
Page 1 (source PDF: d2zmdbbm9feqrf.cloudfront.net/2012/eur/pdf/BRKSEC-2202.pdf)

BRKSEC-2202

Understanding and Preventing Layer-2 Attacks in IPv4 and IPv6 networks

Follow us on Twitter for real time updates of the event:

@ciscoliveeurope, #CLEUR

Page 2

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2202 2

Housekeeping

We value your feedback: don't forget to complete your online session evaluations after each session and the Overall Conference Evaluation, which will be available online from Thursday

Visit the World of Solutions and Meet the Engineer

Visit the Cisco Store to purchase your recommended readings

Please switch off your mobile phones

After the event don’t forget to visit Cisco Live Virtual: www.ciscolivevirtual.com

Follow us on Twitter for real time updates of the event: @ciscoliveeurope, #CLEUR

Page 3

Session Abstract

This session focuses on the network security issues surrounding Layer-2, the data link layer. Because many network attacks originate from inside the corporate firewall, exploring this soft underbelly of data networking is critical for any secure network design. Issues including MAC flooding, IPv4 ARP spoofing, IPv6 Neighbor Discovery Protocol (NDP) spoofing, VLAN hopping, Dynamic Host Configuration Protocol (DHCP) attacks, DTP, Spanning Tree Protocol (STP) and First-Hop Security Protocols (HSRP and VRRP) are discussed.

Common myths about Ethernet switch security are addressed and specific security lockdown recommendations are provided. Attack mitigation options presented include the DHCP snooping and Dynamic ARP Inspection (DAI) functionality and the new IPv6 First-Hop Security. Attendees can expect to learn Layer-2 design considerations from a security perspective and mitigation techniques for Layer-2 attacks.

Virtualization environment challenges and Layer-2 attack mitigation using firewall and IPS technologies are discussed as well.

This intermediate session is suited for network designers, administrators, and engineers in all areas of data networking.

BRKSEC-3003 is the advanced version of the IPv6 part of this session.

BRKSEC-2202

Page 4

Agenda

Introduction to Layer-2 Security

Layer-2 Security – Fundamental Mechanisms

- MAC, STP, VTP, CDP, LLDP and FHRP attacks

- Securing Segmentation against VLAN and DTP attacks.

- Achieving Layer 2 Confidentiality with 802.1AE MACSec

Layer-2 Security specific to IPv4 Networks: Attacks and Countermeasures

- Securing Integrity and Availability of DHCPv4 and ARP

Layer-2 Security specific to IPv6 Networks: Attacks and Countermeasures

- IPv6 FHS: First-Hop Security Mechanisms

Layer-2 Security in the Era of Virtualization and Cloud

- VM Hypervisor Layer-2 Security (N1kV)

Layer-2 advanced attack mitigation using security appliances

- Firewall Layer-2 attack mitigation

- IPS Layer-2 attack mitigation

Summary

Page 5

Why Worry About Layer-2 Security?

Figure: Host A and Host B drawn as two OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical), with the corresponding layers joined by Physical Links, MAC Addresses, IP Addresses, Protocols/Ports and the Application Stream.

OSI Model Was Built to Allow Different Layers to Work Without the Knowledge of Each Other

For Your Reference

Page 6

Lower OSI Layers Affect Higher Layers

If one layer is hacked, communications are compromised without the other layers being aware of the problem

Security is only as strong as the weakest link

When it comes to networking, Layer-2 can be a very weak link

Figure: the same two OSI stacks; the Data Link layer is marked as the Initial Compromise, and everything above it (Physical Links, IP Addresses, Protocols/Ports and the Application Stream carrying POP3, IMAP, IM, SSL, SSH) is marked Compromised.

Page 7

Approaching Network Security the Systemic Way

Figure: two contrasting approaches shown side by side.

Page 8

Layer-2 Security and Link Operations

Link operations are the operations contained within the link boundaries, necessary for a node to communicate with its neighbors, including the link exit points. They encompass:

- Address configuration parameters

- Address initialization

- Address resolution

- Default gateway discovery

- Local network configuration

- Neighbor reachability tracking

Attacks at Layer-2:

- Address and local network configuration: trickery on configuration parameters

- Address initialization: denial of address insertion

- Address resolution: address stealing

- Default gateway discovery: rogue routers

- Neighbor reachability tracking: trickery on neighbor status

- Link-operations disruption – Denial of Service

- Neighbor cache poisoning

- Attacking on-link or off-link victims

- Key role hijacking: router or DHCP server

Figure: the scope of "a link".

Page 9 (Agenda, repeated from Page 4)

Page 10

A Quick Review: MAC Address And CAM Table

CAM stands for Content Addressable Memory

The CAM table stores information such as MAC addresses available on physical ports with their associated VLAN parameters

CAM table has a limited, platform-dependent size

Figure: MAC address format. A 48-bit hexadecimal number creates a unique Layer Two address, e.g. 1234.5678.9ABC. First 24 bits = manufacturer code (OUI), assigned by IEEE; second 24 bits = specific interface, assigned by the manufacturer (e.g. 0000.0cXX.XXXX). All Fs = broadcast: FFFF.FFFF.FFFF.

For Your Reference

Page 11

Normal CAM Behavior (1/2)

Figure: a switch with MAC A on Port 1, MAC B on Port 2 and MAC C on Port 3. The switch learns "A is on Port 1" and "B is on Port 2". CAM table (MAC → Port): A → 1, B → 2, C → 3.

Page 12

Normal CAM Behavior (2/2)

Figure: traffic from A to B. The CAM table (A → 1, B → 2, C → 3) says B is on Port 2, so the frame is sent only to Port 2; C on Port 3 does not see traffic to B.

Page 13

CAM Overflow Attack

Figure: the attacker on Port 3 floods bogus source addresses ("Y is on Port 3", "Z is on Port 3", ...) until the CAM table holds entries such as C → 3, Y → 3, Z → 3 and no entry for B. Traffic from A to B now has no CAM entry and is flooded, so the attacker on Port 3 can see traffic to B. Assumes the CAM table is now full.

Page 14

It is trivial to overflow the CAM table with invalid MAC addresses.

Classic tool – macof, developed in 1999

- About 100 lines of Perl. Included in the dsniff package.

- macof sends random source MAC and IP addresses

- Much more aggressive if you run the command with stderr sent to /dev/null (the second command line below)

Common tools are capable of generating 100,000+ spoofed MAC addresses per minute. YMMV.


MAC Flooding with macof

~# macof -i eth1 2> /dev/null

Page 15

CAM Table Full

Once the CAM table on the switch is full, traffic without a CAM entry is flooded out every port on that VLAN

This will turn a switch into a hub in the VLAN (broadcast domain) to which the attacker belongs

This attack will also fill the CAM tables of adjacent switches

10.1.1.22 -> (broadcast)  ARP C Who is 10.1.1.1, 10.1.1.1 ?
10.1.1.22 -> (broadcast)  ARP C Who is 10.1.1.19, 10.1.1.19 ?
10.1.1.26 -> 10.1.1.25    ICMP Echo request (ID: 256 Sequence number: 7424)   OOPS
10.1.1.25 -> 10.1.1.26    ICMP Echo reply (ID: 256 Sequence number: 7424)     OOPS

Page 16

MAC Flood Attacks – Countermeasures

Solution: port security limits the MAC flooding attack, locks down the port and sends an SNMP trap.

Figure: an attacker sends 137,000 bogus MACs; with only one MAC address allowed on the port, the port is shut down. Port Security limits the amount of MACs on an interface. (Legitimate hosts: 00:0e:00:aa:aa:aa and 00:0e:00:bb:bb:bb.)

Page 17

Configuring Port Security

Per port, per VLAN maximum number of MAC addresses

Restrict will let you know something has happened: you will get an SNMP trap

(config-if)# switchport port-security
(config-if)# switchport port-security maximum 1 vlan voice
(config-if)# switchport port-security maximum 1 vlan access
(config-if)# switchport port-security violation restrict
(config-if)# switchport port-security aging time 2
(config-if)# switchport port-security aging type inactivity
(config)# snmp-server enable traps port-security trap-rate 5
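Added example (Python, not code from the deck or from Cisco): a model of the CAM learning and flooding from the preceding slides together with the port-security limit configured above. Table size, aging time and the flooding host's addresses are constructed; the two legitimate hosts reuse the MACs from the countermeasure slide.

```python
"""Model of CAM learning, CAM overflow and 'switchport port-security' on one VLAN.
Constructed values throughout: an 8-entry CAM, a 300 s aging time and locally
administered (02:...) source MACs for the flooding host on port 3."""
from collections import OrderedDict

AGING_SECONDS = 300   # assumed MAC aging time (switch defaults are of this order)


def parse_mac(mac):
    """Accept 'aa:bb:cc:dd:ee:ff' or 'aabb.ccdd.eeff'; return (oui, nic) as lowercase
    hex: the 24-bit IEEE-assigned OUI and the 24-bit vendor-assigned interface part."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return digits[:6], digits[6:]


def is_unicast(mac):
    """The I/G bit (low bit of the first octet) marks group addresses; the all-ones
    ffff.ffff.ffff broadcast is one of them. Neither is ever learned as a source."""
    oui, _ = parse_mac(mac)
    return (int(oui[:2], 16) & 0x01) == 0


class Switch:
    """One VLAN, a bounded CAM table and optional per-port MAC limits."""
    def __init__(self, cam_size, ports):
        self.cam_size = cam_size
        self.cam = OrderedDict()          # mac -> (port, last_seen)
        self.ports = {p: {"max": None, "mode": "shutdown", "learned": set(),
                          "errdisabled": False, "violations": 0} for p in ports}

    def port_security(self, port, maximum, violation="shutdown"):
        """switchport port-security maximum N / violation {restrict|shutdown}"""
        self.ports[port].update(max=maximum, mode=violation)

    def expire(self, now):
        """Age out CAM entries idle for longer than AGING_SECONDS."""
        for mac in [m for m, (_, seen) in self.cam.items() if now - seen > AGING_SECONDS]:
            del self.cam[mac]

    def learn(self, port, src, now):
        """Source-MAC learning for a frame arriving on port; returns a verdict string."""
        p = self.ports[port]
        if p["errdisabled"]:
            return "dropped:errdisabled"
        if not is_unicast(src):
            return "dropped:group-source"
        src = "".join(parse_mac(src))
        if p["max"] is not None and src not in p["learned"]:
            if len(p["learned"]) >= p["max"]:
                p["violations"] += 1            # restrict: drop the frame, send trap/syslog
                if p["mode"] == "shutdown":     # shutdown: the port goes err-disabled
                    p["errdisabled"] = True
                    return "violation:errdisable"
                return "violation:restrict"
            p["learned"].add(src)
        if src in self.cam:
            self.cam[src] = (port, now)
            return "refreshed"
        if len(self.cam) >= self.cam_size:
            return "cam-full:not-learned"
        self.cam[src] = (port, now)
        return "learned"

    def forward(self, ingress, dst):
        """Egress ports for a unicast frame: the CAM hit, or every other port on
        the VLAN when the destination is unknown (unknown-unicast flooding)."""
        dst = "".join(parse_mac(dst))
        if dst in self.cam:
            return [self.cam[dst][0]]
        return sorted(p for p in self.ports if p != ingress)


HOST_A, HOST_B = "00:0e:00:aa:aa:aa", "00:0e:00:bb:bb:bb"   # the two hosts on the slide


def run_flood(secure_port3):
    """Hosts A and B on ports 1 and 2; a flooding host on port 3 sends eight new source
    MACs every 10 s for about five minutes. Returns where A->B traffic goes before and
    after the flood, the per-frame verdicts and the port-3 violation count."""
    sw = Switch(cam_size=8, ports=[1, 2, 3])
    if secure_port3:
        sw.port_security(3, maximum=1, violation="restrict")
    sw.learn(1, HOST_A, now=0)
    sw.learn(2, HOST_B, now=0)
    before = sw.forward(1, HOST_B)
    verdicts = {}
    for t in range(100, 420, 10):
        sw.expire(t)
        for i in range(8):
            v = sw.learn(3, "02:00:00:%02x:%02x:00" % (t // 10, i), now=t)
            verdicts[v] = verdicts.get(v, 0) + 1
    sw.expire(420)                  # A and B have now been idle for more than 300 s
    relearn_a = sw.learn(1, HOST_A, now=420)
    relearn_b = sw.learn(2, HOST_B, now=420)
    return {"before": before, "after": sw.forward(1, HOST_B), "verdicts": verdicts,
            "relearn_a": relearn_a, "relearn_b": relearn_b,
            "port3_violations": sw.ports[3]["violations"]}
```

Run it with and without port security: with the limit in place the CAM never fills, so B's entry can be re-learned and A's traffic is no longer flooded to the attacker's port.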

Page 18

Port Security: What to Expect

The performance hit seen with multiple attacks happening at one time is up to 99% CPU utilization.

Because the process runs at low priority, packets were not dropped on any of the switches tested.

Telnet and management were still available.

You would want to limit the SNMP messages; you don't want 1000s of them.

Voice MOS scores under attack were very good, as long as QoS was configured.

Designed to protect the switch and limit MAC addresses; it has no authentication, look at 802.1X for that.

For phones the minimum setting is usually two; higher numbers should be considered.

Notice: When Using the Restrict Feature of Port Security, if the Switch Is Under Attack, You Will See a Performance Hit on the CPU

For Your Reference

Page 19

Spanning Tree Basics

STP purpose: to maintain loop-free topologies in a redundant Layer 2 infrastructure

STP is very simple; messages are sent using Bridge Protocol Data Units (BPDUs); basic messages include: configuration, topology change notification/acknowledgment (TCN/TCA); most have no "payload"

Avoiding loops ensures broadcast traffic does not become storms

Figure: a "tree-like", loop-free topology is established from the perspective of the root bridge. A switch is elected as Root; root selection is based on the lowest configured priority of any switch (0–65535). One redundant link is blocked (X).

For Your Reference

Page 20

Attacking Spanning Tree Protocol

Attacker sends superior BPDU messages to become root bridge

The attacker then sees frames he shouldn't: MITM, DoS, all possible

Any attack is very sensitive to the original topology, trunking, PVST

Although STP takes link speed into consideration, it is always done from the perspective of the root bridge; taking a 10Gbps backbone to half-duplex 10Mbps was verified

Requires that the attacker is dual homed to two different switches (with a hub, it can be done with just one interface on the attacking host)

Figure: two access switches with their uplinks to the Root; the dual-homed attacker claims Root and the original uplink path is blocked (X).

Page 21

Traditional Layer-2 Access Design

Mature, 10+ year old design

Redundant design with sub-optimal topology and complex operation.

Stabilize network topology with several L2 protection features:

- STP Primary and Backup Root Bridge

- Rootguard

- Loopguard or Bridge Assurance

- STP Edge Protection

Protocol restricted forwarding topology –

- STP FWD/ALT/BLK Port

- Single Active FHRP Gateway

- Asymmetric forwarding

- Unicast Flood

Protocol dependent driven network recovery

- PVST/RPVST+

- FHRP Tunings

Figure: two distribution switches (HSRP Active, STP Root) with Rootguard and Loopguard or Bridge Assurance on their links, and BPDU Guard or PortFast plus Port Security on the access ports.

For Your Reference

Page 22

Layer-2 Security with Routed Access

Simplified Operation with single control-plane – Routing Protocols

Improved Network Design – No FHRP, STP, Trunk, VTP etc.

Optimized Forwarding Topology – Layer 3 ECMP

Improved convergence with fewer protocols

Figure: the same topology with the Layer 3 / Layer 2 boundary (EIGRP/OSPF) moved down to the access switches, shown against the Layer 2 mechanisms of the previous design (HSRP Active, Rootguard, Loopguard or Bridge Assurance, STP Root, BPDU Guard or PortFast, Port Security).

Page 23

VTP – VLAN Trunking Protocol

VTP is a Cisco-proprietary protocol available on most switches

Works on ISL and 802.1Q trunks to propagate VLAN information

Periodic advertisements to the multicast address 01-00-0c-cc-cc-cc (same as CDP)

Frame format: 802.1Q frames have Ethertype 0x8100; LLC code 0xaaaa, which represents Subnetwork Access Protocol (SNAP); SNAP type 0x2003.

Modes of operation: server, client, transparent and off

VTP pruning blocks unneeded flooded traffic

For Your Reference

Page 24

Attacking VLAN Trunking Protocol

Active attack: inserting a VTP Client or Server with a higher Config Revision Number into the network

An attacker can prepare and insert a hostile switch, or use tools like yersinia to:

- Send raw VTP packets

- Delete ALL VLANs

- Delete selected VLAN

- Add one VLAN

- Try to crash the switch

All of these can lead to a catastrophic DoS condition.

- Deleted VLANs become inactive.

Figure: a VTP domain with a Server and two Clients, all carrying VLANs 10,20,30,40; a rogue VTP advertisement carrying only VLAN 77,99 propagates through the domain and every switch ends up with VLAN 77,99.

Page 25

VTP version 1 and 2 Attack Countermeasures

Configure the VTP domains appropriately.

Turn off VTP altogether if you want to limit or prevent possible undesirable protocol interactions with regard to network-wide VLAN configuration.

Authenticate VTP with MD5 HMAC. The MD5 digest of the VTP configuration is created. (Changing pruning and version on the VTP server changes the MD5 digest.)

If VLANs other than VLAN 1 or the management VLAN represent a security concern, then automatic or manual pruning should be applied as well.

Configuring VTP transparent or OFF mode and doing manual pruning of VLANs is commonly considered the most effective method to exert a stricter level of control over a VLAN-based network.

Configure static access ports. VTP is disabled by default on nontrunk ports.

Page 26

VTP version 3 security enhancements

VTPv3 supports a superset of VTPv1 and v2

Extended range VLANs (1006 to 4094)

Enhanced authentication (hidden or secret)

Private VLAN support.

Primary and Secondary VTP Servers. Only VTPv3 primary server is able to update the domain.

Ability to turn VTP on or off on a per-trunk / per-port basis.

VTPv3 provides antireplay protection with MD5 HMAC.

Note: VTPv3 has historically been available on high-end platforms only. Since 12.2(52)SE it is available on access Catalyst switches (2K, 3K) as well.

Page 27

Cisco Discovery Protocol (CDP)

CDP is a Cisco proprietary Layer-2 protocol known for ages (since 1994)

Runs on all media supporting Subnetwork Access Protocol (SNAP) including FR and ATM. On Ethernet, protocol ID 0x2000 is used

Device sends periodic advertisements to a multicast address 01-00-0c-cc-cc-cc

Type-Length-Value fields (TLVs) are blocks of information embedded in CDP advertisements. A way for Cisco to expand the protocol.

CDP Version-2 (CDPv2) is the most recent release of the protocol

- Provides more intelligent device tracking features

- Error messages can be sent to the console or to a logging server

- Covers instances of unmatching native VLAN IDs (IEEE 802.1Q) – Native VLAN TLV

- Detects unmatching port duplex states between connecting devices – Full/Half Duplex TLV

Figure: two neighboring devices exchanging CDP advertisements.

For Your Reference

Page 28

Attacking Cisco Discovery Protocol

No authentication is built into CDP.

Passive Attack. Listening to CDP messages:

- Getting extensive information about the neighbor device

Active Attack. An attacker can craft CDP messages to:

- Test the protocol implementation resiliency on the switch

- Pollute and overflow the CDP cache

- Advertise himself as a PoE device - Switch Power Budget Exhaustion.

Defense against CDP attacks can be performed by:

- Disabling CDP globally

- Disabling CDP per interface

However, some applications, like IP Telephony VLAN negotiation, Network Inventory and Topology, Power Negotiation, Emergency Services and Device Profiling, make extensive use of CDP.

(config)# no cdp run
(config-if)# no cdp enable

Page 29

CDP Security with IP Telephony

On some hardware platforms, a triple check (CDP, line power and duplex) is available before a Cisco IP Phone is allowed into the voice VLAN.

If the conditions are not satisfied, the port gets err-disabled.

Denying access to a port when power was NOT granted?

Figure: access ports in VLAN 10 and VLAN 20.

(config-if)# switchport voice detect cisco-phone                ! Line Power and CDP
(config-if)# switchport voice detect cisco-phone full-duplex    ! and only Full-Duplex

%CPDE-6-DETECT: Device detected on GigabitEthernet0/1 violating configuration
%PM-4-ERR_DISABLE: security-violation error detected on Gi0/1, putting Gi0/1 in err-disable state
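Added example (Python, not from the deck or from Cisco): a parser for the syslog messages above and for port-security violations, with the per-interface rate limiting that trap-rate applies to SNMP traps, since the port-security "What to Expect" slide warns against receiving thousands of messages. The log lines are constructed; the CPDE and PM lines copy the slide, and the PSECURE_VIOLATION message format is assumed to follow IOS.

```python
"""Parse Catalyst syslog for the Layer-2 protection events shown on these slides and
rate-limit the alerts they raise per interface, the way 'snmp-server enable traps
port-security trap-rate 5' bounds the trap flood a port-security attack would cause.
SAMPLE_LOG is constructed; the PSECURE_VIOLATION format is assumed to match IOS."""
import re
from collections import defaultdict

SAMPLE_LOG = "\n".join(
    ["Jan 30 10:00:01.100: %CPDE-6-DETECT: Device detected on GigabitEthernet0/1 violating configuration",
     "Jan 30 10:00:01.101: %PM-4-ERR_DISABLE: security-violation error detected on Gi0/1, putting Gi0/1 in err-disable state",
     "Jan 30 10:00:05.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)"]
    + ["Jan 30 10:00:%02d.000: %%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
       "caused by MAC address 0200.0000.%04x on port GigabitEthernet0/2." % (10 + i, i)
       for i in range(8)])

LINE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d(?:\.\d+)?): "
                     r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)$")
IFACE_RE = re.compile(r"\b(?P<kind>GigabitEthernet|FastEthernet|Gi|Fa)(?P<num>\d+(?:/\d+)+)\b")
MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b", re.I)
SHORT = {"GigabitEthernet": "Gi", "FastEthernet": "Fa"}   # normalise long and short names

# (facility, mnemonic) pairs that mean a Layer-2 protection mechanism fired.
WATCHED = {("PORT_SECURITY", "PSECURE_VIOLATION"), ("CPDE", "DETECT"), ("PM", "ERR_DISABLE")}


def parse_line(line):
    """Return a dict for one syslog line, or None if it is not in IOS format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m["time"].split(":")
    iface = IFACE_RE.search(m["text"])
    mac = MAC_RE.search(m["text"])
    return {"t": int(h) * 3600 + int(mi) * 60 + float(s),   # seconds into the day
            "facility": m["facility"], "severity": int(m["severity"]),
            "mnemonic": m["mnemonic"], "text": m["text"],
            "iface": SHORT.get(iface["kind"], iface["kind"]) + iface["num"] if iface else None,
            "mac": mac.group(1).lower() if mac else None}


class TrapRateLimiter:
    """Allow at most `limit` alerts per interface in any `window` seconds."""

    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self.sent = defaultdict(list)          # iface -> times of alerts actually sent

    def allow(self, iface, t):
        recent = [x for x in self.sent[iface] if t - x < self.window]
        self.sent[iface] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(t)
        return True


def analyse(log_text, limit=5, window=60.0):
    """Per-interface summary: events seen, alerts sent, alerts suppressed, whether
    the port ended up err-disabled, and the offending MACs."""
    limiter = TrapRateLimiter(limit, window)
    report = defaultdict(lambda: {"events": 0, "alerts": 0, "suppressed": 0,
                                  "errdisabled": False, "macs": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or (ev["facility"], ev["mnemonic"]) not in WATCHED or not ev["iface"]:
            continue
        r = report[ev["iface"]]
        r["events"] += 1
        if ev["mac"]:
            r["macs"].add(ev["mac"])
        if ev["mnemonic"] == "ERR_DISABLE":
            r["errdisabled"] = True
        if limiter.allow(ev["iface"], ev["t"]):
            r["alerts"] += 1
        else:
            r["suppressed"] += 1
    return dict(report)


if __name__ == "__main__":
    for iface, summary in sorted(analyse(SAMPLE_LOG).items()):
        print(iface, summary)
```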

Page 30

Link-Layer Discovery Protocol (LLDP)

LLDP is an IEEE 802.1AB standard. Comparable Layer-2 protocol principle as CDP.

Multicast address 01-80-c2-00-00-0e. Dedicated Ethertype of 0x88cc

Supports a set of TLVs to discover neighbor devices

Extension: Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED)

LLDP-MED provides support for media endpoints and provides additional TLVs:

- LLDP-MED capabilities TLV

- Network policy TLV

- Power management TLV

- Inventory management TLV

- Location TLV

By default, a network device sends only LLDP packets until it receives LLDP-MED packets from an endpoint device.

For Your Reference

Page 31

LLDP and LLDP-MED security considerations

Similar attack and defense approach as with CDP.

However, LLDP can be utilized by Wired Location Service to track connected devices and endpoints and send them to the Mobility Services Engine (MSE) using the Network Mobility Services Protocol (NMSP).

LLDP provides more granularity – transmit and receive can be controlled separately, as can the specific TLVs that are propagated

Figure: two neighboring devices exchanging LLDP.

(config)# no lldp run
(config-if)# no lldp transmit
(config-if)# no lldp receive
(config-if)# lldp med-tlv-select [tlv]

Page 32

Hot Standby Router Protocol (HSRP)

HSRP is a Cisco-proprietary FHRP (First-Hop Redundancy Protocol).

Defined in RFC 2281, known since 1998.

Designed to achieve almost-100% availability of first-hop.

L3 switches and routers running HSRP work in sets known as groups.

State-machine driven: Initial, Learn, Listen, Speak, Standby, Active.

For IPv4, the group source MAC is 00-00-0c-07-ac-NN for HSRPv1 and 00-00-0c-9f-fN-NN for HSRPv2. HSRP hello packets use UDP port 1985 and IP multicast 224.0.0.2 with TTL=1.

For IPv6, the group MAC is 00-05-73-a0-0N-NN, UDP port 2029. A link-local or non-link-local virtual IPv6 address can be used.

Advanced features exist: Preemption, Interface tracking, Use of a BIA, Multiple HSRP groups, BVI, Syslog support, Enhanced debugging, Strong Authentication, SNMP MIB, VRF-awareness.

For Your Reference

Page 33

Attacking HSRP - Information Leakage

The RFC 2281 clearly states that HSRP is not secure by default.

"This protocol does not provide security. The authentication field found within the message is useful for preventing misconfiguration. The protocol is easily subverted by an active intruder on the LAN. This can result in a packet black hole and a denial-of-service attack. It is difficult to subvert the protocol from outside the LAN as most routers will not forward packets addressed to the all-routers multicast address (224.0.0.2)"

Passive Attack. Traffic sniffing can lead to HSRP Information leakage

- Neither a breach, nor service disruption.

- The attacker will learn Virtual IP Address (all-routers IP address) and a clear-text password in the Authentication Data HSRP Field

- As HSRP is Cisco-proprietary, the attacker will probably launch Cisco-specific attacks and exploits.

Page 34

Attacking HSRP - Denial of Service

Active Attack. The attacker sends fake HSRP packets with the maximum priority of 255 and the proper clear-text password.

The attacker claims the Active Virtual Router role and becomes the Default Gateway for hosts in the given VLAN.

The attacker drops the traffic, effectively creating a DoS condition.

Countermeasure: use HSRP strong authentication

Figure: HSRP group 1, virtual IP 10.10.10.254, virtual MAC 00-00-0c-07-ac-01.

Page 35

Attacking HSRP – Man in The Middle (MiTM)

Active Attack. The same as the DoS attack, but the attacker does not drop the traffic after claiming the Active Router role.

The attacker is now man-in-the-middle – intercepts and forwards all the traffic leaving the local subnet, leading to catastrophic consequences, including data theft and modification.

Figure: HSRP group 1 (virtual IP 10.10.10.254, virtual MAC 00-00-0c-07-ac-01) with the attacker relaying traffic between the hosts and the Internet.

Page 36

Attacking HSRP – Countermeasures

Attack tools exist, like yersinia and hsrp, a part of Phenoelit IRPAS (Internetwork Routing Protocol Attack Suite).

Typical use:

~# hsrp -d 224.0.0.2 -v 10.10.10.254 -a cisco -g 1 -i eth0 -S 10.10.10.17

The most important countermeasure is MD5 HMAC Strong Authentication combined with key rollover (accept lifetime and send lifetime).

(config)# key chain hsrp1
(config-keychain)# key 1
(config-keychain-key)# key-string 54321098452103ab
(config-if)# standby 1 ip 10.10.10.254
(config-if)# standby 1 priority 110
(config-if)# standby 1 preempt
(config-if)# standby 1 authentication md5 key-chain hsrp1

Page 37

Attacking HSRP – Even More Countermeasures

HSRP Strong Authentication is critical, but it does not stop a replay attack.

By listening and re-sending exactly the same packet, the attacker becomes Active and will be able to sustain that state later on.

But this attack can be avoided by using port-security.

A complementary and effective approach is to use an ACL to filter potential HSRP messages from hosts at the access layer.

(config)# access-list 195 permit udp host 10.10.10.5 host 224.0.0.2 eq 1985
(config)# access-list 195 permit udp host 10.10.10.6 host 224.0.0.2 eq 1985
(config)# access-list 195 deny udp any any eq 1985
(config)# access-list 195 permit ip any any
(config-if)# ip access-group 195 in
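The key-chain authentication from the previous slide, the replay gap described above and access-list 195, modelled together in Python as an added example (not code from the deck or from IOS): the hello layout, the HMAC input and the key lifetimes are simplified assumptions, key 1 reuses the slide's key-string and key 2 and the timeline are constructed.

```python
"""HSRP-style MD5 HMAC authentication with a key chain (send/accept lifetimes), the
verbatim-replay gap the slide describes, and the access-layer ACL that narrows it.
Simplified model, not the IOS packet format: hello body, HMAC input and lifetimes
are assumptions; key 1 reuses the slide's key-string, key 2 is constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass
class Key:
    key_id: int
    key_string: bytes
    send_start: float      # send-lifetime   [start, end)
    send_end: float
    accept_start: float    # accept-lifetime [start, end); overlap absorbs clock skew
    accept_end: float


class KeyChain:
    def __init__(self, keys):
        self.keys = {k.key_id: k for k in keys}

    def send_key(self, now):
        """Lowest key id whose send-lifetime covers now (assumed selection rule)."""
        for kid in sorted(self.keys):
            k = self.keys[kid]
            if k.send_start <= now < k.send_end:
                return k
        return None

    def accept_key(self, key_id, now):
        k = self.keys.get(key_id)
        return k if k and k.accept_start <= now < k.accept_end else None


def ip4(addr):
    return bytes(int(x) for x in addr.split("."))


def hello_body(group, priority, vip, src):
    """Simplified hello: group, priority, virtual IP, sender IP (10 bytes)."""
    return struct.pack("!BB", group, priority) + ip4(vip) + ip4(src)


def sign_hello(chain, now, group, priority, vip, src):
    """body || key_id || HMAC-MD5(key_string, body)"""
    k = chain.send_key(now)
    if k is None:
        raise RuntimeError("no key valid for sending at t=%s" % now)
    body = hello_body(group, priority, vip, src)
    return body + struct.pack("!B", k.key_id) + hmac.new(k.key_string, body, hashlib.md5).digest()


def verify_hello(chain, now, packet):
    """(ok, reason). Nothing here ties the packet to the time it was sent, so a
    captured hello verifies again for as long as its key is still accepted."""
    if len(packet) != 10 + 1 + 16:
        return False, "bad length"
    body, key_id, digest = packet[:10], packet[10], packet[11:]
    k = chain.accept_key(key_id, now)
    if k is None:
        return False, "key %d not accepted at t=%s" % (key_id, now)
    if not hmac.compare_digest(hmac.new(k.key_string, body, hashlib.md5).digest(), digest):
        return False, "bad hmac"
    return True, "ok"


# The slide's access-list 195 as (action, protocol, source, destination, dest port).
ACL_195 = [("permit", "udp", "10.10.10.5", "224.0.0.2", 1985),
           ("permit", "udp", "10.10.10.6", "224.0.0.2", 1985),
           ("deny", "udp", "any", "any", 1985),
           ("permit", "ip", "any", "any", None)]


def acl_verdict(acl, proto, src, dst, dport):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, aproto, asrc, adst, aport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if asrc != "any" and asrc != src:
            continue
        if adst != "any" and adst != dst:
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"


def demo_chain():
    """Key 1 (the slide's key-string) rolls over to a constructed key 2 at t=3600;
    both keys stay acceptable for 300 s on either side of the change."""
    return KeyChain([Key(1, b"54321098452103ab", 0, 3600, 0, 3900),
                     Key(2, b"constructed-second-key", 3600, 7200, 3300, 7500)])
```

A hello captured at t=100 still verifies at t=2000, which is the replay the slide warns about; the ACL stops a host such as 10.10.10.17 (the source in the hsrp command above) from injecting hellos at the access port, while the routers' own hellos are permitted.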

Page 38

Virtual Router Redundancy Protocol (VRRP)

IETF Standard, defined in RFC 2338 and 3768.

Uses IP Protocol 112

Multicast address 224.0.0.18 with TTL=255

Router uses its actual IP address as the source address, not the virtual IP address.

Virtual MAC address 00-00-5e-00-01-NN

Master router sends periodic VRRP packets with the virtual MAC

VRRP Virtual IP can be the router interface address (with HSRP, the virtual address is always different)


Page 39

Virtual Router Redundancy Protocol (VRRP) Security

VRRP is slightly more secure than HSRP:

- Router rejects VRRP packets with TTL<255

- Router with the virtual IP assigned to its interface always has the highest priority

Denial of Service or MiTM after collecting the authentication data and becoming the Master Router is possible.

Countermeasures:

- MD5 HMAC authentication (Cisco extension) with key-string or key chain

- Use ACLs to prevent VRRP spoofing. VRRP utilizes IP protocol 112.

(config-if)# vrrp 7 authentication md5 key-string s3cr3tly1337

(config)# access-list 170 permit 112 host 10.10.10.5 host 224.0.0.18
access-list 170 permit 112 host 10.10.10.6 host 224.0.0.18
access-list 170 deny 112 any any
access-list 170 permit ip any any
(config-if)# ip access-group 170 in

Page 40

Basic Trunk Port Defined

Trunk ports have access to all VLANs by default

Used to carry traffic for multiple VLANs across the same physical link (generally between switches, or between a switch and an IP phone)

Encapsulation 802.1Q

[Figure: two switches, each with hosts in VLAN 10 and VLAN 20, connected by an 802.1Q trunk carrying VLAN 10 and VLAN 20 plus a native VLAN]

Page 41

Dynamic Trunk Protocol (DTP)

What is DTP?

- Automates 802.1Q trunk setup

- Operates between switches (Cisco IP phone is a switch)

- Does not operate on routers

- Support varies, check your device

DTP synchronizes the trunking mode on end links

DTP state on an 802.1Q trunking port can be set to "Auto", "On", "Off", "Desirable", or "Non-Negotiate"

Page 42

Basic VLAN Hopping Attack

Attacker sends DTP messages and establishes an 802.1Q trunk

Attacker station becomes a member of all VLANs

[Figure: the attacker's port negotiates a trunk (native VLAN, VLAN 10, VLAN 20) with the switch, so the attacker station reaches VLAN 10 and VLAN 20 across the trunk between the switches]

Countermeasures:

(config-if)# switchport mode access
switchport nonegotiate

Page 43

Double 802.1Q Encapsulation VLAN Hopping Attack

Send 802.1Q double-encapsulated frames

Switch performs only one level of decapsulation

Unidirectional attack only

Works even if trunk ports are set to off

Note: only works if the trunk carries the attacker's VLAN as its native VLAN

[Figure: 802.1Q frame layout: src mac | dst mac | 8100 | 5 (1st tag) | 8100 | 96 (2nd tag) | 0800 | data. The first switch strips off the first tag and sends the frame back out the trunk with the second tag still in place]

(config-if)# switchport mode access
switchport nonegotiate
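The double-tag path in working code, as an added example that is not the deck's: a small parser for stacked 802.1Q tags and a model of the single decapsulation step, run once with the native VLAN equal to the attacker's VLAN and once with the deck's countermeasures (a dedicated native VLAN, here the constructed VLAN 999, and tagging the native VLAN). The frame and MAC addresses are constructed, and the model assumes an access port accepts a frame tagged with its own VLAN.

```python
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def build_frame(dst, src, vlan_ids, ethertype, payload):
    """Build an Ethernet frame carrying the given 802.1Q tags (outermost first)."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for vid in vlan_ids:
        # TPID 0x8100 followed by the TCI (PCP=0, DEI=0, VID in the low 12 bits)
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (vlan_ids outermost first, inner EtherType) for a frame."""
    offset, vlan_ids = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype != ETHERTYPE_VLAN:
            return vlan_ids, etype
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)
        offset += 4


def pop_tag(frame):
    """Remove the outermost 802.1Q tag (the 4 bytes after the MAC addresses)."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF) + frame[12:]


def access_port_ingress(frame, access_vlan):
    """Switch 1, access port: untagged frames belong to the access VLAN; a frame
    tagged with the access VLAN itself is accepted and that tag is popped
    (modelling assumption). Any other tag is dropped."""
    vlan_ids, _ = parse_tags(frame)
    if not vlan_ids:
        return access_vlan, frame
    if vlan_ids[0] == access_vlan:
        return access_vlan, pop_tag(frame)
    return None, None


def trunk_egress(frame, vlan, native_vlan, tag_native=False):
    """Switch 1, trunk egress: native-VLAN frames leave untagged unless the trunk
    tags its native VLAN; every other VLAN gets a tag pushed."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Switch 2, trunk ingress: the outer tag decides the VLAN, untagged frames
    land in the native VLAN. Only ONE level of decapsulation happens here."""
    vlan_ids, _ = parse_tags(frame)
    if vlan_ids:
        return vlan_ids[0], pop_tag(frame)
    return native_vlan, frame


def vlan_after_hop(frame, access_vlan, native_vlan, tag_native=False):
    """VLAN in which switch 2 delivers a frame a host sent into switch 1's
    access port, or None if switch 1 dropped it."""
    vlan, frame = access_port_ingress(frame, access_vlan)
    if vlan is None:
        return None
    frame = trunk_egress(frame, vlan, native_vlan, tag_native)
    vlan, _ = trunk_ingress(frame, native_vlan)
    return vlan


def is_double_tagged(frame):
    """Detection hook: more than one 802.1Q tag arriving from an access port."""
    return len(parse_tags(frame)[0]) > 1


# Constructed sample: the slide's double-tagged frame (1st tag 5, 2nd tag 96)
DOUBLE_TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                            [5, 96], ETHERTYPE_IPV4, b"data")

if __name__ == "__main__":
    print("native VLAN 5  :", vlan_after_hop(DOUBLE_TAGGED, 5, 5))          # 96
    print("native VLAN 999:", vlan_after_hop(DOUBLE_TAGGED, 5, 999))        # 5
    print("tag native     :", vlan_after_hop(DOUBLE_TAGGED, 5, 5, True))    # 5
```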

Page 44

Voice VLAN Access: Attack

Attacker sends 802.1Q tagged frames from the PC to the phone. Traffic from the PC is now in the voice VLAN.

Countermeasure: disable PC voice VLAN access on CUCM. Tagged traffic will be stopped at the PC port on the phone.

[Figure: the attacker's PC behind an IP phone sends frames tagged VLAN 10; VLAN 10 now has PC traffic; VLAN 20 is also shown]

Page 45

Security Best Practices for VLANs and Trunking

Always use a dedicated VLAN ID for all trunk ports

Disable unused ports and put them in an unused VLAN

Be paranoid: do not use VLAN 1 for anything

Disable auto-trunking on user facing ports (DTP off)

Explicitly configure trunking on infrastructure ports

Use all tagged mode for the native VLAN on trunks

Use PC voice VLAN access on phones that support it

Use 802.1Q tag all on the trunk port

Page 46

Agenda

Introduction to Layer-2 Security

Layer-2 Security – Fundamental Mechanisms

- MAC, STP, VTP, CDP, LLDP and FHRP attacks

- Securing Segmentation against VLAN and DTP attacks.

- Achieving Layer 2 Confidentiality with 802.1AE MACSec

Layer-2 Security specific to IPv4 Networks: Attacks and Countermeasures

- Securing Integrity and Availability of DHCPv4 and ARP

Layer-2 Security specific to IPv6 Networks: Attacks and Countermeasures

- IPv6 FHS: First-Hop Security Mechanisms

Layer-2 Security in the Era of Virtualization and Cloud

- VM Hypervisor Layer-2 Security (N1kV)

Layer-2 advanced attack mitigation using security appliances

- Firewall Layer-2 attack mitigation

- IPS Layer-2 attack mitigation

Summary

Page 47

MACSec - Achieving Confidentiality at Layer-2

MACSec is the IEEE Layer-2 encryption mechanism (since 2006)

- 802.1AE defines AES-GCM-128 encryption (AES-GCM-256 future)

802.1X EAP is used to derive the 802.1AE session key for encryption

Authenticated Encryption with Associated Data (AEAD)

Hardware implementations are very efficient:

- 1Gbps and 10Gbps line rate crypto

MACSec can be used switch-to-switch or endpoint-to-switch

BRKSEC-2046 Deploying Security Group Tagging and MACSec

[Figure: AnyConnect 3 (AC3) client to switch "Downlink" and switch-to-switch "Uplink" MACSec segments, each encrypting on transmit and decrypting on receive]

Page 48

MACSec Importance for Layer-2 Security

Client-side encryption can be done in software (AC3.0) and in hardware.

802.1X NEAT can be used to defend against bogus switch insertion

Physical MiTM on the access link is a feasible attack using a small form factor PC (DreamPlug).

Attacks have been demonstrated (DEFCON 19 – A Bridge Too Far).

Page 49

Putting it together: 802.1AE with SGT

[Figure: frame layout: DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC. Cisco Meta Data (CMD) fields: Version, Length, CMD EtherType, SGT Opt Type, SGT Value, Other CMD Options. The figure marks which fields are encrypted and which are authenticated]

802.1AE Header, CMD and ICV are the L2 802.1AE + TrustSec overhead

Frame is always tagged at the ingress port of an SGT-capable device

Tagging takes place before other L2 services such as QoS

No impact on IP MTU/fragmentation

L2 frame MTU impact: ~40 bytes, i.e. less than a baby giant frame (~1600 bytes with 1552 bytes MTU)

BRKSEC-2046 Deploying Security Group Tagging and MACSec

Page 50

Cisco's MACsec Capable Product Portfolio

Client
- Software: AnyConnect 3.0
- Hardware: Intel 82567LM, Intel 82579LM
- Key Agreement: MKA (802.1X-2010)
- Availability: Available Now

Cat 3K
- Software: IOS 15.0(1)-SE
- Hardware: Catalyst 3750X, Catalyst 3560X, C3KX-SM-10G, WS-C3560CPD-8PT-S *, WS-C3560CG-8TC-S *, WS-C3560CG-8PC-S
- Key Agreement: MKA (802.1X-2010) Host Access / Security Association Protocol (SAP) Switch-to-Switch; * MKA / Downlink Only
- Availability: Host access and Switch-to-Switch: Available Now

Cat 4K
- Software: IOS-XE 3.3.0 SG
- Hardware: Catalyst 45xx-E, WS-X45-Sup7-E, WS-X4712-SFP+E, WS-X4748-UPOE+E, WS-X4748-RJ45V+E, WS-X4748-RJ45-E
- Key Agreement: MKA (802.1X-2010) Host Access / Security Association Protocol (SAP) Switch-to-Switch
- Availability: Host access: Q1CY12; Switch-to-Switch: Q1CY12

Cat 6K
- Software: IOS 12.2.50-SY
- Hardware: Catalyst 65xx-E, VS-S2T-10G, VS-S2T-10G-XL, WS-X6908-10G-2T, WS-X6908-10G-2TXL
- Key Agreement: Security Association Protocol (SAP) Switch-to-Switch
- Availability: Switch-to-Switch: Available Now

N7K
- Software: NXOS 5.2.1
- Hardware: N7K-C70xx, N7K-SUP1, N7K-M108X2-12L, N7K-M132XP-12, N7K-M132XP-12L, N7K-M148GT-11, N7K-M148GT-11L, N7K-M148GS-11, N7K-M148GS-11L
- Key Agreement: Security Association Protocol (SAP) Switch-to-Switch
- Availability: Switch-to-Switch (DC to DC): Available Now

Page 51

Agenda (section divider, repeated)

Page 52

DHCPv4 Function: High Level

Server dynamically assigns IP address on demand

Administrator creates pools of addresses available for assignment

Address is assigned with lease time

DHCP delivers other configuration information in options

Similar functionality in IPv6 for DHCP

[Figure: the client asks the DHCP server to "Send My Configuration Information"; the server answers "Here Is Your Configuration": IP Address 10.10.10.101, Subnet Mask 255.255.255.0, Default Router 10.10.10.1, DNS Servers 192.168.10.4, 192.168.10.5, Lease Time 10 days]

Page 53

DHCP Function: Lower Level

DHCP is defined by RFC 2131

Client to DHCP server: DHCP Discover (Broadcast)

DHCP server to client: DHCP Offer (Unicast)

Client to DHCP server: DHCP Request (Broadcast)

DHCP server to client: DHCP Ack (Unicast)

Page 54

DHCP Starvation Attack

Gobbler/DHCPx looks at the entire DHCP scope and tries to lease all of the DHCP addresses available in the DHCP scope

This is a Denial of Service attack using DHCP leases

[Figure: Gobbler, in the client position, repeats the exchange once per address in the scope: DHCP Discover (Broadcast) x (size of scope), DHCP Offer (Unicast) x (size of scope), DHCP Request (Broadcast) x (size of scope), DHCP Ack (Unicast) x (size of scope)]

Page 55

Countermeasures for DHCP Attacks: DHCP Starvation Attack = Port Security

Gobbler uses a new MAC address to request each new DHCP lease

Restrict the number of MAC addresses on a port

The attacker will not be able to lease more IP addresses than the number of MAC addresses allowed on the port

In the example the attacker would get one IP address from the DHCP server

(config-if)# switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity

Page 56

Rogue DHCP Server Attack

[Figure: client, legitimate DHCP server and a rogue or unapproved server on the same segment]

Client: DHCP Discover (Broadcast)

Rogue server: DHCP Offer (Unicast)

Client: DHCP Request (Broadcast)

Rogue server: DHCP Ack (Unicast)

Page 57

Rogue DHCP Server Attack

What can the attacker do if he is the DHCP server?

[Figure: "Here Is Your Configuration": IP Address 10.10.10.101, Subnet Mask 255.255.255.0, Default Router 10.10.10.1, DNS Servers 192.168.10.4, 192.168.10.5, Lease Time 10 days]

What do you see as a potential problem with incorrect information?

Wrong default gateway: the attacker is the gateway

Wrong DNS server: the attacker is the DNS server

Wrong IP address: the attacker does DoS with an incorrect IP

Page 58

Mitigating the Rogue Server Attack – DHCP Snooping

[Figure: DHCP snooping-enabled switch; the DHCP server port is trusted, the client and rogue server ports are untrusted. DHCP responses (OFFER, ACK, NAK) from the trusted port are OK; the same responses from the untrusted rogue server port are BAD and dropped]

(config)# ip dhcp snooping vlan 4,104
no ip dhcp snooping information option
ip dhcp snooping

Client interface:
(config-if)# no ip dhcp snooping trust   (default)
ip dhcp snooping limit rate 10   (pps)

DHCP server interface:
(config-if)# ip dhcp snooping trust

Page 59

DHCP Snooping Binding Table

Table is built by "snooping" the DHCP reply to the client

Entries stay in the table until the DHCP lease time expires

[Figure: same topology as before: DHCP snooping-enabled switch, trusted DHCP server port, untrusted client and rogue server ports; OK DHCP responses (OFFER, ACK, NAK) from the trusted port, BAD ones from the rogue server dropped]

# sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ----------------
00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18

Page 60

DHCP Snooping Binding Persistence and Capacity

Not all operating systems (Linux) reinitiate DHCP on link down/up

In the event of switch failure, the DHCP snooping binding table can be written to bootflash, ftp, rcp, slot0, and tftp

Also, all DHCP snooping binding tables have limits

All entries stay in the binding table until the lease runs out

If you have a mobile work environment, reduce the lease time to make sure the binding entries will be removed

ip dhcp snooping database tftp://192.168.17.15/tftpboot/gawel/c6500-1-dhcpdb
ip dhcp snooping database write-delay 60

sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ----------------
00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18

Page 61

DHCP Snooping Advanced Considerations

Gobbler uses a unique MAC for each DHCP request and port security prevents Gobbler

What if the attack used the same interface MAC address, but changed the client hardware address in the request?

Port security would not work for that attack

The switches check the CHADDR field of the request to make sure it matches the hardware MAC in the DHCP snooping binding table

If there is not a match, the request is dropped at the interface

[Figure: DHCP message format: OP Code, Hardware Type, Hardware Length, HOPS; Transaction ID (XID); Seconds, Flags; Client IP Address (CIADDR); Your IP Address (YIADDR); Server IP Address (SIADDR); Gateway IP Address (GIADDR); Client Hardware Address (CHADDR), 16 bytes; Server Name (SNAME), 64 bytes; Filename, 128 bytes; DHCP Options]

Note: some switches have this on by default and others don't; please check the documentation for settings
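The two switch-side checks the deck sets against DHCP starvation, the port-security configuration from the earlier slide (maximum 1, violation restrict, inactivity aging of 2 minutes) and the CHADDR check from this one, modelled together as an added example that is not Cisco's code. The packet sequences and MAC addresses are constructed; the IOS command the CHADDR check corresponds to is ip dhcp snooping verify mac-address.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DhcpPacket:
    t: float            # arrival time in seconds (constructed clock)
    src_mac: str        # Ethernet source address
    chaddr: str         # client hardware address inside the DHCP message
    kind: str = "DISCOVER"


@dataclass
class AccessPort:
    """One untrusted access port with the slide's port-security settings plus
    the DHCP snooping CHADDR check (IOS: ip dhcp snooping verify mac-address)."""
    max_macs: int = 1                 # switchport port-security maximum 1
    aging_seconds: float = 120.0      # aging time 2 (minutes), aging type inactivity
    verify_chaddr: bool = True
    secure: dict = field(default_factory=dict)      # secure MAC -> last seen time
    counters: dict = field(default_factory=lambda: {
        "forwarded": 0, "port_security": 0, "chaddr_mismatch": 0})

    def _age_out(self, now):
        # inactivity aging: a secure MAC idle for aging_seconds is released
        for mac in [m for m, seen in self.secure.items()
                    if now - seen >= self.aging_seconds]:
            del self.secure[mac]

    def ingress(self, pkt):
        """Port security on the Ethernet source first, then the DHCP payload check."""
        self._age_out(pkt.t)
        if pkt.src_mac not in self.secure and len(self.secure) >= self.max_macs:
            # violation restrict: drop and count, the port stays up
            self.counters["port_security"] += 1
            return "drop:port-security"
        self.secure[pkt.src_mac] = pkt.t
        if self.verify_chaddr and pkt.chaddr.lower() != pkt.src_mac.lower():
            self.counters["chaddr_mismatch"] += 1
            return "drop:chaddr-mismatch"
        self.counters["forwarded"] += 1
        return "forward"


def run(port, packets):
    """Feed packets through the port and return its counters."""
    for pkt in packets:
        port.ingress(pkt)
    return dict(port.counters)


def new_mac_per_request(n):
    """Constructed Gobbler-style sequence: a fresh source MAC per DISCOVER."""
    return [DhcpPacket(i, f"02:00:00:00:00:{i:02x}", f"02:00:00:00:00:{i:02x}")
            for i in range(n)]


def same_mac_varying_chaddr(n):
    """Constructed variant from the slide: one source MAC, a different CHADDR each time."""
    return [DhcpPacket(i, "02:00:00:00:00:aa", f"02:00:00:00:01:{i:02x}")
            for i in range(n)]


if __name__ == "__main__":
    print("new MAC per request, port security   :",
          run(AccessPort(), new_mac_per_request(5)))
    print("same MAC, CHADDR varied, no verify   :",
          run(AccessPort(verify_chaddr=False), same_mac_varying_chaddr(5)))
    print("same MAC, CHADDR varied, verify      :",
          run(AccessPort(), same_mac_varying_chaddr(5)))
```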

Page 62

Summary of DHCP Attacks

DHCP starvation attacks can be mitigated by port security

Rogue DHCP servers can be mitigated by DHCP snooping features

When configured with DHCP snooping, all ports in the VLAN will be "untrusted" for DHCP replies

Check default settings to see if the CHADDR field is being checked during the DHCP request

ACLs to block UDP port 68 for partial attack mitigation (will not prevent the CHADDR DHCP starvation)

Page 63

ARP Function Review

Before a station can talk to another station it must do an ARP request to map the IP address to the MAC address

- This ARP request is broadcast, using EtherType 0x0806

All computers on the subnet will receive and process the ARP request; the station that matches the IP address in the request will send an ARP reply

[Figure: the requester broadcasts "Who is 10.1.1.4?"; the owner answers "I am 10.1.1.4, MAC A"]

Page 64

ARP Function Review

According to the ARP RFC, a client is allowed to send an unsolicited ARP reply; this is called a gratuitous ARP

Other hosts on the same subnet can store this information in their ARP tables

Anyone can claim to be the owner of any IP/MAC address; ARP attacks use this to redirect traffic

[Figure: a host sends a gratuitous ARP "I am 10.1.1.1, MAC A"; every other host on the subnet records "10.1.1.1 is MAC A"]

Page 65

ARP Attack Tools

Many tools on the net for ARP man-in-the-middle attacks

- Dsniff, Cain, ettercap, Yersinia.

ettercap: http://ettercap.sourceforge.net/

- Most have a very nice GUI, point and click

- Packet insertion, many to many ARP attack

All of them capture the traffic/passwords of applications

- FTP, Telnet, SMTP, HTTP, POP, NNTP, IMAP, SNMP, LDAP, RIP, OSPF, PPTP, MS-CHAP, SOCKS, X11, IRC, ICQ, AIM, SMB, Microsoft SQL, and more.

SSL/SSH MiTM tools are available, capable of presenting a bogus certificate.

Page 66

ARP Spoofing Attack in Action

Attacker poisons the ARP tables

[Figure: hosts 10.1.1.1 (MAC A) and 10.1.1.2 (MAC B) and the attacker 10.1.1.3 (MAC C). The attacker sends an ARP to 10.1.1.1 saying "10.1.1.2 is MAC C" and an ARP to 10.1.1.2 saying "10.1.1.1 is MAC C"; afterwards 10.1.1.1's table holds "10.1.1.2 is now MAC C" and 10.1.1.2's table holds "10.1.1.1 is now MAC C"]

Page 67

ARP Spoofing Attack in Action

All traffic flows through the attacker

Cleanup after the attack.

[Figure: 10.1.1.1 (MAC A) and 10.1.1.2 (MAC B) now transmit and receive their traffic for each other via MAC C, so the attacker 10.1.1.3 (MAC C) sits in the middle. 10.1.1.1's table: "10.1.1.2 is now MAC C"; 10.1.1.2's table: "10.1.1.1 is now MAC C"]

Page 68

ARP Spoofing Attack Clean Up

Attacker corrects the ARP table entries

Traffic flows return to normal

[Figure: the attacker (10.1.1.3, MAC C) sends an ARP to 10.1.1.1 saying "10.1.1.2 is MAC B" and an ARP to 10.1.1.2 saying "10.1.1.1 is MAC A"; the tables return to "10.1.1.2 is now MAC B" and "10.1.1.1 is now MAC A"]

Page 69

Countermeasures to ARP Spoofing: Dynamic ARP Inspection (DAI)

DAI utilizes the DHCP snooping binding table information.

[Figure: switch with DHCP snooping and Dynamic ARP Inspection enabled; hosts 10.1.1.1 (MAC A), 10.1.1.2 (MAC B) and the attacker 10.1.1.3 (MAC C). The attacker's ARPs ("10.1.1.2 is MAC C" to 10.1.1.1, "10.1.1.1 is MAC C" to 10.1.1.2) are checked against the binding table: "Is this in my binding table? No." Non-matching ARPs go in the bit bucket]

IP Phones are able to ignore Gratuitous ARPs (GARPs)

Page 70

Countermeasures to ARP Attacks: Dynamic ARP Inspection (DAI)

Uses the information from the DHCP snooping binding table

Looks at the MacAddress and IpAddress fields to see if the ARP from the interface is in the binding; if not, traffic is blocked

DAI is configured by VLAN

You can trust an interface like DHCP snooping

Be careful with rate limiting:

- Large numbers of ARP replies occur in environments using Simple Service Discovery Protocol (SSDP), part of the Universal Plug and Play (UPnP) protocol stack

# sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ----------------
00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18

Page 71

Configuring Dynamic ARP Inspection

DHCP Snooping:
(config)# ip dhcp snooping vlan 4,104
no ip dhcp snooping information option
ip dhcp snooping

Dynamic ARP Inspection:
ip arp inspection vlan 4,104
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10

Trusted interface:
(config-if)# ip dhcp snooping trust
ip arp inspection trust

Untrusted interface:
(config-if)# no ip arp inspection trust   (default)
ip arp inspection limit rate 15   (pps)

The first step should be to enable DHCP Snooping

The second step – configuring DAI per VLAN and per interface

Page 72

Configuring Additional DAI Checks

Checks on the destination MAC, the source MAC and the IP addresses:

- Destination MAC: checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body

- Source MAC: checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body

- IP address: checks the ARP body for invalid and unexpected IP addresses; these include 0.0.0.0, 255.255.255.255, and all IP multicast addresses

Each check can be enabled independently, or in any combination of the three

The last command overwrites the earlier command

(config)# ip arp inspection validate dst-mac
ip arp inspection validate src-mac
ip arp inspection validate ip

Enable all DAI validations:
(config)# ip arp inspection validate src-mac dst-mac ip
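The DAI decision described on the last three slides (trusted-port bypass, the binding-table check against the MacAddress and IpAddress fields, and the optional src-mac, dst-mac and ip validations enabled together), written out as an added example that is not Cisco's code. The binding table is the deck's sample; the attacker MAC, the second access port and the uplink name are constructed, and the check order is illustrative rather than the switch's exact pipeline.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copy of the 'sh ip dhcp snooping binding' output on the slides
SAMPLE_BINDING_TABLE = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ----------------
00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18
"""


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class ArpPacket:
    interface: str       # ingress port
    vlan: int
    eth_src: str         # Ethernet header addresses
    eth_dst: str
    sender_mac: str      # ARP body addresses
    sender_ip: str
    target_mac: str
    target_ip: str
    is_request: bool


def norm_mac(mac):
    return mac.lower().replace("-", ":")


def parse_binding_table(text):
    """Index the binding table by (mac, ip, vlan), which is what DAI consults."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[3] == "dhcp-snooping":
            mac, ip, _lease, _kind, vlan, iface = parts
            b = Binding(norm_mac(mac), ip, int(vlan), iface)
            table[(b.mac, b.ip, b.vlan)] = b
    return table


def is_invalid_ip(ip):
    """What the 'ip' validation rejects: 0.0.0.0, 255.255.255.255 and multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(ip).is_multicast


def inspect(pkt, bindings, trusted=frozenset(), validate=frozenset()):
    """Return 'permit' or 'deny:<reason>'. 'validate' holds the extra checks
    enabled together ('src-mac', 'dst-mac', 'ip'), as one 'ip arp inspection
    validate' command sets them."""
    if pkt.interface in trusted:
        return "permit:trusted"                     # ip arp inspection trust
    if "src-mac" in validate and norm_mac(pkt.eth_src) != norm_mac(pkt.sender_mac):
        return "deny:src-mac"
    if "dst-mac" in validate and not pkt.is_request and \
            norm_mac(pkt.eth_dst) != norm_mac(pkt.target_mac):
        return "deny:dst-mac"
    if "ip" in validate and (is_invalid_ip(pkt.sender_ip) or
                             (not pkt.is_request and is_invalid_ip(pkt.target_ip))):
        return "deny:ip"                            # target IP only checked in replies
    if (norm_mac(pkt.sender_mac), pkt.sender_ip, pkt.vlan) not in bindings:
        return "deny:no-binding"                    # the core DAI check
    return "permit"


ALL_CHECKS = frozenset({"src-mac", "dst-mac", "ip"})
HOST = "00:03:47:b5:9f:ad"          # the bound host from the table
ATTACKER = "00:0c:29:aa:bb:cc"      # constructed
BCAST = "ff:ff:ff:ff:ff:ff"
ZERO = "00:00:00:00:00:00"


def sample_results():
    """Constructed ARP requests on VLAN 4 run through DAI with every check on."""
    bindings = parse_binding_table(SAMPLE_BINDING_TABLE)
    legit = ArpPacket("FastEthernet3/18", 4, HOST, BCAST, HOST, "10.120.4.10", ZERO, "10.120.4.1", True)
    spoof = ArpPacket("FastEthernet3/19", 4, ATTACKER, BCAST, ATTACKER, "10.120.4.10", ZERO, "10.120.4.1", True)
    mismatch = ArpPacket("FastEthernet3/19", 4, ATTACKER, BCAST, HOST, "10.120.4.10", ZERO, "10.120.4.1", True)
    bogus = ArpPacket("FastEthernet3/18", 4, HOST, BCAST, HOST, "0.0.0.0", ZERO, "10.120.4.10", True)
    uplink = ArpPacket("GigabitEthernet1/1", 4, ATTACKER, BCAST, ATTACKER, "10.120.4.10", ZERO, "10.120.4.1", True)
    return {
        "legit_host": inspect(legit, bindings, validate=ALL_CHECKS),
        "spoofed_ip_no_binding": inspect(spoof, bindings, validate=ALL_CHECKS),
        "eth_src_vs_sender_mac": inspect(mismatch, bindings, validate=ALL_CHECKS),
        "invalid_sender_ip": inspect(bogus, bindings, validate=ALL_CHECKS),
        "trusted_uplink": inspect(uplink, bindings, trusted={"GigabitEthernet1/1"}, validate=ALL_CHECKS),
    }


if __name__ == "__main__":
    for name, verdict in sample_results().items():
        print(f"{name:24s} {verdict}")
```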

Page 73

Static Dynamic ARP Inspection Binding Table

Static (manual) bindings in the DHCP snooping binding table

The show commands for static and dynamic entries in the DHCP snooping binding table are different

No entry in the binding table—no traffic allowed

Wait until all devices have new leases before turning on DAI

Entries stay in table until the lease runs out

All hardware platforms have a binding size limit (in range of thousands)

(config)# ip source binding 0000.0000.0001 vlan 4 10.0.10.200 interface fastethernet 3/1

Show static DHCP snooping bindings:
# show ip source binding

Page 74

Dynamic ARP Inspection – Logging Messages

sh log:
4w6d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 296 milliseconds on Gi3/2.
4w6d: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi3/2, putting Gi3/2 in err-disable state
4w6d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/2, vlan 183.([0003.472d.8b0f/10.10.10.62/0000.0000.0000/10.10.10.2/12:19:27 UTC Wed Apr 19 2000])
4w6d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/2, vlan 183.([0003.472d.8b0f/10.10.10.62/0000.0000.0000/10.10.10.3/12:19:27 UTC Wed Apr 19 2000])
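A parser for the DAI syslog messages shown above, turning each deny, rate-exceeded and err-disable line into a structured record and a per-port summary that a monitoring rule can act on. Added example, not Cisco code; the log text is the slide's sample and the field names are my own.

```python
import re
from collections import defaultdict

# Sample syslog lines from the slide (timestamps and addresses are the deck's)
SAMPLE_LOG = """\
4w6d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 296 milliseconds on Gi3/2.
4w6d: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi3/2, putting Gi3/2 in err-disable state
4w6d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/2, vlan 183.([0003.472d.8b0f/10.10.10.62/0000.0000.0000/10.10.10.2/12:19:27 UTC Wed Apr 19 2000])
4w6d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/2, vlan 183.([0003.472d.8b0f/10.10.10.62/0000.0000.0000/10.10.10.3/12:19:27 UTC Wed Apr 19 2000])
"""

# The bracketed tuple is sender MAC / sender IP / target MAC / target IP / time
DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>\w+)\) on "
    r"(?P<iface>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-fA-F.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-fA-F.]+)/(?P<tip>[\d.]+)/(?P<when>[^\]]+)\]\)")
RATE_RE = re.compile(
    r"%SW_DAI-4-PACKET_RATE_EXCEEDED: (?P<pkts>\d+) packets received in (?P<ms>\d+) "
    r"milliseconds on (?P<iface>[^\s.]+)")
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: arp-inspection error detected on (?P<iface>[^\s,]+)")


def parse_dai_log(text):
    """Return one dict per recognised line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            events.append({"type": "deny", "iface": m["iface"], "vlan": int(m["vlan"]),
                           "count": int(m["count"]), "kind": m["kind"],
                           "sender_mac": m["smac"], "sender_ip": m["sip"],
                           "target_mac": m["tmac"], "target_ip": m["tip"],
                           "when": m["when"]})
            continue
        m = RATE_RE.search(line)
        if m:
            events.append({"type": "rate_exceeded", "iface": m["iface"],
                           "packets": int(m["pkts"]), "ms": int(m["ms"])})
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            events.append({"type": "err_disable", "iface": m["iface"]})
    return events


def summarize(events):
    """Per-port view for an alert: denied ARPs, claimed sender IPs/MACs, targets,
    rate-limit hits and whether the port was err-disabled."""
    ports = defaultdict(lambda: {"denied": 0, "sender_ips": set(), "sender_macs": set(),
                                 "targets": set(), "rate_exceeded": 0,
                                 "err_disabled": False})
    for ev in events:
        p = ports[ev["iface"]]
        if ev["type"] == "deny":
            p["denied"] += ev["count"]
            p["sender_ips"].add(ev["sender_ip"])
            p["sender_macs"].add(ev["sender_mac"])
            p["targets"].add(ev["target_ip"])
        elif ev["type"] == "rate_exceeded":
            p["rate_exceeded"] += 1
        elif ev["type"] == "err_disable":
            p["err_disabled"] = True
    return dict(ports)


if __name__ == "__main__":
    for iface, info in summarize(parse_dai_log(SAMPLE_LOG)).items():
        print(iface, info)
```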

Page 75

More ARP Attack Information

ARPWatch is a free tool to track IP/MAC address pairings and detect ARP spoofing attacks. It works, but:

- Caution: you will need an ARPWatch server on every VLAN

- Hard to manage and scale.

Installing ARPWatch on a Linux machine:

~# wget ftp://ftp.ee.lbl.gov/arpwatch.tar.gz
~# tar -xzvf arpwatch.tar.gz
~# cd arpwatch-2.1a13
~# ./configure --prefix=/usr/local/arpwatch
~# mkdir /usr/local/arpwatch/
~# make
~# make install
~# cp arp.dat /usr/local/arpwatch/sbin/
~# vi /etc/arpwatch.conf
eth0 -a -n 192.168.1.0/24 -m [email protected]
~# /etc/init.d/arpwatch restart
~# ps -u root | grep arpwatch
2408 ?        00:00:00 arpwatch

Page 76

Agenda (section divider, repeated)

Page 77

IPv6 Neighbor Discovery Fundamentals

RFC 4861, Neighbor Discovery for IP Version 6 (IPv6)

RFC 4862, IPv6 Stateless Address Autoconfiguration

Used for:

- Router discovery

- IPv6 Stateless Address Auto Configuration (SLAAC)

- IPv6 address resolution (replaces ARP)

- Neighbor Unreachability Detection (NUD)

- Duplicate Address Detection (DAD)

- Redirection

Operates above ICMPv6

- Relies heavily on multicast (including L2 multicast)

Works with ICMP messages and message "options"

Page 78

IPv4 to IPv6 – Link model shift

[Figure: "An IPv4 link" – the DHCP server assigns addresses; the router announces the default router and announces link parameters. The IPv4 link model is DHCP-centric.]

[Figure: "An IPv6 link" – the router announces the default router, announces link parameters and assigns addresses; the DHCP server assigns addresses. The IPv6 link model is essentially distributed, with DHCP playing a minor role.]

For Your Reference

Page 79

Layer-2 Security in IPv6 Networks – Problem Definition

IPv6 is becoming pervasive.

IPsec is a mandatory component for IPv6, but it does not mean that encrypting all the IPv6 traffic is mandatory.

IPv4 ARP replaced by ICMPv6 Neighbor Discovery Protocol.

ARP Spoofing is now NDP Spoofing.

While ICMPv6 is not a Layer-2 protocol, we will focus on it.

Multiple attack tools exist - The Hacker's Choice THC-IPV6 Attack Toolkit - parasite6, fake_router6, redir6 and 40+ more.

Your IPv4 network can be vulnerable to IPv6 attacks today.

BRKSEC-2003 IPv6 Security Threats and Mitigations

Page 80

IPv6 Address Resolution – comparing with IPv4 ARP

Creates neighbor cache entry, resolving IPv6 address into MAC address.

Messages: Neighbor Solicitation (NS), Neighbor Advertisement (NA)

[Figure: nodes A, B and C on one link; A sends an NS, B answers with an NA]

NS
ICMP type = 135 (Neighbor Solicitation)
Src = A
Dst = Solicited-node multicast address of B
Data = B
Option = link-layer address of A
Query = what is B's link-layer address?

NA
ICMP type = 136 (Neighbor Advertisement)
Src = one of B's IF addresses
Dst = A
Data = B
Option = link-layer address of B

A and B can now exchange packets on this link.

Page 81

Attacking IPv6 Address Resolution

Attacker can claim victim's IPv6 address.

[Figure: nodes A, B and attacker C on one link; A sends an NS for B, C answers with an NA]

NS
Dst = Solicited-node multicast address of B
Query = what is B's link-layer address?

NA (sent by C)
Src = B or any of C's IF addresses
Dst = A
Data = B
Option = link-layer address of C

Countermeasures: Static Cache Entries, Address GLEAN, SeND (CGA), Address-Watch.

Page 82

IPv6 Address GLEAN

"Gleaning" means extracting addresses from NA, ND and DHCP messages.

[Figure: hosts H1, H2 and H3 on switch ports P1, P2 and P3; the switch builds a binding table from their traffic and can query the DHCP server with DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY]

Messages seen by the switch:

NS [IP source=A1, LLA=MACH1]
REQUEST [XID, SMAC = MACH2]
REPLY [XID, IPA21, IPA22]
data [IP source=A3, SMAC=MACH3]
DAD NS [IP source=UNSPEC, target = A3]
NA [IP source=A1, LLA=MACH3]

Binding table:

IPv6  MAC    VLAN  IF
A1    MACH1  100   P1
A21   MACH2  100   P2
A22   MACH2  100   P2
A3    MACH3  100   P3
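The gleaning and binding-table check above, as an added Python example (not Cisco's code): hosts, addresses, MACs and the DHCPv6 transaction id are constructed, and the final NA, which claims A1 from a third port, shows the kind of conflict a binding table lets the switch reject.

```python
"""IPv6 address gleaning into a switch binding table, with ND inspection.
Added example, not Cisco's implementation: the switch learns IPv6/MAC/VLAN/port
bindings from NS, DAD NS, DHCPv6 REPLY and data packets, then checks later NDP
messages against them. All messages and addresses are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

UNSPEC = "::"  # unspecified source address used by DAD neighbor solicitations

@dataclass(frozen=True)
class Binding:
    ipv6: str
    mac: str
    vlan: int
    iface: str

@dataclass
class BindingTable:
    entries: Dict[str, Binding] = field(default_factory=dict)   # IPv6 -> binding
    violations: List[str] = field(default_factory=list)
    # DHCPv6 transaction id -> (client MAC, VLAN, port) seen in the REQUEST
    pending_dhcp: Dict[str, Tuple[str, int, str]] = field(default_factory=dict)

    def _learn(self, ipv6, mac, vlan, iface, via) -> bool:
        """Create or confirm a binding; a conflicting claim is recorded and rejected."""
        known = self.entries.get(ipv6)
        if known is None:
            self.entries[ipv6] = Binding(ipv6, mac, vlan, iface)
            return True
        if (known.mac, known.vlan, known.iface) == (mac, vlan, iface):
            return True  # refresh of an existing binding
        self.violations.append(f"{via}: {ipv6} claimed by {mac} on {iface}, "
                               f"bound to {known.mac} on {known.iface}")
        return False

    def process(self, msg: dict) -> bool:
        """True = consistent with the table (forward); False = binding violation (drop)."""
        kind, vlan, port = msg["type"], msg["vlan"], msg["port"]
        if kind == "NS":
            if msg["src"] == UNSPEC:  # DAD NS: the target is the address being claimed
                return self._learn(msg["target"], msg["smac"], vlan, port, "DAD NS")
            return self._learn(msg["src"], msg["lla"], vlan, port, "NS")
        if kind == "NA":
            return self._learn(msg["src"], msg["lla"], vlan, port, "NA")
        if kind == "DHCP_REQUEST":
            self.pending_dhcp[msg["xid"]] = (msg["smac"], vlan, port)
            return True
        if kind == "DHCP_REPLY":
            client = self.pending_dhcp.pop(msg["xid"], None)
            if client is None:
                return True  # no matching REQUEST seen on a client port: nothing to glean
            cmac, cvlan, cport = client
            ok = True
            for ip in msg["addresses"]:  # bind every leased address to the requesting client
                ok = self._learn(ip, cmac, cvlan, cport, "DHCP") and ok
            return ok
        if kind == "DATA":
            return self._learn(msg["src"], msg["smac"], vlan, port, "data")
        return True  # other traffic is not subject to gleaning

# Constructed traffic following the slide: H1 on P1, H2 on P2, H3 on P3, all in VLAN 100.
MACH1, MACH2, MACH3 = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
SAMPLE_MESSAGES = [
    {"type": "NS", "src": "2001:db8:100::1", "lla": MACH1, "smac": MACH1, "vlan": 100, "port": "P1"},
    {"type": "DHCP_REQUEST", "xid": "0xa1b2c3", "smac": MACH2, "vlan": 100, "port": "P2"},
    {"type": "DHCP_REPLY", "xid": "0xa1b2c3", "vlan": 100, "port": "Uplink",
     "addresses": ["2001:db8:100::21", "2001:db8:100::22"]},
    {"type": "DATA", "src": "2001:db8:100::3", "smac": MACH3, "vlan": 100, "port": "P3"},
    {"type": "NS", "src": UNSPEC, "target": "2001:db8:100::3", "smac": MACH3, "vlan": 100, "port": "P3"},
    # H3 advertises H1's address with its own link-layer address: a binding violation
    {"type": "NA", "src": "2001:db8:100::1", "lla": MACH3, "smac": MACH3, "vlan": 100, "port": "P3"},
]

def run_glean(messages=SAMPLE_MESSAGES):
    """Feed messages through a fresh binding table; return the table and per-message verdicts."""
    table = BindingTable()
    return table, [table.process(m) for m in messages]

if __name__ == "__main__":
    table, verdicts = run_glean()
    for b in table.entries.values():
        print(f"{b.ipv6:<19} {b.mac:<18} {b.vlan:<5} {b.iface}")
    print("verdicts:", verdicts, "violations:", table.violations)
```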

Page 83

IPv6 Router Discovery

Find default/first-hop routers

Discover on-link prefixes => which destinations are neighbors

Messages: Router Advertisements (RA), Router Solicitations (RS)

[Figure: host A and router B (connected to the Internet) on one link; A sends an RS, B answers with an RA]

RS
ICMP Type = 133 (Router Solicitation)
Src = UNSPEC (or Host link-local address)
Dst = All-routers multicast address (FF02::2)
Query = please send RA

RA
ICMP Type = 134 (Router Advertisement)
Src = Router link-local address
Dst = All-nodes multicast address (FF02::1)
Data = router lifetime, retrans timer, autoconfig flag
Option = Prefix, lifetime

A uses B as default gateway.

Page 84

Attacking IPv6 Router Discovery

Attacker tricks victim into accepting him as default router.

Based on rogue Router Advertisements.

The most frequent threat by non-malicious user.

[Figure: host A, legitimate router B (connected to the Internet) and attacker C on one link]

RA (from C)
Src = C's link-local address
Dst = All-nodes
Data = router lifetime, autoconfig flag
Options = subnet prefix, slla

RA (with B's source address)
Src = B's link-local address
Dst = All-nodes
Data = router lifetime=0

Result: Node A sending off-link traffic to C.

Page 85

IPv6 RA-Guard – Securing Router Discovery

Switch selectively accepts or rejects RAs based on various criteria – ACL (configuration) based, learning-based or challenge (SeND) based. Hosts see only allowed RAs, and RAs with allowed content.

[Figure: C sends a Router Advertisement "I am the default gateway" with prefix option(s) towards A; the switch in between asks "Verification succeeded?" and forwards the RA only if so]

More countermeasures: static routing, SeND, VLAN segmentation, PACL.
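An ACL (configuration) based RA-Guard decision, as an added Python example (not Cisco's implementation): the policy, port names and the sample RAs are constructed assumptions that mirror the rogue RA, the lifetime-0 RA with a spoofed source, and the bogus-prefix RA discussed on the surrounding slides.

```python
"""ACL-based RA-Guard policy check. Added example, not Cisco's implementation:
an RA is forwarded only if it arrives on a router-facing port, is sourced from an
allowed router link-local address, keeps the router lifetime within bounds and
advertises only allowed prefixes. Policy values and RAs are constructed samples."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple

@dataclass
class RaGuardPolicy:
    router_ports: Set[str]                          # ports on which RAs may legitimately arrive
    allowed_routers: Set[ipaddress.IPv6Address]     # router link-local source addresses
    allowed_prefixes: List[ipaddress.IPv6Network]   # prefixes a router may advertise here
    max_router_lifetime: int = 9000                 # seconds, the RFC 4861 maximum

@dataclass
class RouterAdvertisement:
    ingress_port: str
    src: str
    router_lifetime: int
    prefixes: List[str] = field(default_factory=list)  # prefix information options

def evaluate_ra(policy: RaGuardPolicy, ra: RouterAdvertisement) -> Tuple[bool, str]:
    """Return (forward?, reason). Cheapest checks first, as a switch ACL would order them."""
    if ra.ingress_port not in policy.router_ports:
        return False, f"RA received on host-facing port {ra.ingress_port}"
    try:
        src = ipaddress.IPv6Address(ra.src)
    except ValueError:
        return False, f"malformed source {ra.src!r}"
    if not src.is_link_local:
        return False, f"source {src} is not link-local"
    if src not in policy.allowed_routers:
        return False, f"source {src} is not an allowed router"
    if ra.router_lifetime > policy.max_router_lifetime:
        return False, f"router lifetime {ra.router_lifetime} exceeds {policy.max_router_lifetime}"
    for prefix in ra.prefixes:
        try:
            net = ipaddress.IPv6Network(prefix)  # strict: host bits must be zero
        except ValueError:
            return False, f"malformed prefix option {prefix!r}"
        if net not in policy.allowed_prefixes:
            return False, f"prefix {net} is not allowed on this link"
    return True, "allowed"

# Constructed policy: router B (fe80::b) sits behind Gi1/0/1 and owns 2001:db8:1::/64.
POLICY = RaGuardPolicy(
    router_ports={"Gi1/0/1"},
    allowed_routers={ipaddress.IPv6Address("fe80::b")},
    allowed_prefixes=[ipaddress.IPv6Network("2001:db8:1::/64")],
)

# Constructed RAs: one legitimate, then the cases from the attack slides.
SAMPLE_RAS = [
    RouterAdvertisement("Gi1/0/1", "fe80::b", 1800, ["2001:db8:1::/64"]),        # router B
    RouterAdvertisement("Gi1/0/7", "fe80::c", 1800, ["2001:db8:1::/64"]),        # rogue RA from host C
    RouterAdvertisement("Gi1/0/7", "fe80::b", 0, []),                            # "B" lifetime=0, host port
    RouterAdvertisement("Gi1/0/1", "fe80::b", 1800, ["2001:db8:bad::/64"]),      # unknown prefix
    RouterAdvertisement("Gi1/0/1", "2001:db8:1::b", 1800, ["2001:db8:1::/64"]),  # global source
]

def filter_ras(policy: RaGuardPolicy = POLICY, ras=SAMPLE_RAS) -> List[Tuple[bool, str]]:
    """Apply the policy to each RA; return the (forward?, reason) pair per RA."""
    return [evaluate_ra(policy, ra) for ra in ras]

if __name__ == "__main__":
    for ra, (ok, why) in zip(SAMPLE_RAS, filter_ras()):
        print("FORWARD" if ok else "DROP   ", ra.ingress_port, ra.src, why)
```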

Page 86

IPv6 Stateless Address Auto-Configuration (SLAAC)

Stateless, based on prefix information delivered in Router Advertisements.

Messages: Router Advertisements, Router Solicitations

[Figure: host A and router B (connected to the Internet) on one link]

RS
ICMP Type = 133 (Router Solicitation)
Src = UNSPEC (or Host link-local address)
Dst = All-routers multicast address (FF02::2)
Query = please send RA

RA
ICMP Type = 134 (Router Advertisement)
Src = Router link-local address
Dst = All-nodes multicast address (FF02::1)
Data = router lifetime, retrans timer, autoconfig flag
Options = Prefix X,Y,Z, lifetime

A computes X::x, Y::y, Z::z and DADs them (NS).

A sources traffic with X::x, Y::y, Z::z.

Page 87

IPv6 Duplicate Address Detection (DAD)

Verify IPv6 address uniqueness.

Probe neighbors to verify nobody claims the address.

Messages: Neighbor Solicitation, Neighbor Advertisement

[Figure: nodes A, B and C on one link; A sends the DAD NS before using its address]

NS
ICMP type = 135 (Neighbor Solicitation)
Src = UNSPEC = 0::0
Dst = Solicited-node multicast address of A
Data = A
Query = Does anybody use A already?

Node A starts using the address.

Page 88

Attacking IPv6 Stateless Address Auto-Configuration

Attacker spoofs Router Advertisement with false on-link prefix.

Victim generates IP address with this prefix.

Access router drops outgoing packets from victim (ingress filtering).

Incoming packets can't reach victim.

[Figure: host A, router B (connected to the Internet) and attacker C on one link]

RA (deprecates X::A)
Src = B's link-local address
Dst = All-nodes
Options = prefix X, Preferred lifetime = 0

RA
Src = B's link-local address
Dst = All-nodes
Options = prefix BAD, Preferred lifetime

A computes BAD::A and DADs it.

Node A sourcing off-link traffic to B with BAD::A; router B filters out BAD::A.

Page 89

Features in IPv6 First-Hop Security

Switches do/will integrate a set of monitoring, inspection and guard features for a variety of security-centric purposes:

1. RA-guard

2. NDP address glean/inspection

3. Address watch/ownership enforcement

4. Device Tracking

5. Address GLEAN (NDP + DHCP + data)

6. DHCP-guard

7. DAD/Resolution proxy

8. Source-guard (SAVI)

9. Destination-guard

10. DHCP L2 relay

Feature set and platform availability have been staged into phases.

BRKSEC-3003 Advanced IPv6 First-Hop Security

Page 90

Configuring IPv6 FHS

IPv6 Configuration Examples at http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html

Configuring the IPv6 Binding Table Content

Configuring IPv6 Device Tracking

Configuring IPv6 ND Inspection

Configuring IPv6 RA Guard

Configuring SeND for IPv6

Configuring IPv6 PACL

For Your Reference


Page 92

Server Virtualization – Network Security Concerns

[Figure: VMs attached through vEth ports to a virtual switch with uplinks VMNIC #1 and VMNIC #2]

Virtualization security concerns:

- V-Motion (Memory)
- V-Storage (VMDK)
- VM Segmentation
- Hypervisor Security
- Role Based Access
- Physical Security
- VM OS Hardening
- Patch Management
- VM Sprawl

Real case: [...] "It looks the O&M firewall is not filtering the ARP traffic the right way. This allows a VM to connect to any other VM through the O&M network after injecting malicious ARP traffic. This happens even if the destination VM belongs to a different tenant VDC" [...]

Page 93

A look inside the VM environment

vSwitch lacks "advanced" network functions:

- No visibility into VM-to-VM traffic on a port group
- No visibility into VM-to-Hypervisor calls
- No SNMP and Netflow instrumentation to monitor flows between VMs
- No ACLs and PVLAN to limit inter-VM traffic
- No SPAN to enable forensic analysis of inter-VM traffic

[Figure: DMZ with Web Server, Application Server and Database Server VMs sharing one vSwitch]

Page 94

Moving Layer-2 Security boundary to the Virtual Switch

Most virtual ports are Access Ports. Most physical ports are Trunk Ports.

[Figure: virtual switch port view – vEth ports veth125, veth327, veth42, veth56; physical ports eth7/2, eth7/3 and port-channel po3; VLAN 10, VLAN 17, VLAN 18; VMKernel]

Page 95

Virtual Access Layer-2 attacks and Countermeasures

Virtual Access Layer should offer at least the same L2 Security measures as within Campus: Access Lists, Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, Port Security, Private VLANs, STP extensions, Layer-2 storm control, Rate-Limiters.

With no such mechanisms in place, the consequences of exploitation are disastrous, taking the scale into account (hundreds of VMs).

Layer-2 flow visibility can be provided by:

- NetFlow Collection
- SPAN, RSPAN or ERSPAN

BRKSEC-2205 Security and Virtualization in the Data Center

Page 96

Inside the VEM: Packet Forwarding Features

Ingress Features: DHCP Snooping, Access Control Lists, QoS Marking, vPath, NetFlow

L2 Lookup Features: Port Security, Private VLANs, Multicast Groups

Egress Features: DHCP Snooping, ACL, QoS, vPath, NetFlow

For Your Reference

Page 97

VM LAN Security vSwitch Port Groups

› Use of Virtual Switch Tagging (VST)

› Use Port-Groups to segment vSwitch & VMs

› Assign VLAN to Port-Group based upon security affinity, e.g. Web = Blue VLAN

› Map existing physical affinities to VMs, e.g. Web Blue VLAN HR Port-Group

› Port-Groups also simplify policies that are applied to a VM, e.g. Web = VLAN101 (Blue)

› Use static MAC addresses per VM to simplify troubleshooting

› Intra-Tenant traffic between application tiers is controlled via firewall instance

[Figure: DMZ Web Server, Application Server and Database Server VMs with vNICs in port groups Web: Blue VLAN, Appl'n: Red VLAN and DB: Green VLAN on the vSwitch; the pNIC carries an 802.1q Trunk with Trunkfast Enabled]

For Your Reference


Page 99

Transparent Firewall Definition

Firewall acts as a bump-in-the-wire.

Firewall must have an IP assigned in the same network.

Firewall may also have an IP assigned to Management interface for OOB management.

Firewall populates CAM table via learning, or soliciting a response. It will not flood.

If packet is received, and DMAC not present in CAM, packet is dropped.

[Figure: transparent firewall with an outside and an inside interface]

Page 100

Transparent Firewall – Directly Connected

[Figure: 10.1.5.0/24 on both sides of the transparent firewall (Inside / Outside); addresses 10.1.5.254, 10.1.5.1, 10.1.5.2; the inside host sends a frame DST: 10.1.5.9, DMAC: 0002.a22d.183b]

DMAC is not in the CAM table, so the frame is not forwarded; instead the firewall solicits: ARP: Where is 10.1.5.9

ciscoasa# show mac-address-table
interface    mac address       type      Age(min)
------------------------------------------------------------------
Outside      0024.c4b3.c6e1    dynamic   3
Inside       0050.56b2.1351    dynamic   2

ARP reply: 10.1.5.9 is at 0002.a22d.183b

ciscoasa# show mac-address-table
interface    mac address       type      Age(min)
------------------------------------------------------------------
Outside      0024.c4b3.c6e1    dynamic   3
Outside      0002.a22d.183b    dynamic   5
Inside       0050.56b2.1351    dynamic   2

For Your Reference

Page 101

Transparent Firewall – Not Directly Connected

[Figure: 10.1.5.0/24 on both sides of the transparent firewall (Inside / Outside); addresses 10.1.5.254, 10.1.5.1, 10.1.5.2; the destination 10.2.2.3 lies in 10.2.2.0/24 beyond the outside router; the inside host sends a frame DST: 10.2.2.3, DMAC: 0004.daad.4491]

ciscoasa# show mac-address-table
interface    mac address       type      Age(min)
------------------------------------------------------------------
Inside       0050.56b2.1351    dynamic   2

DMAC is not in the CAM table, so the frame is not forwarded; the firewall sends ICMP Echo-Req: 10.2.2.3, TTL=1

Time Exceeded from 10.1.5.2, SRC MAC: 0004.daad.4491

ciscoasa# show mac-address-table
interface    mac address       type      Age(min)
------------------------------------------------------------------
Outside      0004.daad.4491    dynamic   5
Inside       0050.56b2.1351    dynamic   2

The frame DST: 10.2.2.3, DMAC: 0004.daad.4491 is now forwarded to the Outside.

For Your Reference
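The learn-or-solicit behaviour of the two slides above (ARP for an on-subnet destination, TTL=1 echo for an off-subnet one, and a drop rather than a flood when nobody answers), as an added Python simulation that is not ASA code; the link responses, MACs and frames are constructed to match the diagrams.

```python
"""Transparent (Layer-2) firewall forwarding model. Added example, not ASA code:
the firewall learns MACs from frames it sees and, unlike a switch, never floods.
For an unknown destination MAC it solicits a reply instead (ARP if the destination
IP is on the directly connected subnet, otherwise an ICMP echo with TTL=1 so the
next-hop router answers with Time Exceeded), learns the responder's MAC, and drops
the frame if the MAC is still unknown. Subnet, hosts and MACs are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Probe = Tuple[str, str]  # (probe type, target IP)

class TransparentFirewall:
    def __init__(self, subnet: str, link: Dict[Probe, Tuple[str, str]]):
        self.subnet = ipaddress.IPv4Network(subnet)
        self.link = link                 # constructed wire: which (interface, MAC) answers each probe
        self.cam: Dict[str, str] = {}    # MAC -> interface, i.e. "show mac-address-table"
        self.probes: List[Probe] = []    # every solicitation the firewall had to send

    def learn(self, mac: str, iface: str) -> None:
        self.cam[mac] = iface

    def solicit(self, dst_ip: str) -> Optional[str]:
        """Trigger a reply from the owner of dst_ip (or the next hop) and learn its MAC."""
        if ipaddress.IPv4Address(dst_ip) in self.subnet:
            probe: Probe = ("ARP", dst_ip)          # "Where is dst_ip?"
        else:
            probe = ("ICMP_ECHO_TTL1", dst_ip)      # next hop replies with Time Exceeded
        self.probes.append(probe)
        answer = self.link.get(probe)
        if answer is None:
            return None                             # nobody answered: nothing learned
        iface, mac = answer
        self.learn(mac, iface)
        return mac

    def forward(self, frame: dict) -> Optional[str]:
        """Return the egress interface for a frame, or None when it is dropped."""
        self.learn(frame["smac"], frame["in_iface"])    # learning from every frame seen
        egress = self.cam.get(frame["dmac"])
        if egress is None:
            self.solicit(frame["dst_ip"])
            egress = self.cam.get(frame["dmac"])
        if egress is None or egress == frame["in_iface"]:
            return None  # still unknown, or would hairpin: drop, never flood
        return egress

# Constructed link behaviour mirroring the two slides: 10.1.5.9 answers ARP on Outside,
# and the Outside router 10.1.5.2 (0004.daad.4491) answers the TTL=1 probe for 10.2.2.3.
LINK = {
    ("ARP", "10.1.5.9"): ("Outside", "0002.a22d.183b"),
    ("ICMP_ECHO_TTL1", "10.2.2.3"): ("Outside", "0004.daad.4491"),
}
INSIDE_HOST = "0050.56b2.1351"

def run_scenarios():
    """Replay four constructed frames; return the per-frame egress and the firewall state."""
    fw = TransparentFirewall("10.1.5.0/24", LINK)
    frames = [
        {"in_iface": "Inside", "smac": INSIDE_HOST, "dst_ip": "10.1.5.9", "dmac": "0002.a22d.183b"},
        {"in_iface": "Inside", "smac": INSIDE_HOST, "dst_ip": "10.2.2.3", "dmac": "0004.daad.4491"},
        {"in_iface": "Inside", "smac": INSIDE_HOST, "dst_ip": "10.1.5.77", "dmac": "0000.0000.0077"},
        {"in_iface": "Inside", "smac": INSIDE_HOST, "dst_ip": "10.1.5.9", "dmac": "0002.a22d.183b"},
    ]
    return [fw.forward(f) for f in frames], fw

if __name__ == "__main__":
    results, fw = run_scenarios()
    print("egress per frame:", results)
    print("probes sent:", fw.probes)
    for mac, iface in fw.cam.items():
        print(f"{iface:<8} {mac}  dynamic")
```

The third frame is dropped because the ARP for 10.1.5.77 goes unanswered, and the fourth needs no probe because the MAC was learned from the first.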

Page 102

Transparent Firewall – Deployment Scenario

Example of Bad Deployment Scenario: Web Server's Default Gateway points to internal router.

What issues does this design cause?

[Figure: Internet; devices 10.1.5.254, 10.1.5.1 and 10.1.5.2, the last labelled Default Gateway; web server www.example.com at 10.1.5.5; arrows for SYN and SYN+ACK take different paths through the design]

For Your Reference

Page 103

Transparent Firewall – Deployment Scenario

Firewall is inserted directly between two L3 routers.

Firewall is inserted between end-hosts and default gateway.

[Figure: Internet to www.example.com; both SYN and SYN+ACK cross the firewall]

IPS hardware module can be used with transparent firewall for additional Layer-2 security.

Page 104

Transparent firewalling for L2 Security

ASA in Transparent mode passes the following by default, unless specifically filtered by an EtherType ACL:

- BPDUs 01-00-0c-cc-cc-cd
- IPv4 multicast MACs 01-00-5e-00-00-00 to 01-00-5e-fe-ff-ff
- IPv6 multicast MACs 33-33-00-00-00-00 to 33-33-ff-ff-ff-ff
- AppleTalk 09-00-07-00-00-00 to 09-00-07-ff-ff-ff
- True broadcast destination MAC ff-ff-ff-ff-ff-ff

Transparent mode ASA does not pass CDP packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. For example, it does not pass IS-IS packets.

ARP inspection compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table:

ciscoasa(config)# arp-inspection outside enable [flood | no-flood]

flood allows (floods) ARP packets that match no static entry; no-flood restricts (drops) them.

BRKSEC-3020 and TECSEC-2020 cover ASA in depth.

BRKSEC-3020 Advanced ASA Firewalls

Page 105

Intrusion Prevention for L2 Security

The IPS Sensor can pass or drop CDP traffic.

Preventing ARP Spoofing with IPS Atomic.ARP engine.

Thousands of higher OSI layers Attack Signatures exist for both IPv4 and IPv6.

Page 106

Intrusion Prevention for L2 Security in IPv6 Networks

ICMPv6 Signatures for Attack mitigation and visibility, including NA, NS, RA, RS.

Page 107

IPS with Encapsulated RSPAN (ERSPAN) in virtualized environments

ERSPAN:

- Extends the Local SPAN to send packets outside local host (VEM)
- Can be used to monitor the traffic on the Virtual Switch remotely
- One or more sources: Type: Ethernet, Vethernet, Port-Channel, VLAN; Direction: Ingress / Egress / Both
- IP based destination
- ERSPAN ID provides segmentation
- Protocol type header 0x88be for ERSPAN GRE

[Figure: NEXUS 1000v on an ESXi host with VMs and the VMkernel; ERSPAN sessions ID:1 and ID:2 carry traffic to ERSPAN destinations (NAM, Management Console)]

BRKSEC-3030 covers Advanced IPS

Page 108

Layer-2 Security Summary

Use multiple, overlapping security mechanisms.

Utilize well-known Cisco Integrated Security Features (CISF).

Secure the Control Plane, Management Plane and Data Plane.

Develop a security strategy for your virtualized environment.

Explore the available IPv6 First-Hop Security Features (FHS).

Defense in depth is the right approach.

Page 109

Recommended Reading

Page 110

Q&A

Page 111

Recommended Reading

Please visit the Cisco Store for suitable reading.

Page 112

Please complete your Session Survey

Don't forget to complete your online session evaluations after each session.

Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.

Surveys can be found on the Attendee Website at www.ciscolivelondon.com/onsite, which can also be accessed through the screens at the Communication Stations.

Or use the Cisco Live Mobile App to complete the surveys from your phone; download the app at www.ciscolivelondon.com/connect/mobile/app.html

We value your feedback

http://m.cisco.com/mat/cleu12/

1. Scan the QR code (Go to http://tinyurl.com/qrmelist for QR code reader software, alternatively type in the access URL above)

2. Download the app or access the mobile site

3. Log in to complete and submit the evaluations

Page 113

Thank you.