CCNA Security Study Notes – Securing Layer 2
Securing layer 2 is a fundamental topic which must be covered, as there are many possible attack vectors at layer 2. Below I’ll be detailing some of the more common attack vectors and how to mitigate them.
Port Security
Attack type: CAM/MAC table overflow
Mitigation method: Port Security
CAM overflow attacks are caused by a client connected to a switch sending out thousands of frames, each with a different source MAC address. The MAC address table fills up, and the switch then floods all new traffic out every port within that VLAN. A malicious user could use this method to sniff traffic not destined for them.
Port Security is used on access layer switches to enforce an administratively defined limit on the number of MAC addresses which can be learned on a switch port.
Port security is enabled on an interface by interface basis and is not globally enabled.
To enable port security, enter switchport port-security on the interface.
To limit the number of MAC addresses allowed through the port: switchport port-security maximum <num> (the default is one address).
The default violation mode is to shut the port down (it is placed in the err-disabled state), which requires an administrator to issue shutdown on the port and then bring it back online with no shutdown.
There are three violation modes: shutdown, protect and restrict.
Shutdown was covered above. Protect allows the learned MAC addresses (up to the defined limit) to be forwarded without restriction and drops frames from any other address. Restrict is the same as protect, with the only difference being that an SNMP trap is sent each time a violation is detected, whereas protect will not alert.
If you don’t want to statically assign which MAC addresses are allowed on a switchport, you can let the switch dynamically learn up to the maximum number of addresses with sticky MAC addresses.
This is configured with switchport port-security mac-address sticky.
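The following is an added configuration example, not from the original notes, showing the Port Security commands above applied to one access port together with the verification commands. The interface name, VLAN number and the maximum of two addresses (a phone plus a PC) are assumed values.

```cisco
! Added example: Port Security on an access port (assumed interface GigabitEthernet0/1, VLAN 10).
! Port Security is rejected on a dynamic (DTP) port, so make the port a static access port first.
interface GigabitEthernet0/1
 description User access port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! allow a phone and the PC behind it; the default maximum is 1
 switchport port-security maximum 2
 ! restrict: drop frames from extra addresses and send an SNMP trap per violation
 ! (the default, shutdown, would err-disable the port instead)
 switchport port-security violation restrict
 ! learn the first two addresses dynamically and keep them in the running-config
 switchport port-security mac-address sticky
!
! For ports that keep the default shutdown violation mode, let err-disabled ports
! recover after 5 minutes instead of waiting for a manual shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification (privileged EXEC): violation count, mode, and the sticky addresses learned
show port-security interface GigabitEthernet0/1
show port-security address
```

Sticky addresses are written into the running configuration, so they survive a reload only once the configuration is saved; a port that shows a growing violation counter in the first show command is the signal that more addresses than expected are being seen behind it.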
Source: Port Security
DHCP Snooping
Attack type: Rogue DHCP Server
Mitigation method: DHCP Snooping
An attacker could set up their own DHCP server and start sending clients on the network segment invalid network information causing a DoS situation, or could route all traffic to itself and perform a man in the middle attack.
DHCP Snooping acts like a firewall for DHCP requests to verify legitimate DHCP messages and to filter non-legitimate traffic.
DHCP Snooping:
- Validates DHCP messages that are received from untrusted sources, and filters invalid messages.
- Rate limits DHCP traffic from trusted and untrusted sources.
- Builds and maintains the DHCP Snooping binding database, which contains information about untrusted hosts with leased IP addresses.
- Utilizes the DHCP Snooping binding database to validate subsequent requests from untrusted hosts.
All ports are untrusted by default, and each trusted port must be configured individually. It is important to note that DHCP Snooping is enabled globally and will drop all DHCP server responses (offers and acknowledgements) arriving on untrusted ports, so if the trusted ports are not configured first, clients will no longer obtain addresses.
An interface is marked as trusted for the DHCP Snooping binding database by adding ‘ip dhcp snooping trust’ to the interface configuration.
Source: DHCP Snooping
ARP Inspection
Attack type: Man in the Middle (MITM)
Mitigation method: ARP Inspection
ARP is a layer 2 protocol used to discover the layer 2 (MAC) address of a host and map it to its layer 3 (IP) address. A malicious user can exploit this by sending out ARP messages that claim the IP address of the layer 3 gateway but carry their own MAC address in the frames.
In a typical network configuration, you configure all switch ports connected to hosts as untrusted and all switch ports connected to other switches as trusted. Dynamic ARP Inspection checks each ARP packet received on an untrusted port against the IP-to-MAC bindings in the DHCP Snooping binding database (or a configured ARP ACL for static hosts), so DHCP Snooping must be in place first.
You configure the trust setting by using the ip arp inspection trust interface configuration command.
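Because Dynamic ARP Inspection validates against the DHCP Snooping binding database, the two features are best configured together. The following is an added example, not from the original notes, covering both the DHCP Snooping section and the ARP Inspection section above; the VLAN number, the interface names and the rate limit are assumed values.

```cisco
! Added example: DHCP Snooping and Dynamic ARP Inspection for VLAN 10
! (VLAN and interface names assumed). Order matters: trust the uplink BEFORE enabling
! snooping globally, otherwise DHCP replies from the real server are dropped.
interface GigabitEthernet0/24
 description Uplink towards the legitimate DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/1
 description User access port (untrusted by default for both features)
 ! cap DHCP messages from this host so a flood cannot exhaust the snooping process
 ip dhcp snooping limit rate 10
!
! Enable snooping globally and for the VLAN; the binding database is populated from
! the DHCP exchanges that pass through the switch.
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default; disable it unless the upstream relay or server
! expects it, since untrusted upstream ports drop option-82 packets that have no giaddr.
no ip dhcp snooping information option
!
! DAI: ARP on untrusted ports must match a snooping binding; enable it after snooping.
ip arp inspection vlan 10
!
! Verification (privileged EXEC): trusted ports, learned bindings, and dropped ARP counts
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
```

The statistics command is the one to watch operationally: a rising DAI drop count on a single user port is the visible symptom of the gateway-spoofing ARP traffic described above, while drops across many ports usually mean a host with a static IP address has no binding and needs an ARP ACL entry.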
Source: ARP Inspection
Root Guard
Attack type: Spanning Tree MITM
Mitigation method: Root Guard
If you connect your switch network to an untrusted network, you may not want any switch in that network to be able to become the root bridge. You would enable root guard on the interface(s) towards the unmanaged switches to ensure this doesn’t occur. The same method can be used on access ports where no switches should exist, stopping a user from advertising a lower bridge ID than your current root bridge.
Root guard is enabled on a per-interface basis: enter the interface you wish to protect and configure spanning-tree guard root. A port that receives a superior BPDU is placed into the root-inconsistent (blocking) state until those BPDUs stop.
Source: Root Guard
BPDU Guard
Attack type: Spanning Tree MITM
Mitigation method: BPDU Guard
BPDU Guard stops a port from accepting BPDUs into the switched network. Without it, a user could send a BPDU with a bridge ID lower than the current root bridge and alter the STP topology.
By default, BPDU Guard shuts the port down (places it in the err-disabled state) if a BPDU is received on a port with BPDU Guard enabled.
To enable BPDU Guard on all PortFast-enabled ports, enter spanning-tree portfast bpduguard default in global configuration mode.
To have the port recover automatically, enter errdisable recovery cause bpduguard followed by errdisable recovery interval <time in seconds>.
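The following is an added configuration example, not from the original notes, that puts the Root Guard and BPDU Guard sections together: root guard on a port facing an unmanaged switch, BPDU guard on a user port (both the global and the per-interface form), and automatic err-disable recovery. Interface names and the recovery interval are assumed values.

```cisco
! Added example: Root Guard and BPDU Guard (interface names assumed).
!
! Root Guard: a superior BPDU arriving here puts the port into root-inconsistent
! (blocking) state; the port returns to normal when the superior BPDUs stop.
interface GigabitEthernet0/23
 description Link to unmanaged / third-party switch
 switchport mode trunk
 spanning-tree guard root
!
! BPDU Guard, option 1: enable globally for every PortFast-enabled port.
spanning-tree portfast bpduguard default
!
! BPDU Guard, option 2: enable per interface (works with or without PortFast).
interface GigabitEthernet0/1
 description User access port
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! A BPDU on Gi0/1 now err-disables it. Recover after 5 minutes instead of requiring a
! manual shutdown / no shutdown. The interval is global and applies to every recovery cause.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification (privileged EXEC): guard status per port, ports currently blocked by a
! guard, and ports waiting for err-disable recovery
show spanning-tree summary
show spanning-tree inconsistentports
show errdisable recovery
```

Root guard and BPDU guard are deliberately different in effect: a root-guard port recovers on its own once the offending BPDUs stop, whereas a BPDU-guard violation leaves the port err-disabled until the recovery timer fires or an administrator intervenes, which is why the recovery commands belong with BPDU guard and not with root guard.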
Source: BPDU Guard
Switchport nonegotiate
Attack type: Trunk port negotiation
Mitigation method: Disable trunk negotiations
A user connected to a switchport that is not assigned as an access port may negotiate its port status to a trunk, giving the malicious user access to traffic from all VLANs.
This is a simple one:
- Configure ports towards users as access ports with switchport mode access.
- Configure ports towards other switches with switchport mode trunk.
- Disable automatic trunk negotiation with switchport nonegotiate.
Best Practices
- Change the default VLAN, and place unused ports into this VLAN.
- Avoid using VLAN 1 anywhere.
- Configure access ports so users cannot negotiate trunks.
- Disable dynamic trunking protocol.
- Limit the amount of MAC addresses on an access port.
- Enable root guard to stop other switches from becoming the root.
- Turn off CDP on access ports.
- Shut down all ports not in use.
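The following is an added configuration example, not from the original notes, that applies the trunk negotiation steps from the Switchport nonegotiate section and the best practices checklist above as a port template: a dedicated unused VLAN and non-default native VLAN, static access ports with DTP and CDP off, a static trunk that only carries the VLANs it needs, and every unused port parked and shut down. VLAN numbers and interface ranges are assumed values.

```cisco
! Added example: access-port and trunk templates for the checklist (VLANs and ranges assumed).
!
! 1. Do not use VLAN 1: create a parking VLAN for unused ports and a separate native VLAN.
vlan 999
 name UNUSED_PARKING
vlan 998
 name NATIVE_TRUNK
!
! 2. User-facing ports: static access, no DTP negotiation, no CDP advertisements.
interface range GigabitEthernet0/1 - 8
 description User access ports
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
 ! per-port address limit and STP protection, as covered in the earlier sections
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! 3. Uplinks: static trunk, no negotiation, explicit native VLAN, only the VLANs required.
!    (On platforms that still support ISL, 'switchport trunk encapsulation dot1q'
!    must be entered before 'switchport mode trunk'.)
interface GigabitEthernet0/24
 description Uplink to distribution switch
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! 4. Everything else: parked in the unused VLAN and administratively down.
interface range GigabitEthernet0/9 - 23
 description Unused
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Verification (privileged EXEC): trunk state and native VLAN, port status, DTP mode
show interfaces trunk
show interfaces status
show dtp interface GigabitEthernet0/1
```

The last command should report that the access ports are not sending DTP; if a port that is meant to be an access port shows up in show interfaces trunk, that is the trunk-negotiation exposure the section above describes and the port is missing either switchport mode access or switchport nonegotiate.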