Ethernet: Layer 2 Security
Eric Vyncke
Cisco Systems
Distinguished Engineer
Evyncke@cisco.com
Vyncke ethernet security
© 2003, Cisco Systems, Inc. All rights reserved.
1
The Domino Effect
• Unfortunately this means if one layer is hacked, communications are
compromised without the other layers being aware of the problem
• Security is only as strong as your weakest link
• When it comes to networking, layer 2 can be a VERY weak link
Application Stream
Presentation
Session
Transport
Network
Data Link
Physical
Vyncke ethernet layer 2 security
Compromised
Application
Application
Presentation
Session
Protocols/Ports
Transport
IP Addresses
Network
Initial
MACCompromise
Addresses
Physical Links
© 2003, Cisco Systems, Inc. All rights reserved.
Data Link
Physical
2
MAC Attacks
Vyncke ethernet security
© 2003, Cisco Systems, Inc. All rights reserved.
3
CAM Overflow 1/2
MAC
A
X
B
Y
C
port
1
3
2
3
3
MAC B
Port 2
Port 1
MAC A
Port 3
Y->?
X is on port 3
Y is on port 3
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
MAC C
4
CAM Overflow 2/2
MAC
X
Y
C
port
3
3
3
MAC B
Port 2
Port 1
MAC A
Port 3
I see traffic
to B !
B unknown…
flood the frame
MAC C
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
5
MAC Flooding Attack Mitigation
• Port Security
Allows you to specify MAC addresses for each port, or to
learn a certain number of MAC addresses per port
Upon detection of an invalid MAC block only the
offending MAC or just shut down the port
• Smart CAM table
Never overwrite existing entries
Only time-out inactive entries
Active hosts will never be overwritten
• Speak first
Deviation from learning bridge: never flood
Requires a hosts to send traffic first before receiving
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
6
ARP Attacks
Vyncke ethernet security
© 2003, Cisco Systems, Inc. All rights reserved.
7
ARP Spoofing
IP a
MAC A
IP b
MAC B
• C is sending faked gratuitous
ARP reply to A
IP c
MAC C
• C sees traffic from IP a to IP b
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
8
Mitigating ARP Spoofing
• ARP spoofing works only within one VLAN
• static ARP table on critical stations (but dynamic
ARP override static ARP on most hosts!)
• ARP ACL: checking ARP packets within a VLAN
Either by static definition
Or by snooping DHCP for dynamic leases
• No direct communication among a VLAN: private
VLAN
Spoofed ARP packet cannot reach other hosts
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
9
ARP Spoof Mitigation: Private VLANs
Promiscuous
Port
Promiscuous
Port
Primary VLAN
Isolated VLAN
x
x
Isolated
Ports
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
10
VLAN “Hopping” Attacks
Vyncke ethernet security
© 2003, Cisco Systems, Inc. All rights reserved.
11
Trunk Port Refresher
Trunk Port
• Trunk ports have access to all VLANs by default
• Used to route traffic for multiple VLANs across the
same physical link (generally used between switches)
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
12
Basic VLAN Hopping Attack
Trunk Port
Trunk Port
• A station can spoof as a switch with 802.1Q signaling
• The station is then member of all VLANs
• Requires a trunking favorable setting on the port (the SANS
paper is three years old)
http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
13
Double Encapsulated 802.1Q VLAN
Hopping Attack
Strip off First,
and Send
Back out
Attacker
802.1q, Frame
Note: Only Works if Trunk Has the
Same Native VLAN as the Attacker
Victim
• Send double encapsulated 802.1Q frames
• Switch performs only one level of decapsulation
• Unidirectional traffic only
• Works even if trunk ports are set to off
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
14
Mitigation
• Use recent switches
• Disable auto-trunking
• Never put host in the trunk native VLAN
• Put unused ports in an unused VLAN
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
15
Spanning Tree Attacks
Vyncke ethernet security
© 2003, Cisco Systems, Inc. All rights reserved.
16
Spanning Tree Basics
A
F
F
F
F
Root
A Switch Is
Elected as Root
A ‘Tree-Like’
Loop-Free Topology
Is Established
F
B
X
F
F
B
Loop-Free Connectivity
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
17
Spanning Tree Attack Example 1/2
• Send BPDU messages from
attacker to force spanning tree
recalculations
Access Switches
Root
F
F
Impact likely to be DoS
• Send BPDU messages to become
root bridge
F
F
X
F
B
Attacker
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
18
Spanning Tree Attack Example 2/2
• Send BPDU messages from
attacker to force spanning tree
recalculations
Access Switches
Root
F
F
B
X
Impact likely to be DoS
• Send BPDU messages to become
root bridge
F
F
The hacker then sees frames he
shouldn’t
MITM, DoS, etc. all possible
Any attack is very sensitive to
the original topology, trunking,
PVST, etc.
Requires attacker to be dual homed
to two different switches
F
F
B
Root
Attacker
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
19
STP Attack Mitigation
• Disable STP
(It is not needed in loop free topologies)
• BPDU Guard
Disables ports upon detection of a BPDU message
on the port
• Root Guard
Disables ports who would become the root bridge
due to their BPDU advertisement
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
20
Other Attacks
Vyncke ethernet security
© 2003, Cisco Systems, Inc. All rights reserved.
21
DHCP Rogue Server Attack
• Simply the installation of an unknown DHCP
Server in the local subnet
• Other attack: exhaustion of DHCP pools
• RFC 3118 “Authentication for DHCP Messages”
will help, but has yet to be implemented
• Mitigation:
Consider using multiple DHCP servers for the different
security zones of your network
Use intra VLAN ACL to block DHCP traffic from unknown
server
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
22
ProActive Defense
Vyncke ethernet security
© 2003, Cisco Systems, Inc. All rights reserved.
23
Wire-Speed Access Control Lists
• Many current switches offer wire-speed ACLs to
control traffic flows (with or without a router
port)
• Allows implementation of edge filtering that
might otherwise not be deployed due to
performance concerns
• VLAN ACLs and Router ACLs are typically the
two implementation methods
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
24
Network Intrusion Detection System
• Network IDS are now able to
Understand trunking protocols
Fast enough to handle 1 Gbps
Including management of alerts !
Understand layer 2 attacks
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
25
802.1x
• 802.1x is an IEEE Standard for Port Based
Network Access Control
EAP based
Improved user authentication: username and
password
Can work on plain 802.3 or 802.11
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
26
IEEE 802.1X Terminology
Semi-Public Network /
Enterprise Edge
Enterprise Network
R
A
D
I
U
S
Authentication
Server
Authenticator
(e.g. Switch,
Access Point)
Supplicant
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
27
What Does it Do?
• Transport authentication information in the form of
Extensible Authentication Protocol (EAP) payloads.
• The authenticator (switch) becomes the middleman for
relaying EAP received in 802.1x packets to an authentication
server by using RADIUS to carry the EAP information.
• Three forms of EAP are specified in the standard
EAP-MD5 – MD5 Hashed Username/Password
EAP-OTP – One-Time Passwords
EAP-TLS – Strong PKI Authenticated Transport Layer
Security (SSL) - Preferred Method Of Authentication
802.1x Header
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
EAP Payload
28
Example Solution “A”—Access Control
and User Policy Enforcement
Switch Applies Policies
and Enables Port
User Has Access to
Network, with
Applicable VLAN
• Set port VLAN to 5
Login Request
Credentials
Login Good!
Apply Policies
Check with Policy DB
This Is John Doe!
He Goes into VLAN 5
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
29
Example Solution “B” – Access For Guest
Users
Switch applies policies and
enables port.
User has access to DMZ or
“Quarantine” network.
Login Request
•Set port VLAN to 100 - DMZ
•Set port QoS Tagging to 7
•Set QoS rate limit for 2Mbps
Authentication timeout.
Retries expired.
Client is not 802.1x capable.
Put them in the quarantine zone!
Login Request
Login Request
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
30
Summary
Vyncke ethernet security
© 2003, Cisco Systems, Inc. All rights reserved.
31
Layer 2 Security Best Practices 1/2
• Manage switches in as secure a manner as possible
(SSH, OOB, permit lists, etc.)
• Always use a dedicated VLAN ID for all trunk ports
• Be paranoid: do not use VLAN 1 for anything
• Set all user ports to non trunking
• Deploy port-security where possible for user ports
• Selectively use SNMP and treat community strings
like root passwords
• Have a plan for the ARP security issues in your
network
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
32
Layer 2 Security Best Practices 2/2
• Enable STP attack mitigation (BPDU Guard,
Root Guard)
• Use private VLANs where appropriate to
further divide L2 networks
• Disable all unused ports and put them in an
unused VLAN
• Consider 802.1X for middle term
All of the Preceding Features Are Dependant on
Your Own Security Policy
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
33
Final Word
• Switches were not designed for security
• Now, switches are designed with security
in mind
• In most cases, with good configuration,
they can even enhance your network
security
Vyncke ethernet layer 2 security
© 2003, Cisco Systems, Inc. All rights reserved.
34
