© 2007 Cisco Systems, Inc. All rights reserved. SNRS v

Layer 2 Security: Examining Layer 2 Attacks
Types of Attacks
- CAM table overflow
- VLAN hopping
- Spanning tree manipulation
- MAC address spoofing
- PVLAN attacks
- DHCP attacks
CAM Table Overflow Attack
[Figure: hosts A, B, C and D on VLAN 10. The attacker on port 3/25 fills the CAM table with entries for bogus MAC addresses X, Y and Z (each mapped to port 3/25); as a result the attacker sees traffic to servers B and D.]
Port Security
[Figure: port security on a switch port with allowed MAC addresses A, D, E and F; the attacker's frames are not accepted.]
Secure MAC Addresses
- Static
- Dynamic
- Sticky
Default Settings

Feature                  Default Setting
Port security            Disabled
Maximum MAC addresses    1
Violation mode           Shutdown
Sticky address learning  Disabled
Port security aging      Disabled. Aging time is 0. When enabled, the default type is absolute.
Configuration Guidelines
- Only on static access ports
- Not on trunk or dynamic access ports
- Not on a SPAN port
- Not on an EtherChannel port
- Voice VLAN: dynamic secure addresses are assigned
- On a port with a voice VLAN, set the maximum MAC addresses to two plus the maximum number of MAC addresses allowed on the access VLAN
- Dynamic port security is enabled on the voice VLAN when port security is enabled on the access VLAN
- Not configurable on a per-VLAN basis
- No aging of sticky addresses
- The protect and restrict options cannot be enabled at the same time
Configuring Port Security

switch(config-if)# switchport mode access
  Set the interface mode as access

switch(config-if)# switchport port-security
  Enable port security on the interface

switch(config-if)# switchport port-security maximum value
  Set the maximum number of secure MAC addresses for the interface (optional)
Configuring Port Security (Cont.)

switch(config-if)# switchport port-security mac-address sticky
  Enable sticky learning on the interface (optional)

switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
  Set the violation mode (optional)

switch(config-if)# switchport port-security mac-address mac-address
  Enter a static secure MAC address for the interface (optional)
Configuring Port Security Aging

switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
  Enable or disable static aging for the secure port, or set the aging time or type
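The following simulation is an added example for this lesson (not Cisco code) showing why the CAM table overflow attack works and how the port security settings configured above stop it. It models a switch with a fixed-size CAM table and a per-port maximum of secure MAC addresses with the three violation modes; the port names, MAC addresses and CAM capacity are constructed values, and IOS behaviour is modelled only as far as the slides describe it (the protect mode drops frames silently, restrict and shutdown increment the violation counter, shutdown also err-disables the port).

```python
"""Simulation of a switch CAM table with and without port security.
Added example for this lesson; it is not Cisco code. Ports, MAC
addresses and the CAM capacity are constructed values."""
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"


@dataclass
class Switch:
    ports: list                                      # all ports in one VLAN
    cam_capacity: int                                # fixed hardware limit of the CAM table
    cam: dict = field(default_factory=dict)          # learned MAC -> port
    security: dict = field(default_factory=dict)     # port -> {"max": n, "violation": mode}
    secure_macs: dict = field(default_factory=dict)  # port -> set of secure MACs
    err_disabled: set = field(default_factory=set)   # ports shut down by a violation
    violations: dict = field(default_factory=dict)   # port -> SecurityViolation count

    def enable_port_security(self, port, maximum=1, violation="shutdown"):
        """Equivalent of: switchport port-security [maximum N] [violation MODE]."""
        assert violation in ("protect", "restrict", "shutdown")
        self.security[port] = {"max": maximum, "violation": violation}
        self.secure_macs[port] = set()

    def _security_allows(self, port, src):
        """Apply port security to a frame's source MAC. Returns True if the
        frame may be processed, False if a violation drops it."""
        cfg = self.security.get(port)
        if cfg is None:
            return True
        secure = self.secure_macs[port]
        if src in secure:
            return True
        if len(secure) < cfg["max"]:
            secure.add(src)          # dynamic secure address learning
            return True
        # A new source MAC beyond the configured maximum is a violation.
        if cfg["violation"] in ("restrict", "shutdown"):
            self.violations[port] = self.violations.get(port, 0) + 1
        if cfg["violation"] == "shutdown":
            self.err_disabled.add(port)
        return False                 # protect/restrict drop the frame; shutdown also disables the port

    def receive(self, port, src, dst):
        """Process one frame and return the list of egress ports."""
        if port in self.err_disabled:
            return []
        if not self._security_allows(port, src):
            return []
        # Source learning only succeeds while the CAM table has free entries.
        if src not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[src] = port
        # Known unicast goes to one port; unknown destinations are flooded.
        if dst in self.cam and dst != BROADCAST:
            return [self.cam[dst]]
        return [p for p in self.ports if p != port]


# Constructed MAC addresses for the scenario.
A, B = "0000.0000.000a", "0000.0000.000b"
BOGUS = ["0000.0000.00ee", "0000.0000.00ef", "0000.0000.00f0", "0000.0000.00f1"]


def run_scenario(violation=None):
    """The attacker on 3/25 sends frames from four bogus source MACs, then
    server B (port 3/2) and host A (port 3/1) exchange frames. violation=None
    means port security is off. Returns (egress ports of A's frame to B, switch)."""
    sw = Switch(ports=["3/1", "3/2", "3/3", "3/25"], cam_capacity=4)
    if violation:
        sw.enable_port_security("3/25", maximum=1, violation=violation)
    for mac in BOGUS:
        sw.receive("3/25", mac, BROADCAST)
    sw.receive("3/2", B, A)          # B is learned only if the CAM table still has room
    return sw.receive("3/1", A, B), sw


if __name__ == "__main__":
    out, sw = run_scenario()
    print("no port security: A->B egress", out)       # flooded, 3/25 included
    for mode in ("protect", "restrict", "shutdown"):
        out, sw = run_scenario(mode)
        print(mode, "A->B egress", out,
              "violations", sw.violations.get("3/25", 0),
              "err-disabled", sorted(sw.err_disabled))
```

Without port security the four bogus addresses fill the CAM table, B can no longer be learned, and A's frame to B is flooded out of every other port, including the attacker's. With a maximum of one secure address on 3/25, only the first bogus MAC is accepted, B is learned normally, and A's frame reaches only port 3/2; the modes differ only in whether the counter increments and whether the port is err-disabled.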
Verifying Port Security

sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
             (Count)        (Count)      (Count)
Fa0/                                                        Shutdown
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
Verifying Port Security (Cont.)

sw-class# show port-security interface fa0/12
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address        :
Security Violation Count   : 0
Verifying Port Security (Cont.)

sw-class# show port-security address
Secure Mac Address Table
Vlan  Mac Address  Type              Ports  Remaining Age (mins)
      ffff.aaaa    SecureConfigured  Fa0/
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
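As an added example of putting the verification commands to use (not Cisco tooling), the script below parses the `show port-security interface` output format shown above for several interfaces and flags ports that need attention: ports that are err-disabled after a violation (status Secure-shutdown), ports with a non-zero violation count, ports without port security, and ports in protect mode, which gives no notification. The sample output is constructed to match the slide's format; the interface names, MAC addresses and counters are made up.

```python
"""Parser and checker for `show port-security interface` output.
Added example, not Cisco tooling. The sample output is constructed
to match the slide's format; all values in it are made up."""
import re

SAMPLE = """\
sw-class# show port-security interface fa0/12
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.000a
Security Violation Count   : 0
sw-class# show port-security interface fa0/13
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.00ee
Security Violation Count   : 1
"""

# "hostname# show port-security interface <intf>" starts a new block.
PROMPT_RE = re.compile(r"^\S+#\s*show port-security interface\s+(\S+)", re.I)
# "Field name : value" lines inside a block.
FIELD_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*)$")


def parse_port_security(text):
    """Return {interface: {field: value}} for every interface block in text."""
    result, current = {}, None
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            current = m.group(1).lower()
            result[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            result[current][m.group(1).strip()] = m.group(2).strip()
    return result


def findings(ports):
    """Return a list of (interface, message) for ports that need attention."""
    out = []
    for intf, f in sorted(ports.items()):
        if f.get("Port Security") != "Enabled":
            out.append((intf, "port security not enabled"))
            continue
        if f.get("Port Status") == "Secure-shutdown":
            out.append((intf, "err-disabled by a security violation"))
        count = int(f.get("Security Violation Count", "0"))
        if count > 0:
            out.append((intf, f"{count} violation(s), last source "
                              f"{f.get('Last Source Address')}"))
        if f.get("Violation Mode") == "Protect":
            out.append((intf, "protect mode gives no notification of violations"))
    return out


if __name__ == "__main__":
    for intf, msg in findings(parse_port_security(SAMPLE)):
        print(f"{intf}: {msg}")
```

Run against the output of the real command (for example collected for every access port by a management script), the same two functions give a quick list of ports that have been err-disabled and of the last source address that caused each violation.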
VLAN Hopping
[Figure: two switches joined by an 802.1Q trunk, with servers on VLAN 10 and VLAN 20; the attacker sees traffic to the servers.]
Mitigating VLAN Hopping

switch(config-if)# switchport mode access
  Configure the port as an access port
Spanning Tree Manipulation
[Figure: STP topology with the root bridge and port states (F = forwarding, B = blocking); the attacker sends STP BPDUs to change the root bridge.]
Mitigating Spanning Tree Manipulation

switch(config)# spanning-tree portfast bpduguard default
  Globally enable BPDU guard on all PortFast-enabled ports

switch(config-if)# spanning-tree guard root
  Enable root guard on an interface
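To make the two guards concrete, here is an added model (not Cisco code) of how a switch processes configuration BPDUs with and without them. Bridge IDs are (priority, MAC) tuples and the lower value wins, as in 802.1D. BPDU guard err-disables a PortFast port that receives any BPDU; root guard keeps a port from accepting a superior BPDU by placing it in the root-inconsistent state, and releases it once superior BPDUs stop arriving (modelled here as an explicit event rather than the max-age timer). The switch, port names and bridge IDs are constructed values.

```python
"""Model of STP root election with BPDU guard and root guard.
Added example for this lesson, not Cisco code. Bridge IDs are
(priority, MAC) tuples, lower wins; all values are constructed."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpdu_guard: bool = False      # spanning-tree portfast bpduguard default
    root_guard: bool = False      # spanning-tree guard root
    state: str = "forwarding"     # forwarding | err-disabled | root-inconsistent


@dataclass
class Bridge:
    bridge_id: tuple
    ports: dict = field(default_factory=dict)
    root_id: tuple = None
    root_port: str = None

    def __post_init__(self):
        if self.root_id is None:
            self.root_id = self.bridge_id   # a bridge starts by believing it is root

    def receive_bpdu(self, port_name, advertised_root):
        """Process a configuration BPDU that claims advertised_root as root."""
        port = self.ports[port_name]
        if port.state == "err-disabled":
            return "dropped (err-disabled)"
        if port.portfast and port.bpdu_guard:
            port.state = "err-disabled"          # no BPDU is expected on an edge port
            return "bpduguard: port err-disabled"
        superior = advertised_root < self.root_id
        if superior and port.root_guard:
            port.state = "root-inconsistent"     # refuse to elect a root through this port
            return "rootguard: port root-inconsistent"
        if superior:
            self.root_id, self.root_port = advertised_root, port_name
            return "new root accepted"
        return "inferior or equal BPDU, root unchanged"

    def superior_bpdus_stopped(self, port_name):
        """Root guard recovers the port on its own once superior BPDUs stop
        (after max age in IOS; modelled here as an explicit event)."""
        port = self.ports[port_name]
        if port.state == "root-inconsistent":
            port.state = "forwarding"


LEGIT_ROOT = (4096, "0000.0000.0001")     # constructed: the intended root bridge
ATTACKER_ROOT = (0, "0000.0000.00ee")     # constructed: priority 0 claims root


def build_bridge(protect):
    """Access switch with an uplink Gi0/1 toward the real root, an edge port
    Fa0/12 and a downstream port Fa0/24. protect=True enables BPDU guard on
    the edge port and root guard on the downstream port."""
    sw = Bridge(bridge_id=(32768, "0000.0000.0002"))
    sw.ports = {
        "Gi0/1": Port("Gi0/1"),
        "Fa0/12": Port("Fa0/12", portfast=True, bpdu_guard=protect),
        "Fa0/24": Port("Fa0/24", root_guard=protect),
    }
    sw.receive_bpdu("Gi0/1", LEGIT_ROOT)   # learn the legitimate root via the uplink
    return sw


if __name__ == "__main__":
    for protect in (False, True):
        sw = build_bridge(protect)
        print("protect =", protect)
        print("  Fa0/12:", sw.receive_bpdu("Fa0/12", ATTACKER_ROOT), "root =", sw.root_id)
        print("  Fa0/24:", sw.receive_bpdu("Fa0/24", ATTACKER_ROOT), "root =", sw.root_id)
```

Without the guards, a single superior BPDU on either port makes the access switch elect the attacker as root; with them, the edge port is err-disabled and the downstream port is held root-inconsistent while the legitimate root stays in place, which is exactly what the two commands above configure.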
MAC Spoofing: Man-in-the-Middle Attacks
[Figure: hosts A, B and C on switch ports 1, 2 and 3, with the CAM table mapping MAC A to port 1; in the second diagram the attacker on port 3 sends frames using MAC A, so the switch now associates MAC A with port 3 and traffic for A is delivered to the attacker.]
PVLAN Proxy Attack
[Figure: host A on an isolated port, B on the promiscuous port and host C, all in the same /24 subnet; A sends a packet with source A, destination IP C and destination MAC B.]
Mitigating PVLAN Proxy Attacks
Build an ACL for the subnet and apply the ACL to the interface:

router(config)# access-list 101 deny ip
router(config)# access-list 101 permit ip any any
router(config-if)# ip access-group 101 in
Summary
- Switches, and Layer 2 of the OSI model in general, are subject to network attacks in unique ways.
- The CAM table overflow attack is an attempt to exploit the fixed hardware limitations of the switch's CAM table.
- The port security feature restricts input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port.
- Several commands are available to verify port security configuration and operation.
- VLAN hopping exploits the use of 802.1Q.
- Spanning tree manipulation allows the attacker to change the root bridge of a network.
- MAC spoofing attacks involve the use of a known MAC address of another host.
- PVLAN proxy attacks use a wrong destination MAC address.