Layer 2 Infrastructure Security(Defensive Countermeasures)(Part 3)

Alright, enough of just talking about the attacks. Let us now examine the different solutions that can be implemented to mitigate them.

Port Security

Port Security is a feature on Cisco switches that enables an engineer to restrict access to an interface. This is done by specifying, statically or dynamically, which MAC addresses are allowed to be seen on that interface and how many of them. In the event of a security violation, we can decide what action to take. This effectively thwarts CAM table thrashing.

Alright, so I had to perform some configuration on the switch in order to get it to work. The interesting commands to look at are the last 3. The first of the 3 simply activates port security on this particular interface. The next one sets the maximum number of MAC addresses that can be learned on this interface. So in our case, once 3 MAC addresses have been learned, the switch will simply not accept any new ones. The last command says that if we were to see more than 3 MAC addresses on this interface, this would count as a security violation and the interface would be shut down.

I ran Macof again and guess what? Port security kicked in very fast! As you can see, the Port Status is now Secure-shutdown. This proves that it does work.

Disabling CDP

CDP is a very handy network utility, but it provides no authentication or authorization. That means that just about anyone can send me CDP frames and I have no way to make sure that they came from a trusted source. There are 2 things that could be done. One is to disable CDP completely on the whole switch. The other is to allow it only on certain pre-defined interfaces. By default, CDP is active on all of the ports. I believe that the better solution is to disable it on interfaces that are connected to public networks (the Internet) or to ports connected to users (access ports). Yes, this means that more planning has to be undertaken in order to secure this protocol, but it is well worth it.

It's really easy to secure our switch from CDP flooding attacks. In our case, the Kali box was connected to the FastEthernet 0/2 interface. So what I did is the following: I simply entered interface configuration mode and disabled CDP on that interface. That's it! It's really simple, but it works, and you won't be facing any more DoS attacks because of this type of flood.

Disabling DTP frames

We all need VLANs. Right? So what can be done to add an extra layer of security to them? DTP makes it much easier to configure our trunk links, but it also poses a serious security risk. Disabling DTP frames is one way to harden our network.

What I decided to do is configure the interface between the switches as a trunk link and disable DTP frames on those interfaces (fa0/11). So now the only way to form a trunk is to manually configure one. I also made the interface connected to the Kali box an access port (fa0/1). Access ports are configured on ports connected to workstations and servers; an access port only carries the traffic of one VLAN. Also, by making the port an access port, no trunk link can be negotiated on it. This is a simple but very effective solution.

BPDU Guard

We all see the need for STP in our networks, but how can one stop STP manipulation attacks? BPDU Guard is a feature that makes a port shut itself down in the event that it receives a BPDU. So it is of great use to activate this feature on access ports, because we do not expect another (unauthorized) switch to be connected on such a port. This is the configuration that I placed on my 3560 in order to lock it down.

The first command that I ran tells the switch to enable BPDU guard on all ports set to portfast (more on this later). I then configured the interface connected to the Kali box as an access port and placed it in VLAN 1. Finally, I decided to configure portfast on the interface. So let us dissect the meaning of portfast. Portfast is a feature that allows a port to start forwarding frames immediately, without having to go through the entire STP process. That whole calculation can take up to 50 seconds! However, one should be careful with this command. The OS warns us about this configuration: if anything other than a single end host is connected to a portfast port, a loop could be introduced into your layer 2 topology.
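As an added example that is not part of the original article, here is a small Python auditor that checks a Cisco IOS running-config for the four countermeasures described above (port security, no CDP on access ports, static trunks with DTP disabled, and BPDU guard on portfast ports) and reports what each interface is missing. The sample config is constructed for this example; it reuses the article's interface names (fa0/1 as the hardened access port, fa0/11 as the inter-switch trunk) and adds fa0/2 as an access port left at defaults.

```python
# Constructed sample running-config (not from the article): fa0/1 hardened, fa0/2 at defaults, fa0/11 trunk.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
 no cdp enable
 spanning-tree portfast
interface FastEthernet0/2
 switchport mode access
interface FastEthernet0/11
 switchport mode trunk
 switchport nonegotiate
"""
ACCESS_RULES = {  # commands every user-facing (access) port must carry
    "access-mode": "switchport mode access",
    "port-security": "switchport port-security",
    "cdp": "no cdp enable",
}
def parse_interfaces(config):
    """Map each 'interface' stanza of an IOS running-config to its set of commands."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1]
            ifaces[current] = set()
        elif raw.startswith(" ") and current:
            ifaces[current].add(raw.strip())
        else:  # any other unindented line ends the stanza
            current = None
    return ifaces
def audit(config):
    """Return {interface: [missing countermeasures]}; fully hardened ports are omitted."""
    ifaces = parse_interfaces(config)
    # The global command that arms BPDU guard on every portfast port.
    guard_default = "spanning-tree portfast bpduguard default" in config.splitlines()
    findings = {}
    for name, lines in ifaces.items():
        missing = []
        if "switchport mode trunk" in lines:
            if "switchport nonegotiate" not in lines:  # DTP must be off on static trunks
                missing.append("dtp")
        else:
            missing += [k for k, cmd in ACCESS_RULES.items() if cmd not in lines]
            if not ("spanning-tree bpduguard enable" in lines or
                    guard_default and "spanning-tree portfast" in lines):
                missing.append("bpduguard")
        if missing:
            findings[name] = missing
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags only FastEthernet0/2; removing `switchport nonegotiate` from the trunk or the global bpduguard line makes the corresponding ports show up too.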


Personal thoughts

At first, Dany wasn't very fond of simulating these attacks because he found them too simple, but I had 2 arguments against his point of view. My first argument was that yes, they are simple, but many companies worry too much about attacks coming from the outside and not enough about internal attack vectors. Think about it: someone could simply walk into your office and plug an Ethernet cable into an RJ45 wall socket. From there on he could perform all of these attacks and take over your network. Do you not think that is bad enough? My second justification was that my goal is to educate and teach others about security. I wanted to break it down so that even a person who barely understands how to build a PC could understand certain concepts about network security. Later on, if more people are interested, we could for sure cover more interesting attacks. Remember, Rome was not built in one day, and it took time to set up its foundations. I hope this was helpful to you all and you were able to learn something from it. I thank you for reading my articles.

