LAN security concepts
DDoS
Data Breach
Malware
VPN-Enabled Router
NGFW (Next-generation firewall)
NAC (Network Access Control)
A device that monitors SMTP traffic to block threats and encrypts outgoing messages to prevent data loss.
The WSA can perform blacklisting of URLs, URL-filtering, malware scanning, URL categorization, Web application filtering, and encryption and decryption of web traffic.
A NAC device provides AAA services. (AAA = Authentication, Authorization, Accounting/Auditing)
The simplest method of remote access authentication is to configure a login and password combination on console, vty lines, and aux ports, as shown in the vty lines in the following example.
This is the weakest and least secure method because it provides no accountability and the password is sent in plaintext. Anyone with the password can gain entry to the device.
SSH is a more secure form of remote access:
It requires a username and a password, both of which are encrypted during transmission.
The username and password can be authenticated by the local database method.
It provides more accountability because the username is recorded when a user logs in.
The following example illustrates SSH and local database methods of remote access.
Local database method limitations:
User accounts must be configured locally on each device
The local database configuration provides no fallback authentication method
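As an added example (not configuration from the page), the two remote-access configurations described above side by side on an IOS router: the password-only vty login the page calls the weakest method, followed by the SSH plus local-database configuration. The hostname, domain name, username, secret, and the management subnet in the ACL are placeholders; the access-class ACL applies the page's later advice to filter management access with ACLs.

```cisco
! --- Weak: password-only login on the vty lines (example, not from the page) ---
! Anyone who knows the password is admitted, nothing records who logged in,
! and with Telnet the password crosses the wire in plaintext.
line vty 0 4
 password cisco123
 login
 transport input telnet
!
! --- Stronger: SSH with local-database authentication ---
hostname R1
ip domain-name example.com
! An RSA key pair must exist before the SSH server starts
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! Local user account; "secret" stores a hashed password in the config
username admin privilege 15 secret PLACEHOLDER_STRONG_SECRET
! Only the management subnet (placeholder 192.0.2.0/24) may open a session
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 login local
 exec-timeout 5 0
!
! Verification
! show ip ssh
! show users
```

With login local the username appears in show users and in syslog, which is the accountability the password-only lines lack. The second configuration still has the page's two local-database limitations: the account must be repeated on every device, and if the only local account is lost there is no fallback method.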
AAA stands for Authentication, Authorization, and Accounting.
AAA is a way to control who is permitted to access a network (authenticate), what they can do while they are there (authorize), and to audit what actions they performed while accessing the network (accounting).
Local AAA Authentication: the router authenticates users against its locally configured username database.
Server-Based AAA Authentication: the router uses either the Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS+) protocol to communicate with the AAA server.
AAA authorization is automatic and does not require users to perform additional steps after authentication.
AAA accounting collects and reports usage data. This data can be used for such purposes as auditing or billing. The collected data might include the start and stop connection times, executed commands, number of packets, and number of bytes.
The IEEE 802.1X standard is a port-based access control and authentication protocol. This protocol restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN.
Client (Supplicant) - This is a device running 802.1X-compliant client software, which is available for wired or wireless devices.
Switch (Authenticator) - The switch acts as an intermediary between the client and the authentication server. It requests identifying information from the client, verifies that information with the authentication server, and relays a response to the client. Another device that could act as authenticator is a wireless access point.
Authentication server - The server validates the identity of the client and notifies the switch or wireless access point that the client is or is not authorized to access the LAN and switch services.
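The AAA passage and the 802.1X passage above are served by one added example (not the page's own configuration) on a Catalyst access switch: local AAA, server-based AAA over RADIUS with local fallback and accounting, and 802.1X on one access port with the switch as authenticator. The RADIUS server address, shared secret, username, secret, VLAN ids and interface names are placeholders.

```cisco
! Added example, not from the page. Addresses, keys and interface names are placeholders.
aaa new-model
!
! --- Local AAA: authenticate against the switch's own username database ---
username admin privilege 15 secret PLACEHOLDER_STRONG_SECRET
!
! --- Server-based AAA: RADIUS first, local database only if the server is unreachable ---
radius server RAD1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER_SHARED_SECRET
!
aaa group server radius RAD-GROUP
 server name RAD1
!
! Authentication: who may log in (RADIUS, then local fallback)
aaa authentication login default group RAD-GROUP local
! Authorization: what the user may do once logged in (automatic after authentication)
aaa authorization exec default group RAD-GROUP local
! Accounting: record start and stop of every EXEC session on the server
aaa accounting exec default start-stop group RAD-GROUP
!
! --- IEEE 802.1X: the switch is the authenticator, RAD1 the authentication server ---
aaa authentication dot1x default group RAD-GROUP
dot1x system-auth-control
!
interface FastEthernet0/1
 description Access port for an 802.1X supplicant
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 ! "auto": port stays unauthorized until the supplicant passes EAP authentication
 authentication port-control auto
!
! The uplink toward the RADIUS server is not an 802.1X port
interface GigabitEthernet0/1
 description Uplink
 switchport mode trunk
!
! Verification
! show aaa servers
! show dot1x interface FastEthernet0/1 details
```

The trailing local keyword on the login and exec method lists is the fallback the page says a pure local-database setup lacks: the switch consults it only when every server in RAD-GROUP fails to answer, not when the server rejects the credentials.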
Network administrators routinely implement security solutions to protect the elements in Layer 3 up through Layer 7. They use VPNs, firewalls, and IPS devices to protect these elements. However, if Layer 2 is compromised, then all the layers above it are also affected.
Category - Examples
MAC Table Attacks - Includes MAC address flooding attacks.
VLAN Attacks - Includes VLAN hopping and VLAN double-tagging attacks. It also includes attacks between devices on a common VLAN.
DHCP Attacks - Includes DHCP starvation and DHCP spoofing attacks.
ARP Attacks - Includes ARP spoofing and ARP poisoning attacks.
Address Spoofing Attacks - Includes MAC address and IP address spoofing attacks.
STP Attacks - Includes Spanning Tree Protocol manipulation attacks.
Solution - Description
Port Security - Prevents many types of attacks including MAC address flooding attacks and DHCP starvation attacks.
DHCP Snooping - Prevents DHCP starvation and DHCP spoofing attacks.
Dynamic ARP Inspection (DAI) - Prevents ARP spoofing and ARP poisoning attacks.
IP Source Guard (IPSG) - Prevents MAC and IP address spoofing attacks.
Always use secure variants of these protocols such as SSH, Secure Copy Protocol (SCP), Secure FTP (SFTP), and Secure Socket Layer/Transport Layer Security (SSL/TLS).
Consider using an out-of-band management network to manage devices.
Use a dedicated management VLAN where nothing but management traffic resides.
Use ACLs to filter unwanted access.
Recall that to make forwarding decisions, a Layer 2 LAN switch builds a table based on the source MAC addresses in received frames. MAC address tables are stored in memory and are used to more efficiently forward frames.
A tool such as macof can flood a switch with up to 8,000 bogus frames per second, creating a MAC address table overflow in a matter of a few seconds.
Another reason why these attack tools are dangerous is because they not only affect the local switch, they can also affect other connected Layer 2 switches. When the MAC address table of a switch is full, it starts flooding out all ports including those connected to other Layer 2 switches.
To mitigate MAC address table overflow attacks, network administrators must implement port security. Port security will only allow a specified number of source MAC addresses to be learned on the port.
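As an added example (not from the page), port security on one access port configured to hold the limited number of source MAC addresses the paragraph above describes. The interface name and the limit of two addresses (a phone plus a PC behind it) are placeholders.

```cisco
! Added example, not from the page: port security on a user access port.
interface FastEthernet0/5
 description User access port
 ! Port security is only accepted on a static access (or trunk) port, not on "dynamic"
 switchport mode access
 switchport port-security
 ! Learn at most two source MACs; the third distinct source address is a violation
 switchport port-security maximum 2
 ! Learned addresses are written into the running config ("sticky"), so a reboot
 ! or link flap does not give a flooding tool a fresh window of 2 free slots
 switchport port-security mac-address sticky
 ! restrict: drop frames from unknown sources, keep the port up, count the
 ! violation and raise a syslog/SNMP trap (shutdown would err-disable the port)
 switchport port-security violation restrict
!
! Verification: SecureUp, current address count, violation count, last source MAC
! show port-security interface FastEthernet0/5
! show port-security address
```

The violation counter in show port-security interface is the detection signal for a flooding attempt: under macof-style traffic it climbs rapidly while the MAC table on that port never grows beyond the configured maximum, so the switch never falls into flood-to-all-ports mode.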
A VLAN hopping attack enables traffic from one VLAN to be seen by another VLAN without the aid of a router. In a basic VLAN hopping attack, the threat actor configures a host to act like a switch (use yersinia -G on Kali -> launch attack -> DTP tab -> enabling trunking), to take advantage of the automatic trunking port feature enabled by default on most switch ports.
A threat actor in specific situations could embed a hidden 802.1Q tag inside the frame that already has an 802.1Q tag. This tag allows the frame to go to a VLAN that the original 802.1Q tag did not specify.
A VLAN double-tagging attack is unidirectional and works only when the attacker is connected to a port residing in the same VLAN as the native VLAN of the trunk port. The idea is that double tagging allows the attacker to send data to hosts or servers on a VLAN that otherwise would be blocked by some type of access control configuration. Presumably the return traffic will also be permitted, thus giving the attacker the ability to communicate with devices on the normally blocked VLAN.
VLAN hopping and VLAN double-tagging attacks can be prevented by implementing the following trunk security guidelines:
Disable trunking on all access ports.
Disable auto trunking on trunk links so that trunks must be manually enabled.
Be sure that the native VLAN is only used for trunk links.
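The three guidelines applied to one access switch, as an added example that is not from the page. Interface ranges, VLAN ids and the unused native VLAN number 999 are placeholders.

```cisco
! Added example, not from the page: applying the three trunk-security guidelines.
!
! Guideline 1: access ports are fixed as access and never answer DTP, so a host
! that sends DTP "desirable" frames cannot negotiate itself into a trunk
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport nonegotiate
 switchport access vlan 10
!
! Guideline 2: real trunks are configured explicitly, with DTP switched off too
! Guideline 3: the native VLAN is an unused VLAN that exists only on the trunks,
! so no access port sits in the native VLAN and a double-tagged frame has no
! untagged "outer" VLAN to ride on
vlan 999
 name NATIVE_UNUSED
!
interface GigabitEthernet0/1
 description Trunk to distribution switch
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 ! Prune the trunk to the VLANs that actually need to cross it
 switchport trunk allowed vlan 10,20,30
!
! Verification: every port should show mode "on"/"off", never "dynamic",
! and the native VLAN column should read 999, not 1
! show interfaces trunk
! show dtp interface GigabitEthernet0/1
```

Some platforms that also support ISL require switchport trunk encapsulation dot1q before switchport mode trunk is accepted; on 802.1Q-only switches that command does not exist and is simply omitted.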
The goal of the DHCP Starvation attack is to create a DoS for connecting clients. DHCP starvation attacks require an attack tool such as Gobbler.
Gobbler looks at the entire scope of leasable IP addresses and tries to lease them all. Specifically, it creates DHCP discovery messages with bogus MAC addresses.
We can also use Yersinia (preferred way).
A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients. A rogue server can provide a variety of misleading information:
Wrong default gateway - The rogue server provides an invalid gateway or the IP address of its host to create a man-in-the-middle attack. This may go entirely undetected as the intruder intercepts the data flow through the network.
Wrong DNS server - The rogue server provides an incorrect DNS server address pointing the user to a nefarious website.
Wrong IP address - The rogue server provides an invalid IP address effectively creating a DoS attack on the DHCP client.
In this attack, both DHCP servers (legitimate and rogue) reply to the client's discovery message, and the first offer the client receives is the one it selects. That is why this kind of attack has to be carried out after the legitimate DHCP server is offline (due to a DoS, for example), so that the rogue server is the one chosen.
Two types of DHCP attacks are DHCP starvation and DHCP spoofing. Both attacks are mitigated by implementing DHCP snooping.
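DHCP snooping as it would be configured to counter both attacks just described, as an added example that is not the page's own configuration. VLAN ids, interface names and the rate limit of 6 packets per second are placeholders.

```cisco
! Added example, not from the page: DHCP snooping on an access switch.
!
! Enable snooping globally, then per VLAN (both steps are required)
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Do not insert option 82 unless the relay/server expects it; otherwise the
! legitimate server may drop the relayed requests
no ip dhcp snooping information option
!
! Spoofing: only the uplink toward the real DHCP server may send OFFER/ACK.
! A rogue server on any untrusted port has its server messages dropped.
interface GigabitEthernet0/1
 description Uplink to DHCP server
 ip dhcp snooping trust
!
! Starvation: user ports are untrusted (the default) and rate-limited. A host
! sending more than 6 DHCP messages per second is err-disabled, which stops a
! DISCOVER flood long before the scope is exhausted.
interface range FastEthernet0/1 - 24
 ip dhcp snooping limit rate 6
!
! Let a port err-disabled by the rate limit recover on its own after 5 minutes
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verification: trusted ports, rate limits, and the binding table
! (MAC, IP, lease time, VLAN, port) that DAI and IP Source Guard also rely on
! show ip dhcp snooping
! show ip dhcp snooping binding
```

The binding table built here is the foundation for the later mitigations: Dynamic ARP Inspection and IP Source Guard both consult it to decide whether an ARP reply or an IP source address is legitimate for the port it arrives on.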
Recall that hosts broadcast ARP Requests to determine the MAC address of a host with a particular IP address. This is typically done to discover the MAC address of the default gateway. All hosts on the subnet receive and process the ARP Request. The host with the matching IP address in the ARP Request sends an ARP Reply.
According to the ARP RFC, a client is allowed to send an unsolicited ARP Reply called a “gratuitous ARP.” When a host sends a gratuitous ARP, other hosts on the subnet store the MAC address and IP address contained in the gratuitous ARP in their ARP tables.
The problem is that an attacker can send a gratuitous ARP message containing a spoofed MAC address to a switch, and the switch would update its MAC table accordingly. Therefore, any host can claim to be the owner of any IP and MAC address combination they choose. In a typical attack, a threat actor can send unsolicited ARP Replies to other hosts on the subnet with the MAC Address of the threat actor and the IP address of the default gateway.
There are many tools available on the internet to create ARP man-in-the-middle attacks including dsniff, Cain & Abel, ettercap, Yersinia, and others. IPv6 uses ICMPv6 Neighbor Discovery Protocol for Layer 2 address resolution. IPv6 includes strategies to mitigate Neighbor Advertisement spoofing, similar to the way IPv6 prevents a spoofed ARP Reply.
ARP spoofing and ARP poisoning are mitigated by implementing DAI.
The threat actor sends two spoofed gratuitous ARP Replies in an attempt to replace R1 as the default gateway:
The first one informs all devices on the LAN that the threat actor’s MAC address (CC:CC:CC) maps to R1’s IP address, 10.0.0.1.
The second one informs all devices on the LAN that the threat actor’s MAC address (CC:CC:CC) maps to PC1’s IP address, 10.0.0.11.
R1 and PC1 remove the correct entry for each other’s MAC address and replace it with PC2’s MAC address. The threat actor has now poisoned the ARP caches of all devices on the subnet. ARP poisoning leads to various man-in-the-middle attacks, posing a serious security threat to the network.
When the switch receives the frame, it examines the source MAC address. The switch overwrites the current MAC table entry and assigns the MAC address to the new port, as shown in the figure. It then inadvertently forwards frames destined for the target host to the attacking host.
When the target host sends traffic, the switch will correct the error, realigning the MAC address to the original port. To stop the switch from returning the port assignment to its correct state, the threat actor can create a program or script that will constantly send frames to the switch so that the switch maintains the incorrect or spoofed information.
There is no security mechanism at Layer 2 that allows a switch to verify the source of MAC addresses, which is what makes it so vulnerable to spoofing. It is difficult, but IP and MAC address spoofing can be mitigated by implementing IPSG.
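The ARP poisoning scenario above (R1 at 10.0.0.1, PC1 at 10.0.0.11, the threat actor's CC:CC:CC address) and the MAC/IP spoofing passage are served by one added example that is not from the page: Dynamic ARP Inspection and IP Source Guard together, with the minimal DHCP snooping prerequisite they both depend on repeated so the block stands alone. VLAN ids and interface names are placeholders.

```cisco
! Added example, not from the page: DAI and IP Source Guard on an access switch.
! Both consult the DHCP snooping binding table, so snooping must be on for the VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! --- Dynamic ARP Inspection ---
! Every ARP packet on an untrusted port is checked against the binding table.
! The spoofed gratuitous ARP "10.0.0.1 is-at CC:CC:CC" is dropped and logged
! because the binding for the attacker's port maps CC:CC:CC to a different IP.
ip arp inspection vlan 10
! Extra checks: sender/target MACs must match the Ethernet header, and the
! sender IP must not be 0.0.0.0, 255.255.255.255 or multicast
ip arp inspection validate src-mac dst-mac ip
!
! --- User ports: untrusted for ARP, rate-limited, and source-guarded ---
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ! Rate-limit ARP on user ports (15 pps is the default) so an ARP flood
 ! cannot overwhelm the switch CPU; exceeding it err-disables the port
 ip arp inspection limit rate 15
 ! IP Source Guard with MAC checking requires port security on the port
 switchport port-security
 ! Drop any frame whose source IP *and* source MAC do not match this port's
 ! DHCP snooping binding, which defeats both IP and MAC address spoofing
 ip verify source port-security
!
! Uplinks and the DHCP server port are trusted for both DHCP and ARP
interface GigabitEthernet0/1
 description Uplink
 ip dhcp snooping trust
 ip arp inspection trust
!
! Verification
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
! show ip verify source
```

The "DHCP Drops" and "ACL Drops" counters in show ip arp inspection statistics are the detection signal for a poisoning attempt; hosts with static addresses that never obtain a DHCP lease need an arp access-list entry bound to the VLAN, otherwise their legitimate ARP traffic is dropped as well.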
Network attackers can manipulate the Spanning Tree Protocol (STP) to conduct an attack by spoofing the root bridge and changing the topology of a network. Attackers can make their hosts appear as root bridges and therefore capture all traffic for the immediate switched domain.
To conduct an STP manipulation attack, the attacking host broadcasts STP bridge protocol data units (BPDUs) containing configuration and topology changes that will force spanning-tree recalculations, as shown in the figure. The BPDUs sent by the attacking host announce a lower bridge priority in an attempt to be elected as the root bridge.
If successful, the attacking host becomes the root bridge, as shown in the figure, and can now capture a variety of frames that would otherwise not be accessible.
This STP attack is mitigated by implementing BPDU Guard on all access ports.
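BPDU Guard on the access ports, plus the root-placement and Root Guard settings that back it up, as an added example that is not from the page. Interface names are placeholders.

```cisco
! Added example, not from the page: keeping a host from becoming the STP root.
!
! Pin the root: the lowest possible priority on the intended root switch, so a
! forged BPDU with "lower priority" from a host cannot win the election
spanning-tree vlan 1-4094 priority 0
!
! Access ports: PortFast plus BPDU Guard. Hosts never send BPDUs, so any BPDU
! arriving here is treated as hostile and the port is err-disabled instead of
! triggering a topology recalculation
interface range FastEthernet0/1 - 24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Same effect for every PortFast-enabled port in one global command
spanning-tree portfast bpduguard default
!
! Downlink toward an access switch that must never become root: Root Guard
! puts the port into root-inconsistent state if a superior BPDU arrives
interface GigabitEthernet0/2
 description Downlink to access switch
 spanning-tree guard root
!
! Auto-recover BPDU-Guard err-disabled ports after 5 minutes
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification
! show spanning-tree summary
! show spanning-tree inconsistentports
```

A port flapping into err-disabled state with "bpduguard" in the syslog message is the observable trace of a BPDU injection attempt on that port.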
The Cisco Discovery Protocol (CDP) is a proprietary Layer 2 link discovery protocol. It is enabled on all Cisco devices by default. CDP can automatically discover other CDP-enabled devices and help auto-configure their connection. Network administrators also use CDP to help configure and troubleshoot network devices.
CDP information is sent out CDP-enabled ports in periodic, unencrypted broadcasts. CDP information includes the IP address of the device, IOS software version, platform, capabilities, and the native VLAN. The device receiving the CDP message updates its CDP database.
However, the information provided by CDP can also be used by a threat actor to discover network infrastructure vulnerabilities.
In the figure, a sample Wireshark capture displays the contents of a CDP packet. The attacker is able to identify the Cisco IOS software version used by the device. This allows the attacker to determine whether there are any security vulnerabilities specific to that particular version of IOS.
CDP broadcasts are sent unencrypted and unauthenticated. Therefore, an attacker could interfere with the network infrastructure by sending crafted CDP frames containing bogus device information to directly-connected Cisco devices.
To mitigate the exploitation of CDP, limit the use of CDP on devices or ports. For example, disable CDP on edge ports that connect to untrusted devices.
To disable CDP globally on a device, use the no cdp run global configuration mode command. To enable CDP globally, use the cdp run global configuration command.
To disable CDP on a port, use the no cdp enable interface configuration command. To enable CDP on a port, use the cdp enable interface configuration command.
Link Layer Discovery Protocol (LLDP) is also vulnerable to reconnaissance attacks. Configure no lldp run to disable LLDP globally. To disable LLDP on the interface, configure no lldp transmit and no lldp receive.