Secure Switch (Layer 2): Data plane

Switch Basics

  • Trunk ports carry traffic for all VLANs and use 802.1Q tags to mark which VLAN each frame belongs to

Attack 1: Using a rogue DHCP server to carry out a man-in-the-middle attack

  • As a DHCP server also hands out gateway and DNS information, a rogue DHCP server can pass on its own IP address as the default gateway to any client requesting an IP address
  • The rogue DHCP server then acts as the gateway for all devices in the network: it can see all their traffic while passing it on to the real gateway

Mitigation: Use switch’s DHCP snooping feature

  • Configure the switch to inspect DHCP messages in a VLAN
  • DHCP Offer and Acknowledgement packets (the O and A of the DORA process) are blocked on every port by default; the port/interface where the genuine DHCP server is connected is manually configured as trusted so that they are allowed there

CONFIGURE

Rogue DHCP

  • enable DHCP snooping for a particular VLAN
  • turn on DHCP snooping globally
  • on the interface where the genuine DHCP server is connected, mark the port as trusted
  • ip dhcp snooping vlan 999
  • ip dhcp snooping
  • int g 0/18
  • ip dhcp snooping trust
  • ###verify
  • sh ip dhcp snooping binding [shows the DHCP snooping binding table]
    • interface, IP address, MAC address, VLAN info
  • sh mac address-table
    • interface, MAC address and VLAN info
  • sh mac address-table count
  • sh mac address-table dynamic

Attack 2: Spoofing MAC addresses and flooding the switch with frames

If a PC can spoof its MAC address and send frames with many different source MAC addresses, each frame appears to the switch as a request coming from a different machine

1. DHCP starvation attack: if these frames are DHCP requests, they eat up every IP address in the DHCP pool, leaving no more addresses to hand out to legitimate clients.

2. CAM table overflow attack, which leads to an eavesdropping attack: a switch has limited space in its CAM table, and once it is full the switch floods traffic out of all interfaces, so the attacker's port receives frames meant for other hosts.

Perform attack:

  • flood frames with different source MAC addresses from BackTrack
  • root@bt:~# macof -i eth0

Mitigation:

1. [tackling after the attack] Once a port is shut down, all the addresses learned on that interface are cleared, freeing space in the CAM table

  • SW#int g 0/7
  • shutdown
  • no shutdown

2. [prevention] Port Security

However, if the rule defined by port-security is violated on a particular port and the port is moved to the errdisabled state, we can make the switch recover it automatically after a specific interval.

  • (config)# errdisable recovery cause psecure-violation
  • (config)# errdisable recovery interval 30
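To spot a CAM-table flood (Attack 2) in the `sh mac address-table dynamic` output the notes use for verification, this added example (not from the original notes) counts learned MAC addresses per port and flags ports above a threshold; the table text is constructed to look like IOS output.

```python
# Added example, not from the original notes: a single access port that suddenly
# learns many source MACs is the signature of a CAM-table flood.
import re
from collections import Counter

# Constructed sample of IOS "show mac address-table dynamic" output; a real table
# pulled from the switch would be far longer.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    0011.2233.4455    DYNAMIC     Gi0/5
   3    0011.2233.4456    DYNAMIC     Gi0/5
   3    0011.2233.4457    DYNAMIC     Gi0/5
   3    0011.2233.4458    DYNAMIC     Gi0/5
   3    00aa.bbcc.dd01    DYNAMIC     Gi0/7
 999    00aa.bbcc.dd02    DYNAMIC     Gi0/18
Total Mac Addresses for this criterion: 6
"""

# One table row: vlan, dotted-hex MAC, DYNAMIC, port name.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+DYNAMIC\s+(\S+)$", re.I)


def macs_per_port(table_text):
    """Count dynamically learned MAC addresses per switch port."""
    counts = Counter()
    for line in table_text.splitlines():
        m = ROW.match(line)
        if m:
            counts[m.group(3)] += 1
    return counts


def flooded_ports(table_text, threshold):
    """Ports whose learned-MAC count exceeds threshold, sorted by name.

    A normal access port serving one PC learns a handful of MACs at most, so a
    low threshold is reasonable; the value is an assumption for the sample."""
    return sorted(p for p, n in macs_per_port(table_text).items() if n > threshold)
```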

Attack 3: VLAN Hopping

VLAN Hopping

PC1 can send messages to PC2 in a different VLAN, bypassing any ACL applied on the router, if:

  1. it can negotiate a trunk with the switch
  2. it can generate an 802.1Q-tagged frame for VLAN 888

Perform attack:

  • root@bt:~# yersinia -G [GUI of yersinia]
    • Indicator: dynamic negotiation is on: DTP (Dynamic Trunking Protocol) packet count = 1
      • DTP traffic can be captured with Wireshark
      • On the switch: sh int g 0/5 switchport
        • [to see the administrative mode and trunk negotiation setting]
    • Launch attack > enable trunking
      • verify: on the switch, sh int trunk shows g0/5 changed from none to (all VLANs)
  • (learn BackTrack for this) BackTrack can create logical sub-interfaces and generate a tagged frame for a particular VLAN

Mitigation:

When a new switch is received:

  • Shut down all the ports on the switch
  • when attaching a PC (client) to a switch
    • make that port an access port
    • turn off trunk negotiation
    • assign the port to the correct VLAN.
      • (not covered yet) Alternatively, 802.1X can be used to
        • dynamically authenticate the user and
        • assign the VLAN based on the AAA configuration
  • In a homogeneous environment (all Cisco devices)
    • don't use VLAN 1 for anything,
      • move all ports to VLAN 999 [which will effectively shut down all ports]
      • specify the native VLAN
  • NOTE: if multiple STP instances per VLAN are running, or Juniper/HP etc. devices are used, then we have to use VLAN 1

configure

  • int range fa 0/1-23
  • shutdown
  • int g 0/5
  • switchport mode access
  • switchport nonegotiate
  • switchport access vlan 3
  • #####verify
  • sh int g 0/5 switchport
    • [to see the administrative mode and trunk negotiation setting]

Attack 4: Using a rogue switch to carry out a man-in-the-middle attack

Rogue Switch

Mitigation:

  • BPDU (Bridge Protocol Data Unit) Guard
    • can be implemented globally (on all access ports, including ports with portfast on) on the switch, or on a particular interface (access port)
    • It shuts the port down if a BPDU packet is received
  • BPDU Filter
    • if a BPDU packet is received, it drops that packet but does not shut the port down
  • Root Guard
    • configure on the switch globally
    • It is OK to receive BPDUs, but certain ports can be defined as never becoming root ports in the spanning tree

Perform attack:

  • root@bt:~# yersinia -G [GUI of yersinia]
  • launch an attack: STP: claim root role
    • it sends BPDUs to make the PC the root bridge

CONFIGURE

  • We will implement portfast [no need to wait for the 30 sec rule] and BPDU guard globally
    • any portfast-enabled port gets the benefit of bpduguard, if it is an access port
    • spanning-tree portfast default
    • spanning-tree portfast bpduguard default  [TURNING IT ON]
  • We will implement portfast and BPDU guard on an interface
    • int g 0/5
    • spanning-tree portfast
    • spanning-tree bpduguard enable
    • ####verify
    • sh spanning-tree summary
    • sh interface status err-disabled

However, if a port is shut down by BPDU Guard it is moved to the errdisabled state; we can make the switch recover it automatically after a specific interval.

  • (config)# errdisable recovery cause bpduguard
  • (config)# errdisable recovery interval 30
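The DHCP snooping, VLAN hopping and BPDU guard CONFIGURE sections above are all checks a defender can run against a saved running-config. This added example (not from the original notes) parses a constructed IOS config and reports which of those hardening commands are missing globally and on each untrusted port; the port-security command syntax is assumed from Cisco IOS, since the notes name the feature but show no commands for it.

```python
# Added example, not from the original notes: audit an IOS running-config for the
# hardening above. Port-security syntax is assumed from IOS; the page shows no commands for it.
# Constructed sample: g0/5 hardened, g0/7 at defaults, g0/18 faces the real DHCP server.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 999
ip dhcp snooping
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 3
 switchport nonegotiate
 switchport port-security
!
interface GigabitEthernet0/7
 switchport access vlan 3
!
interface GigabitEthernet0/18
 ip dhcp snooping trust
"""
GLOBAL_REQUIRED = ["ip dhcp snooping", "spanning-tree portfast bpduguard default"]
# Expected on every untrusted (client-facing) port: explicit access mode, no DTP
# negotiation (VLAN hopping) and port-security (CAM flooding / DHCP starvation).
ACCESS_REQUIRED = ["switchport mode access", "switchport nonegotiate", "switchport port-security"]

def parse_interfaces(config):
    """Map each 'interface X' block to the set of its stripped sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:
            current = None  # '!' or another global line ends the block
    return interfaces

def audit(config):
    """Return {'global': [missing], '<port>': [missing]}; trusted ports are skipped."""
    global_lines = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    findings = {"global": [c for c in GLOBAL_REQUIRED if c not in global_lines]}
    for port, lines in parse_interfaces(config).items():
        if "ip dhcp snooping trust" in lines:
            continue  # DHCP-server/uplink port, not a client access port
        missing = [c for c in ACCESS_REQUIRED if c not in lines]
        if missing:
            findings[port] = missing
    return findings
```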

Attack 5: Using gratuitous ARP: man-in-the-middle attack

Gratuitous ARP

Gratuitous ARP: nobody has asked for a MAC address (it is an unsolicited ARP reply), but a device (PC) sends out its own MAC address paired with a false IP address.

Mitigation:

  • Use DHCP snooping
    • the switch then knows the Layer 2 and Layer 3 address associated with each port
  • Use DAI (Dynamic ARP Inspection)
    • Any time ARP traffic reaches the switch, the switch inspects it and drops it if it appears to be bogus
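The check that DAI performs, as an added example that is not part of the original notes: the DHCP snooping binding table (constructed here in the layout of `sh ip dhcp snooping binding`) is parsed, and each ARP packet's sender MAC, sender IP, VLAN and ingress port are validated against it. The trusted-port set is an assumption for the sample.

```python
# Added example, not from the original notes: DAI validates ARP against the DHCP
# snooping binding table, so a gratuitous ARP pairing a PC's MAC with the
# gateway's IP on an untrusted port has no binding and is dropped.
import re

# Constructed sample of "show ip dhcp snooping binding" output.
SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.0.3.10        86400       dhcp-snooping   3    GigabitEthernet0/5
00:11:22:33:44:66   10.0.3.11        86400       dhcp-snooping   3    GigabitEthernet0/6
Total number of bindings: 2
"""
# Assumed uplink toward gateway/DHCP server; DAI does not inspect trusted ports.
TRUSTED_PORTS = {"GigabitEthernet0/18"}

# One binding row: mac, ip, lease, type, vlan, interface.
BINDING = re.compile(
    r"^([0-9a-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+(\d+)\s+(\S+)$", re.I)


def parse_bindings(text):
    """Return {(mac, ip): (vlan, port)} from the binding table output."""
    table = {}
    for line in text.splitlines():
        m = BINDING.match(line)
        if m:
            mac, ip, vlan, port = m.groups()
            table[(mac.lower(), ip)] = (int(vlan), port)
    return table


def inspect_arp(bindings, sender_mac, sender_ip, ingress_port, vlan):
    """Mimic DAI: permit ARP from trusted ports or exact binding matches, else deny."""
    if ingress_port in TRUSTED_PORTS:
        return "permit"
    if bindings.get((sender_mac.lower(), sender_ip)) == (vlan, ingress_port):
        return "permit"
    return "deny"
```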

Summary

1. DHCP snooping: block DHCP server traffic (the Offer and Acknowledgement frames of the DORA process) arriving on any port not connected to the DHCP server.

2. Port security: limit the maximum number of MAC addresses allowed on a port and define which MAC addresses are allowed

3. Don't allow trunk negotiation and explicitly make the port an access port

4. BPDU guard (on all access ports) to catch a device lying about being a switch

 
