Friday, February 24, 2012

ADDITIONAL LAYER 2 SECURITY

DHCP SNOOPING

  • This is a way of enforcing the DHCP server role on ports.
  • The issue DHCP snooping addresses is a man-in-the-middle attack on DHCP.
  • The way DHCP works is that the host broadcasts a DHCP request (DHCPDISCOVER) onto the segment; the router on the segment is usually configured to pass this broadcast on to the DHCP server. The DHCP server then unicasts back a DHCP offer with the IP address on offer etc. The client sends back a DHCP request (broadcast) saying it would like to reserve this, and the DHCP server replies with a unicast DHCP ack. As we see, the initial request is broadcast, so every other device on the segment receives it. This is what the DHCP attack is: a rogue DHCP server is set up on the segment, and when the broadcast is received it sends back an offer. Whichever DHCP server responds first wins, so the rogue server sends an offer setting itself as the default gateway.
  • DHCP snooping validates DHCP messages arriving on untrusted ports and filters out the invalid ones. So if a DHCP offer comes in on an access port that does not lead to the DHCP server and DHCP snooping is enabled, the offer is filtered.
  • DHCP snooping only allows trusted ports to respond to the DHCP request broadcast. So you set your user access ports to untrusted and your uplink towards the designated DHCP server as trusted, so offers can only come in on trusted ports.
  • Also, when you enable DHCP snooping it creates the DHCP snooping binding database, which keeps track of your MAC to IP to port bindings. This is also used by other security features (DAI and IP source guard below).
  • It can also rate limit DHCP traffic on trusted and untrusted ports.
  • It is enabled on a per-VLAN basis.
  • If DHCP MAC verification is on, snooping checks the frame's source MAC against the DHCP client hardware address (chaddr); if they do not match the packet is not allowed.
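A small model of the checks described above, added here as an illustration and not part of the original post: server messages arriving on untrusted ports are dropped, the source MAC is compared with chaddr, and an ACK seen on the trusted uplink completes the binding entry for the client that requested it. Port names, MACs and addresses are constructed.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these

@dataclass
class Dhcp:
    msg: str                  # DHCP message type
    src_mac: str              # Ethernet source MAC of the frame
    chaddr: str               # client hardware address inside the DHCP payload
    yiaddr: str = "0.0.0.0"   # address offered / acknowledged (server messages)

@dataclass
class DhcpSnooping:
    trusted: set = field(default_factory=set)     # ports with 'ip dhcp snooping trust'
    verify_hwaddr: bool = True                    # hwaddr verification (on by default)
    bindings: dict = field(default_factory=dict)  # client MAC -> (ip, port)
    pending: dict = field(default_factory=dict)   # client MAC -> port its REQUEST came in on

    def inspect(self, port: str, pkt: Dhcp) -> str:
        """Return 'forward' or 'drop: <reason>' for one DHCP packet seen on port."""
        if port in self.trusted:
            # Trusted ports (uplink to the server, trunks) are not filtered, but an
            # ACK seen there completes the binding for the client that requested it.
            if pkt.msg == "ACK" and pkt.chaddr in self.pending:
                self.bindings[pkt.chaddr] = (pkt.yiaddr, self.pending.pop(pkt.chaddr))
            return "forward"
        if pkt.msg in SERVER_MSGS:
            return "drop: server message on untrusted port"
        if self.verify_hwaddr and pkt.src_mac.lower() != pkt.chaddr.lower():
            return "drop: source MAC does not match chaddr"
        if pkt.msg == "REQUEST":
            self.pending[pkt.chaddr] = port   # remember which access port the client is on
        return "forward"

def demo() -> dict:
    """Constructed scenario: Fa0/1 is the trusted uplink towards the real DHCP server."""
    snoop = DhcpSnooping(trusted={"Fa0/1"})
    client = "0011.2233.4455"
    results = {
        "client_request": snoop.inspect("Fa0/5", Dhcp("REQUEST", client, client)),
        # rogue server on another access port answering the client's broadcast
        "rogue_offer": snoop.inspect("Fa0/7", Dhcp("OFFER", "aaaa.bbbb.cccc", client, "10.0.0.50")),
        # frame source MAC and DHCP chaddr disagree
        "spoofed_chaddr": snoop.inspect("Fa0/8", Dhcp("DISCOVER", "dead.beef.0001", "0000.0000.0002")),
        # the real server's ACK arrives on the trusted uplink
        "server_ack": snoop.inspect("Fa0/1", Dhcp("ACK", "0000.5e00.5301", client, "10.0.0.20")),
    }
    results["binding"] = snoop.bindings.get(client)   # ('10.0.0.20', 'Fa0/5')
    return results
```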

DHCP SNOOPING CAVEATS

  • Do not forget to trust the port towards the DHCP server.
  • In a multi-switch scenario, trust the trunk links.
  • Keep in mind that DHCP snooping inserts the option 82 (relay agent information) option into the packet. Some servers do not support this; if that is the case you can disable it with:
no ip dhcp snooping information option
  • Alternatively, configure the server to trust packets with an empty giaddr.

Commands

ip dhcp snooping
ip dhcp snooping vlan 146
int fa0/1
ip dhcp snooping trust

All other ports in VLAN 146 remain untrusted.


LAB

S4
---
so I have switched DHCP snooping on and added VLAN 146
s4(config)#ip dhcp snooping
s4(config)#ip dhcp snooping vlan 146
s4#sh ip dhcp snoop
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
146
DHCP snooping is configured on the following Interfaces:
Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
s4#

ok so I will enable a trusted interface where the DHCP server is

s4(config)#int fa0/1
s4(config-if)#ip dhcp snooping trust

s4#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
146
DHCP snooping is configured on the following Interfaces:
Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/1              yes         unlimited
s4#

That is really all that is required. You just need to watch out: if the DHCP server is not connected to this switch, trust the trunk links.
Watch out for option 82, particularly if using Cisco IOS as the DHCP server; it does not support it, so you need to disable option 82:

s4(config)#no ip dhcp snooping information option

Dynamic ARP Inspection (DAI)

  • This is in response to the ARP poisoning attack. The attack works like this: a client ARPs for the MAC of the default gateway as normal. The rogue attacker replies saying "I have the default gateway IP and my MAC is this". The user then forwards packets at layer 2 to the rogue device. The attacker will most likely forward the packets on to the legitimate default gateway, so the attack is transparent to the user; they do not know it is happening.
  • Dynamic ARP Inspection (DAI) is a way of dealing with this type of attack. It inspects ARP requests and responses and compares them to the DHCP snooping database; if an ARP packet conflicts with the database it is ignored.
  • There is a second part to this: if DHCP snooping or DHCP is not being used, i.e. we are using static addressing, we can statically configure the IP to MAC mapping for the default gateway in an ARP access-list.
  • Static is preferred over dynamic.

Commands

ip arp inspection vlan 146

int fa0/1
ip arp inspection trust

Static config
arp access-list MYFILTER
permit ip host 10.229.254.1 mac host 0000.0000.0001

we apply it to the VLAN

ip arp inspection filter MYFILTER vlan 146


LAB

We will look at the config for both scenarios.
For dynamic, with DHCP-assigned addresses:
s4(config)#ip arp inspection vlan 146
This will enable inspection of ARP requests and responses on the segment; it checks the DHCP snooping database for the port to MAC to IP binding.

We will configure our trunks to be trusted, as these carry multiple MACs for multiple VLANs.

s4(config)#int fa0/4
s4(config-if)#ip arp inspection trust

For the static mappings
------------------------
We do not have a DHCP binding entry for statically assigned addresses, so we can manually create an entry for the inspection to use.
We use an ARP access-list:
s4(config)#arp access-list MYFILTER
s4(config-arp-nacl)#permit ip host 10.229.254.1 mac host 0000.0000.0001

We apply this to the VLAN with:
s4(config)#ip arp inspection filter MYFILTER vlan 146


IP SOURCE GUARD

  • Prevents IP address spoofing.
  • Same concept as ARP inspection but at layer 3.
  • Uses the DHCP snooping database to filter IP addresses on the port dynamically.
  • Port security must be enabled.
  • IP source guard is not supported on EtherChannels.

Commands

ip verify source (interface command)

MAC address filtering can also be enforced. This requires port security to be enabled on the interface; the additional parameter is:

ip verify source port-security

Static IP to MAC mapping on the VLAN:
ip source binding (global command)
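To show how DAI (above) and IP source guard both lean on the same DHCP snooping bindings, here is an added model, not code from the post: DAI consults the static ARP ACL first and then the bindings, skipping trusted trunk ports, while IP source guard with port-security checks the source IP and MAC of each packet against the binding for that port. The binding, host MACs and ports are constructed; the gateway entry mirrors the post's MYFILTER ACL.

```python
from collections import namedtuple
from dataclasses import dataclass, field

Binding = namedtuple("Binding", "ip mac vlan port")   # one DHCP snooping database entry

@dataclass
class Layer2Guard:
    bindings: list                                      # DHCP snooping binding database
    arp_acl: dict = field(default_factory=dict)         # static 'arp access-list': ip -> mac
    trusted: set = field(default_factory=set)           # 'ip arp inspection trust' ports
    source_guard: set = field(default_factory=set)      # ports with 'ip verify source port-security'

    def dai(self, port: str, vlan: int, sender_ip: str, sender_mac: str) -> str:
        """DAI verdict on an ARP request/reply received on an access port."""
        if port in self.trusted:
            return "forward"   # trunks / uplinks are not inspected
        # Static ARP ACL is consulted first (static wins); a miss falls through to the bindings.
        if sender_ip in self.arp_acl:
            return "forward" if self.arp_acl[sender_ip] == sender_mac else "drop: ARP ACL mismatch"
        if any(b.vlan == vlan and b.port == port and b.ip == sender_ip and b.mac == sender_mac
               for b in self.bindings):
            return "forward"
        return "drop: no DHCP snooping binding for sender"

    def ip_source_guard(self, port: str, vlan: int, src_ip: str, src_mac: str) -> str:
        """IP Source Guard (with port-security) verdict on an IP packet received on port."""
        if port not in self.source_guard:
            return "forward"   # feature not enabled on this port
        if any(b.vlan == vlan and b.port == port and b.ip == src_ip and b.mac == src_mac
               for b in self.bindings):
            return "forward"
        return "drop: source IP/MAC not bound to this port"

def demo() -> dict:
    """Constructed VLAN 146 scenario: one DHCP client on Fa0/5, trunk on Fa0/4."""
    g = Layer2Guard(
        bindings=[Binding("10.229.254.50", "0011.2233.4455", 146, "Fa0/5")],
        arp_acl={"10.229.254.1": "0000.0000.0001"},   # default gateway, as in MYFILTER
        trusted={"Fa0/4"},
        source_guard={"Fa0/5", "Fa0/7"},
    )
    return {
        "legit_arp": g.dai("Fa0/5", 146, "10.229.254.50", "0011.2233.4455"),
        "poison_gw": g.dai("Fa0/7", 146, "10.229.254.1", "aaaa.bbbb.cccc"),  # rogue 'gateway'
        "trunk_arp": g.dai("Fa0/4", 146, "10.229.254.99", "1234.5678.9abc"),
        "legit_ip": g.ip_source_guard("Fa0/5", 146, "10.229.254.50", "0011.2233.4455"),
        "spoofed_ip": g.ip_source_guard("Fa0/7", 146, "10.229.254.50", "0011.2233.4455"),
    }
```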
