Securing network switches at the layer 2 level is important to prevent various attacks. The document outlines steps to secure administrative access to switches, protect the management port, turn off unused services and interfaces, and use features like DHCP snooping, dynamic ARP inspection (DAI), port security, and VLANs to mitigate attacks like VLAN hopping, STP manipulation, DHCP spoofing, ARP spoofing, CAM table overflows, and MAC address spoofing. Following configuration best practices and securing switches at layer 2 helps strengthen network security.
1. Applying Security Policies to Network Switches. Deniz Kaya, Microsoft, Cisco and Ironport Trainer (CCSI, CCNP, MCT, MCSE, ICSI, ICSP).
3. Why Worry About Layer 2 Security? OSI was built to allow different layers to work without knowledge of each other. [Figure: Host A and Host B, each drawn as the OSI stack (Application, Presentation, Session, Transport, Network, Data Link, Physical); peer layers exchange, from bottom to top, physical links, MAC addresses, IP addresses, protocols and ports, and the application stream.]
19. STP Attack (Cont.) The attacker sends spoofed BPDUs to change the STP topology. The attacker now becomes the root bridge. [Figure: two STP diagrams of the same access switches with port states marked F (forwarding), B (blocking) and X (blocked link); in the first the legitimate switch is Root, in the second the attacker's station has become Root.]
26. “Learns” by Flooding the Network. Host A (MAC A, Port 1) sends a frame A->B. The CAM table is incomplete: it holds MAC A on Port 1 and MAC C on Port 3, but MAC B is unknown, so the switch floods the frame out every other port. MAC C “sees” traffic to MAC B. [Figure: three hosts on Ports 1 to 3; CAM table A -> 1, C -> 3; the A->B frame is copied to Port 2 and Port 3.]
27. CAM Learns MAC B Is on Port 2. Host B replies with a frame B->A. CAM learns that MAC B is on Port 2 (table: A -> 1, B -> 2, C -> 3). Host C drops the packet addressed to host B. (MAC A = host A, MAC B = host B, MAC C = host C.)
28. CAM Table Is Updated — Flooding Stops. The next A->B frame is switched only to Port 2, because CAM has learned MAC B is on Port 2. MAC C does not “see” traffic to MAC B anymore. CAM tables are limited in size. [Figure: same three hosts; CAM table A -> 1, B -> 2, C -> 3.]
29. Intruder Launches macof Utility. The intruder runs macof on MAC C (Port 3). Macof starts sending frames with unknown, bogus source MAC addresses (X->?, Y->?), and the bogus addresses are added to the CAM table: X is on Port 3 and CAM is updated; Y is on Port 3 and CAM is updated. [Figure: the CAM table changes from A -> 1, B -> 2, C -> 3 to X -> 3, B -> 2, C -> 3 and then to X -> 3, Y -> 3, C -> 3.]
30. The CAM Table Overflows — Switch Crumbles Under the Pressure. The CAM table is full (X -> 3, Y -> 3, C -> 3), so Port 3 is closed. When host A sends A->B, MAC B is unknown, so the switch floods the frame looking for MAC B, and the frame reaches Port 3 as well. (MAC A = host A, MAC B = host B, MAC C = host C.)
31. MAC Address Spoofing Attack. [Figure: four-panel sequence. Hosts A, B and C sit on switch ports 1, 2 and 3, and the initial Switch Port Table reads 1 -> A, 2 -> B, 3 -> C. The attacking host sends frames with a forged source address, SRC: MAC (A); the Spoofed Switch Port Table and then the Updated Switch Port Table bind MAC A to the attacker's port, so frames with DEST MAC: A are delivered to the attacker instead of to host A. SRC = Source, DEST = Destination.]
35. Port Security Defaults (Feature: Default Setting)
Port security: Disabled on a port.
Maximum number of secure MAC addresses: 1.
Violation mode: Shutdown (the port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent).
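The following is an added teaching example, not code from the presentation, that models in one place the CAM learning and flooding of slides 26 to 30, the source-MAC rebinding of slide 31, and the port security defaults of slide 35 (one secure MAC per port, violation mode shutdown). Everything in it is constructed: the three-port switch, the CAM capacity of 4, the MAC names, and the rule that the oldest CAM entry is evicted when the table is full, which stands in for real CAM aging under flooding pressure. It is meant to show why a port with port security enabled stops both the overflow and the spoofed source before the CAM is touched.

```python
"""Toy switch CAM table with port security (constructed example).

Not code from the presentation. Port numbers, MAC names, the capacity of 4
and the oldest-entry eviction rule are made-up simplifications.
"""
from collections import OrderedDict


class Switch:
    def __init__(self, ports=(1, 2, 3), cam_capacity=4):
        self.ports = ports
        self.cam_capacity = cam_capacity      # CAM tables are limited in size
        self.cam = OrderedDict()              # mac -> port, oldest entry first
        self.port_security = {}               # port -> (maximum, violation mode)
        self.secure_macs = {}                 # port -> set of secure MACs
        self.err_disabled = set()             # ports shut down by a violation
        self.log = []                         # what an operator would see

    def enable_port_security(self, port, maximum=1, violation="shutdown"):
        """Defaults from the slide: 1 secure MAC, violation mode shutdown."""
        self.port_security[port] = (maximum, violation)
        self.secure_macs[port] = set()

    def _port_security_ok(self, src, in_port):
        """True if src may be learned on in_port; records a violation otherwise."""
        if in_port not in self.port_security:
            return True
        maximum, violation = self.port_security[in_port]
        allowed = self.secure_macs[in_port]
        if src in allowed:
            return True
        if len(allowed) < maximum:
            allowed.add(src)                  # dynamically learned secure MAC
            return True
        self.log.append(f"VIOLATION port {in_port} src {src}: {violation}, SNMP trap sent")
        if violation == "shutdown":
            self.err_disabled.add(in_port)    # err-disable the port
        return False

    def _learn(self, src, in_port):
        """Bind the source MAC to the ingress port, evicting the oldest when full."""
        if src in self.cam:
            if self.cam[src] != in_port:      # MAC moved, or its source was spoofed
                self.log.append(f"MAC {src} moved port {self.cam[src]} -> {in_port}")
            self.cam[src] = in_port
            self.cam.move_to_end(src)
            return
        if len(self.cam) >= self.cam_capacity:
            evicted, _ = self.cam.popitem(last=False)
            self.log.append(f"CAM full: evicted {evicted} to learn {src}")
        self.cam[src] = in_port

    def forward(self, src, dst, in_port):
        """Return the egress ports for a frame src->dst arriving on in_port."""
        if in_port in self.err_disabled or not self._port_security_ok(src, in_port):
            return []                         # frame dropped
        self._learn(src, in_port)
        if dst in self.cam:
            return [self.cam[dst]]            # known destination: one port
        return [p for p in self.ports if p != in_port]  # unknown: flood


def cam_overflow_scenario(bogus_frames=10):
    """Slides 29-30, no port security: bogus sources from port 3 evict A and B,
    so the next A->B frame is flooded again and port 3 sees it."""
    sw = Switch()
    sw.forward("A", "B", 1)                   # A learned on 1; B unknown -> flood
    sw.forward("B", "A", 2)                   # B learned on 2; flooding stops
    for i in range(bogus_frames):
        sw.forward(f"X{i}", "?", 3)           # macof-style bogus source MACs
    return sw.forward("A", "B", 1)            # -> [2, 3]


def mac_spoofing_scenario():
    """Slide 31, no port security: a frame with forged source A from port 3
    rebinds A, so B's reply to A is delivered to port 3."""
    sw = Switch()
    sw.forward("A", "B", 1)
    sw.forward("B", "A", 2)
    sw.forward("A", "B", 3)                   # forged source address
    return sw.forward("B", "A", 2)            # -> [3]


def port_security_scenario():
    """Slide 35 defaults on port 3: the first unknown source after C shuts the
    port; the CAM keeps A and B and A->B still goes only to port 2."""
    sw = Switch()
    sw.enable_port_security(3)                # maximum 1, violation shutdown
    sw.forward("A", "B", 1)
    sw.forward("B", "A", 2)
    sw.forward("C", "A", 3)                   # C becomes port 3's secure MAC
    spoof = sw.forward("A", "B", 3)           # forged source A: violation
    flood = [sw.forward(f"X{i}", "?", 3) for i in range(10)]
    return {"spoof_dropped": spoof == [],
            "flood_dropped": all(f == [] for f in flood),
            "port3_shutdown": 3 in sw.err_disabled,
            "a_to_b": sw.forward("A", "B", 1),
            "violations": sum("VIOLATION" in line for line in sw.log)}
```

Running the three scenario functions shows the contrast the slides draw: without port security the overflow returns `[2, 3]` and the spoof returns `[3]`, while with the slide's defaults on the intruder's port the first forged source MAC err-disables that port with a single logged violation and A->B keeps going only to port 2. The `log` list is the place to look when checking that a violation or an unexpected MAC move would actually be visible to an operator.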