Tecn
May 18, 2010, Santiago, Chile
Agenda
Types of Attacks on a Switched Network
- MAC-Based Attacks (MAC Address Flooding)
- VLAN-Based Attacks (Switch Spoofing, VLAN Hopping, attacks against devices on the same VLAN)
- Spoofing Attacks (DHCP Spoofing, MAC Spoofing, ARP Spoofing)
- Attacks against the switch (CDP manipulation, Telnet attacks, SSH attacks)
Protecting Cisco IOS
FBI/CSI Risk Assessment*
Many enterprise network ports are open: usually any laptop can be plugged into the network and gain access to it.
Endpoint security client software: 32%.
23% said they had no idea how many times, or whether, they were attacked; yet 23% said they never had an attack on the inside.
50% of all attacks are from the inside (down from over 75% several years ago).
*CSI/FBI Computer Crime and Security Survey - 2008, http://www.gocsi.com/
Mac Address Flooding Attack
The attacker floods the switch with frames whose source MAC addresses are bogus (typically random, a new one in every frame), so the CAM table fills up with useless entries.
When the CAM table is full, every frame whose destination has no CAM entry is flooded out every port in that VLAN: the VLAN on that switch effectively behaves like a hub.
This means more traffic on the LAN and more switch CPU usage, and the attacker can now run a sniffer on the switched network and capture traffic between other hosts.
When the attack stops, the bogus CAM entries age out and normal forwarding resumes, so the attacker has to keep flooding for as long as the sniffing lasts.
To mitigate this kind of attack:
- Port Security
- Port-Based Authentication (802.1X)
Port Security Configuration
ALS1(config)#int fa0/1
ALS1(config-if)#switchport port-security
Command rejected: Fa0/1 is not an access port.
ALS1(config-if)#switchport mode access
ALS1(config-if)#switchport port-security
ALS1(config-if)#switchport port-security maximum ?
  Maximum addresses
ALS1(config-if)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky
ALS1(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode
ALS1(config-if)#switchport port-security aging ?
  time  Port-security aging time
  type  Port-security aging type
Port Security Configuration
ALS1#sh port-security interface fa0/7
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0

ALS1#sh interfaces status err-disabled

ALS1#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

DSL2#sh int status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        err-disabled 1          auto    auto  10/100BaseTX
Fa0/2                        notconnect   1          auto    auto  10/100BaseTX

DSL2(config)#errdisable recovery ?
  cause  Enable error disable recovery for appli
Port Security
Limits the number of MAC addresses allowed per port. The addresses can be learned dynamically (optionally kept as sticky) or statically configured. Action when a violation is detected:
- Shutdown: the port goes into the err-disabled state; it comes back only after a shutdown / no shutdown on the interface or through errdisable recovery.
- Restrict: the port stays up, all packets from the violating MAC address are dropped; an SNMP trap and a syslog message can be sent and the violation counter increments.
- Protect: the port stays up, all packets from the violating MAC address are dropped; no SNMP trap or syslog message is sent, so the event is invisible to the operator.
Caution with access points: many legitimate MAC addresses appear behind a single port, so a maximum of 1 will trigger violations.
Port Based Authentication
Requires a computer to be authenticated before it is allowed onto the LAN (also known as 802.1X authentication). ...