Friday, January 2, 2015

CCNP Security: SENSS Part 1-2

1.2 Implement Layer 2 Security

1.2.a Configure DHCP snooping
DHCP snooping protects the LAN from rogue DHCP servers, which could be used to mount a MitM or DoS attack.  DHCP snooping drops DHCP server messages arriving from untrusted interfaces.  It does this by maintaining a DHCP snooping binding table, which contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information for the hosts on the untrusted interfaces of the switch.  The table is stored as a flat configuration file in flash.  Untrusted interfaces are used for hosts; trusted interfaces are used for upstream switches, other networking devices, and DHCP servers.

Enable DHCP snooping globally on the switch
Switch(config)# ip dhcp snooping

Enable DHCP snooping per vlan
Switch(config)# ip dhcp snooping vlan number | vlan range

Configure errdisable recovery timer
Switch(config)# errdisable recovery cause dhcp-rate-limit interval interval

Per-VLAN errdisable detection; by default a violation results in shutdown
Switch(config)# errdisable detect cause dhcp-rate-limit action shutdown vlan

Configure the interface as trusted or untrusted.  By default, interfaces are untrusted.
Switch(config-if)# ip dhcp snooping trust

Verification
Switch# show ip dhcp snooping

The rate-limiting function can be used to prevent a DoS attack.  When the threshold is breached, the port is placed in the err-disabled state.
Switch(config-if)# ip dhcp snooping limit rate 100

It is recommended to store the database file off the switch, on a remote server.
Switch(config)# ip dhcp snooping database tftp://x.x.x.x/directory/file
Switch# show ip dhcp snooping database detail

It may be necessary to manually read database entries in from a TFTP file.  To do so, and to verify the result:
switch# show ip dhcp snooping database
switch# renew ip dhcp snoop data url
switch# show ip dhcp snoop data
switch# show ip dhcp snoop bind


1.2.b Describe dynamic ARP inspection
DAI is used to help prevent MitM attacks conducted via ARP poisoning.  It inspects the ARP entries passing through the switch in real time.  The source information used to verify legitimate ARP traffic is pulled from the DHCP snooping table; if DHCP snooping is not configured, all ARP traffic will be dropped.  By default, ports are placed in the untrusted state for DAI.  After configuring DHCP snooping, configure the trusted ports with the interface-level command ip arp inspection trust.  Once this is configured, enable DAI on the desired VLAN(s) with ip arp inspection vlan number.

Devices assigned static IPs will need either to be added to an ARP ACL entry or to have their port placed in the trusted state, as their MAC and IP will never be seen by DHCP snooping.

DAI has two blocking mechanisms: rate limiting of ARP entries (the default value is 15/s), and dropping ARP messages which do not match the DHCP snooping table (for example, ARP poisoning attacks directed at the gateway and a host on the network by abusing the gratuitous ARP reply function).
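As an added illustration (not part of the original notes), the following Python model shows how DHCP snooping drops server messages from untrusted ports and builds the binding table from the client REQUEST / server ACK exchange, and how DAI then checks ARP sender information against that table, an ARP ACL for static hosts, and the 15 pps rate limit.  The class, method names, and port names are assumptions for the model, not IOS code.

```python
from collections import namedtuple

# Assumed model of a Cisco switch's DHCP snooping + DAI behaviour (not IOS code).
Binding = namedtuple("Binding", "mac ip vlan port")
SERVER_MSGS = {"OFFER", "ACK", "NAK"}        # only a DHCP server sends these
ARP_RATE_LIMIT = 15                          # DAI default on untrusted ports (pps)

class SnoopingSwitch:
    def __init__(self, trusted_ports, arp_acl=()):
        self.trusted = set(trusted_ports)    # uplinks / DHCP server ports
        self.arp_acl = set(arp_acl)          # (mac, ip) pairs for static hosts
        self.pending = {}                    # (vlan, mac) -> client port awaiting ACK
        self.bindings = {}                   # (vlan, mac) -> Binding
        self.arp_window = {}                 # port -> [second, count]
        self.err_disabled = set()

    def dhcp(self, port, vlan, msg, client_mac, ip=None):
        """DHCP snooping: server messages from untrusted ports are dropped; an
        ACK from a trusted port completes the binding for the requesting client."""
        if msg in SERVER_MSGS and port not in self.trusted:
            return "drop-rogue-server"
        if msg in ("DISCOVER", "REQUEST") and port not in self.trusted:
            self.pending[(vlan, client_mac)] = port
        elif msg == "ACK" and (vlan, client_mac) in self.pending:
            client_port = self.pending.pop((vlan, client_mac))
            self.bindings[(vlan, client_mac)] = Binding(client_mac, ip, vlan, client_port)
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip, second=0):
        """DAI: trusted ports bypass inspection; untrusted ports are rate limited
        and the sender MAC/IP must match a binding for that port or an ARP ACL."""
        if port in self.err_disabled:
            return "drop-errdisabled"
        if port in self.trusted:
            return "forward"
        window = self.arp_window.setdefault(port, [second, 0])
        if window[0] != second:              # new one-second interval
            window[:] = [second, 0]
        window[1] += 1
        if window[1] > ARP_RATE_LIMIT:
            self.err_disabled.add(port)
            return "errdisable-rate-limit"
        if (sender_mac, sender_ip) in self.arp_acl:
            return "forward"                 # static host covered by ARP ACL
        b = self.bindings.get((vlan, sender_mac))
        if b and b.ip == sender_ip and b.port == port:
            return "forward"
        return "drop-invalid-arp"            # e.g. a host claiming the gateway's IP
```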


1.2.c Describe storm control
The storm control feature is used to prevent traffic disruption on ports experiencing a broadcast, multicast, or unicast traffic storm.  It monitors traffic levels over a one-second interval and compares the traffic rate with the configured storm control level, which is a percentage of the total bandwidth of the port.  If the threshold is exceeded during the one-second interval, broadcast suppression is engaged.  Whether this feature operates in hardware or software depends on the switch model.
switch(config-if)# storm-control broadcast level level
switch(config-if)# storm-control action shutdown | trap 
switch# show storm-control


1.2.d Configure port security
Port security is used to control traffic from both static and dynamically learned MAC addresses on a switch's access ports.  It can also be used to limit the number of hosts allowed to send traffic across an access port.

Violation modes
Protect - Drops packets from unknown source addresses (e.g. hosts over the limit)
Restrict - Drops packets and increments the SecurityViolation counter
Shutdown - Interface is placed into the err-disabled state and an SNMP trap is sent

switch(config-if)# switchport port-security
switch(config-if)# switchport port-security max number
switch(config-if)# switchport port-security mac-address xxxx.xxxx.xxxx
OR
switch(config-if)# switchport port-security mac-address sticky
switch(config-if)# switchport port-security aging time minutes
switch(config-if)# switchport port-security aging type interval | inactivity
switch(config)# errdisable recovery cause psecure-violation
switch(config)# errdisable recovery interval seconds
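To make the three violation modes concrete, here is an added Python model of one access port running port security; it is not from the original notes, and the class and method names are assumptions.  It learns MAC addresses up to the configured maximum, records sticky addresses as they would land in the running config, applies the configured violation mode once the limit is exceeded, and models aging and errdisable recovery.

```python
class SecurePort:
    """Assumed model of 'switchport port-security' on one access port."""

    def __init__(self, maximum=1, violation="shutdown", sticky=False, static=()):
        self.maximum = maximum                # switchport port-security maximum
        self.violation = violation            # protect | restrict | shutdown
        self.sticky = sticky                  # switchport port-security mac-address sticky
        self.secure_macs = set(static)        # statically configured addresses
        self.running_config = list(static)    # sticky-learned MACs are written here
        self.violation_count = 0              # SecurityViolation counter
        self.err_disabled = False

    def ingress(self, src_mac):
        """Return the fate of a frame arriving with this source MAC."""
        if self.err_disabled:
            return "drop-errdisabled"
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)     # dynamically learned
            if self.sticky:                   # persists across reload once saved
                self.running_config.append(src_mac)
            return "forward"
        # Over the limit: apply the violation mode.
        if self.violation == "protect":
            return "drop"                     # silent, counter untouched
        self.violation_count += 1             # restrict and shutdown both count
        if self.violation == "restrict":
            return "drop-log"                 # syslog + SNMP trap, port stays up
        self.err_disabled = True              # shutdown: err-disable + SNMP trap
        return "drop-shutdown"

    def age_out(self, mac):
        """Model 'aging time' expiring a dynamically learned address."""
        if mac in self.secure_macs and mac not in self.running_config:
            self.secure_macs.discard(mac)

    def errdisable_recover(self):
        """Model 'errdisable recovery cause psecure-violation' firing."""
        self.err_disabled = False
```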


1.2.e Describe common Layer 2 threats and attacks and mitigation

VLAN Hopping
1.  Attacker crafts packets to negotiate a trunk to come up on an access port across ISL or 802.1Q
2.  Attacker crafts packets that are encapsulated twice with a VLAN ID (double tagging)

Mitigation:
Disable DTP on user-facing ports (switchport mode access, switchport nonegotiate).
Do not use VLAN 1.
Use a dedicated VLAN for trunk ports.
Explicitly configure trunking on trusted ports.
Use tagged mode for the native VLAN on trunks.
Disable unused ports.

CAM table overflow
Attacker sends thousands of frames per second with bogus source MAC addresses, causing the switch's CAM table to overflow.  Traffic must then be flooded out all ports, effectively turning the switch into a hub.

Mitigation:
Use port security to limit the number of learned MAC addresses per interface.

DHCP starvation attack
Attacker tries to lease all of the available DHCP addresses within a DHCP scope.

Mitigation:
Use port security to limit the number of L2 addresses which can transit a port.

Rogue DHCP server attack
Attacker stands up a DHCP server and can then affect users' default gateway, IP addressing, and DNS server.  Commonly used for DoS and MitM attacks.

Mitigation: Use DHCP snooping

ARP Poisoning
Attacker abuses the gratuitous ARP request feature to claim to be the owner of a target host's IP address.  Commonly used to poison the gateway and target host(s) and perform a MitM attack.  The attack can be further refined with tools such as SSLstrip to decrypt SSH/SSL traffic.

Mitigation: Use DAI

MAC Spoofing attack
Attacker spoofs a MAC address to impersonate other hosts on the LAN.

Mitigation
DHCP snooping, DAI, IPSG

STP Attacks
Attacker can impersonate the root bridge and force an STP election to occur, then execute a MitM or DoS attack.

Mitigation
BPDU filter and root guard

CDP Attacks
Attacker can crash IOS devices by flooding CDP advertisements, consuming too much memory.

Mitigation
Disable CDP unless it is required.

1.2.f Describe MACSec
IEEE 802.1AE standard.  Used in conjunction with 802.1X, which provides the authentication mechanism.
Ensures data confidentiality by providing symmetric encryption at Layer 2.
Provides integrity by ensuring data cannot be modified in transit.
MACSec encrypts packets hop by hop at Layer 2.
AnyConnect can be used as a supplicant.


1.2.g Configure IP source verification
DHCP snooping must be configured.  IP Source Guard (IPSG) is used to prevent hosts from spoofing the IP addresses of other hosts on the network.  It is enabled per interface: the switch blocks all IP traffic received on the interface except packets permitted by the DHCP snooping binding table.  It can also filter on source MAC addresses.

switch(config-if)# ip verify source
switch(config-if)# ip verify source port-security
switch# show ip verify source
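Added example, not from the original notes: a Python model of IP Source Guard on one untrusted port.  It parses a constructed sample in the shape of `show ip dhcp snooping binding` output (not captured from a real switch) and filters IP packets against it, showing the difference between `ip verify source` (source IP checked only) and `ip verify source port-security` (source IP and MAC checked), and that DHCP is still let through so a host can obtain its lease.  Function and parameter names are assumptions.

```python
from collections import namedtuple

Binding = namedtuple("Binding", "mac ip lease type vlan port")

# Constructed sample in the layout of 'show ip dhcp snooping binding'
# (made up for this example, not captured from a real switch).
SHOW_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.0.0.5         86400       dhcp-snooping   10   GigabitEthernet1/0/1
00:11:22:33:44:66   10.0.0.6         3600        dhcp-snooping   10   GigabitEthernet1/0/2
Total number of bindings: 2
"""

def parse_bindings(text):
    """Turn the show output into Binding records, skipping header/footer lines."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have six columns with numeric lease and VLAN fields.
        if len(parts) == 6 and parts[2].isdigit() and parts[4].isdigit():
            mac, ip, lease, typ, vlan, port = parts
            out.append(Binding(mac.lower(), ip, int(lease), typ, int(vlan), port))
    return out

def ip_source_guard(bindings, port, vlan, src_ip, src_mac,
                    is_dhcp=False, check_mac=False):
    """Assumed IPSG model for one untrusted port.
    check_mac=True models 'ip verify source port-security'."""
    if is_dhcp:
        return "permit-dhcp"                 # host must still be able to get a lease
    for b in bindings:
        if b.port == port and b.vlan == vlan and b.ip == src_ip:
            if check_mac and b.mac != src_mac.lower():
                return "deny-mac-mismatch"   # right IP, wrong MAC: only caught with MAC check
            return "permit"
    return "deny-no-binding"                 # spoofed IP or host without a lease
```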

3 comments:

  1. Great post! I have been studying for the 300-208 and looking for material for the 300-206; have you made it through the exam yet?

  2. I have done my CCNP from Horizon computers; now I am thinking of doing the CCNP certification. Is doing the certification important, or is just doing the course fine??
