SECURITY
CISCO 1/2009

ADAM BLACK

Secure Switching with Cisco Platforms

This article provides a detailed account of the operation of three highly effective abuses possible in a default-state switched network and how to mitigate them with Cisco platforms. At the end of the article a Top 10 security checklist is provided.

WHAT YOU SHOULD KNOW...
You should have a basic understanding of switching and Cisco platforms.

WHAT YOU WILL LEARN...
How ARP poisoning, CAM flooding, and rogue DHCP servers work
How to mitigate those threats using Cisco platforms

Every issue presented here has been observed in corporations ranging from banks that administer trillions of dollars in client funds to mom and pop grocery stores. An unfortunate reality of networking is that the nature of switches and their role within an IT infrastructure denies manufacturers the ability to lock down a number of very serious vulnerabilities. Although these vulnerabilities (typically) extend only as far as the broadcast domain the aggressor is in, they are numerous and the technical complexity of exploiting them is often quite low.

Like the article I have prepared on securing routed networks using Cisco platforms, this article does not by any means cover every vulnerability a malicious user could leverage; there are simply too many for that to be possible. Instead we will focus on a few strategies that will mitigate the majority of the abuses possible, and I will provide a checklist of other best practices at the end.

Rogue DHCP Servers
One of the most basic vulnerabilities an attacker can take advantage of in a layer 2 environment is the DHCP process. It is so simple that many users perform this type of attack every day without even intending to, simply by plugging a small Linksys (now Linksys by Cisco) router into their office's network port to accommodate a laptop at their desk. Malicious users can leverage this common feature for a number of purposes, such as to facilitate a man in the middle attack, a phishing attack, or simply to create a Denial of Service (DoS) condition. In a VoIP environment, a rogue DHCP server can also give the attacker the ability to record or intrude on other employees' conversations.

This type of attack is only useful against hosts that receive an IP address via DHCP, which excludes most production servers. Do not underestimate it however; there are boundless possibilities when one has complete control of the network traffic of every user PC in a subnet. Fortunately, Cisco has provided us with an elegant solution to mitigate the issue.

How it Works
After a computer has started it must be assigned an IP address before it can access the network. Assuming that a company has not issued static IP addresses to all stations, that means they will be running through the following process to obtain an address:
• The user's PC broadcasts a DHCPDISCOVER message to all nodes in its subnet. This message basically states "I am <user PC's MAC address>, respond if you are a DHCP server", and can optionally request that it be provided with a specific IP address if available.
• The server hears the DHCPDISCOVER and responds with a DHCPOFFER packet addressed to the user's PC only. This message states "I am a DHCP server. You may use this IP address and these parameters." Parameters typically include items such as the DNS servers to use, the default gateway, and the IP lease time.
• The user's PC responds to the DHCPOFFER with a DHCPREQUEST, broadcast so that every server sees it, naming the DHCP server whose offer it found acceptable. This tells that server that its offer has been accepted and that it should not offer that IP to anyone else, and tells any other servers to withdraw their offers.
• The server acknowledges the DHCPREQUEST with a DHCPACK to the client, ending the transaction.
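The four-step exchange above, carried through in working code as an added example (this is not code from the article, and the article's own tooling is Cisco IOS configuration rather than a program). It builds and parses real RFC 2131 BOOTP/DHCP message bytes, then runs the exchange against two servers: a corporate server reached through DHCP relays and a rogue server on the client's own segment. The server names, addresses, MAC address, transaction ID and the idea of ordering offers by relay hop count are all constructed for this example; the client behaviour modelled (take the first DHCPOFFER, then broadcast a DHCPREQUEST naming that server) is the typical one the article describes.

```python
"""DHCP DORA exchange with a rogue server racing the legitimate one.
Added example for this article; not code from the article itself."""
import struct

# RFC 2131/2132 constants
MAGIC = b"\x63\x82\x53\x63"                       # DHCP magic cookie
OPT_ROUTER, OPT_DNS, OPT_REQUESTED_IP, OPT_LEASE = 3, 6, 50, 51
OPT_MSGTYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"          # 236-byte fixed header


def ip(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def encode_options(opts):
    """Serialise {code: bytes} as DHCP TLVs behind the magic cookie."""
    out = bytearray(MAGIC)
    for code, val in opts.items():
        out += bytes([code, len(val)]) + val
    return bytes(out) + bytes([OPT_END])


def decode_options(payload):
    """Parse DHCP TLVs; rejects a missing cookie or a truncated option."""
    if payload[:4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:                       # pad option: no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("option %d has no length byte" % payload[i])
        code, length = payload[i], payload[i + 1]
        val = payload[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = val
        i += 2 + length
    return opts


def build(msg_type, xid, chaddr, yiaddr="0.0.0.0", opts=None):
    """BOOTP header (client messages op=1, server messages op=2) plus options."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2
    hdr = struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, 0x8000, ip("0.0.0.0"),
                      ip(yiaddr), ip("0.0.0.0"), ip("0.0.0.0"), chaddr, b"", b"")
    all_opts = {OPT_MSGTYPE: bytes([msg_type])}
    all_opts.update(opts or {})
    return hdr + encode_options(all_opts)


def parse(pkt):
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    opts = decode_options(pkt[236:])
    return {"xid": f[4], "yiaddr": ip_str(f[8]), "chaddr": f[11][:6],
            "type": opts[OPT_MSGTYPE][0], "options": opts}


class Server:
    """A DHCP server. hops_away is the number of relay hops between it and the
    client's segment; the client sees offers in order of increasing hops."""

    def __init__(self, name, server_ip, lease_ip, router, dns, hops_away):
        self.name, self.server_ip, self.lease_ip = name, server_ip, lease_ip
        self.router, self.dns, self.hops_away = router, dns, hops_away

    def handle(self, msg):
        """DISCOVER -> OFFER; REQUEST naming us -> ACK; REQUEST naming another
        server -> nothing (our offer is withdrawn)."""
        if msg["type"] == DISCOVER:
            reply = OFFER
        elif msg["type"] == REQUEST and msg["options"].get(OPT_SERVER_ID) == ip(self.server_ip):
            reply = ACK
        else:
            return None
        params = {OPT_ROUTER: ip(self.router), OPT_DNS: ip(self.dns),
                  OPT_LEASE: struct.pack("!I", 86400), OPT_SERVER_ID: ip(self.server_ip)}
        return build(reply, msg["xid"], msg["chaddr"], self.lease_ip, params)


def run_exchange(client_mac, servers, xid=0x3903F326):
    """The four-step exchange from the article. The client takes the first
    DHCPOFFER it sees and broadcasts a DHCPREQUEST naming that server."""
    discover = parse(build(DISCOVER, xid, client_mac))
    first = min(servers, key=lambda s: s.hops_away)   # its offer arrives first
    offer = parse(first.handle(discover))
    request = parse(build(REQUEST, xid, client_mac, opts={
        OPT_SERVER_ID: offer["options"][OPT_SERVER_ID],
        OPT_REQUESTED_IP: ip(offer["yiaddr"])}))
    acks = [a for a in (s.handle(request) for s in servers) if a is not None]
    ack = parse(acks[0])
    return {"server": first.name, "ip": ack["yiaddr"],
            "gateway": ip_str(ack["options"][OPT_ROUTER]),
            "dns": ip_str(ack["options"][OPT_DNS])}


CLIENT_MAC = b"\x00\x11\x22\x33\x44\x55"   # constructed sample client


def race():
    """Constructed scenario: the corporate server sits two relay hops away, the
    rogue on the client's own segment. Returns (with rogue, without rogue)."""
    corp = Server("corp-dhcp", "10.10.0.5", "10.1.0.50", "10.1.0.1", "10.10.0.53", hops_away=2)
    rogue = Server("rogue-laptop", "10.1.0.200", "10.1.0.51", "10.1.0.200", "203.0.113.7", hops_away=0)
    return run_exchange(CLIENT_MAC, [corp, rogue]), run_exchange(CLIENT_MAC, [corp])


if __name__ == "__main__":
    with_rogue, without = race()
    print("with rogue:   ", with_rogue)
    print("without rogue:", without)
```

With the rogue present the client ends up with the attacker's address as its default gateway and an attacker-controlled DNS server; nothing in the protocol lets the client tell the two offers apart, which is why the fix has to live in the switch.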
The vulnerability in this process is that in a typical environment a PC will accept the first DHCPOFFER it receives, regardless of who sends it and what it contains. Using nothing more than simple DHCP server software an attacker can choose the parameters offered to the client. Typically the attacker would set the default gateway to his own IP address (and thus receive a copy of all off-segment traffic, to forward or alter as he wishes), or change options such as the DNS servers to his own external boxes to redirect clients to malicious sites, though it is also possible simply to create a DoS condition by setting the default gateway option to a non-gateway node or an unused IP address.

Although it may appear that this attack has only a 50/50 success rate in vulnerable environments (after all, it is a race between the attacker's computer and the dedicated DHCP server), the realized success rate is closer to 99.9%. This is because DHCP servers are for the most part not on the same network segment as user PCs; legitimate requests must be relayed to them (ip helper-address on the gateway) through one or more hops, while the attacker receives the broadcast immediately.

Example
Conor, a student, knows that his teacher Dan has administrative credentials for a grade database, something he would love to get his hands on. He has discovered that his school has not secured itself against rogue DHCP servers, so he downloads a free DHCP server program and starts the service (see Figure 1).

Figure 1. Mechanics of an attack based on a rogue DHCP server

Mitigation
Cisco offers a method to secure the DHCP process known as DHCP snooping. This security feature lets administrators define a set of trusted and untrusted interfaces, with the effect that DHCP messages that only a server should send (DHCPOFFER, DHCPACK and DHCPNAK) are dropped if they arrive on an interface configured as untrusted. The idea, therefore, is that all user access ports are configured as untrusted and any ports that could be used to reach a legitimate DHCP server (uplinks to other switches and the port facing the server or relay) are configured as trusted. A server message arriving on an untrusted port is discarded and logged; the port is placed into err-disable only if it exceeds the configured DHCP packet rate limit.

It should also be noted that DHCP snooping has a second benefit: it builds a DHCP snooping binding table, a mapping of MAC address to IP address, interface, VLAN, binding type and lease time for every client whose lease the switch has seen. DHCP snooping itself uses this table only to validate client messages such as DHCPRELEASE, but other features, such as Dynamic ARP Inspection, depend on it. The table can be inspected with show ip dhcp snooping binding.
Minimum configuration steps
! Enable DHCP snooping globally
Switch(config)#ip dhcp snooping
! Enable DHCP snooping on VLANs
Switch(config)#ip dhcp snooping vlan number
! Enable the switch to insert and remove DHCP relay information (option 82)
! Necessary in some environments
Switch(config)#ip dhcp snooping information option
! Trust any interfaces that link towards legitimate DHCP servers
Switch(config)#interface interface
Switch(config-if)#ip dhcp snooping trust
! Optionally limit the rate of DHCP packets on an interface (packets per second)
Switch(config-if)#ip dhcp snooping limit rate rate

Two practical notes. On Catalyst platforms option 82 insertion is on by default once snooping is enabled; if your DHCP server or an upstream relay discards requests that carry option 82 with a zero giaddr, either turn it off with no ip dhcp snooping information option or let the relay accept it with ip dhcp relay information trust-all. Also, apply a rate limit only to untrusted access ports; a limit on a trusted uplink that carries many clients' requests will err-disable the uplink (errdisable recovery cause dhcp-rate-limit brings a port back automatically).

Figure 2. Mechanics of an ARP poisoning attack
ARP Cache Poisoning
Address Resolution Protocol (ARP) cache poisoning is another mechanism available to attackers to produce a man in the middle attack. Although ARP cache poisoning attacks are effective against any platform that has not been configured with static IP-to-MAC mappings, the mitigation technique presented here, when applied appropriately to all switches in a broadcast domain, should largely prevent it from being a possibility for any attacker who does not have access to the physical media between devices.

A prerequisite to the solution presented for this attack is that DHCP snooping be enabled and appropriately configured on all switches in a given broadcast domain.

How it Works
When a host prepares to send data to another host using the TCP/IP protocol suite it requires two things: a valid IP address and a valid MAC address, each of which uniquely identifies that host. When a host knows the IP address of a resource it is attempting to reach but not the associated MAC address, it sends out an Address Resolution Protocol (ARP) request, which is flooded to all hosts in the broadcast domain. Once the node that owns the IP address in question sees the ARP request it responds with an ARP reply, which supplies the MAC address associated with its IP.

At this point I would remind the reader that switches forward frames based on their destination MAC addresses, not their destination IP addresses. The inherent vulnerability is thus that a malicious user can either respond to an ARP request destined for another node with his or her own MAC address, or send what is known as a Gratuitous ARP (an ARP packet sent when none was requested), and will immediately begin to receive any traffic meant for the host whose ARP entry has been hijacked. Most hosts update their ARP cache on any reply they see, solicited or not, which is what makes the gratuitous variant work. Realistically this attack has roughly the same effect as statically assigning a computer an IP address currently in use by another host, but additional software to generate these gratuitous ARPs is generally required to ensure the attacker consistently receives any traffic meant for the target PC, since the legitimate host's own ARP replies would otherwise restore the correct entry.

Figure 3. Mechanics of a CAM flooding attack

Example
Robert cannot stand his co-worker Francis, and he would like nothing more
than to get his online passwords to lock him out of his accounts. Because his company does not deploy DHCP, Robert has decided to try an ARP poisoning attack (see Figure 2).

Mitigation
To mitigate this attack Cisco has brought us a feature known as Dynamic ARP Inspection (DAI). DAI leverages the DHCP snooping binding table, which contains (among other things) the MAC address, IP address and interface of every host that received its IP address from a DHCP server (which should generally be every client PC). With DAI enabled, an ARP request or reply arriving on an untrusted interface whose sender MAC and IP addresses do not match an entry in the binding table for that interface and VLAN is discarded and logged. The interface itself is err-disabled only when it exceeds the ARP rate limit described below, not on a single bad packet.

Dynamic ARP Inspection is configured similarly to DHCP snooping: interfaces are configured as trusted, and thus not inspected (commonly used on switch interconnections), or untrusted, meaning their ARP packets will be inspected. It should be noted that incorrectly configuring a port such as a switch-to-switch connection as untrusted may result in a network outage, while incorrectly configuring a port such as a user port as trusted leaves this vulnerability open.

Before we look at the configuration there are a few things to note. The first is that because DAI is processed in software, all untrusted interfaces are by default limited to 15 ARP packets per second; an interface that exceeds the limit is err-disabled, while trusted (uninspected) interfaces are allowed unlimited ARPs. The second item is that DAI can also accommodate hosts with statically assigned IP addresses via an ARP access list (ip arp inspection filter), though that configuration will not be covered in this article.

! DHCP snooping must be enabled before configuration
! Enable ARP inspection per VLAN
Switch(config)#ip arp inspection vlan vlan-range
! Configure the connections between switches as trusted
! By default, all interfaces are untrusted
Switch(config)#interface Fa0/1
Switch(config-if)#ip arp inspection trust
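The ARP poisoning described in the How it Works section above, and the DHCP snooping binding table plus DAI checks that defeat it, as one worked model in Python. This is an added example, not code from the article (Cisco implements these features in IOS; the Switch and Host classes, the port names, the VLAN number, the MAC and IP addresses and the dictionary form of the ARP and DHCP messages are all this example's own constructions). The 15 ARP packets per second default and the trusted/untrusted semantics are the ones the article states.

```python
"""Switch model with DHCP snooping and Dynamic ARP Inspection (DAI).
Added example for this article; not Cisco code. Messages are plain dicts."""
from collections import defaultdict

DHCP_DISCOVER, DHCP_OFFER, DHCP_REQUEST, DHCP_ACK = 1, 2, 3, 5
SERVER_ONLY = {DHCP_OFFER, DHCP_ACK}       # messages only a DHCP server sends
ARP_REPLY = 2
ARP_RATE_LIMIT = 15                        # DAI default on untrusted ports (pps)


class Switch:
    def __init__(self, trusted, dai=True):
        self.trusted = set(trusted)        # uplinks / ports towards server and router
        self.dai = dai
        self.binding = {}                  # (vlan, mac) -> (ip, port): snooping table
        self.pending = {}                  # (vlan, mac) -> port of the requesting client
        self.arp_seen = defaultdict(int)   # ARP packets per untrusted port this second
        self.errdisabled = set()
        self.log = []

    def dhcp(self, port, vlan, msg):
        """DHCP snooping. Returns True if the message is forwarded."""
        if msg["type"] in SERVER_ONLY and port not in self.trusted:
            self.log.append(f"DHCP snooping: dropped server message on untrusted {port}")
            return False
        key = (vlan, msg["chaddr"])
        if msg["type"] in (DHCP_DISCOVER, DHCP_REQUEST) and port not in self.trusted:
            self.pending[key] = port
        elif msg["type"] == DHCP_ACK and key in self.pending:
            self.binding[key] = (msg["yiaddr"], self.pending.pop(key))
        return True

    def arp(self, port, vlan, pkt):
        """DAI. Trusted ports are not inspected; on untrusted ports the sender
        MAC/IP pair must match the snooping binding learned on that very port."""
        if port in self.errdisabled:
            return False
        if not self.dai or port in self.trusted:
            return True
        self.arp_seen[port] += 1
        if self.arp_seen[port] > ARP_RATE_LIMIT:
            self.errdisabled.add(port)
            self.log.append(f"DAI: {port} err-disabled, ARP rate limit exceeded")
            return False
        expected = self.binding.get((vlan, pkt["sender_mac"]))
        if expected != (pkt["sender_ip"], port):
            self.log.append(f"DAI: dropped ARP on {port} claiming "
                            f"{pkt['sender_ip']} is {pkt['sender_mac']}")
            return False
        return True

    def tick(self):
        """One-second timer: reset the per-port ARP counters."""
        self.arp_seen.clear()


class Host:
    """A victim with the usual permissive ARP cache: any reply rewrites the entry."""
    def __init__(self):
        self.cache = {}

    def on_arp(self, pkt):
        if pkt["op"] == ARP_REPLY:
            self.cache[pkt["sender_ip"]] = pkt["sender_mac"]


# Constructed sample addresses for the scenario below.
GW_IP, GW_MAC = "10.1.0.1", "00:00:0c:9f:f0:01"
VICTIM_MAC, ATTACKER_MAC = "00:11:22:33:44:55", "de:ad:be:ef:00:01"


def scenario(dai_enabled):
    """Gi0/1 is the trusted uplink to router and DHCP server, Fa0/2 the victim,
    Fa0/3 the attacker. Both hosts obtained leases through the switch first."""
    sw, victim = Switch(trusted={"Gi0/1"}, dai=dai_enabled), Host()
    for port, mac, leased in (("Fa0/2", VICTIM_MAC, "10.1.0.50"),
                              ("Fa0/3", ATTACKER_MAC, "10.1.0.51")):
        sw.dhcp(port, 10, {"type": DHCP_REQUEST, "chaddr": mac})
        sw.dhcp("Gi0/1", 10, {"type": DHCP_ACK, "chaddr": mac, "yiaddr": leased})
    # Legitimate reply from the router, arriving on the trusted uplink.
    legit = {"op": ARP_REPLY, "sender_ip": GW_IP, "sender_mac": GW_MAC}
    if sw.arp("Gi0/1", 10, legit):
        victim.on_arp(legit)
    # Attacker's gratuitous reply claiming the gateway's IP, sent from Fa0/3.
    spoof = {"op": ARP_REPLY, "sender_ip": GW_IP, "sender_mac": ATTACKER_MAC}
    if sw.arp("Fa0/3", 10, spoof):
        victim.on_arp(spoof)
    # A rogue DHCPOFFER from the attacker's port is stopped by snooping regardless.
    rogue_offer_forwarded = sw.dhcp("Fa0/3", 10, {"type": DHCP_OFFER, "chaddr": VICTIM_MAC,
                                                  "yiaddr": "10.1.0.60"})
    # The attacker keeps re-sending within one second: the rate limit err-disables the port.
    for _ in range(ARP_RATE_LIMIT + 1):
        sw.arp("Fa0/3", 10, spoof)
    return {"gateway_mac": victim.cache.get(GW_IP),
            "rogue_offer_forwarded": rogue_offer_forwarded,
            "attacker_errdisabled": "Fa0/3" in sw.errdisabled,
            "log": sw.log}


if __name__ == "__main__":
    for enabled in (False, True):
        print("DAI", "on " if enabled else "off", scenario(enabled))
```

Without DAI the victim's cache ends up pointing the gateway IP at the attacker's MAC; with DAI the spoofed reply is dropped because the binding table says that MAC belongs to 10.1.0.51 on Fa0/3, and the burst that follows err-disables the port. The binding check is per port as well as per address, which is why a host that moves to another port without renewing its lease will also be blocked; keep that in mind when troubleshooting.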
CAM Table Flooding
By this point you have enabled DHCP snooping on your network and configured DAI. So now you can finally go back to looking in greater depth at the security of your endpoints, because an attacker can't compromise the whole subnet in one go, right? Wrong. Leaving aside for the moment the world of more technical attacks still available, there is still one glaring hole in your armor that any script kiddie can exploit to capture all the traffic in his broadcast domain: your CAM table is open.

In network parlance, a CAM table (Content Addressable Memory table) is basically a large table that records which MAC addresses are located off which ports, and it is the basis of what separates a switch from a hub. To boil down the relevant points: when a switch receives a frame it records the frame's source MAC address against the ingress port in the CAM table, then forwards the frame based on its destination MAC address. If the destination MAC is held in the CAM table the frame is pushed out the corresponding port; if it is not, it is flooded out all ports in the VLAN except the one it arrived on. This is not normally a large security hole (one sniffed SYN packet is hardly the largest worry), but this magazine is not about normal behavior.

How it Works
For a number of practical reasons a CAM table is not of infinite size, and the basic idea behind this exploit is to take advantage of that fact. Once a CAM table has been filled it has no more space for legitimate entries, and so the switch must fall back on its original logic and flood frames for every unlearned destination out of every port except the one they were received on. To an attacker this is as good as having a sniffer tapped directly into the switch.

A number of freely available tools are capable of continuously crafting frames with new, unused source MAC addresses and sending them towards the switch. Assuming a minimum line rate of 100 Mb/s it does not take long to fill a table. This attack does, however, have a few characteristics that make detection fairly obvious in any network with more than one or two other hosts: throughput drops dramatically on the switch (it has effectively been turned into a hub), and detecting and locating the attacker is fairly straightforward, since the MAC address table will show thousands of addresses learned on a single port.

Mitigation
The mitigation is port security, which caps the number of source MAC addresses a port may learn and takes a configurable action when the cap is exceeded (Listing 1). Note that port security can only be enabled on a port statically configured as an access or trunk port, not on a dynamic one, and that the default "shutdown" action places the port into err-disable, from which it must be recovered manually (shutdown followed by no shutdown) or automatically via errdisable recovery cause psecure-violation.

Listing 1. Configuration (single port):
! Specify the interface to configure with port security
Switch(config)#interface Fa0/1
! Statically define whether the interface is an access port or trunk
Switch(config-if)#switchport mode {access | trunk}
! Enable port security on the interface
Switch(config-if)#switchport port-security
! (Optional) Configure the maximum number of secure addresses. Default is 1.
Switch(config-if)#switchport port-security maximum value
! (Optional) Configure the violation action. Default is "shutdown"
Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}
! (Optional) Configure an allowed MAC address on the port manually
Switch(config-if)#switchport port-security mac-address mac-address
! (Optional) Enable sticky secure MAC learning on the port
Switch(config-if)#switchport port-security mac-address sticky
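The CAM flooding mechanism and the effect of the port security settings in Listing 1, as an added Python model (not code from the article; Cisco's implementation is in hardware and IOS). The CamTable, PortSecurity and Switch classes, the three port names, the tiny table capacity of 8 and the sample MAC addresses are constructed for this example; the forwarding rule (known unicast to one port, unknown unicast flooded), sticky learning with a maximum count, and the protect/restrict/shutdown violation actions follow what the article and Listing 1 describe.

```python
"""CAM table flooding versus switchport port-security.
Added example for this article; not Cisco code."""
import random
from collections import Counter, defaultdict


class CamTable:
    """MAC -> port table with a fixed capacity (real tables hold thousands of
    entries; 8 keeps the run short). Real entries also age out, so an attacker
    keeps flooding until legitimate hosts can no longer be (re)learned."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = {}

    def learn(self, mac, port):
        if mac in self.entries or len(self.entries) < self.capacity:
            self.entries[mac] = port
            return True
        return False                      # table full: this source is not learned

    def egress(self, dst_mac, in_port, ports):
        """Known unicast goes to one port; unknown unicast is flooded."""
        if dst_mac in self.entries:
            return [self.entries[dst_mac]]
        return [p for p in ports if p != in_port]


class PortSecurity:
    """switchport port-security with sticky learning: the first `maximum` source
    MACs seen on a port become its secure addresses; anything else is a violation."""
    def __init__(self, maximum=1, violation="shutdown"):
        self.maximum, self.violation = maximum, violation
        self.secure = defaultdict(set)
        self.violations = Counter()
        self.errdisabled = set()

    def admit(self, port, mac):
        if port in self.errdisabled:
            return False
        if mac in self.secure[port]:
            return True
        if len(self.secure[port]) < self.maximum:
            self.secure[port].add(mac)    # sticky-learned secure address
            return True
        self.violations[port] += 1        # "restrict" additionally logs / sends a trap
        if self.violation == "shutdown":
            self.errdisabled.add(port)    # port goes err-disabled
        return False                      # "protect" and "restrict": frame dropped


class Switch:
    PORTS = ("Gi0/1", "Fa0/2", "Fa0/3")   # uplink to server, victim, attacker

    def __init__(self, cam_capacity, port_security=None):
        self.cam = CamTable(cam_capacity)
        self.psec = port_security

    def receive(self, in_port, src_mac, dst_mac):
        """Returns the list of ports the frame is sent out of."""
        if self.psec and not self.psec.admit(in_port, src_mac):
            return []
        self.cam.learn(src_mac, in_port)
        return self.cam.egress(dst_mac, in_port, self.PORTS)


SERVER_MAC = "00:00:0c:00:00:01"
VICTIM_MAC = "00:11:22:33:44:55"


def random_mac(rng):
    return ":".join("%02x" % b for b in [0x02] + [rng.randrange(256) for _ in range(5)])


def flood_scenario(port_security=None, cam_capacity=8, frames=50):
    """Attacker on Fa0/3 sprays frames with fresh source MACs; afterwards the
    victim on Fa0/2 talks to the server on Gi0/1 and the server replies."""
    rng = random.Random(1)                                # deterministic constructed input
    sw = Switch(cam_capacity, port_security)
    sw.receive("Gi0/1", SERVER_MAC, "ff:ff:ff:ff:ff:ff")  # server is learned first
    for _ in range(frames):
        sw.receive("Fa0/3", random_mac(rng), SERVER_MAC)
    sw.receive("Fa0/2", VICTIM_MAC, SERVER_MAC)           # victim should be learned here
    delivered = sw.receive("Gi0/1", SERVER_MAC, VICTIM_MAC)
    return {"victim_learned": VICTIM_MAC in sw.cam.entries,
            "reply_ports": delivered,
            "attacker_sees_reply": "Fa0/3" in delivered,
            "attacker_errdisabled": bool(sw.psec) and "Fa0/3" in sw.psec.errdisabled,
            "cam_entries": len(sw.cam.entries)}


if __name__ == "__main__":
    print("no port security:", flood_scenario())
    print("shutdown:        ", flood_scenario(PortSecurity(maximum=1, violation="shutdown")))
    print("protect:         ", flood_scenario(PortSecurity(maximum=1, violation="protect")))
```

Without port security the attacker's random addresses fill the table, the victim's address can no longer be learned, and the server's reply to the victim is flooded out of the attacker's port as well. With maximum 1 and the default shutdown action the second forged source address err-disables Fa0/3; protect keeps the port up but drops every frame beyond the first learned address, so the table never fills in either case.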
Example
Kate gets bored easily at work, so she
decides to have a little fun by seeing