Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing...

17
1 8: Securing Switched LANs 1 Securing Networks Guy Leduc Chapter 8: Securing Switched Ethernet LANs To probe further: LAN Switch Security, Eric Vyncke, Christopher Paggen Cisco Press, 2008 (chapters 2 to 6) 8: Securing Switched LANs 2 Chapter 8: Securing Switched LANs Chapter goals: Understand security vulnerabilities in switched LANs Learn how to secure switches Understand VLANs (Virtual LANs) and their security

Transcript of Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing...

Page 1: Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing Switched Ethernet LANs Securing the MAC self-learning process Securing DHCP and ARP Securing

1

8: Securing Switched LANs 1

Securing Networks

Guy Leduc

Chapter 8:Securing Switched Ethernet LANs

To probe further:

LAN Switch Security,Eric Vyncke, Christopher PaggenCisco Press, 2008 (chapters 2 to 6)

8: Securing Switched LANs 2

Chapter 8: Securing Switched LANs

Chapter goals: ❒ Understand security vulnerabilities in switched

LANs❒  Learn how to secure switches❒ Understand VLANs (Virtual LANs) and their

security

Page 2: Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing Switched Ethernet LANs Securing the MAC self-learning process Securing DHCP and ARP Securing

2

8: Securing Switched LANs 3

Chapter Roadmap

❒  Securing Switched Ethernet LANs❍ Securing the MAC self-learning process❍ Securing DHCP and ARP❍ Securing the spanning tree protocol

❒  VLANs❍ Securing VLANs

8: Securing Switched LANs 4

Switched Ethernet – Reminder❒  Switches build a spanning tree to avoid loops

❍  Root bridge, root ports, forwarding/blocking ports ❒  Switches self-learn mapping between MAC addresses and

ports, by looking at MAC source addresses❍  They build a CAM (Content Addressable Memory) forwarding table❍  When a MAC address is not in the table, the switch floods the

received frame❒  Switches are transparent to routers and hosts

❍  A set of interconnected switches form a LAN❍  For IP, this LAN is a subnet

❒  IP addresses are mapped on MAC addresses by the ARP protocol

❒  Don’t confuse MAC forwarding tables and ARP tables!❍  In which devices do we find them?❍  What do they contain?

Page 3: Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing Switched Ethernet LANs Securing the MAC self-learning process Securing DHCP and ARP Securing

3

8: Securing Switched LANs 5

Chapter Roadmap

❒  Securing Switched Ethernet LANs❍ Securing the MAC self-learning process❍ Securing DHCP and ARP❍ Securing the spanning tree protocol

❒  VLANs❍ Securing VLANs

8: Securing Switched LANs 6

MAC spoofing attack

❒  MAC spoofing❍  B sends a frame with

source MAC address C❒  Switch « learns » that C

is reachable via interface 2!❍  B can now see the

frames destined for C❒  Some switches will

overwrite C’s entry❍  C cannot see frames

any longer!❍  DoS attack!

A

B

C

12

3

A C

Spoofed source MAC:

CDest MAC: A

Page 4: Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing Switched Ethernet LANs Securing the MAC self-learning process Securing DHCP and ARP Securing

4

8: Securing Switched LANs 7

MAC flooding attack❒  B generates a large number

of frames with spoofed MAC addresses (X, Y, …)

❒  Switch (CAM) table will overflow❍  Capacity of table may vary

from a few thousands to more than 100,000 entries

❒  Older entries will be removed from table❍  Switch now floods frames

on all interfaces for removed (unknown) MAC addresses

❒  Usually one table per switch, not one per VLAN❍  All VLANs impacted

A

B

C

12

3

? X? Y

Spoofed sourcesAny

destination

8: Securing Switched LANs 8

Detecting/preventing MAC spoofing and flooding attacks❒  MAC address activity

notification❍  Many switches can be

configured to warn about frequent MAC address changes

❒  Port security❍  Associate a few MAC

addresses with every port (Why not just 1?)

❍  Only for access ports, not inter-switch (trunk) ports

❍  Can be static or dynamic❍  Violations are notified

❒  Unicast flooding protection❍  Limited flooding is normal❍  But continuous flooding

is not!•  Alert!

❒  DHCP snooping❍  See next slides

Page 5: Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing Switched Ethernet LANs Securing the MAC self-learning process Securing DHCP and ARP Securing

5

8: Securing Switched LANs 9

Chapter Roadmap

❒  Securing Switched Ethernet LANs❍ Securing the MAC self-learning process❍ Securing DHCP and ARP❍ Securing the spanning tree protocol

❒  VLANs❍ Securing VLANs

8: Securing Switched LANs 10

Attack against DHCP❒  DHCP is not a datalink protocol

(it runs over UDP), but solutions to DHCP attacks are also useful to thwart layer 2 attacks

❒  DHCP reminder:❍  Client discovers server(s):

broadcast packet❍  DHCP server broadcasts an

offer❍  Client broadcasts interest in

(one) offer❍  DHCP server acks

❒  Client gets IP address and mask, but also default router and DNS servers!❍  A (quick) rogue DHCP server

can easily redirect client to a fake router and/or fake DNS server

❒  Solution: DHCP snooping❍  Monitor and restrict DHCP

operations on a (V)LAN❍  A host has no reason to

send DHCP offers (nor ACKs)!

❍  Don’t let DHCP offers enter the switch on “untrusted” ports!  Need access control above

layer 2!❒  In addition:

❍  DHCP snooping allows to learn IP-to-MAC bindings!  Switch learns IP address

assigned to client and knows client MAC address (present in request)

Page 6: Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing Switched Ethernet LANs Securing the MAC self-learning process Securing DHCP and ARP Securing

6

8: Securing Switched LANs 11

DHCP snooping to thwart IP/MAC spoofing attacks

❒  DHCP snooping: discard frames with invalid <IP, MAC> source address pairs

AC: victim

Source: B

Dest: A

A B IP packet

Spoofed source IPis IPC

B: attacker

IP spoofing

AC: victim

Spoofed MAC source: C

Dest: A

A C IP packet

Source IPis IPB

B: attacker

MAC spoofing

8: Securing Switched LANs 12

ARP spoofing/poisoning❒  ARP reminder:

❍  ARP request: MAC broadcast frame searching for an IP address

❍  ARP reply: unicast❍  Gratuitous ARP:

•  Reply sent without prior request•  Useful when MAC address

changes❒  ARP spoofing/poisoning

❍  Sends gratuitous ARP with wrong IP-to-MAC mapping: attacker’s MAC address (MACB) mapped to victim’s IP address (IPC)

❍  All traffic to C is actually sent to B. Then B can silently forward it to C after sniffing: Man-in-the-Middle attack

❍  Note: B needs a second ARP spoofing attack to also sniff the return traffic

A

B: attacker

C: victim

Source: B

Dest: A

A B gratuitous ARP

Telling that IPC is at MACB

❒  Solutions:❍  Ignore gratuitous ARP❍  Use an IDS to track changes in

IP-to-MAC mappings❍  Rely on DHCP snooping

Page 7: Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing Switched Ethernet LANs Securing the MAC self-learning process Securing DHCP and ARP Securing

7

8: Securing Switched LANs 13

Chapter Roadmap

❒  Securing Switched Ethernet LANs❍ Securing the MAC self-learning process❍ Securing DHCP and ARP❍ Securing the spanning tree protocol

❒  VLANs❍ Securing VLANs

8: Securing Switched LANs 14

Attacking the Spanning Tree Protocol❒  Taking over the root

bridge❍  Attacker sends BPDUs

with smallest switch id❍  Becomes root bridge❍  If attacker is dual-homed

some traffic can be redirected to cross attacker’s device

❒  BPDU flooding❍  DoS attack

❒  Solution:❍  Distinguish trunk ports

from access ports❍  Discard BPDUs on

access ports•  End stations are not

supposed to send BPDUs!

Page 8: Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing Switched Ethernet LANs Securing the MAC self-learning process Securing DHCP and ARP Securing

8

8: Securing Switched LANs 15

Chapter Roadmap

❒  Securing Switched Ethernet LANs❍ Securing the MAC self-learning process❍ Securing DHCP and ARP❍ Securing the spanning tree protocol

❒  VLANs❍ Securing VLANs

8: Securing Switched LANs

VLANs

❒  Switches have been extended by adding virtualization (VLAN switch)

❒  A VLAN switch emulates multiple, independent switches

❒  We will review❍  The motivation for VLANs❍  Their technology❍  VLANs spanning multiple physical switches❍  The need for an extra field in the frame (VLAN tag)❍  Security in VLANs

16

Page 9: Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing Switched Ethernet LANs Securing the MAC self-learning process Securing DHCP and ARP Securing

9

8: Securing Switched LANs

VLANs: motivationHuman resource management:❒  CS user moves office to EE area,

while staying in the CS department. How to keep user connected to CS switch?

❒  CS user becomes part of EE department, but wants to keep his/her office. How to connect user to EE switch?

Performance/security issues:❒  LAN = single broadcast domain❒  Issue: all layer-2 broadcast traffic

crosses entire LAN (e.g., ARP, DHCP, flooding due to unknown destination MAC address)

Cost:❒  Many lowest level switches may

have only few ports in use

Computer Science Electrical

EngineeringComputerEngineering

17

LAN

8: Securing Switched LANs

VLANs Port-based VLAN: switch ports grouped (by switch management software) so that single physical switch …

Switch(es) supporting VLAN capabilities can be configured to define multiple virtual LANs over single physical LAN infrastructure

Virtual Local Area Network

1

8

9

16102

7

Electrical Engineering(VLAN ports 1-8)

Computer Science(VLAN ports 9-15)

15

Electrical Engineering(VLAN ports 1-8)

1

82

7 9

1610

15

Computer Science(VLAN ports 9-16)

… operates as multiple virtual switches

18© From Computer Networking, by Kurose&Ross

Page 10: Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing Switched Ethernet LANs Securing the MAC self-learning process Securing DHCP and ARP Securing

10

8: Securing Switched LANs

Port-based VLAN

1

8

9

16102

7

Electrical Engineering(VLAN ports 1-8)

Computer Science(VLAN ports 9-15)

15

❒  traffic isolation: o  frames to/from ports 1-8

can only reach ports 1-8o  broadcast traffic remains on

its VLAN

❒  dynamic membership: ports can be dynamically assigned among VLANso  update done by software

when user changes location

19© From Computer Networking, by Kurose&Ross

8: Securing Switched LANs

Address-based VLAN

1

8

9

16102

7

Electrical Engineering(VLAN ports 1-8)

Computer Science(VLAN ports 9-15)

15

❒  easier management: o  VLANs are based on MAC

addresses of endpoints, rather than switch port

o  user (i.e. MAC address) can move from one port to another without changing VLAN

❒  dynamic membership:o  MAC addresses can be

reassigned among VLANs

20

❒  VLANs can also be based on IP addresses of endpoints (e.g. IP prefix/subnet defining a VLAN)

© From Computer Networking, by Kurose&Ross

Page 11: Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing Switched Ethernet LANs Securing the MAC self-learning process Securing DHCP and ARP Securing

11

8: Securing Switched LANs

VLANs: motivation❒  VLANs address issues such as scalability, security, and network

management❒  Network architects set up VLANs to provide network segmentation over

a shared physical infrastructure❍  Traffic cannot jump from one VLAN to another, and broadcast LAN frames

stay on their VLAN❒  VLANs can be used to partition a network into several distinctive

segments, e.g.:❍  Voice over IP❍  Network management❍  Storage area network (SAN)❍  Guest Internet access❍  Demilitarized zone (DMZ)

❒  A common infrastructure shared by VLANs can provide a measure of security with great flexibility for a comparatively low cost

❒  Quality of service schemes can optimize traffic on inter-switch (trunk) links for real-time (e.g. VoIP) or low-latency requirements (e.g. SAN)

21

8: Securing Switched LANs

Forwarding between VLANs

1

8

9

16102

7

Electrical Engineering(VLAN ports 1-8)

Computer Science(VLAN ports 9-15)

15

router

❒  forwarding between VLANs always done via routing (just as with separate switches)❍  figure shows interconnection

through a separate router

"  in practice vendors sell combined switches plus routers (so-called layer 3 switches)

22© From Computer Networking, by Kurose&Ross

Page 12: Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing Switched Ethernet LANs Securing the MAC self-learning process Securing DHCP and ARP Securing

12

8: Securing Switched LANs

VLANs spanning multiple switches

❒  how to interconnect multiple physical switches with devices on several VLANs?

❒  could connect the devices from the same VLAN through a dedicated link between the 2 switches❒  but would require one inter-switch link per VLAN!

1

8

9

102

7

Electrical Engineering(VLAN ports 1-8)

Computer Science(VLAN ports 9-15)

73

Ports 2,3,5 belong to EE VLANPorts 4,6,7,8 belong to CS VLAN

5

4 6 8

23

15 1

16 2

8: Securing Switched LANs

VLANs spanning multiple switches

❒  trunk link/port: carries frames in VLANs defined over multiple physical switches❍  frames forwarded within VLAN between switches can’t be vanilla

802.1 frames (must carry VLAN ID info)❍  802.1Q protocol adds/removes additional header fields for frames

forwarded between trunk ports

1

8

9

102

7

Electrical Engineering(VLAN ports 1-8)

Computer Science(VLAN ports 9-15)

15

2

73

Ports 2,3,5 belong to EE VLANPorts 4,6,7,8 belong to CS VLAN

5

4 6 8

24

16

1trunk link

trunk ports

© From Computer Networking, by Kurose&Ross

Page 13: Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing Switched Ethernet LANs Securing the MAC self-learning process Securing DHCP and ARP Securing

13

8: Securing Switched LANs

Type

2-byte Tag Protocol Identifier (value: 81-00)

Tag Control Information (12-bit VLAN ID field, 3-bit priority field like IP TOS)

Recomputed CRC

IEEE 802.1Q VLAN frame format

802.1 frame

802.1Q frame

"  When the field following the 2 MAC addresses is 0x8100 (> 1500), it’s a 802.1Q frame

"  3-bit priority field is used to provide QoS

"  When a frame has no tag on a trunk link, there is a native/default VLAN id (= 1) which the frame is considered to be associated with

25© From Computer Networking, by Kurose&Ross

Assigning a VLAN id to a host❒  If a host NIC sends an untagged frame, the frame

will be associated with the VLAN corresponding to the incoming port (in port-based VLAN) or to the source MAC address (in address-based VLAN)❍  If the frame crosses a trunk link, the tag is added

•  unless the frame is associated with the native/default VLAN and the trunk port is configured to support the native VLAN

❒  A host NIC could also send tagged frames❍  e.g., an IP phone sending frames on the “VoIP VLAN”❍ VLAN ids can be assigned manually to hosts or assigned

dynamically (e.g. thanks to IEEE 802.1x after host authentication with an AAA server)

8: Securing Switched LANs 26

Page 14: Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing Switched Ethernet LANs Securing the MAC self-learning process Securing DHCP and ARP Securing

14

VLAN stacking

❒  Consider a Layer-2 VPN scenario❍  Provider’s network creates one VLAN per customer

❒  Customer may still define multiple VLANs within customer’s multi-site network

❒  Customers’ VLAN frames carried through provider’s VLAN:❍  802.1Q frames will be double tagged in the provider’s network❍  Outer VLAN id = Provider’s VLAN id❍  Inner VLAN id = Customer’s VLAN id

8: Securing Switched LANs 27

Provider’s VLAN for this customer

Provider’s network company’s headquarters

company’s branch office

Switch 1 Switch 2

VLANs and spanning trees❒ When several VLANs are deployed, it is possible

to build one or several spanning trees:❍ Per-VLAN spanning tree (PVST)❍ Multiple spanning tree protocol (MSTP):

•  one spanning tree per group of VLANs

8: Securing Switched LANs 28

Serverracks

TORswitches

Tier-1switches

Tier-2switches

1 2 3 4 5 6 7 8© From Computer Networking, by Kurose&Ross

Page 15: Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing Switched Ethernet LANs Securing the MAC self-learning process Securing DHCP and ARP Securing

15

8: Securing Switched LANs 29

Chapter Roadmap

❒  Securing Switched Ethernet LANs❍ Securing the MAC self-learning process❍ Securing DHCP and ARP❍ Securing the spanning tree protocol

❒  VLANs❍ Securing VLANs

VLANs – A security plus

❒  Layer-2 broadcast frames remain on their VLAN❍ ARP, DHCP, …

❒  Frames cannot jump from one VLAN to another without passing through a layer-3 device❍  and high-end layer-3 switches can even perform firewall

functions without using an external firewall device

❒  This traffic isolation is a security plus, unless there are misconfigurations and incorrect cabling

8: Securing Switched LANs 30

Page 16: Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing Switched Ethernet LANs Securing the MAC self-learning process Securing DHCP and ARP Securing

16

VLANs and firewalls

❒  The same physical switch could be used for the internal network and the DMZ, with a dedicated DMZ VLAN

❒  But usually considered preferable to keep devices at different security levels isolated on physically separate switches

8: Securing Switched LANs 31

Web server FTP

server

DNS server

Internet

Demilitarized zone (DMZ)

firewall

internal network

© From Computer Networking, by Kurose&Ross

VLANs – Trunk versus access ports❒ Non trunk ports should be configured as access

ports to avoid switch spoofing attacks❍  In a switch spoofing attack, an attacking host imitates a

trunking switch❒ On access ports the switch will discard

❍  tagging and trunking protocols used to manage VLANs•  e.g., CISCO’s Dynamic Trunking Protocol (DTP) used to negotiate

trunking on a link and to configure the VLANs in a multi-switch network❍  but also BPDUs for example

❒  Also: ❍  disable unused switch ports and create a VLAN to

collect disabled switch ports8: Securing Switched LANs 32

Page 17: Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing Switched Ethernet LANs Securing the MAC self-learning process Securing DHCP and ARP Securing

17

8: Securing Switched LANs 33

VLAN hopping - Attacking the VLAN tag stack

❒  VLAN hopping❍  Frame hops from VLAN 1 to

VLAN 2!❍  Victim on VLAN 2 can receive

killer packets from an attacker on VLAN 1 without crossing any router (and possible filter)!

Victim A: is on VLAN 2 Attacker being on native VLAN 1

Trunk ports configured to support native VLAN = 1.

Frames on VLAN 1 travel untagged

Inner VLANOuter VLAN = native

A B 2

Switch strips off outer tag

(equal to native)

A B 1 2

❒  Solutions❍  Don’t assign native VLAN to any

access port❍  Force all traffic on trunk to always

carry a tag, even the native one❍  Assign another unused number to the

native VLAN

Only one VLAN tag

left

8: Securing Switched LANs 34

Summary❒  Securing Switched LANs

❍  Securing the MAC self-learning process

•  MAC spoofing•  MAC flooding

❍  Securing DHCP and ARP•  Rogue DHCP server•  ARP spoofing/poisoning

❍  Securing the spanning tree protocol

❍  IEEE 802.1x can also be used with Switched LANs

•  was initially designed in this context

❒  VLANs❍  VLAN as a network

segmentation mechanism

❍  A security plus❒  Securing VLANs

❍  Switch spoofing❍  VLAN hopping