogue DHCP server
attacks

[Figure: the defence stack so far: Port Security at the bottom, DHCP Snooping on top of it.]



ARP Function Review
ƒ Before a station can talk to another station it must do an
ARP request to map the IP address to the MAC address
This ARP request is broadcast using EtherType 0x0806

ƒ All computers on the subnet will receive and process the
ARP request; the station that matches the IP address in the
request will send an ARP reply

[Figure: a host broadcasts "Who is 10.1.1.4?"; the owner answers "I am 10.1.1.4, MAC A".]


ARP Function Review
ƒ According to the ARP RFC, a client is allowed to send an
unsolicited ARP reply; this is called a gratuitous ARP; other
hosts on the same subnet can store this information in their
ARP tables
ƒ Anyone can claim to be the owner of any IP/MAC address
they like
ƒ ARP attacks use this to redirect traffic

[Figure: a host announces "I am 10.1.1.1, MAC A" with a gratuitous ARP; every other host on the segment records "You are 10.1.1.1, MAC A".]

ARP Attack Tools

ƒ Many tools on the net for ARP man-in-the-middle
attacks
Dsniff, Cain & Abel, ettercap, Yersinia, etc.

ƒ ettercap: http://ettercap.sourceforge.net/index.php
Some are second or third generation of ARP attack tools
Most have a very nice GUI and are almost point and click
Packet insertion, many to many ARP attack

ƒ All of them capture the traffic/passwords of applications
FTP, Telnet, SMTP, HTTP, POP, NNTP, IMAP, SNMP, LDAP,
RIP, OSPF, PPTP, MS-CHAP, SOCKS, X11, IRC, ICQ, AIM,
SMB, Microsoft SQL, etc.

BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 61

ARP Attack Tools
ƒ Ettercap in action
ƒ As you can see, it runs on Windows, Linux, Mac
ƒ Decodes passwords on the fly
ƒ In this example, a telnet username/password is captured

[Screenshot: Ettercap in action]

ARP Attack Tools: SSH/SSL
ƒ Using these tools SSL/SSH sessions can be intercepted and bogus certificate credentials can be presented
ƒ Once you have accepted the certificate, all SSL/SSH traffic for all SSL/SSH sites can flow through the attacker

ARP Attack in Action
ƒ Attacker “poisons” the ARP tables

[Diagram: three stations on one segment: 10.1.1.1 (MAC A), 10.1.1.2 (MAC B) and the attacker 10.1.1.3 (MAC C). The attacker sends an ARP to 10.1.1.1 saying "10.1.1.2 Is MAC C" and an ARP to 10.1.1.2 saying "10.1.1.1 Is MAC C". Afterwards 10.1.1.1 holds "10.1.1.2 Is Now MAC C" and 10.1.1.2 holds "10.1.1.1 Is Now MAC C".]

ARP Attack in Action
ƒ All traffic flows through the attacker

[Diagram: the same three stations; 10.1.1.1 (holding "10.1.1.2 Is Now MAC C") and 10.1.1.2 (holding "10.1.1.1 Is Now MAC C") each transmit and receive their traffic via MAC C, the attacker at 10.1.1.3.]

ARP Attack Clean Up
ƒ Attacker corrects the ARP table entries
ƒ Traffic flows return to normal

[Diagram: the attacker (10.1.1.3, MAC C) sends an ARP to 10.1.1.1 saying "10.1.1.2 Is MAC B" and an ARP to 10.1.1.2 saying "10.1.1.1 Is MAC A"; 10.1.1.1 now holds "10.1.1.2 Is Now MAC B" and 10.1.1.2 holds "10.1.1.1 Is Now MAC A".]

Countermeasures to ARP Attacks:
Dynamic ARP Inspection
ƒ Uses the DHCP snooping binding table information
ƒ Dynamic ARP inspection
All ARP packets must match the IP/MAC binding table entries
If the entries do not match, throw them in the bit bucket

[Diagram: the attacker (10.1.1.3, MAC C) sends an ARP to 10.1.1.1 saying "10.1.1.2 Is MAC C" and an ARP to 10.1.1.2 saying "10.1.1.1 Is MAC C"; the switch, with DHCP snooping and dynamic ARP inspection enabled, asks "Is this ARP in my DHCP snooping binding table?"; the answer is NO, so the ARPs go to the bit bucket and 10.1.1.1 (MAC A) and 10.1.1.2 (MAC B) are unaffected.]

Countermeasures to ARP Attacks:
Dynamic ARP Inspection

ƒ Uses the information from the DHCP snooping
binding table
sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:03:47:B5:9F:AD 10.120.4.10 193185 dhcp-snooping 4 FastEthernet3/18

ƒ Looks at the MacAddress and IpAddress fields to
see if the ARP from the interface is in the binding;
if not, traffic is blocked

Countermeasures to ARP Attacks:
Dynamic ARP Inspection
Configuration of Dynamic ARP Inspection (DAI)
ƒ DHCP snooping has to be configured first so that the binding table is built
ƒ DAI is configured by VLAN
ƒ You can trust an interface, like DHCP snooping
ƒ Be careful with rate limiting—varies between platforms
ƒ Suggested for voice is to set the rate limit above the default if you feel dial tone is important

Countermeasures to ARP Attacks:
Dynamic ARP Inspection
Dynamic ARP Inspection Commands

Cisco IOS
Global Commands
ip dhcp snooping vlan 4,104
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 4,104
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
Interface Commands (trusted interface)
ip dhcp snooping trust
ip arp inspection trust

Cisco IOS
Interface Commands (untrusted interface)
no ip arp inspection trust
(default)
ip arp inspection limit rate 15
(pps)

Additional Checks

ƒ Can check for both destination or source MAC and
IP addresses
Destination MAC: Checks the destination MAC address in the
Ethernet header against the target MAC address in ARP body
Source MAC: Checks the source MAC address in the Ethernet
header against the sender MAC address in the ARP body
IP address: Checks the ARP body for invalid and unexpected IP
addresses; addresses include 0.0.0.0, 255.255.255.255, and all
IP multicast addresses


Cisco IOS Commands
Cisco IOS
Global Commands
ip arp inspection validate dst-mac

ip arp inspection validate src-mac

ip arp inspection validate ip

Enable all commands
ip arp inspection validate src-mac dst-mac ip

ƒ Each check can be enabled independently
Each by themselves, or any combination of the three

ƒ The last command overwrites the earlier command
If you have dst-mac enabled and then enable src-mac, dst-mac
is no longer active
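The following Python model is an added example, not code from this deck or from Cisco. It pulls together the DAI behaviour described on the preceding slides: it parses the `sh ip dhcp snooping binding` output quoted above into bindings, skips trusted interfaces, applies the optional src-mac, dst-mac and ip checks, requires the sender IP/MAC to match a binding on the ingress VLAN and port, models the "last validate command overwrites the earlier one" rule, and enforces the 15 pps untrusted-port rate limit that err-disables the port. The packet and config dataclasses, the interface names other than the one in the quoted output, and the sample packets are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the `sh ip dhcp snooping binding` output quoted on the slides.
SNOOPING_BINDING_OUTPUT = """\
MacAddress         IpAddress       Lease(sec) Type          VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:03:47:B5:9F:AD  10.120.4.10     193185     dhcp-snooping 4    FastEthernet3/18
"""

BINDING_RE = re.compile(
    r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)$"
)


def parse_binding_table(text):
    """Parse `show ip dhcp snooping binding` into a set of (vlan, interface, mac, ip)."""
    bindings = set()
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            mac, ip, _lease, _type, vlan, intf = m.groups()
            bindings.add((int(vlan), intf, mac.lower(), ip))
    return bindings


@dataclass
class ArpPacket:
    """Hypothetical model of what DAI sees: Ethernet header fields plus the ARP body."""
    vlan: int
    port: str
    eth_src: str
    eth_dst: str
    opcode: int          # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class DaiConfig:
    vlans: set                                        # ip arp inspection vlan ...
    trusted_ports: set = field(default_factory=set)   # ip arp inspection trust
    validate: frozenset = frozenset()                 # ip arp inspection validate ...

    def set_validate(self, *checks):
        """Model `ip arp inspection validate`: the last command replaces the earlier one."""
        unknown = set(checks) - {"src-mac", "dst-mac", "ip"}
        if unknown:
            raise ValueError(f"unknown validate option(s): {sorted(unknown)}")
        self.validate = frozenset(checks)


def _invalid_ip(ip):
    """Addresses the `ip` check rejects in an ARP body: 0.0.0.0, 255.255.255.255, multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= int(ip.split(".")[0]) <= 239


def inspect_arp(pkt, cfg, bindings):
    """Return ('forward' | 'drop', reason) for one ARP packet, DAI style."""
    if pkt.vlan not in cfg.vlans:
        return "forward", "DAI not enabled on this VLAN"
    if pkt.port in cfg.trusted_ports:
        return "forward", "trusted interface"
    # Optional additional checks: Ethernet header against ARP body
    if "src-mac" in cfg.validate and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "drop", "src-mac: Ethernet source differs from ARP sender MAC"
    if "dst-mac" in cfg.validate and pkt.opcode == 2 and pkt.eth_dst.lower() != pkt.target_mac.lower():
        return "drop", "dst-mac: Ethernet destination differs from ARP target MAC"
    if "ip" in cfg.validate and (_invalid_ip(pkt.sender_ip) or (pkt.opcode == 2 and _invalid_ip(pkt.target_ip))):
        return "drop", "ip: invalid address in ARP body"
    # The core check: the sender IP/MAC must be bound to this VLAN and port
    if (pkt.vlan, pkt.port, pkt.sender_mac.lower(), pkt.sender_ip) in bindings:
        return "forward", "matches DHCP snooping binding"
    return "drop", "no matching binding (bit bucket)"


class ArpRateLimiter:
    """Per-port limit (default 15 pps on untrusted ports); exceeding it err-disables the port."""

    def __init__(self, pps=15):
        self.pps = pps
        self.arrivals = {}        # port -> arrival times within the last second
        self.err_disabled = set()

    def admit(self, port, now):
        if port in self.err_disabled:
            return False
        recent = [t for t in self.arrivals.get(port, []) if now - t < 1.0]
        recent.append(now)
        self.arrivals[port] = recent
        if len(recent) > self.pps:
            self.err_disabled.add(port)
            return False
        return True
```

The binding key includes the ingress port, which is why a host that moves the same MAC/IP pair to another port, or claims the gateway's address, fails the check even with the header/body validation switched on.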
Countermeasures to ARP Attacks:
Dynamic ARP Inspection
Error Messages in Show Log

sh log:
4w6d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 296 milliseconds on Gi3/2.
4w6d: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi3/2, putting Gi3/2 in err-disable state
4w6d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/2, vlan 183.([0003.472d.8b0f/10.10.10.62/0000.0000.0000/10.10.10.2/12:19:27 UTC Wed Apr 19 2000])
4w6d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/2, vlan 183.([0003.472d.8b0f/10.10.10.62/0000.0000.0000/10.10.10.3/12:19:27 UTC Wed Apr 19 2000])


Phone ARP Features
Configurable Options
ƒ Block voice VLAN from PC port
ƒ Ignore Gratuitous ARPs (GARPs)

These Features Were All Introduced in CCM 3.3(3), Except Signed Config Files and Disable Web Access Which Were Introduced in CCM 4.0

Phone ARP Features
ƒ Attacker “poisons” the ARP table on the router

[Diagram: the attacker (10.1.1.3, MAC C) sends an ARP to the router 10.1.1.1 saying "10.1.1.2 Is MAC C" and an ARP to the phone 10.1.1.2 saying "10.1.1.1 Is MAC C"; the router now holds "10.1.1.2 Is Now MAC C", but the phone ignores the gratuitous ARP and still holds "10.1.1.1 Is STILL MAC A".]

Phone ARP Features
ƒ Traffic from the router goes to the attacker; traffic from the phone goes to the router
ƒ Traffic from the phone is protected, but the router is still vulnerable without dynamic ARP inspection

[Diagram: router 10.1.1.1 (MAC A), phone 10.1.1.2 (MAC B), attacker 10.1.1.3 (MAC C)]

Non-DHCP Devices

ƒ Can use static bindings in the DHCP snooping binding table
Cisco IOS
Global Commands
ip source binding 0000.0000.0001 vlan 4 10.0.10.200 interface fastethernet 3/1

ƒ Showing the static and dynamic entries in the DHCP snooping binding table uses a different command
Cisco IOS
Show Commands
show ip source binding

Binding Table Info

ƒ No entry in the binding table—no traffic
ƒ Wait until all devices have new leases before turning on dynamic ARP inspection
ƒ Entries stay in the table until the lease runs out
ƒ All switches have a binding size limit
3000 switches—2500 entries
4000 switches—4000 entries (6000 for the SupV-10GE)
6000 switches—16,000 entries

Summary of ARP Attacks

ƒ Dynamic ARP inspection prevents ARP attacks by intercepting all ARP requests and responses
ƒ DHCP snooping must be configured first, otherwise there is no binding table for dynamic ARP inspection to use
ƒ The DHCP snooping table is built from the DHCP request, but you can put in static entries
If you have a device that does not use DHCP, but you would like to turn on dynamic ARP inspection, you would need a static entry in the table

More ARP Attack Information

ƒ Some IDS systems will watch for an unusually high amount of ARP traffic
ƒ ARPWatch is a freely available tool to track IP/MAC address pairings
Caution—you will need an ARPWatch server on every VLAN
Hard to manage and scale
You can still do static ARP for critical routers and hosts (administrative pain)
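To make the ARP review and the ARPWatch idea concrete, here is an added example, not code from the deck, from Cisco or from the ARPWatch project: a parser for the EtherType 0x0806 frames described in the ARP Function Review, a gratuitous-ARP check, and an ARPWatch-style tracker that keeps the last MAC seen for each IP and reports "new station", "changed ethernet address" and "flip flop" events. The sample capture is constructed to follow the deck's "ARP Attack in Action" and "Clean Up" slides (MAC A, MAC B and MAC C are invented addresses); the frame serializer exists only to build that sample.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806   # the EtherType the ARP review refers to


@dataclass(frozen=True)
class Arp:
    eth_dst: str
    eth_src: str
    opcode: int           # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame):
    """Parse an Ethernet II frame; return an Arp record, or None if it is not ARP."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    if len(frame) < 42:
        raise ValueError("truncated ARP body")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return Arp(_mac_str(eth_dst), _mac_str(eth_src), oper,
               _mac_str(sha), _ip_str(spa), _mac_str(tha), _ip_str(tpa))


def is_gratuitous(arp):
    """A gratuitous ARP announces the sender's own address: sender IP == target IP."""
    return arp.sender_ip == arp.target_ip


class PairingWatch:
    """ARPWatch-style tracker: remembers the last MAC seen for each IP and reports changes."""

    def __init__(self):
        self.current = {}    # ip -> mac seen most recently
        self.previous = {}   # ip -> mac seen before the last change

    def observe(self, arp):
        ip, mac = arp.sender_ip, arp.sender_mac
        old = self.current.get(ip)
        if old == mac:
            return []
        if old is None:
            alert = ("new station", ip, mac)
        elif self.previous.get(ip) == mac:
            alert = ("flip flop", ip, old, mac)          # pairing went back to an earlier MAC
        else:
            alert = ("changed ethernet address", ip, old, mac)
        if old is not None:
            self.previous[ip] = old
        self.current[ip] = mac
        return [alert]


def analyze_capture(frames):
    """Run every ARP frame in a capture through the tracker and return the alert list."""
    watch = PairingWatch()
    report = []
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp is None:
            continue
        if is_gratuitous(arp):
            report.append(("gratuitous arp", arp.sender_ip, arp.sender_mac))
        report.extend(watch.observe(arp))
    return report


def _frame(eth_dst, eth_src, opcode, sha, spa, tha, tpa):
    """Serialize one Ethernet/ARP frame; used only to build the constructed sample capture."""
    def mac(s):
        return bytes.fromhex(s.replace(":", ""))

    def ip(s):
        return bytes(int(x) for x in s.split("."))
    return (struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode, mac(sha), ip(spa), mac(tha), ip(tpa)))


MAC_A, MAC_B, MAC_C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"   # constructed
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

# Constructed capture following the deck's "ARP Attack in Action" and "Clean Up" slides
SAMPLE_CAPTURE = [
    _frame(BCAST, MAC_B, 1, MAC_B, "10.1.1.2", ZERO, "10.1.1.1"),   # 10.1.1.2 asks who is 10.1.1.1
    _frame(MAC_B, MAC_A, 2, MAC_A, "10.1.1.1", MAC_B, "10.1.1.2"),  # 10.1.1.1 answers: I am MAC A
    _frame(MAC_A, MAC_C, 2, MAC_C, "10.1.1.2", MAC_A, "10.1.1.1"),  # poison: "10.1.1.2 is MAC C" to 10.1.1.1
    _frame(MAC_B, MAC_C, 2, MAC_C, "10.1.1.1", MAC_B, "10.1.1.2"),  # poison: "10.1.1.1 is MAC C" to 10.1.1.2
    _frame(MAC_A, MAC_C, 2, MAC_B, "10.1.1.2", MAC_A, "10.1.1.1"),  # clean up: "10.1.1.2 is MAC B"
    _frame(MAC_B, MAC_C, 2, MAC_A, "10.1.1.1", MAC_B, "10.1.1.2"),  # clean up: "10.1.1.1 is MAC A"
    _frame(BCAST, MAC_A, 1, MAC_A, "10.1.1.1", ZERO, "10.1.1.1"),   # gratuitous ARP from 10.1.1.1
]
```

Note that in the clean-up frames the Ethernet source (MAC C) differs from the ARP sender MAC, which is exactly what the DAI `validate src-mac` check on the earlier slides is there to catch; the tracker here sees only the pairing change.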

Building the Layers

ƒ Port security prevents CAM attacks and DHCP starvation attacks
ƒ DHCP snooping prevents rogue DHCP server attacks
ƒ Dynamic ARP inspection prevents current ARP attacks

[Diagram: layered countermeasures, DAI on DHCP Snooping on Port Security]

Spoofing Attacks

ƒ MAC spoofing
If MACs are used for network access an attacker can gain
access to the network
Also can be used to take over someone’s identity already
on the network

ƒ IP spoofing
Ping of death
ICMP unreachable storm
SYN flood
Trusted IP addresses can be spoofed

Spoofing Attack: MAC
ƒ Attacker sends packets with the incorrect source MAC address
ƒ If network control is by MAC address, the attacker now looks like 10.1.1.2

[Diagram: the attacker 10.1.1.3 (MAC C) sends traffic with MAC B as the source; 10.1.1.1 (MAC A) receives traffic whose source address is 10.1.1.3, MAC B; the real 10.1.1.2 is MAC B]

Spoofing Attack: IP
ƒ Attacker sends packets with the incorrect source IP address
ƒ Whatever device the packet is sent to will never reply to the attacker

[Diagram: the attacker 10.1.1.3 (MAC C) sends traffic with IP 10.1.1.2 as the source; 10.1.1.1 (MAC A) receives traffic with source IP 10.1.1.2, MAC C; the real 10.1.1.2 is MAC B]

Spoofing Attack: IP/MAC
ƒ Attacker sends packets with the incorrect source IP and MAC address
ƒ Now looks like a device that is already on the network

[Diagram: the attacker 10.1.1.3 (MAC C) sends traffic with IP 10.1.1.2 and MAC B as the source; 10.1.1.1 (MAC A) receives traffic with source IP 10.1.1.2, MAC B, indistinguishable from the real 10.1.1.2]

Countermeasures to Spoofing Attacks:
IP Source Guard
ƒ Uses the DHCP snooping binding table information
ƒ IP Source Guard
Operates just like dynamic ARP inspection, but looks at every packet, not just ARP packets

[Diagram: the attacker 10.1.1.3 (MAC C) sends traffic with IP 10.1.1.2 and MAC B as the source; the switch, with DHCP snooping, dynamic ARP inspection and IP Source Guard enabled, asks "Is this traffic in my DHCP snooping binding table?"; the answer is NO, so the nonmatching traffic is dropped and 10.1.1.1 (MAC A) never receives it; traffic from the real 10.1.1.2 (MAC B) is delivered]

Countermeasures to Spoofing Attacks:
IP Source Guard

ƒ Uses the information from the DHCP snooping binding table
sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:03:47:B5:9F:AD 10.120.4.10 193185 dhcp-snooping 4 FastEthernet3/18

ƒ Looks at the MacAddress and IpAddress fields to see if the traffic from the interface is in the binding table; if not, traffic is blocked

Countermeasures to Spoofing Attacks:
IP Source Guard
Configuration of IP Source Guard
ƒ DHCP snooping has to be configured first so that the binding table is built
ƒ IP Source Guard is configured by port
ƒ IP Source Guard with MAC does not learn the MAC from the device connected to the switch, it learns it from the DHCP offer
ƒ There are very few DHCP servers that support Option 82 for DHCP
ƒ If you do not have an Option 82-enabled DHCP server you most likely will not get an IP address on the client

Note: There are at least two DHCP servers that support the Option 82 field: Cisco Network Registrar® and Avaya

Clear Up Source Guard
ƒ MAC and IP checking can be turned on separately or
together
For IP
Will work with the information in the binding table
For MAC
Must have an Option 82-enabled DHCP server
(Microsoft does not support Option 82)
Have to change all router configuration to support Option 82
All Layer 3 devices between the DHCP request and the DHCP
server will need to be configured to trust the Option 82 DHCP
request: ip dhcp relay information trust
ƒ Most enterprises do not need to check the MAC address
with IPSG
There are no known, good attacks that can use this information in
an enterprise network
Countermeasures to Spoofing Attacks:
IP Source Guard

IP Source Guard Configuration
IP Checking Only (No Opt 82)
What most Enterprises Will Run

Cisco IOS
Global Commands
ip dhcp snooping vlan 4,104
no ip dhcp snooping information option
ip dhcp snooping
Interface Commands
ip verify source vlan dhcp-snooping

IP Source Guard Configuration
IP/MAC Checking Only (Opt 82)

Cisco IOS
Global Commands
ip dhcp snooping vlan 4,104
ip dhcp snooping information option
ip dhcp snooping
Interface Commands
ip verify source vlan dhcp-snooping port-security
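The following is an added example, not code from the deck or from Cisco, that models the binding-table lifecycle behind both DAI and IP Source Guard (the "Non-DHCP Devices", "Binding Table Info" and IP Source Guard slides): dynamic entries are learned by snooping the DHCP reply and live for the lease, static `ip source binding` entries never expire, the table has a size limit, and the per-port filter runs in either IP-only mode (`ip verify source vlan dhcp-snooping`) or IP/MAC mode (`... port-security`). It shows the "no binding, no traffic" rule the deck warns about, including what happens when a lease runs out. The class and method names, the capacity value and the sample hosts are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    expires_at: Optional[float]   # None for a static `ip source binding` entry


class SnoopingBindingTable:
    """DHCP snooping binding table: dynamic entries live for the lease, static ones forever.
    `capacity` models the per-platform binding size limit the deck lists (assumed value)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = []

    def _prune(self, now):
        self.entries = [b for b in self.entries if b.expires_at is None or b.expires_at > now]

    def learn_from_dhcp_ack(self, mac, ip, vlan, interface, lease_sec, now):
        """Built by snooping the DHCP reply to the client; returns False if the table is full."""
        self._prune(now)
        if len(self.entries) >= self.capacity:
            return False
        self.entries.append(Binding(mac.lower(), ip, vlan, interface, now + lease_sec))
        return True

    def add_static(self, mac, ip, vlan, interface):
        """`ip source binding <mac> vlan <n> <ip> interface <if>` for a device that does not use DHCP."""
        self.entries.append(Binding(mac.lower(), ip, vlan, interface, None))

    def lookup(self, vlan, interface, now):
        """Live bindings for one VLAN/port; expired leases are dropped on the way."""
        self._prune(now)
        return [b for b in self.entries if b.vlan == vlan and b.interface == interface]


class IpSourceGuard:
    """Per-port filter applied to every IP packet, not just ARP.
    mode="ip" is `ip verify source vlan dhcp-snooping`; mode="ip-mac" adds `port-security`,
    i.e. the MAC the switch learned from the DHCP offer (the Option 82 path)."""

    def __init__(self, table, mode="ip"):
        if mode not in ("ip", "ip-mac"):
            raise ValueError("mode must be 'ip' or 'ip-mac'")
        self.table = table
        self.mode = mode

    def permit(self, vlan, interface, src_ip, src_mac, now):
        for b in self.table.lookup(vlan, interface, now):
            if b.ip == src_ip and (self.mode == "ip" or b.mac == src_mac.lower()):
                return True
        return False   # no binding table entry for this port: no traffic
```

The lease-expiry path is the one that surprises people in deployment: an entry that has aged out blocks the host until it renews, which is why the deck says to wait for all devices to obtain new leases before turning the features on.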

Building the Layers

ƒ Port security prevents CAM attacks and DHCP starvation attacks
ƒ DHCP snooping prevents rogue DHCP server attacks
ƒ Dynamic ARP inspection prevents current ARP attacks
ƒ IP Source Guard prevents IP/MAC spoofing

[Diagram: layered countermeasures, IPSG on DAI on DHCP Snooping on Port Security]

Spanning Tree Basics
ƒ STP purpose: to maintain loop-free topologies in a redundant Layer 2 infrastructure

[Diagram: a switch is elected as root; root selection is based on the lowest configured priority of any switch (0–65535); a ‘tree-like’, loop-free topology is established from the perspective of the root bridge, with one redundant link blocked (X)]

ƒ STP is very simple; messages are sent using Bridge Protocol Data Units (BPDUs); basic messages include: configuration, topology change notification/acknowledgment (TCN/TCA); most have no “payload”
ƒ Avoiding loops ensures broadcast traffic does not become storms

Spanning Tree Attack Example
ƒ Send BPDU messages to become root bridge

[Diagram: the current root switch above two access switches; STP has one redundant link blocked (X); the attacking host connects to the access switches and sends BPDUs]

Spanning Tree Attack Example
ƒ Send BPDU messages to become root bridge
The attacker then sees frames he shouldn’t
MITM, DoS, etc. all possible
Any attack is very sensitive to the original topology, trunking, PVST, etc.
Although STP takes link speed into consideration, it is always done from the perspective of the root bridge; taking a Gb backbone to half-duplex 10 Mb was verified
Requires attacker is dual homed to two different switches (with a hub, it can be done with just one interface on the attacking host)

[Diagram: the attacking host, dual-homed to the two access switches, is now Root; the link towards the former root is blocked (X)]

STP Attack Mitigation
ƒ Try to design loop-free topologies wherever possible, so you do not need STP
ƒ Don’t disable STP; introducing a loop would become another attack
ƒ BPDU guard
Should be run on all user facing ports and infrastructure facing ports
Disables ports using portfast upon detection of a BPDU message on the port
Globally enabled on all ports running portfast
Available in Cisco Catalyst OS 5.4.1 for Cisco Catalyst 2000 Series, Cisco Catalyst 4000 Series, Cisco Catalyst 5000 Series, and Cisco Catalyst 6000 Series; 12.0XE for native Cisco IOS 6000 Series; 12.1(8a)EW for Cisco 4000 Series IOS; 12.1(4)EA1 for 3550; 12.1(6)EA2 for 2950

CatOS> (enable)set spantree portfast bpdu-guard enable
IOS(config)#spanning-tree portfast bpduguard

STP Attack Mitigation

ƒ Root Guard
Disables ports who would become the root bridge due to their
BPDU advertisement
Configured on a per port basis
Available in Cisco Catalyst OS 6.1.1 for Cisco Catalyst 29XX,
Cisco Catalyst 4000 Series, Cisco Catalyst 5000 Series, Cisco
Catalyst 6000 Series; 12.0(7) XE for native Cisco IOS 6000
Series, 12.1(8a)EW for 4K Cisco IOS; 29/3500XL in 12.0(5)XU;
3550 in 12.1(4)EA1; 2950 in 12.1(6)EA2

CatOS> (enable) set spantree guard root 1/1
IOS(config)#spanning-tree guard root (or rootguard)
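As an added example covering the STP basics and the two mitigations above (not code from the deck or from Cisco), here is a parser for the 802.1D configuration BPDU, the bridge-ID comparison that decides a root election (lowest priority, then lowest MAC), and the per-port decision a switch makes with BPDU guard or root guard configured: any BPDU on a portfast port with BPDU guard err-disables it, and a BPDU advertising a root better than the current one on a root-guard port puts that port in the root-inconsistent (blocked) state instead of re-electing the root. The port policy class, the sample bridge IDs and the serializer used to build the sample BPDUs are my own constructions.

```python
import struct
from dataclasses import dataclass

LLC_STP = b"\x42\x42\x03"                 # DSAP/SSAP 0x42 + UI control byte in front of every 802.1D BPDU
CONFIG_BPDU_FMT = "!HBBBH6sIH6sHHHHH"    # the 35-byte 802.1D configuration BPDU


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int   # compared first: the lowest priority wins the root election
    mac: str        # tie-breaker: the lowest MAC wins


@dataclass(frozen=True)
class ConfigBpdu:
    root: BridgeId
    root_path_cost: int
    bridge: BridgeId
    port_id: int
    max_age_s: float
    hello_s: float
    forward_delay_s: float


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def parse_config_bpdu(payload):
    """Parse LLC + 802.1D configuration BPDU bytes (payload of a frame to 01:80:c2:00:00:00)."""
    if not payload.startswith(LLC_STP):
        raise ValueError("not an STP LLC frame")
    size = struct.calcsize(CONFIG_BPDU_FMT)
    body = payload[3:3 + size]
    if len(body) != size:
        raise ValueError("truncated BPDU")
    (proto, _version, bpdu_type, _flags, root_prio, root_mac, cost,
     br_prio, br_mac, port_id, _msg_age, max_age, hello, fwd) = struct.unpack(CONFIG_BPDU_FMT, body)
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError(f"unsupported BPDU (proto={proto}, type={bpdu_type:#x})")
    # Timer fields are carried in units of 1/256 s
    return ConfigBpdu(BridgeId(root_prio, _mac_str(root_mac)), cost,
                      BridgeId(br_prio, _mac_str(br_mac)), port_id,
                      max_age / 256, hello / 256, fwd / 256)


def build_config_bpdu(root, cost, bridge, port_id, max_age_s=20, hello_s=2, fwd_s=15):
    """Serialize a configuration BPDU; used only to construct the sample frames in the test."""
    return LLC_STP + struct.pack(CONFIG_BPDU_FMT, 0, 0, 0x00, 0,
                                 root.priority, _mac_bytes(root.mac), cost,
                                 bridge.priority, _mac_bytes(bridge.mac), port_id,
                                 0, int(max_age_s * 256), int(hello_s * 256), int(fwd_s * 256))


@dataclass
class PortPolicy:
    """Hypothetical per-port settings: portfast edge port, BPDU guard, root guard."""
    name: str
    portfast: bool = False
    bpdu_guard: bool = False   # spanning-tree portfast bpduguard
    root_guard: bool = False   # spanning-tree guard root


def handle_bpdu(port, bpdu, current_root):
    """What the switch does with a BPDU received on `port`, given the root it currently knows."""
    if port.portfast and port.bpdu_guard:
        return "err-disable"                  # any BPDU on a portfast edge port disables the port
    if port.root_guard and bpdu.root < current_root:
        return "root-inconsistent"            # superior root claim: block this port rather than re-elect
    return "process"                          # ordinary STP processing
```

Root guard is the one to reach for on infrastructure-facing ports where BPDUs are expected: it leaves the legitimate topology alone and only reacts to a claim that would move the root.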

Cisco Discovery Protocol (CDP)
ƒ Not normally an attack
ƒ Runs at Layer 2 and allows Cisco devices to chat with one another
ƒ Can be used to learn sensitive information about the CDP sender
(IP address, software version, router model, etc.)
ƒ CDP is in the clear and unauthenticated
ƒ Consider disabling CDP, or being very selective in its use in
security sensitive environments
ƒ Used by Cisco IPT for network management
ƒ Note: there was a reason Cisco developed CDP,
some Cisco apps make use of it
CatOS> (enable) set cdp disable <mod>/<port> | all
IOS(config)#no cdp run
IOS(config-if)#no cdp enable

CDP Attacks
ƒ Besides the information gathering benefit CDP offers an
attacker, there was a vulnerability in CDP that allowed Cisco
devices to run out of memory and potentially crash if you
sent it tons of bogus CDP packets
ƒ If you need to run CDP, be sure to use Cisco IOS code with
minimum version numbers: 12.2(3.6)B, 12.2(4.1)S,
12.2(3.6)PB, 12.2(3.6)T, 12.1(10.1), 12.2(3.6) or Cisco
Catalyst OS code 6.3, 5.5, or 7.1 and later
ƒ Problem was due to improper memory allocation for the
CDP process (basically there was no upper limit)
ƒ For more information
http://www.cisco.com/warp/public/707/cdp_issue.shtml
http://www.kb.cert.org/vuls/id/139491
Phone CDP Security

ƒ Switches can now check more than CDP to allow a device in the voice VLAN
ƒ Can check for CDP and line power
ƒ Can check for CDP, line power, and full duplex
ƒ 3560 and 3750 version 12.2(36) SE only today

[Diagram: switch port with VLAN 10 and VLAN 20]

Phone CDP Security
Delivered Feature Different Than Planned

[Diagram: the phone sends CDP; the switch checks line power; voice VLAN traffic is allowed]

ƒ If CDP is sent and no power is drawn, port will disable
ƒ If a PC plugs in and no CDP is sent, the port disables because no power is drawn
Not the suggested design
ƒ Future versions will work with PC, if no CDP, data traffic allowed
Will not work with soft clients on PC; if CDP is sent and no power is drawn, the port will disable; first customer ship in Fall 2008

IOS(config-if)# switchport voice detect cisco-phone
Check Line Power and CDP
IOS(config-if)#switchport voice detect cisco-phone full-duplex
Check Line Power, CDP and only Full Duplex

Switch Management
ƒ Management can be your weakest link
All the great mitigation techniques we talked about aren’t worth much if the attacker telnets
into your switch and disables them
ƒ Most of the network management protocols we know and love are
insecure (syslog, SNMP, TFTP, telnet, FTP, etc.)
ƒ Consider secure variants of these protocols as they become available
(SSH, SCP, SSL, OTP etc.), where impossible, consider out of band
(OOB) management
Put the management VLAN into a dedicated nonstandard VLAN where nothing but
management traffic resides
Consider physically backhauling this interface to your management network
ƒ When OOB management is not possible, at least limit access to the
management protocols using the “set ip permit” lists on the management
protocols
ƒ SSH is available on Cisco Catalyst 6000 Series with Cisco Catalyst OS
6.1 and Cisco Catalyst 4000 Series/29XXG with Cisco Catalyst OS 6.3;
3550 in 12.1(11)EA1; 2950 in 12.1(12c)EA1; Cisco IOS 6000 Series
12.1(5c)E12; Cisco IOS 4000 Series in 12.1(13)EW

Port Security: Example Config
Will Enable Voice to Work Under Attack

Cisco Catalyst OS
set port security 5/1 enable
set port security 5/1 port max 3
set port security 5/1 violation restrict
set port security 5/1 age 2
set port security 5/1 timer-type inactivity

Cisco IOS
switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity

ƒ Number is not to control access, it is to protect the switch from attack
ƒ Depending on security policy, disabling the port might be preferred, even with VoIP
ƒ Aging time of two and aging type inactivity to allow for phone CDP of 1 minute

If violation error-disable, the following log message will be produced: 4w6d: %PM-4-ERR_DISABLE: Psecure-Violation Error Detected on Gi3/2, Putting Gi3/2 in Err-Disable State

New Features for Port Security
New Commands
Cisco IOS
switchport port-security
switchport port-security maximum 1 vlan voice
switchport port-security maximum 1 vlan access
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
snmp-server enable traps port-security trap-rate 5

ƒ Per port per VLAN max MAC addresses
ƒ Restrict now will let you know something has happened—
you will get an SNMP trap
Everyone asked so Cisco did it
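The two port security slides above (the example config and the per-VLAN maximum with `trap-rate 5`) are easier to reason about with a model in hand. The following Python is an added example, not code from the deck or from Cisco: it simulates one port with a per-VLAN maximum, `violation restrict` (drop, count, rate-limited SNMP trap) versus `shutdown` (err-disable), and inactivity aging, then runs a constructed timeline in which a phone sends CDP every 60 seconds, a PC speaks once and goes quiet, and a burst of bogus MACs hits the access VLAN. It shows why a 2-minute inactivity age keeps a phone with 1-minute CDP alive while the silent PC ages out. The class, the scenario and the MAC addresses are assumptions made for the illustration.

```python
class PortSecurity:
    """Model of `switchport port-security` on one port: per-VLAN maximums, violation mode,
    inactivity aging, and the rate-limited SNMP trap sent in restrict mode."""

    def __init__(self, max_per_vlan, aging_time_min=2, violation="restrict", trap_rate=5):
        self.max_per_vlan = dict(max_per_vlan)   # e.g. {"voice": 1, "access": 1}
        self.aging_sec = aging_time_min * 60      # aging time N, aging type inactivity
        self.violation = violation                # "restrict" or "shutdown"
        self.trap_rate = trap_rate                # snmp-server enable traps port-security trap-rate N
        self.secure = {}                          # (vlan, mac) -> time last seen
        self.violations = 0
        self.traps = []                           # times at which a trap was actually sent
        self.err_disabled = False

    def _age_out(self, now):
        """Inactivity aging: forget secure MACs that have been silent for the aging time."""
        for key, last_seen in list(self.secure.items()):
            if now - last_seen >= self.aging_sec:
                del self.secure[key]

    def _count(self, vlan):
        return sum(1 for v, _ in self.secure if v == vlan)

    def frame(self, now, vlan, src_mac):
        """Process one ingress frame at time `now` (seconds); returns what happened to it."""
        if self.err_disabled:
            return "drop:err-disabled"
        self._age_out(now)
        key = (vlan, src_mac.lower())
        if key in self.secure:
            self.secure[key] = now
            return "forward"
        if self._count(vlan) < self.max_per_vlan.get(vlan, 0):
            self.secure[key] = now
            return "forward:learned"
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True              # logs %PM-4-ERR_DISABLE: psecure-violation
            return "drop:err-disabled"
        if sum(1 for t in self.traps if now - t < 1.0) < self.trap_rate:
            self.traps.append(now)                # restrict: drop, count, and send a trap
        return "drop:restrict"


PHONE_MAC = "00:0b:be:ef:00:01"    # constructed sample addresses
PC_MAC = "00:1c:c0:ff:ee:01"
NEW_PC_MAC = "00:1c:c0:ff:ee:02"


def run_scenario():
    """Constructed timeline: phone CDP every 60 s, one PC frame, then 20 bogus MACs in one
    second on the access VLAN (the CAM-flood pattern port security is there to contain)."""
    ps = PortSecurity({"voice": 1, "access": 1}, aging_time_min=2)
    events = [(0, "voice", PHONE_MAC), (5, "access", PC_MAC), (60, "voice", PHONE_MAC)]
    events += [(100 + i * 0.01, "access", f"00:bad:00:00:00:{i:02x}") for i in range(20)]
    events += [(120, "voice", PHONE_MAC), (180, "voice", PHONE_MAC), (230, "access", NEW_PC_MAC)]
    log = [ps.frame(t, vlan, mac) for t, vlan, mac in sorted(events)]
    return ps, log
```

Of the 20 violations in the burst only five traps go out, which is the point of `trap-rate 5`: the NMS learns something happened without being flooded by the flood.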

Countermeasures for DHCP Attacks
Rogue DHCP Server = DHCP Snooping

[Diagram: DHCP snooping-enabled switch; the client sits on an untrusted port; the DHCP server sits on a trusted port, so its responses (offer, ack, nak) are OK; the rogue server sits on an untrusted port, so its responses (offer, ack, nak) are BAD and dropped]

DHCP Snooping Binding Table
sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:03:47:B5:9F:AD 10.120.4.10 193185 dhcp-snooping 4 FastEthernet3/18

ƒ Table is built by “snooping” the DHCP reply to the client
ƒ Entries stay in table until DHCP lease time expires

Countermeasures to ARP Attacks:
Dynamic ARP Inspection
ƒ Uses the DHCP snooping binding table information
ƒ Dynamic ARP inspection
All ARP packets must match the IP/MAC binding table entries
If the entries do not match, throw them in the bit bucket

[Diagram: the attacker (10.1.1.3, MAC C) sends an ARP to 10.1.1.1 saying "10.1.1.2 Is MAC C" and an ARP to 10.1.1.2 saying "10.1.1.1 Is MAC C"; the switch, with DHCP snooping and dynamic ARP inspection enabled, asks "Is this ARP in my DHCP snooping binding table?"; the answer is NO, so the ARPs go to the bit bucket and 10.1.1.1 (MAC A) and 10.1.1.2 (MAC B) are unaffected.]

Countermeasures to Spoofing Attacks:
IP Source Guard
ƒ Uses the DHCP snooping binding table information
ƒ IP Source Guard
Operates just like dynamic ARP inspection, but looks at every packet, not just ARP packets

[Diagram: the attacker 10.1.1.3 (MAC C) sends traffic with IP 10.1.1.2 and MAC B as the source; the switch, with DHCP snooping, dynamic ARP inspection and IP Source Guard enabled, asks "Is this traffic in my DHCP snooping binding table?"; the answer is NO, so the nonmatching traffic is dropped and 10.1.1.1 (MAC A) never receives it; traffic from the real 10.1.1.2 (MAC B) is delivered]

The One Thing to Remember

ƒ If you do not have a binding table entry, you will not
allow traffic from that port with these features enabled
Dynamic ARP inspection
IP Source Guard

ƒ Users get grumpy when this happens
ƒ Would be wise to test and understand before
deployment

Matrix for Security Features (1/3)

Feature/Platform                6500/Cisco Catalyst OS   6500/Cisco IOS   4500/Cisco Catalyst OS   4500/Cisco IOS
Dynamic Port Security           7.6(1)                   12.1(13)E        5.1(1)                   12.1(13)EW
Per VLAN Dynamic Port Security  Roadmapped*              Roadmapped*      N/A                      12.2(31)SGA***
DHCP Snooping                   8.3(1)                   12.2(18)SXE*     N/A                      12.1(12c)EW***
DAI                             8.3(1)                   12.2(18)SXE*     N/A                      12.1(19)EW***
IP Source Guard                 8.3(1)**                 12.2(18)SXD2     N/A                      12.1(19)EW***

*Works on trunks today, roadmapped for access ports
**Requires Sup720—support for Sup32 DHCP snooping and DAI
***For the Cisco Catalyst 4500-Cisco IOS-based platforms, this requires Sup2+ or above
These Sups are supported on the Cisco Catalyst 4006, 4503, 4506, and 4507R chassis running Cisco Catalyst OS or any 2900 platform

Matrix for Security Features (2/3)

Feature/Platform                3750/3560 EMI   3550 EMI      2960 EI       2950 EI        2950 SI
Dynamic Port Security           12.1(25)SE      12.2(25)SEA   12.1(11)AX    12.0(5.2)WC1   12.0(5.2)WC1
Per VLAN Dynamic Port Security  12.2(37)SE      NA            12.2(37)SE    NA             NA
DHCP Snooping                   12.1(25)SE      12.2(25)SEA   12.1(19)EA1   12.1(19)EA1    N/A
DAI                             12.2(25)SE      12.2(25)SEA   N/A           N/A            N/A
IP Source Guard                 12.2(25)SE      12.2(25)SEA   N/A           N/A            N/A

Note: Old names of the Cisco IOS for the 3000 Series switches
Cisco IOS feature finder: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

Matrix for Security Features (3/3)

Feature/Platform                3750/3560 Advanced IP   3550 Advanced IP   3750/3560 IP Base   3550 IP Base
Dynamic Port Security           12.1(25)SE              12.2(25)SEA        12.1(25)SEA         12.2(25)SEA
Per VLAN Dynamic Port Security  12.2(37)SE              N/A                12.2(37)SEA         N/A
DHCP Snooping                   12.1(25)SE              12.1(25)SEA        12.1(25)SEA         12.1(25)SEA
DAI                             12.2(25)SE              12.2(25)SEA        12.2(25)SEA         12.2(25)SEA
IP Source Guard                 12.2(25)SE              12.2(25)SEA        12.1(25)SEA         12.2(25)SEA

Note: Name change of the Cisco IOS on the 3000 Series switches
Cisco IOS feature finder: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

Building the Layers

ƒ Port security prevents CAM attacks and DHCP starvation attacks
ƒ DHCP snooping prevents rogue DHCP server attacks
ƒ Dynamic ARP inspection prevents current ARP attacks
ƒ IP Source Guard prevents IP/MAC spoofing

[Diagram: layered countermeasures, IPSG on DAI on DHCP Snooping on Port Security]

Layer 2 Security Best Practices (1/2)

ƒ Manage switches in as secure a manner as possible
(SSH, OOB, permit lists, etc.)
ƒ Always use a dedicated VLAN ID for all trunk ports
ƒ Be paranoid: do not use VLAN 1 for anything
ƒ Set all user ports to nontrunking (unless you are
Cisco VoIP)
ƒ Deploy port-security where possible for user ports
ƒ Selectively use SNMP and treat community strings
like root passwords
ƒ Have a plan for the ARP security issues in your
network (ARP inspection, IDS, etc.)

Layer 2 Security Best Practices (2/2)

ƒ Enable STP attack mitigation
(BPDU Guard, Root Guard)
ƒ Decide what to do about DHCP attacks
(DHCP snooping, VACLs)
ƒ Use MD5 authentication for VTP
ƒ Use CDP only where necessary—with phones
it is useful
ƒ Disable all unused ports and put them in
an unused VLAN
All of the Preceding Features Are Dependent
on Your Own Security Policy
Lessons Learned
ƒ Carefully consider any time you
must count on VLANs to operate in a
security role
If properly configured, our testing did not discover
a method of VLAN Hopping using Cisco switches
Pay close attention to the configuration
Understand the organizational implications

ƒ Evaluate your security policy while
considering the other issues raised in
this session
Is there room for improvement?
What campus risks are acceptable based on
your policy?

ƒ Deploy, where appropriate, L2 security
best practices

Q and A

Recommended Reading

ƒ Continue your Cisco Live
learning experience with further
reading from Cisco Press
ƒ Check the Recommended
Reading flyer for suggested
books

Available Onsite at the Cisco Company Store

Complete Your Online Session Evaluation
ƒ Give us your feedback and you could win fabulous prizes. Winners announced daily.
ƒ Receive 20 Passport points for each session evaluation you complete.
ƒ Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.