LAN Security - Threats and Prevention

MAC Flooding and Spoofing Attacks

MAC Flooding: In a typical MAC flooding attack, the attacker feeds the switch a stream of Ethernet frames, each carrying a different source MAC address. The intention is to exhaust the limited memory the switch sets aside for its MAC address table. Once the MAC address table is full of spurious MAC addresses, the switch floods frames out of every port, including frames destined for genuine hosts, whenever it has no entry for the destination MAC address in its MAC address table. After a successful MAC flooding attack, a malicious user can then use a packet analyzer to capture sensitive data being transmitted between other computers.

MAC Spoofing: A MAC spoofing attack consists of generating a frame from a malicious host that borrows a legitimate source MAC address already in use on the VLAN. This causes the switch to forward frames out the incorrect port. The switch updates its mac-address-table based on the most recently seen frame, so this type of attack can cause an immediate denial of service (DoS) to the spoofed host. Traffic to the genuine host resumes if, and only if, the genuine host sources a frame, thereby updating the switch's mac-address-table again. The default ageing time for the mac-address-table is 300 seconds (5 minutes).

Preventing MAC Flooding and Spoofing Attacks

To start with, many switches can be configured to warn the administrator about frequent MAC address moves. The following command enables this in Cisco IOS:
SW(config)# mac-address-table notification mac-move
Although it does not stop an attack from occurring, MAC notification provides a pointer to potentially suspicious activity.
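The MAC-move notification above only becomes useful when somebody looks at what it produces. The following added example (not part of the original post) reads MAC-flap syslog lines and reports hosts whose MAC keeps bouncing between the same two ports, which is what a spoofed host fighting the genuine one for the table entry looks like. The log lines are constructed samples shaped like the IOS MAC-flap notification; the switch name, ports, VLANs and MACs are made up.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (all values made up), in the shape of the
# MAC-flap notification an IOS switch logs once MAC-move notification is on.
SAMPLE_LOG = """\
Mar  1 10:00:01 SW1: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/5 and port Gi1/0/7
Mar  1 10:00:02 SW1: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/7 and port Gi1/0/5
Mar  1 10:00:04 SW1: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/5 and port Gi1/0/7
Mar  1 10:00:09 SW1: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/7 and port Gi1/0/5
Mar  1 10:03:30 SW1: %SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bbcc.ddee in vlan 20 is flapping between port Gi1/0/2 and port Gi1/0/3
Mar  1 10:05:00 SW1: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/9, changed state to up
"""

FLAP_RE = re.compile(
    r"Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)")

def parse_flaps(log_text):
    """Yield (vlan, mac, frozenset of the two ports) per MAC-flap line; skip others."""
    for line in log_text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            yield int(m["vlan"]), m["mac"], frozenset((m["p1"], m["p2"]))

def suspected_spoofing(log_text, threshold=3):
    """Return {(vlan, mac): {"count": n, "ports": [p1, p2]}} for hosts whose MAC
    flapped between the same two ports at least `threshold` times.  A single move
    (a host simply re-patched to another port) stays below the threshold."""
    counts = defaultdict(int)
    for vlan, mac, pair in parse_flaps(log_text):
        counts[(vlan, mac, pair)] += 1
    return {(vlan, mac): {"count": n, "ports": sorted(pair)}
            for (vlan, mac, pair), n in counts.items() if n >= threshold}
```

In the sample, the host on VLAN 10 is reported (four flaps between Gi1/0/5 and Gi1/0/7) while the single move on VLAN 20 is not.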

Port Security
To stop an attacker in his tracks, a mechanism called port security comes to the rescue. Port security ties a given MAC address to a port by not allowing any MAC address other than the preconfigured one to show up on the secured port. A violation occurs when the source MAC address of a frame differs from the list of secure addresses. The configuration is given below, followed by an explanation of the commands and the requirements for port security.
SW(config)# interface interface_id
SW(config-if)# switchport mode access
SW(config-if)# switchport port-security
SW(config-if)# switchport port-security maximum value
SW(config-if)# switchport port-security violation {restrict | protect | shutdown}
SW(config-if)# switchport port-security mac-address {mac_address | sticky}

The port-security commands are configured in interface configuration mode.
• The interface mode must be access to make it a secure port. An interface in default mode (dynamic desirable) cannot be configured as a secure port.
• Enable the port security feature using the command switchport port-security.
• switchport port-security maximum value sets the maximum number of secure MAC addresses for the interface. The range is 1 to 3072; the default is 1.
• A violation occurs when the source MAC address of a frame differs from the list of secure addresses.
• Port security has three violation modes, namely protect, restrict and shutdown:
  • Protect: The port drops frames from unknown addresses.
  • Restrict: When a violation occurs in this mode, the port drops frames from unknown addresses and increments a violation counter. An SNMP trap is generated indicating that a violation has occurred.
  • Shutdown: The port is error-disabled when a security violation occurs.
• When using port security, secure MAC addresses can be specified using three methods:
  • Static: Static secure MAC addresses are configured manually on each switchport and stored in the address table. The configuration for a static secure MAC address is retained after a switch reboot.
  • Dynamic: Dynamic secure MAC addresses are learned from the device (or devices) connected to the switchport. These addresses are stored in the address table only and are lost when the switchport goes down or when the switch reboots.
  • Sticky: Sticky secure MAC addresses are learned dynamically from the devices connected to the switchport and are stored in the running configuration of the switch. This mode operates like static mode, with the added benefit that the network administrator does not have to add the MAC addresses to the switch manually.
NOTE: For IP Telephony configurations where a Cisco IP phone connects to the port and a PC connects to the IP phone, three MAC addresses should be allowed per secure port. The phone itself uses one MAC address, and so does the PC. This makes two addresses. Where does the third one come from?
The IP phone actually contains a processor connected to an internal switch. That processor uses a MAC address when it sends traffic. Shortly after booting, the IP phone attempts to discover (through the Cisco Discovery Protocol [CDP]) the voice and data VLAN mappings. To do so, the phone generates frames by using its MAC in the data VLAN, which is, at this point, the only VLAN of which the phone is aware. Therefore, the switch temporarily sees three MAC addresses on the port.
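To tie the flooding attack and the port-security countermeasure together, here is an added toy model (not from the original post and not Cisco code): a switch with a bounded MAC table and per-port port security, run through the flooding scenario with and without port security on the attacker's port. The port names, table size and MAC addresses are constructed, and the model only captures the behaviour described above (bounded learning, flooding on a table miss, and the three violation modes).

```python
BCAST = "ff:ff:ff:ff:ff:ff"
HOST_A, HOST_B = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"   # constructed victim MACs

class Switch:
    """Toy L2 switch: a bounded MAC table plus per-port port security."""
    FLOOD = "flood"
    def __init__(self, ports, table_size):
        self.table_size = table_size
        self.table = {}                           # mac -> port, newest sighting wins
        self.secure = {}                          # port -> {"max", "mode", "macs"}
        self.err_disabled = set()
        self.violations = {p: 0 for p in ports}
    def enable_port_security(self, port, maximum=1, mode="shutdown", static=()):
        self.secure[port] = {"max": maximum, "mode": mode, "macs": set(static)}
    def _learn(self, mac, port):
        if mac not in self.table and len(self.table) >= self.table_size:
            return                                # table full: the MAC-flooding goal
        self.table[mac] = port                    # a spoofed source simply overwrites
    def _allowed(self, mac, port):
        cfg = self.secure.get(port)
        if cfg is None or mac in cfg["macs"]:
            return True
        if len(cfg["macs"]) < cfg["max"]:
            cfg["macs"].add(mac)                  # dynamic learning of a secure MAC
            return True
        if cfg["mode"] in ("restrict", "shutdown"):
            self.violations[port] += 1            # restrict/shutdown count (and trap)
        if cfg["mode"] == "shutdown":
            self.err_disabled.add(port)           # port goes error-disabled
        return False                              # all three modes drop the frame
    def receive(self, in_port, src, dst):
        """Return the egress port, Switch.FLOOD, or None if the frame is dropped."""
        if in_port in self.err_disabled or not self._allowed(src, in_port):
            return None
        self._learn(src, in_port)
        return self.table.get(dst, self.FLOOD)

def run_flood_scenario(mode=None):
    """mode=None: no port security on the attacker's port; else a violation mode."""
    sw = Switch(["Gi0/1", "Gi0/2", "Gi0/3"], table_size=4)
    if mode:
        sw.enable_port_security("Gi0/3", maximum=1, mode=mode)
    for i in range(20):                           # attacker on Gi0/3 churns source MACs
        sw.receive("Gi0/3", f"02:00:00:00:00:{i:02x}", BCAST)
    sw.receive("Gi0/2", HOST_B, BCAST)            # genuine host B then appears
    out = sw.receive("Gi0/1", HOST_A, HOST_B)     # A sends a unicast frame to B
    return out, sw.violations["Gi0/3"], "Gi0/3" in sw.err_disabled
```

Without port security the table fills with bogus entries, B is never learned, and A's unicast to B is flooded to every port including the attacker's; with any of the three violation modes on Gi0/3 the attacker only ever gets one entry and A's frame is switched straight to Gi0/2.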

Attacking the Spanning Tree Protocol

The most common STP attack is the root ownership attack, in which an attacker claims to be the root bridge by sending forged BPDUs with a lower Bridge ID than the existing root switch.
These are the known STP attacks:
• Sending raw Configuration BPDUs
• Sending raw TCN BPDUs
• DoS by sending raw Configuration BPDUs
• DoS by sending raw TCN BPDUs
• Claiming the root role
• Claiming another role
• Claiming the root role while dual-homed (man-in-the-middle)

Preventing STP Attacks

Protected Ports

The protected port is a feature that has only local significance to the switch. A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port on the same switch. Traffic cannot be forwarded between protected ports at Layer 2 (L2); all traffic passing between protected ports must be forwarded through a Layer 3 (L3) device.
Protected ports have these features:
  • A protected port cannot forward traffic to another protected port.
  • A protected port can forward traffic to an unprotected port.
  • An unprotected port can forward traffic to a protected port.
  • An unprotected port can, of course, forward traffic to another unprotected port.
