{"id":1133,"date":"2009-12-14T01:08:44","date_gmt":"2009-12-14T07:08:44","guid":{"rendered":"http:\/\/gregsowell.com\/?p=1133"},"modified":"2014-03-31T08:08:16","modified_gmt":"2014-03-31T14:08:16","slug":"layer-2-security-protect-you-and-your-users-from-attack","status":"publish","type":"post","link":"https:\/\/gregsowell.com\/?p=1133","title":{"rendered":"Layer 2 Security &#8211; Protect You and Your Users From Attack"},"content":{"rendered":"<p>Before your access lists or firewall rules comes layer 2(L2).  This is the Data link layer where your MAC addressing lives.  Why do we need to protect L2&#8230;?<\/p>\n<li>Man in the middle attacks happen via L2<\/li>\n<li>Rogue DHCP on a single segment<\/li>\n<li>DHCP server starvation attack<\/li>\n<li>ARP attacks against your switches<\/li>\n<p>Lets hit these guys one at a time:<\/p>\n<p><strong>Man in the middle attack<\/strong><br \/>\nWhat is a man in the middle attack?  <a href=\"http:\/\/en.wikipedia.org\/wiki\/Man-in-the-middle_attack\">Here&#8217;s<\/a> what wikipedia says about it.  In a nutshell I tell the router that I am you, and I tell you that I am the router.  What happens is that all your traffic passes through me&#8230;while I intercept everything possible about what you are doing.  I wait for you to attempt a bank transaction and hand you a bunk site certificate and steal your monies \ud83d\ude42  I do this by sending gratuitous ARPs.  These are unprovoked ARP announcements.  I send ARPs over and over to the router saying I&#8217;m you.  I then send you ARPs over and over saying that I am the router.<br \/>\n<figure id=\"attachment_1137\" aria-describedby=\"caption-attachment-1137\" style=\"width: 584px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/gregsowell.com\/wp-content\/uploads\/2009\/11\/man-in-the-middle.JPG\" alt=\"Man in the middle...you are Bob and all your base are belong to us\" title=\"man-in-the-middle\" width=\"584\" height=\"387\" class=\"size-full wp-image-1137\" srcset=\"https:\/\/gregsowell.com\/wp-content\/uploads\/2009\/11\/man-in-the-middle.JPG 584w, https:\/\/gregsowell.com\/wp-content\/uploads\/2009\/11\/man-in-the-middle-300x198.jpg 300w\" sizes=\"auto, (max-width: 584px) 100vw, 584px\" \/><figcaption id=\"caption-attachment-1137\" class=\"wp-caption-text\">Man in the middle...you are Bob and all your base are belong to us<\/figcaption><\/figure><br \/>\nSo as you can imagine, if you manage a hotel or apartment complex, this could be a HUGE problem.  This could be a problem for enterprises also, but for more or less shared public infrastructure, this is scary.<\/p>\n<p><strong>Rogue DHCP on a segment<\/strong><br \/>\nWhat is a rouge DHCP server?  This is when you have an unauthorized DHCP server handing out IP addresses on your network.  Why is this a problem?  A DHCP request fulfillment is really a foot race.  You can have many DHCP servers on a single LAN segment, but whichever gets it&#8217;s answer back to the requesting host, wins.  So, if your legitimate DHCP server is 20 milliseconds away and the rogue is 5 milliseconds away, guess who will win the race?  This is a problem because rogues will generally give you a false path to the internet.  They could create a man in the middle attack as above.  They can hand you an IP address and say that they are the router to the internet.  You will pass all your traffic to them and they will relay it on.  Most often we see rogues in apartment complex networks.  This is due to the fact that users will plug their wireless routers in backwards and start handing out IP addresses.  There is no malicious intent in this second scenario, but they can take out large portions of your apartment users!<br \/>\n<figure id=\"attachment_1142\" aria-describedby=\"caption-attachment-1142\" style=\"width: 630px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/gregsowell.com\/wp-content\/uploads\/2009\/11\/rogue-dhcp.JPG\" alt=\"Improperly connected wireless router is closer, and responds faster...so now you are getting a junk IP and Default Route\" title=\"rogue-dhcp\" width=\"630\" height=\"377\" class=\"size-full wp-image-1142\" srcset=\"https:\/\/gregsowell.com\/wp-content\/uploads\/2009\/11\/rogue-dhcp.JPG 630w, https:\/\/gregsowell.com\/wp-content\/uploads\/2009\/11\/rogue-dhcp-300x179.jpg 300w\" sizes=\"auto, (max-width: 630px) 100vw, 630px\" \/><figcaption id=\"caption-attachment-1142\" class=\"wp-caption-text\">Improperly connected wireless router is closer, and responds faster...so now you are getting a junk IP and Default Route<\/figcaption><\/figure><\/p>\n<p><strong>DHCP starvation attack<\/strong><br \/>\nA starvation attack is when a user spoofs tons of MAC addresses and requests a DHCP address from each MAC.  This means that a single attacker can accept and hold all of your DHCP addresses, thus not allowing your legitimate users to pull an address.<br \/>\n<figure id=\"attachment_1150\" aria-describedby=\"caption-attachment-1150\" style=\"width: 629px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/gregsowell.com\/wp-content\/uploads\/2009\/11\/dhcp-starvation.JPG\" alt=\"I&#039;ve taken all the DHCP IPs...now you can&#039;t pull an IP\" title=\"dhcp-starvation\" width=\"629\" height=\"453\" class=\"size-full wp-image-1150\" srcset=\"https:\/\/gregsowell.com\/wp-content\/uploads\/2009\/11\/dhcp-starvation.JPG 629w, https:\/\/gregsowell.com\/wp-content\/uploads\/2009\/11\/dhcp-starvation-300x216.jpg 300w\" sizes=\"auto, (max-width: 629px) 100vw, 629px\" \/><figcaption id=\"caption-attachment-1150\" class=\"wp-caption-text\">I've taken all the DHCP IPs...now you can't pull an IP<\/figcaption><\/figure><\/p>\n<p><strong>ARP attacks against our switches<\/strong><br \/>\nI&#8217;ve got a 6509, why should I bother with one little guy ARP attacking me?  Because even a Cisco 6500 will only hold about 120K MAC addresses in its MAC-Address table(per VLAN) before it gets overrun.  Once your fancy switch is overrun and the MAC table is full, it turns into a fancy hub!  So, all of your super secret traffic you don&#8217;t want anyone else to see is now getting broadcast out every port configured for that access VLAN or untagged for that VLAN.  I just got you again.  You know what&#8217;s even better is that my ARP will propagate through your fancy 6500 and down to your not so fancy edge switches that can handle even less traffic&#8230;snap&#8230;I just got you again.  You also realize that this attack can reach maturity in around 10-20 seconds?<br \/>\n<figure id=\"attachment_1140\" aria-describedby=\"caption-attachment-1140\" style=\"width: 639px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/gregsowell.com\/wp-content\/uploads\/2009\/11\/switch-arp-attack.JPG\" alt=\"ARP attacking a switch to overrun the MAC Address table\" title=\"switch-arp-attack\" width=\"639\" height=\"499\" class=\"size-full wp-image-1140\" srcset=\"https:\/\/gregsowell.com\/wp-content\/uploads\/2009\/11\/switch-arp-attack.JPG 639w, https:\/\/gregsowell.com\/wp-content\/uploads\/2009\/11\/switch-arp-attack-300x234.jpg 300w\" sizes=\"auto, (max-width: 639px) 100vw, 639px\" \/><figcaption id=\"caption-attachment-1140\" class=\"wp-caption-text\">ARP attacking a switch to overrun the MAC Address table - again, all your traffic are come to me<\/figcaption><\/figure><\/p>\n<p><strong>Configuration<\/strong><br \/>\nSo, now we have a few compelling reasons why we need L2 security, how do we do it?  The first thing you do is get yourself some Cisco switches&#8230;:)  I have no idea how to do it with anything else.  I know Juniper\/Procurve will do it, but exactly how is a mystery to me.  So now that I&#8217;ve told you get Cisco, I must tell you which models support our features.  As far as the 1U switching line, you will need at least a 3550 or above.  This covers 3560s and 3750s.  If you are going with say a 6500 series switch, you will need at minimum a Sup32.  A 3550 24 port will run you around $150.  A 3550 48 port will run you around $190.<\/p>\n<p><strong>Port security<\/strong><br \/>\nTime to get to the real configuration.  What we are going to kick on 1st is port security.  This sets a limit on the number of MAC addresses that can be learned via a single switch port.  Setting port security will help to protect our DHCP server from a starvation attack.  I generally like to set the number of allowed MAC addresses to 10.  You have to remember that if you are using Cisco phones and you are piggy backing your PC off of it, you will be required to allow at least 2 MAC addresses.  Some switches will see the initial CDP message come from the phone and consider this a separate MAC, so on these switches you would need 3 MAC allowances.  The easiest thing I have found is to simply allow 10 MACs.  Port security is configured on a per port basis.<\/p>\n<pre class=\"gs-code\"><code class=\"language-plaintext\">interface FastEthernet0\/1\r\n switchport port-security maximum 10 !sets max MACs to 10\r\n switchport port-security !enables port security\r\n switchport port-security aging time 30 ! sets the time in minutes that MAC addresses will timeout\r\n switchport port-security violation restrict !sets the violate action to restrict - default is err disable port\r\n switchport port-security aging type inactivity !sets the aging type to only start when there is no activity on the port<\/code><\/pre>\n<p><a href=\"http:\/\/www.cisco.com\/en\/US\/docs\/switches\/lan\/catalyst6500\/ios\/12.1E\/native\/configuration\/guide\/port_sec.html\">Here&#8217;s <\/a>the Cisco docs on it.<br \/>\nAnother quick note is that we don&#8217;t enable port security on trunk ports.  Now that we have that covered, lets move on.<\/p>\n<p><strong>DHCP Snooping<\/strong><br \/>\nWe are next going to enable DHCP snooping(DS).  DS will prevent our rogue DHCP servers.  It only allows DHCP servers to respond on interfaces marked as trusted.  Everything past this point builds off of DHCP snooping, so it&#8217;s quite a critical step.  How DS works is to monitor DHCP requests coming from a port and to record the responses into a table on the switch called the&#8230;get ready for it, deep breath&#8230;DHCP snooping binding table(DSBT).  I know what you are thinking&#8230;&#8221;We don&#8217;t have everything set for DHCP, like some printers and machines.&#8221;    To this I say, almost anything can be set for DHCP.  If you use dynamic DNS like Microsoft Active Directory(AD), you can simply reference the DNS name of the device.  Or, if you setup reservation in your DHCP server for these devices, they will technically make the DHCP request, but they will pull the same IP every time.<br \/>\nDS is configured globally on a VLAN and not locally per interface.  <\/p>\n<pre class=\"gs-code\"><code class=\"language-plaintext\">ip dhcp snooping vlan 10 !set your VLANs that should be snooped\r\nip dhcp snooping database tftp:\/\/10.1.1.1\/the-file !this will offload your DSBT to an TFTP server - We generally use Mikrotik&#039;s TFTP server\r\nip dhcp snooping database write-delay 60 !setup a write delay if an entry changes in the DSBT\r\nip dhcp snooping verify mac-address !ensures that the MAC learned on the port matches that in the DHCP request\r\nip dhcp snooping !enable DS on the switch<\/code><\/pre>\n<p>In the above example you see that I upload the DSBT to an TFTP server.  I do this so that when a switch looses power it will repopulate its DSBT.  This doesn&#8217;t seem like that big a deal because windows hosts and Mac hosts will pull DHCP when an interfaces loses connectivity, so they will be ok.  A lot of Linux hosts, however, won&#8217;t reDHCP when their interfaces lose connectivity.<br \/>\nBy default, when you turn on DS all ports are considered untrusted.  You will need to mark the to specify trusted interface.  A trusted interface is an interface where the DHCP server should be coming from.  <em>If you are on an edge switch and you don&#8217;t physically have the DHCP server plugged into it, you will need to set the trunk ports as trusted ports!<\/em><\/p>\n<pre class=\"gs-code\"><code class=\"language-plaintext\">interface GigabitEthernet0\/1\r\n switchport trunk encapsulation dot1q\r\n switchport trunk allowed vlan 10\r\n switchport mode trunk\r\n ip dhcp snooping trust !set this trunk port as a trusted port<\/code><\/pre>\n<p>You can also set a packet per second rate limit per port.<\/p>\n<pre class=\"gs-code\"><code class=\"language-plaintext\">interface FastEthernet0\/1\r\n ip dhcp snooping limit rate 50 !50 PPS<\/code><\/pre>\n<p><a href=\"http:\/\/www.cisco.com\/en\/US\/docs\/switches\/lan\/catalyst6500\/ios\/12.2SXF\/native\/configuration\/guide\/snoodhcp.html\">Here&#8217;s <\/a>what Cisco says about DS.<\/p>\n<p><strong>Dynamic ARP inspection<\/strong><br \/>\nNow we will turn on some dynamic ARP inspection(DAI).  So, what does our friend DAI do?  He inspects every ARP packet that flows on untrusted ports and makes sure they conform to the DHCP snooping binding table.  So this kills the man in the middle attacks that leverage false gratuitous ARPs.<br \/>\nDIA configures globally also:<\/p>\n<pre class=\"gs-code\"><code class=\"language-plaintext\">ip arp inspection vlan 10 !specify which VLANs to scan\r\nip arp inspection validate src-mac ip !checks for bad IPs and ensures that it is sourced from interface MAC\r\nip arp inspection log-buffer entries 1024 !by default 32 entries max will be held non violates\r\nip arp inspection log-buffer logs 1024 interval 10 !by default will only hold them for 5 seconds, this ups to 10<\/code><\/pre>\n<p>We also have to mark which ports are trusted ports.  These are ports we don&#8217;t inspect on.  Your trunk ports will always need to be trusted&#8230;unless you want to black hole your traffic?<\/p>\n<pre class=\"gs-code\"><code class=\"language-plaintext\">interface GigabitEthernet0\/1\r\n switchport trunk encapsulation dot1q\r\n switchport trunk allowed vlan 10\r\n switchport mode trunk\r\n ip arp inspection trust !marked as trusted<\/code><\/pre>\n<p>Also, by default he does an ARP packet per second limiting.  The default is 15 PPS, I generally up this to 50.<\/p>\n<pre class=\"gs-code\"><code class=\"language-plaintext\">interface FastEthernet0\/1\r\n ip arp inspection limit rate 50<\/code><\/pre>\n<p>When the PPS rate limit is violated, the switch port will err disable.  I recommend doing error recovery for this reason:<\/p>\n<pre class=\"gs-code\"><code class=\"language-plaintext\">errdisable recovery cause arp-inspection !enables recovery for arp-inspection PPS events\r\nerrdisable recovery interval 14400 ! this value is in seconds.  I have this set to 4 hours<\/code><\/pre>\n<p>Cisco&#8217;s docs can be found <a href=\"http:\/\/www.cisco.com\/en\/US\/docs\/switches\/lan\/catalyst3560\/software\/release\/12.2_20_se\/configuration\/guide\/swdynarp.html\">here <\/a>on DAI.<\/p>\n<p>So this will protect you from attacks on L2, but it won&#8217;t provide any authentication.  If you want to do some L2 authentication, you need to check out 802.1X.  Is 802.1X a replacement for L2 security, NO!  Just because someone can authenticate doesn&#8217;t mean they don&#8217;t have a virus on their machine that will attack your network in some way&#8230;trust no one \ud83d\ude09<\/p>\n<p>If you enjoyed this article and wouldn&#8217;t mind seeing more, drop me a line and tell me about it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Before your access lists or firewall rules comes layer 2(L2). This is the Data link layer where your MAC addressing lives. Why do we\u2026<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16,6,8,24],"tags":[],"class_list":["post-1133","post","type-post","status-publish","format-standard","hentry","category-cisco","category-mikrotik","category-networking","category-security"],"_links":{"self":[{"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/posts\/1133","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/gregsowell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1133"}],"version-history":[{"count":32,"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/posts\/1133\/revisions"}],"predecessor-version":[{"id":4792,"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/posts\/1133\/revisions\/4792"}],"wp:attachment":[{"href":"https:\/\/gregsowell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1133"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gregsowell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1133"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gregsowell.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1133"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}