Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing...
Transcript of Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing...
1
8: Securing Switched LANs 1
Securing Networks
Guy Leduc
Chapter 8:Securing Switched Ethernet LANs
To probe further:
LAN Switch Security,Eric Vyncke, Christopher PaggenCisco Press, 2008 (chapters 2 to 6)
8: Securing Switched LANs 2
Chapter 8: Securing Switched LANs
Chapter goals: ❒ Understand security vulnerabilities in switched
LANs❒ Learn how to secure switches❒ Understand VLANs (Virtual LANs) and their
security
2
8: Securing Switched LANs 3
Chapter Roadmap
❒ Securing Switched Ethernet LANs❍ Securing the MAC self-learning process❍ Securing DHCP and ARP❍ Securing the spanning tree protocol
❒ VLANs❍ Securing VLANs
8: Securing Switched LANs 4
Switched Ethernet – Reminder❒ Switches build a spanning tree to avoid loops
❍ Root bridge, root ports, forwarding/blocking ports ❒ Switches self-learn mapping between MAC addresses and
ports, by looking at MAC source addresses❍ They build a CAM (Content Addressable Memory) forwarding table❍ When a MAC address is not in the table, the switch floods the
received frame❒ Switches are transparent to routers and hosts
❍ A set of interconnected switches form a LAN❍ For IP, this LAN is a subnet
❒ IP addresses are mapped on MAC addresses by the ARP protocol
❒ Don’t confuse MAC forwarding tables and ARP tables!❍ In which devices do we find them?❍ What do they contain?
3
8: Securing Switched LANs 5
Chapter Roadmap
❒ Securing Switched Ethernet LANs❍ Securing the MAC self-learning process❍ Securing DHCP and ARP❍ Securing the spanning tree protocol
❒ VLANs❍ Securing VLANs
8: Securing Switched LANs 6
MAC spoofing attack
❒ MAC spoofing❍ B sends a frame with
source MAC address C❒ Switch « learns » that C
is reachable via interface 2!❍ B can now see the
frames destined for C❒ Some switches will
overwrite C’s entry❍ C cannot see frames
any longer!❍ DoS attack!
A
B
C
12
3
A C
Spoofed source MAC:
CDest MAC: A
4
8: Securing Switched LANs 7
MAC flooding attack❒ B generates a large number
of frames with spoofed MAC addresses (X, Y, …)
❒ Switch (CAM) table will overflow❍ Capacity of table may vary
from a few thousands to more than 100,000 entries
❒ Older entries will be removed from table❍ Switch now floods frames
on all interfaces for removed (unknown) MAC addresses
❒ Usually one table per switch, not one per VLAN❍ All VLANs impacted
A
B
C
12
3
? X? Y
Spoofed sourcesAny
destination
8: Securing Switched LANs 8
Detecting/preventing MAC spoofing and flooding attacks❒ MAC address activity
notification❍ Many switches can be
configured to warn about frequent MAC address changes
❒ Port security❍ Associate a few MAC
addresses with every port (Why not just 1?)
❍ Only for access ports, not inter-switch (trunk) ports
❍ Can be static or dynamic❍ Violations are notified
❒ Unicast flooding protection❍ Limited flooding is normal❍ But continuous flooding
is not!• Alert!
❒ DHCP snooping❍ See next slides
5
8: Securing Switched LANs 9
Chapter Roadmap
❒ Securing Switched Ethernet LANs❍ Securing the MAC self-learning process❍ Securing DHCP and ARP❍ Securing the spanning tree protocol
❒ VLANs❍ Securing VLANs
8: Securing Switched LANs 10
Attack against DHCP❒ DHCP is not a datalink protocol
(it runs over UDP), but solutions to DHCP attacks are also useful to thwart layer 2 attacks
❒ DHCP reminder:❍ Client discovers server(s):
broadcast packet❍ DHCP server broadcasts an
offer❍ Client broadcasts interest in
(one) offer❍ DHCP server acks
❒ Client gets IP address and mask, but also default router and DNS servers!❍ A (quick) rogue DHCP server
can easily redirect client to a fake router and/or fake DNS server
❒ Solution: DHCP snooping❍ Monitor and restrict DHCP
operations on a (V)LAN❍ A host has no reason to
send DHCP offers (nor ACKs)!
❍ Don’t let DHCP offers enter the switch on “untrusted” ports! Need access control above
layer 2!❒ In addition:
❍ DHCP snooping allows to learn IP-to-MAC bindings! Switch learns IP address
assigned to client and knows client MAC address (present in request)
6
8: Securing Switched LANs 11
DHCP snooping to thwart IP/MAC spoofing attacks
❒ DHCP snooping: discard frames with invalid <IP, MAC> source address pairs
AC: victim
Source: B
Dest: A
A B IP packet
Spoofed source IPis IPC
B: attacker
IP spoofing
AC: victim
Spoofed MAC source: C
Dest: A
A C IP packet
Source IPis IPB
B: attacker
MAC spoofing
8: Securing Switched LANs 12
ARP spoofing/poisoning❒ ARP reminder:
❍ ARP request: MAC broadcast frame searching for an IP address
❍ ARP reply: unicast❍ Gratuitous ARP:
• Reply sent without prior request• Useful when MAC address
changes❒ ARP spoofing/poisoning
❍ Sends gratuitous ARP with wrong IP-to-MAC mapping: attacker’s MAC address (MACB) mapped to victim’s IP address (IPC)
❍ All traffic to C is actually sent to B. Then B can silently forward it to C after sniffing: Man-in-the-Middle attack
❍ Note: B needs a second ARP spoofing attack to also sniff the return traffic
A
B: attacker
C: victim
Source: B
Dest: A
A B gratuitous ARP
Telling that IPC is at MACB
❒ Solutions:❍ Ignore gratuitous ARP❍ Use an IDS to track changes in
IP-to-MAC mappings❍ Rely on DHCP snooping
7
8: Securing Switched LANs 13
Chapter Roadmap
❒ Securing Switched Ethernet LANs❍ Securing the MAC self-learning process❍ Securing DHCP and ARP❍ Securing the spanning tree protocol
❒ VLANs❍ Securing VLANs
8: Securing Switched LANs 14
Attacking the Spanning Tree Protocol❒ Taking over the root
bridge❍ Attacker sends BPDUs
with smallest switch id❍ Becomes root bridge❍ If attacker is dual-homed
some traffic can be redirected to cross attacker’s device
❒ BPDU flooding❍ DoS attack
❒ Solution:❍ Distinguish trunk ports
from access ports❍ Discard BPDUs on
access ports• End stations are not
supposed to send BPDUs!
8
8: Securing Switched LANs 15
Chapter Roadmap
❒ Securing Switched Ethernet LANs❍ Securing the MAC self-learning process❍ Securing DHCP and ARP❍ Securing the spanning tree protocol
❒ VLANs❍ Securing VLANs
8: Securing Switched LANs
VLANs
❒ Switches have been extended by adding virtualization (VLAN switch)
❒ A VLAN switch emulates multiple, independent switches
❒ We will review❍ The motivation for VLANs❍ Their technology❍ VLANs spanning multiple physical switches❍ The need for an extra field in the frame (VLAN tag)❍ Security in VLANs
16
9
8: Securing Switched LANs
VLANs: motivationHuman resource management:❒ CS user moves office to EE area,
while staying in the CS department. How to keep user connected to CS switch?
❒ CS user becomes part of EE department, but wants to keep his/her office. How to connect user to EE switch?
Performance/security issues:❒ LAN = single broadcast domain❒ Issue: all layer-2 broadcast traffic
crosses entire LAN (e.g., ARP, DHCP, flooding due to unknown destination MAC address)
Cost:❒ Many lowest level switches may
have only few ports in use
Computer Science Electrical
EngineeringComputerEngineering
17
LAN
8: Securing Switched LANs
VLANs Port-based VLAN: switch ports grouped (by switch management software) so that single physical switch …
Switch(es) supporting VLAN capabilities can be configured to define multiple virtual LANs over single physical LAN infrastructure
Virtual Local Area Network
1
8
9
16102
7
…
Electrical Engineering(VLAN ports 1-8)
Computer Science(VLAN ports 9-15)
15
…
Electrical Engineering(VLAN ports 1-8)
…
1
82
7 9
1610
15
…
Computer Science(VLAN ports 9-16)
… operates as multiple virtual switches
18© From Computer Networking, by Kurose&Ross
10
8: Securing Switched LANs
Port-based VLAN
1
8
9
16102
7
…
Electrical Engineering(VLAN ports 1-8)
Computer Science(VLAN ports 9-15)
15
…
❒ traffic isolation: o frames to/from ports 1-8
can only reach ports 1-8o broadcast traffic remains on
its VLAN
❒ dynamic membership: ports can be dynamically assigned among VLANso update done by software
when user changes location
19© From Computer Networking, by Kurose&Ross
8: Securing Switched LANs
Address-based VLAN
1
8
9
16102
7
…
Electrical Engineering(VLAN ports 1-8)
Computer Science(VLAN ports 9-15)
15
…
❒ easier management: o VLANs are based on MAC
addresses of endpoints, rather than switch port
o user (i.e. MAC address) can move from one port to another without changing VLAN
❒ dynamic membership:o MAC addresses can be
reassigned among VLANs
20
❒ VLANs can also be based on IP addresses of endpoints (e.g. IP prefix/subnet defining a VLAN)
© From Computer Networking, by Kurose&Ross
11
8: Securing Switched LANs
VLANs: motivation❒ VLANs address issues such as scalability, security, and network
management❒ Network architects set up VLANs to provide network segmentation over
a shared physical infrastructure❍ Traffic cannot jump from one VLAN to another, and broadcast LAN frames
stay on their VLAN❒ VLANs can be used to partition a network into several distinctive
segments, e.g.:❍ Voice over IP❍ Network management❍ Storage area network (SAN)❍ Guest Internet access❍ Demilitarized zone (DMZ)
❒ A common infrastructure shared by VLANs can provide a measure of security with great flexibility for a comparatively low cost
❒ Quality of service schemes can optimize traffic on inter-switch (trunk) links for real-time (e.g. VoIP) or low-latency requirements (e.g. SAN)
21
8: Securing Switched LANs
Forwarding between VLANs
1
8
9
16102
7
…
Electrical Engineering(VLAN ports 1-8)
Computer Science(VLAN ports 9-15)
15
…
router
❒ forwarding between VLANs always done via routing (just as with separate switches)❍ figure shows interconnection
through a separate router
" in practice vendors sell combined switches plus routers (so-called layer 3 switches)
22© From Computer Networking, by Kurose&Ross
12
8: Securing Switched LANs
VLANs spanning multiple switches
❒ how to interconnect multiple physical switches with devices on several VLANs?
❒ could connect the devices from the same VLAN through a dedicated link between the 2 switches❒ but would require one inter-switch link per VLAN!
1
8
9
102
7
…
Electrical Engineering(VLAN ports 1-8)
Computer Science(VLAN ports 9-15)
…
73
Ports 2,3,5 belong to EE VLANPorts 4,6,7,8 belong to CS VLAN
5
4 6 8
23
15 1
16 2
8: Securing Switched LANs
VLANs spanning multiple switches
❒ trunk link/port: carries frames in VLANs defined over multiple physical switches❍ frames forwarded within VLAN between switches can’t be vanilla
802.1 frames (must carry VLAN ID info)❍ 802.1Q protocol adds/removes additional header fields for frames
forwarded between trunk ports
1
8
9
102
7
…
Electrical Engineering(VLAN ports 1-8)
Computer Science(VLAN ports 9-15)
15
…
2
73
Ports 2,3,5 belong to EE VLANPorts 4,6,7,8 belong to CS VLAN
5
4 6 8
24
16
1trunk link
trunk ports
© From Computer Networking, by Kurose&Ross
13
8: Securing Switched LANs
Type
2-byte Tag Protocol Identifier (value: 81-00)
Tag Control Information (12-bit VLAN ID field, 3-bit priority field like IP TOS)
Recomputed CRC
IEEE 802.1Q VLAN frame format
802.1 frame
802.1Q frame
" When the field following the 2 MAC addresses is 0x8100 (> 1500), it’s a 802.1Q frame
" 3-bit priority field is used to provide QoS
" When a frame has no tag on a trunk link, there is a native/default VLAN id (= 1) which the frame is considered to be associated with
25© From Computer Networking, by Kurose&Ross
Assigning a VLAN id to a host❒ If a host NIC sends an untagged frame, the frame
will be associated with the VLAN corresponding to the incoming port (in port-based VLAN) or to the source MAC address (in address-based VLAN)❍ If the frame crosses a trunk link, the tag is added
• unless the frame is associated with the native/default VLAN and the trunk port is configured to support the native VLAN
❒ A host NIC could also send tagged frames❍ e.g., an IP phone sending frames on the “VoIP VLAN”❍ VLAN ids can be assigned manually to hosts or assigned
dynamically (e.g. thanks to IEEE 802.1x after host authentication with an AAA server)
8: Securing Switched LANs 26
14
VLAN stacking
❒ Consider a Layer-2 VPN scenario❍ Provider’s network creates one VLAN per customer
❒ Customer may still define multiple VLANs within customer’s multi-site network
❒ Customers’ VLAN frames carried through provider’s VLAN:❍ 802.1Q frames will be double tagged in the provider’s network❍ Outer VLAN id = Provider’s VLAN id❍ Inner VLAN id = Customer’s VLAN id
8: Securing Switched LANs 27
Provider’s VLAN for this customer
Provider’s network company’s headquarters
company’s branch office
Switch 1 Switch 2
VLANs and spanning trees❒ When several VLANs are deployed, it is possible
to build one or several spanning trees:❍ Per-VLAN spanning tree (PVST)❍ Multiple spanning tree protocol (MSTP):
• one spanning tree per group of VLANs
8: Securing Switched LANs 28
Serverracks
TORswitches
Tier-1switches
Tier-2switches
1 2 3 4 5 6 7 8© From Computer Networking, by Kurose&Ross
15
8: Securing Switched LANs 29
Chapter Roadmap
❒ Securing Switched Ethernet LANs❍ Securing the MAC self-learning process❍ Securing DHCP and ARP❍ Securing the spanning tree protocol
❒ VLANs❍ Securing VLANs
VLANs – A security plus
❒ Layer-2 broadcast frames remain on their VLAN❍ ARP, DHCP, …
❒ Frames cannot jump from one VLAN to another without passing through a layer-3 device❍ and high-end layer-3 switches can even perform firewall
functions without using an external firewall device
❒ This traffic isolation is a security plus, unless there are misconfigurations and incorrect cabling
8: Securing Switched LANs 30
16
VLANs and firewalls
❒ The same physical switch could be used for the internal network and the DMZ, with a dedicated DMZ VLAN
❒ But usually considered preferable to keep devices at different security levels isolated on physically separate switches
8: Securing Switched LANs 31
Web server FTP
server
DNS server
Internet
Demilitarized zone (DMZ)
firewall
internal network
© From Computer Networking, by Kurose&Ross
VLANs – Trunk versus access ports❒ Non trunk ports should be configured as access
ports to avoid switch spoofing attacks❍ In a switch spoofing attack, an attacking host imitates a
trunking switch❒ On access ports the switch will discard
❍ tagging and trunking protocols used to manage VLANs• e.g., CISCO’s Dynamic Trunking Protocol (DTP) used to negotiate
trunking on a link and to configure the VLANs in a multi-switch network❍ but also BPDUs for example
❒ Also: ❍ disable unused switch ports and create a VLAN to
collect disabled switch ports8: Securing Switched LANs 32
17
8: Securing Switched LANs 33
VLAN hopping - Attacking the VLAN tag stack
❒ VLAN hopping❍ Frame hops from VLAN 1 to
VLAN 2!❍ Victim on VLAN 2 can receive
killer packets from an attacker on VLAN 1 without crossing any router (and possible filter)!
Victim A: is on VLAN 2 Attacker being on native VLAN 1
Trunk ports configured to support native VLAN = 1.
Frames on VLAN 1 travel untagged
Inner VLANOuter VLAN = native
A B 2
Switch strips off outer tag
(equal to native)
A B 1 2
❒ Solutions❍ Don’t assign native VLAN to any
access port❍ Force all traffic on trunk to always
carry a tag, even the native one❍ Assign another unused number to the
native VLAN
Only one VLAN tag
left
8: Securing Switched LANs 34
Summary❒ Securing Switched LANs
❍ Securing the MAC self-learning process
• MAC spoofing• MAC flooding
❍ Securing DHCP and ARP• Rogue DHCP server• ARP spoofing/poisoning
❍ Securing the spanning tree protocol
❍ IEEE 802.1x can also be used with Switched LANs
• was initially designed in this context
❒ VLANs❍ VLAN as a network
segmentation mechanism
❍ A security plus❒ Securing VLANs
❍ Switch spoofing❍ VLAN hopping