Szerkesztő:LinguisticMystic/ru/безопасность/14
🔐 14.0. Module 14: Layer 2 Security Considerations Introduction
Layer 2 Security is essential for protecting network infrastructure from attacks targeting the data link layer of the OSI model. Since Layer 2 focuses on switching and MAC address management, securing it is crucial to prevent unauthorized access, traffic interception, and network disruptions.
🌟 1. Why Is Layer 2 Security Important?
✅ Prevents Network Disruptions – Stops attacks like MAC flooding and STP manipulation.
✅ Blocks Unauthorized Access – Ensures that only trusted devices can connect.
✅ Mitigates Spoofing Attacks – Prevents MAC and ARP spoofing.
✅ Protects VLAN Segmentation – Stops VLAN hopping and unauthorized VLAN access.
✅ Improves Overall Network Security – Strengthens Layer 2 defenses against cyber threats.
🔑 2. Common Layer 2 Threats
| Threat Type | Description | Impact |
|---|---|---|
| MAC Flooding | Overloads a switch’s MAC table with fake addresses. | Causes switches to flood traffic, leading to sniffing attacks. |
| ARP Spoofing | Attacker sends fake ARP replies to impersonate a device. | Allows Man-in-the-Middle (MitM) attacks and data interception. |
| STP Manipulation | Exploiting Spanning Tree Protocol (STP) to alter topology. | Can redirect or disrupt network traffic. |
| VLAN Hopping | Bypassing VLAN restrictions to access other VLANs. | Enables attackers to gain unauthorized access to network segments. |
| DHCP Starvation | Exhausts available DHCP addresses. | Prevents legitimate devices from obtaining IP addresses. |
🛠️ 3. Layer 2 Security Best Practices
| Security Feature | Purpose |
|---|---|
| Port Security | Prevents MAC flooding by limiting the number of MAC addresses per port. |
| Dynamic ARP Inspection (DAI) | Stops ARP spoofing by validating ARP requests/replies. |
| DHCP Snooping | Prevents DHCP Starvation and rogue DHCP servers. |
| BPDU Guard | Protects Spanning Tree Protocol (STP) from manipulation. |
| Private VLANs | Restricts communication between VLAN hosts for segmentation. |
| Storm Control | Limits broadcast, multicast, and unknown unicast traffic floods. |
🔥 4. Layer 2 Security Configuration on Cisco Switches
✅ Enable Port Security (Prevent MAC Flooding)
```
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
```
🔹 Allows only 2 MAC addresses per port; in restrict mode, frames from any further address are dropped and counted as violations while the port itself stays up.
✅ Enable Dynamic ARP Inspection (Prevent ARP Spoofing)
```
ip arp inspection vlan 10
interface GigabitEthernet0/1
 ip arp inspection trust
```
🔹 Verifies ARP packets arriving on untrusted ports against the DHCP snooping binding table, so DHCP snooping must be enabled on VLAN 10 (or ARP ACLs configured) for DAI to have something to validate against. The trusted port is the uplink toward the rest of the switched network.
✅ Enable DHCP Snooping (Prevent Rogue DHCP Servers)
```
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 ip dhcp snooping trust
```
🔹 Blocks DHCP server responses on every port except those marked trusted (the port toward the legitimate DHCP server).
✅ Enable BPDU Guard (Prevent STP Manipulation)
```
interface GigabitEthernet0/1
 spanning-tree bpduguard enable
```
🔹 Puts the port into the err-disabled state if a BPDU is received on it.
✅ Enable Storm Control (Prevent Traffic Flooding)
```
interface GigabitEthernet0/1
 storm-control broadcast level 5
 storm-control multicast level 10
```
🔹 Limits broadcast and multicast traffic to 5% and 10% of the port bandwidth respectively.
✅ 5. Best Practices for Layer 2 Security
✔ Disable Unused Ports – Prevents unauthorized access to unused switch ports.
✔ Use Private VLANs – Segments devices for added isolation.
✔ Apply VLAN ACLs (VACLs) – Controls traffic within VLANs.
✔ Use Strong Authentication (802.1X) – Ensures only authorized devices connect.
✔ Monitor Network Traffic – Detects suspicious activity and unauthorized access.
🚀 Final Thoughts
Layer 2 security is critical for preventing unauthorized access, attacks, and network disruptions. By implementing port security, ARP inspection, DHCP snooping, and STP protection, organizations can secure their switching infrastructure from threats.
🔥 14.1. Layer 2 Security Threats
Layer 2 (Data Link Layer) security threats target the switching infrastructure of a network. Attackers exploit weaknesses in MAC address handling, VLAN configuration, and protocol vulnerabilities to intercept, manipulate, or disrupt network traffic.
🌟 1. Why Are Layer 2 Security Threats Dangerous?
✅ Exploits Core Network Functions – Attacks target switches, ARP, STP, and VLANs.
✅ Difficult to Detect – Many attacks occur within the local network without generating logs.
✅ Can Bypass Firewalls & Perimeter Security – Threats occur inside the LAN, often bypassing security tools.
✅ Leads to Network Disruptions & Data Theft – Attackers manipulate traffic, cause denial-of-service (DoS), or intercept sensitive data.
🔑 2. Common Layer 2 Security Threats
| Threat Type | Description | Impact |
|---|---|---|
| MAC Flooding | Overloads a switch’s MAC address table with fake MAC addresses. | Switch enters fail-open mode, flooding traffic to all ports (used for sniffing). |
| ARP Spoofing (Poisoning) | Attacker sends fake ARP replies to impersonate a legitimate device. | Allows Man-in-the-Middle (MitM) attacks and data interception. |
| VLAN Hopping | Exploits VLAN misconfigurations to access unauthorized VLANs. | Allows attackers to bypass network segmentation. |
| STP Manipulation | Exploits Spanning Tree Protocol (STP) to change the network topology. | Causes traffic redirection or network outages. |
| DHCP Starvation | Exhausts all DHCP addresses by sending fake DHCP requests. | Prevents legitimate devices from obtaining IP addresses. |
| Rogue DHCP Servers | Attacker sets up a fake DHCP server to assign incorrect IP settings. | Redirects users to malicious gateways or hijacks DNS requests. |
| CDP/LLDP Spoofing | Sends fake Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP) packets to manipulate switches. | Can lead to network mapping and VLAN hopping attacks. |
| Port Stealing | Attacker listens for ARP requests and replies with their own MAC to hijack traffic. | Allows traffic redirection and interception. |
| Spoofing & Rogue Devices | Attackers connect unauthorized devices to the network. | Enables unauthorized access to sensitive resources. |
🛠️ 3. How Attackers Exploit Layer 2 Vulnerabilities
1️⃣ Sniffing Traffic – Using MAC flooding or ARP spoofing to capture unencrypted packets.
2️⃣ Masquerading as a Legitimate Device – Using spoofed MAC/IP addresses to steal credentials or intercept traffic.
3️⃣ Manipulating Network Protocols – Using STP, CDP, or LLDP exploits to reroute or disrupt traffic.
4️⃣ Gaining Unauthorized VLAN Access – Using VLAN hopping techniques to bypass security segmentation.
5️⃣ Launching DoS Attacks – Exhausting DHCP pools, flooding ARP tables, or creating broadcast storms to disrupt connectivity.
✅ 4. Best Practices for Preventing Layer 2 Attacks
✔ Enable Port Security – Limits MAC addresses per port to prevent MAC flooding.
✔ Enable Dynamic ARP Inspection (DAI) – Stops ARP spoofing attacks.
✔ Enable DHCP Snooping – Prevents rogue DHCP servers and DHCP starvation.
✔ Use BPDU Guard – Protects Spanning Tree Protocol (STP) from manipulation.
✔ Disable Unused Ports – Prevents rogue device connections.
✔ Use VLAN Access Control Lists (VACLs) – Restricts traffic flow within VLANs.
✔ Implement 802.1X Authentication – Ensures only authorized devices can connect.
✔ Monitor Network Logs & Anomalies – Detects suspicious Layer 2 activity in real time.
🚀 Final Thoughts
Layer 2 threats can be devastating to network security, but with proper configuration and best practices, organizations can protect their switching infrastructure from attacks.
🔥 14.2. MAC Table Attacks
MAC Table Attacks exploit vulnerabilities in a switch’s MAC address table to disrupt network traffic, intercept communications, or launch denial-of-service (DoS) attacks. Attackers use these techniques to manipulate how Layer 2 switches handle traffic.
🌟 1. Why Are MAC Table Attacks Dangerous?
✅ Disrupts Normal Network Functioning – Causes switches to behave like hubs, exposing traffic to all devices.
✅ Enables Eavesdropping (Packet Sniffing) – Attackers can capture sensitive data.
✅ Causes DoS (Denial-of-Service) Attacks – Overloads switch memory, leading to network slowdowns or failures.
✅ Bypasses VLAN Security – Can be used alongside VLAN hopping and ARP spoofing for broader network compromise.
🔑 2. Types of MAC Table Attacks
| Attack Type | Description | Impact |
|---|---|---|
| MAC Flooding | Overloads a switch’s MAC address table by sending thousands of fake MAC addresses. | Switch fails open, flooding traffic to all ports, allowing sniffing. |
| MAC Spoofing | Attacker forges a MAC address to impersonate another device. | Used for bypassing access controls, session hijacking, or man-in-the-middle (MitM) attacks. |
| Port Stealing Attack | Listens for ARP replies and impersonates the legitimate MAC address. | Redirects traffic to the attacker while keeping the real device offline. |
🛠️ 3. How MAC Table Attacks Work
✅ 1. MAC Flooding Attack (CAM Table Overflow)
1️⃣ The attacker sends thousands of fake MAC addresses to a switch.
2️⃣ The switch’s MAC address table overflows and enters fail-open mode.
3️⃣ Traffic is flooded to all switch ports, allowing packet sniffing.
📌 Tools Used: macof (from dsniff package)
```
macof -i eth0
```
🔹 This floods the switch with fake MAC addresses.
✅ 2. MAC Spoofing Attack
1️⃣ The attacker forges the MAC address of a trusted device.
2️⃣ The attacker bypasses security policies (e.g., port security, authentication).
3️⃣ The attacker can now intercept traffic or bypass network access controls.
📌 Linux MAC Spoofing Example:
```
ifconfig eth0 hw ether 00:11:22:33:44:55
```
🔹 This changes the MAC address of the network interface.
✅ 3. Port Stealing Attack
1️⃣ The attacker monitors ARP traffic to detect the MAC address of a victim.
2️⃣ The attacker sends fake ARP replies, claiming the victim’s MAC.
3️⃣ The switch redirects traffic to the attacker instead of the legitimate device.
📌 Attack Using Ettercap
```
ettercap -Tq -M arp:remote /192.168.1.1/ /192.168.1.100/
```
🔹 Intercepts traffic between the victim and gateway.
✅ 4. How to Prevent MAC Table Attacks
✔ Enable Port Security – Restricts the number of MAC addresses per port.
✔ Use Dynamic ARP Inspection (DAI) – Prevents ARP-based MAC spoofing attacks.
✔ Enable DHCP Snooping – Blocks rogue DHCP servers from assigning fake MACs.
✔ Implement 802.1X Authentication – Ensures only trusted devices connect.
✔ Monitor Network Logs & Alerts – Detects unusual MAC address activity.
🔥 5. Secure MAC Table with Cisco Port Security
✅ Enable Port Security on a Switch
```
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
```
🔹 Limits each port to 2 MAC addresses and blocks frames from any additional address.
✅ Enable Sticky MAC Addressing
```
interface GigabitEthernet0/1
 switchport port-security mac-address sticky
```
🔹 Automatically learns the connected MAC addresses and writes them into the running configuration as secure addresses; save the configuration so they survive a reload.
✅ Monitor Port Security Violations
```
show port-security interface GigabitEthernet0/1
```
🔹 Displays the violation mode, violation count, and the last source address that triggered a violation.
🚀 Final Thoughts
MAC Table Attacks are a serious threat to network security and confidentiality. Implementing Port Security, ARP Inspection, and 802.1X authentication can prevent attackers from exploiting Layer 2 vulnerabilities.
🔐 14.3. Mitigate MAC Table Attacks
MAC Table Attacks exploit switch vulnerabilities to manipulate traffic, intercept sensitive data, or cause network disruptions. To protect Layer 2 networks, administrators must implement security features that restrict unauthorized MAC address activities.
🌟 1. Why Is Mitigating MAC Table Attacks Important?
✅ Prevents Network Disruptions – Stops MAC flooding and table overflows.
✅ Protects Against Unauthorized Access – Ensures only trusted devices can connect.
✅ Prevents Packet Sniffing (Eavesdropping) – Secures traffic against interception.
✅ Enhances Network Stability – Protects against denial-of-service (DoS) attacks.
🔑 2. Security Features to Prevent MAC Table Attacks
| Security Feature | Purpose |
|---|---|
| Port Security | Limits the number of MAC addresses per port to prevent MAC flooding. |
| Sticky MAC Addresses | Learns and binds MAC addresses to prevent spoofing. |
| Dynamic ARP Inspection (DAI) | Stops ARP poisoning and spoofing attacks. |
| DHCP Snooping | Prevents rogue DHCP servers from assigning fake IP/MAC addresses. |
| BPDU Guard | Blocks Spanning Tree Protocol (STP) attacks. |
| Storm Control | Limits broadcast and multicast storms that can overwhelm switches. |
🛠️ 3. Configuring Cisco Switches to Prevent MAC Table Attacks
✅ 1. Enable Port Security (Limit MAC Addresses Per Port)
```
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
```
🔹 Allows only 2 MAC addresses per port and drops frames from any further address while keeping the port up.
✅ 2. Enable Sticky MAC Addressing
```
interface GigabitEthernet0/1
 switchport port-security mac-address sticky
```
🔹 Dynamically learns MAC addresses and binds them to the port as secure addresses; once saved to startup-config they persist across reloads, so only those hosts can reconnect.
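To make the port security behaviour described in 14.2 (section 5) and in steps 1 and 2 above concrete, here is an added example that is not part of the original page: a small Python model of a secured access port. It feeds a constructed frame sequence through `maximum 2` with each violation mode and shows which addresses survive a reload with and without sticky learning. The model follows the documented feature semantics; it is not switch code.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SecurePort:
    """Model of one access port with 'switchport port-security' enabled.

    Field names mirror the IOS keywords used on this page:
    maximum   -> switchport port-security maximum N
    violation -> switchport port-security violation {protect|restrict|shutdown}
    sticky    -> switchport port-security mac-address sticky
    """
    name: str
    maximum: int = 1              # IOS default once port-security is enabled
    violation: str = "shutdown"   # IOS default violation mode
    sticky: bool = False
    secure_macs: List[str] = field(default_factory=list)
    violation_count: int = 0
    err_disabled: bool = False
    last_violator: Optional[str] = None

    def receive(self, src_mac: str) -> str:
        """Return 'forward', 'drop' or 'err-disabled' for a frame from src_mac."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "err-disabled"        # nothing passes until the port is recovered
        if src_mac in self.secure_macs:
            return "forward"             # already a secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # dynamic (or sticky) learning
            return "forward"
        # Table is full and the source is unknown: a security violation.
        self.last_violator = src_mac
        if self.violation == "protect":
            return "drop"                # silently dropped, no counter, no log
        self.violation_count += 1        # restrict and shutdown both count and log
        if self.violation == "restrict":
            return "drop"                # offending frame dropped, port stays up
        self.err_disabled = True         # shutdown: the port goes err-disabled
        return "err-disabled"

    def reload(self, config_saved: bool) -> None:
        """Simulate a switch reload: only sticky addresses that were written to
        startup-config survive; dynamically learned ones are always lost."""
        if not (self.sticky and config_saved):
            self.secure_macs = []
        self.err_disabled = False
        self.violation_count = 0
        self.last_violator = None


# Constructed frame sequence: two legitimate hosts, a third source that exceeds
# 'maximum 2', then the first host again.
DEMO_FRAMES = ["0011.2233.aaaa", "0011.2233.bbbb", "0011.2233.cccc", "0011.2233.aaaa"]


def run_demo(violation: str, sticky: bool = False, config_saved: bool = False) -> dict:
    """Feed DEMO_FRAMES to a 'maximum 2' port and report what happened,
    including which hosts are still authorised after a reload."""
    port = SecurePort("GigabitEthernet0/1", maximum=2, violation=violation, sticky=sticky)
    verdicts = [port.receive(mac) for mac in DEMO_FRAMES]
    result = {
        "verdicts": verdicts,
        "violations": port.violation_count,
        "err_disabled": port.err_disabled,
    }
    port.reload(config_saved)
    result["secure_after_reload"] = list(port.secure_macs)
    return result


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, run_demo(mode))
    print("sticky+saved", run_demo("restrict", sticky=True, config_saved=True))
```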
✅ 3. Configure Dynamic ARP Inspection (Prevent ARP Spoofing)
```
ip arp inspection vlan 10
interface GigabitEthernet0/1
 ip arp inspection trust
```
🔹 Validates ARP packets on untrusted ports against the DHCP snooping bindings and drops those that would impersonate another device.
✅ 4. Enable DHCP Snooping (Prevent Rogue DHCP Servers)
```
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 ip dhcp snooping trust
```
🔹 Prevents fake DHCP servers from assigning incorrect MAC/IP mappings.
✅ 5. Enable BPDU Guard (Prevent STP Manipulation)
```
interface GigabitEthernet0/1
 spanning-tree bpduguard enable
```
🔹 Blocks unauthorized STP messages that could alter the network topology.
✅ 6. Enable Storm Control (Prevent Traffic Flooding)
```
interface GigabitEthernet0/1
 storm-control broadcast level 5
 storm-control multicast level 10
```
🔹 Limits excessive broadcast/multicast traffic that could overwhelm switches.
🔍 4. Monitoring for MAC Table Attacks
✅ Check Port Security Violations
```
show port-security interface GigabitEthernet0/1
```
🔹 Displays blocked devices and MAC violations.
✅ Monitor ARP Traffic for Spoofing Attempts
```
show ip arp inspection statistics
```
🔹 Shows how many ARP packets DAI has forwarded and dropped per VLAN.
✅ View DHCP Snooping Logs
```
show ip dhcp snooping binding
```
🔹 Verifies assigned IP-MAC bindings.
✅ 5. Best Practices for Mitigating MAC Table Attacks
✔ Enable Port Security with MAC Address Limits – Prevents MAC flooding attacks.
✔ Use Sticky MAC Addresses – Ensures only authorized devices reconnect.
✔ Implement Dynamic ARP Inspection (DAI) – Blocks spoofed ARP packets.
✔ Enable DHCP Snooping – Stops rogue DHCP servers from manipulating IP assignments.
✔ Use 802.1X Authentication – Ensures only trusted users/devices connect.
✔ Regularly Monitor Network Logs – Detects suspicious MAC activity and violations.
🚀 Final Thoughts
By implementing Port Security, ARP Inspection, and DHCP Snooping, networks can be hardened against MAC Table Attacks. Regular monitoring and security best practices further enhance protection against unauthorized access and network disruptions.
🔐 14.4. Mitigate VLAN Attacks
VLAN (Virtual Local Area Network) attacks exploit misconfigurations and weaknesses in Layer 2 networks to bypass segmentation, access restricted VLANs, and manipulate network traffic. Proper VLAN security ensures network isolation, integrity, and protection against unauthorized access.
🌟 1. Why Is VLAN Security Important?
✅ Prevents Unauthorized VLAN Access – Stops VLAN hopping and privilege escalation.
✅ Protects Network Segmentation – Ensures VLANs remain isolated from each other.
✅ Defends Against Man-in-the-Middle (MitM) Attacks – Prevents rogue devices from intercepting VLAN traffic.
✅ Enhances Layer 2 Security – Strengthens switch configurations to prevent VLAN manipulation.
🔑 2. Common VLAN Attack Techniques
| Attack Type | Description | Impact |
|---|---|---|
| VLAN Hopping (Switch Spoofing) | Attacker configures a fake trunk port to gain access to all VLANs. | Grants unauthorized access to multiple VLANs. |
| Double-Tagging Attack | Attacker inserts two VLAN tags into packets to bypass VLAN restrictions. | Allows the attacker to send packets into unauthorized VLANs. |
| DHCP Spoofing | Attacker sets up a rogue DHCP server to assign incorrect VLAN configurations. | Redirects users to malicious VLANs or fake gateways. |
| CDP/LLDP Spoofing | Attacker injects fake Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP) packets. | Can lead to VLAN hopping, network mapping, or traffic redirection. |
🛠️ 3. Mitigating VLAN Attacks on Cisco Switches
✅ 1. Disable Unused Switch Ports (Prevent Unauthorized VLAN Access)
```
interface range GigabitEthernet0/10-24
 shutdown
```
🔹 Prevents attackers from connecting unauthorized devices.
✅ 2. Disable Auto-Trunking (Prevent VLAN Hopping – Switch Spoofing)
```
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate
```
🔹 Forces the port to be an access port and stops it from sending DTP frames, so it cannot dynamically negotiate itself into a trunk.
✅ 3. Configure Allowed VLANs on Trunk Ports
```
interface GigabitEthernet0/2
 switchport trunk allowed vlan 10,20
```
🔹 Limits VLANs available on trunk links, preventing unauthorized VLAN access.
✅ 4. Move the Native VLAN on Trunks to an Unused VLAN (Prevent Double-Tagging Attacks)
```
interface GigabitEthernet0/2
 switchport trunk native vlan 999
```
🔹 Moves the native VLAN to an unused VLAN (e.g., VLAN 999) so that no access port shares the untagged VLAN of the trunk, which is what a double-tagging attack relies on.
✅ 5. Enable VLAN Access Control Lists (VACLs) (Restrict VLAN Traffic)
```
! In a VACL, "permit" ACEs select the traffic the access map acts on; a "deny"
! ACE only excludes traffic from that match. The map must also be applied to
! the VLAN with "vlan filter", otherwise it has no effect.
ip access-list extended BLOCK_ATTACKS
 permit ip any any
!
vlan access-map VLAN_SEC 10
 match ip address BLOCK_ATTACKS
 action drop
!
vlan filter VLAN_SEC vlan-list 10
```
🔹 Drops the IP traffic matched by BLOCK_ATTACKS for VLAN 10, whether bridged within the VLAN or routed into or out of it. As written the ACL matches everything, so in practice its permit entries are narrowed to the traffic that should be blocked.
✅ 6. Enable DHCP Snooping (Prevent Rogue DHCP Servers)
```
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/3
 ip dhcp snooping trust
```
🔹 Prevents attackers from assigning unauthorized VLAN configurations.
✅ 7. Enable Dynamic ARP Inspection (Prevent VLAN-Based ARP Spoofing)
```
ip arp inspection vlan 10
interface GigabitEthernet0/3
 ip arp inspection trust
```
🔹 Ensures ARP packets are verified before being forwarded.
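The hardening steps above (and the equivalent ones in 14.0 section 4) are easy to leave half-applied across a switch with dozens of ports. As an added example that is not part of the original page, the following Python script parses a running-config in IOS layout and reports the gaps a reviewer would look for: ports left in DTP dynamic mode, access ports without port security or BPDU guard, trunks with native VLAN 1 or no allowed-VLAN list, and VLANs where DHCP snooping is on but DAI is not. The sample configuration is constructed for the example; the rule set is an assumption drawn from this page, not a vendor tool.

```python
from typing import Dict, List, Set, Tuple

# Constructed running-config excerpt (interfaces and VLANs invented).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport access vlan 20
!
interface GigabitEthernet0/4
 shutdown
!
"""


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,20,30-32' into a set of ints."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface sub-commands.
    Sub-commands are the space-indented lines after 'interface X'; a '!' line
    or an unindented line ends the block."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def configured_vlans(global_lines: List[str], prefix: str) -> Set[int]:
    """Collect the VLANs named by every global line starting with prefix."""
    vlans: Set[int] = set()
    for line in global_lines:
        if line.startswith(prefix):
            vlans |= parse_vlan_list(line[len(prefix):].strip())
    return vlans


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (scope, finding) pairs for Layer 2 hardening gaps."""
    global_lines, interfaces = parse_config(text)
    findings: List[Tuple[str, str]] = []
    snoop_vlans = configured_vlans(global_lines, "ip dhcp snooping vlan")
    dai_vlans = configured_vlans(global_lines, "ip arp inspection vlan")
    if "ip dhcp snooping" not in global_lines:
        findings.append(("global", "DHCP snooping is not enabled globally"))
    for v in sorted(snoop_vlans - dai_vlans):
        findings.append(("global", f"VLAN {v}: DHCP snooping on but no 'ip arp inspection vlan {v}'"))
    bpduguard_default = "spanning-tree portfast bpduguard default" in global_lines
    access_vlans: Set[int] = set()
    for name, lines in interfaces.items():
        if "shutdown" in lines:
            continue  # unused port correctly disabled
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode is None or mode == "dynamic":
            findings.append((name, "DTP can negotiate a trunk: set 'switchport mode access' or 'trunk'"))
            continue
        if "switchport nonegotiate" not in lines:
            findings.append((name, "DTP frames still sent: add 'switchport nonegotiate'"))
        if mode == "access":
            if "switchport port-security" not in lines:
                findings.append((name, "port security not enabled"))
            if not bpduguard_default and "spanning-tree bpduguard enable" not in lines:
                findings.append((name, "BPDU guard not enabled"))
            for l in lines:
                if l.startswith("switchport access vlan "):
                    access_vlans.add(int(l.split()[-1]))
        elif mode == "trunk":
            native = next((int(l.split()[-1]) for l in lines
                           if l.startswith("switchport trunk native vlan ")), 1)
            if native == 1:
                findings.append((name, "native VLAN is 1: move it to an unused VLAN"))
            if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
                findings.append((name, "trunk carries all VLANs: add 'switchport trunk allowed vlan'"))
    for v in sorted(access_vlans - snoop_vlans):
        findings.append(("global", f"VLAN {v}: access ports present but DHCP snooping not enabled"))
    return findings


if __name__ == "__main__":
    for scope, msg in audit(SAMPLE_CONFIG):
        print(f"{scope:22} {msg}")
```

On the sample the hardened port GigabitEthernet0/1 produces no findings, the bare trunk produces three, and the port with no `switchport mode` is flagged because DTP defaults can negotiate a trunk.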
🔍 4. Monitoring for VLAN Attacks
✅ Check Trunk Ports and VLAN Configurations
```
show interfaces trunk
```
🔹 Ensures VLAN trunking is only enabled where necessary.
✅ View DHCP Snooping Entries
```
show ip dhcp snooping binding
```
🔹 Detects rogue DHCP assignments.
✅ Check VLAN Access Maps
```
show vlan access-map
```
🔹 Verifies VLAN ACLs are applied correctly.
✅ 5. Best Practices for Mitigating VLAN Attacks
✔ Disable Auto-Trunking on Switch Ports – Prevents attackers from turning ports into trunks.
✔ Assign an Unused VLAN as the Native VLAN – Mitigates double-tagging attacks.
✔ Use VLAN Access Control Lists (VACLs) – Restricts unauthorized inter-VLAN traffic.
✔ Enable DHCP Snooping & ARP Inspection – Prevents spoofing and unauthorized DHCP configurations.
✔ Use 802.1X Authentication – Ensures only trusted devices can connect.
✔ Regularly Monitor VLAN Logs & Security Events – Detects suspicious VLAN activity.
🚀 Final Thoughts
VLAN security is essential for preventing unauthorized access, attacks, and data breaches. By implementing trunk restrictions, DHCP snooping, ARP inspection, and VACLs, organizations can strengthen Layer 2 security and protect VLAN segmentation.
🔐 14.5. Mitigate DHCP Attacks
Dynamic Host Configuration Protocol (DHCP) attacks exploit vulnerabilities in network address assignment processes to steal information, redirect traffic, or cause denial-of-service (DoS) conditions. Securing DHCP services is essential to prevent rogue DHCP servers, IP exhaustion, and spoofing attacks.
🌟 1. Why Is Mitigating DHCP Attacks Important?
✅ Prevents Unauthorized IP Assignments – Stops rogue DHCP servers from hijacking network traffic.
✅ Ensures Network Stability – Prevents IP address depletion and DoS conditions.
✅ Blocks Unauthorized Access – Ensures only trusted devices receive DHCP leases.
✅ Defends Against MITM Attacks – Prevents attackers from intercepting network traffic via rogue gateways.
🔑 2. Common DHCP Attack Techniques
| Attack Type | Description | Impact |
|---|---|---|
| DHCP Starvation | Attacker floods the DHCP server with fake requests, exhausting available IP addresses. | Prevents legitimate devices from obtaining an IP address. |
| Rogue DHCP Server Attack | Attacker sets up a fake DHCP server to assign incorrect IP settings. | Redirects users to malicious gateways, DNS servers, or fake networks. |
| DHCP Spoofing | Attacker intercepts DHCP requests and responds with false configurations. | Enables man-in-the-middle (MITM) attacks and traffic redirection. |
🛠️ 3. How to Mitigate DHCP Attacks on Cisco Switches
✅ 1. Enable DHCP Snooping (Prevent Rogue DHCP Servers & Starvation Attacks)
```
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 ip dhcp snooping trust
interface GigabitEthernet0/2
 no ip dhcp snooping trust
```
🔹 Blocks DHCP replies from unauthorized sources and protects trusted DHCP servers. Ports are untrusted by default; there is no `untrust` keyword, so `no ip dhcp snooping trust` is how an explicitly untrusted port is written.
✅ 2. Limit DHCP Rate to Prevent Starvation Attacks
```
interface GigabitEthernet0/3
 ip dhcp snooping limit rate 10
```
🔹 Restricts the DHCP packet rate on the port to 10 packets per second; exceeding it err-disables the port.
✅ 3. Enable ARP Inspection (Prevent Spoofing via Fake DHCP Assignments)
```
ip arp inspection vlan 10
interface GigabitEthernet0/1
 ip arp inspection trust
interface GigabitEthernet0/2
 no ip arp inspection trust
```
🔹 Ensures that only ARP packets with valid IP-MAC address bindings are forwarded from untrusted ports (ports are untrusted by default; `no ip arp inspection trust` makes that explicit).
✅ 4. Use Port Security to Limit Devices on a Port
```
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
```
🔹 Limits the number of allowed devices per port to prevent MAC address flooding attacks.
✅ 5. Monitor DHCP Snooping Logs for Anomalies
```
show ip dhcp snooping binding
```
🔹 Verifies valid DHCP leases and checks for suspicious activity.
🔍 4. Detecting DHCP Attacks
| Command | Purpose |
|---|---|
| show ip dhcp snooping binding | Displays legitimate DHCP-assigned addresses. |
| show ip dhcp snooping statistics | Displays DHCP snooping drop statistics. |
| show ip arp inspection statistics | Verifies ARP-related security threats. |
✅ 5. Best Practices for Mitigating DHCP Attacks
✔ Enable DHCP Snooping – Blocks rogue DHCP servers and fake leases.
✔ Limit DHCP Request Rate – Prevents starvation attacks by attackers flooding DHCP requests.
✔ Implement ARP Inspection – Prevents spoofing and MITM attacks.
✔ Use Port Security – Limits device connections to prevent MAC flooding.
✔ Regularly Monitor DHCP Logs – Detects suspicious DHCP activity in real time.
✔ Use VLAN Segmentation for DHCP Servers – Isolates critical DHCP infrastructure from user VLANs.
🚀 Final Thoughts
DHCP attacks can severely disrupt network functionality and lead to security breaches. Implementing DHCP Snooping, rate-limiting, ARP Inspection, and Port Security ensures a secure and reliable DHCP infrastructure.
🔐 14.6. Mitigate ARP Attacks
Address Resolution Protocol (ARP) attacks exploit weaknesses in Layer 2 communication to redirect, intercept, or manipulate network traffic. Attackers use ARP spoofing or poisoning to impersonate devices and launch Man-in-the-Middle (MitM) attacks, steal credentials, or cause network disruptions.
🌟 1. Why Is Mitigating ARP Attacks Important?
✅ Prevents Traffic Interception – Stops MITM attacks and credential theft.
✅ Ensures Network Integrity – Prevents fake ARP replies from redirecting traffic.
✅ Protects Against Data Theft – Secures user sessions, VoIP calls, and encrypted traffic.
✅ Prevents Network Downtime – Blocks attackers from disrupting normal ARP operations.
🔑 2. Common ARP Attack Techniques
| Attack Type | Description | Impact |
|---|---|---|
| ARP Spoofing (Poisoning) | Attacker sends fake ARP replies to associate their MAC address with another IP. | Redirects traffic to the attacker, allowing packet sniffing or data modification. |
| Man-in-the-Middle (MITM) via ARP | Attacker positions themselves between two devices by poisoning ARP tables. | Allows real-time traffic interception, credential theft, and session hijacking. |
| Denial-of-Service (DoS) via ARP | Attacker floods ARP tables with fake MAC-IP bindings. | Overwhelms network devices, causing network slowdowns or failures. |
🛠️ 3. Mitigating ARP Attacks on Cisco Switches
✅ 1. Enable Dynamic ARP Inspection (DAI) (Prevents ARP Spoofing & Poisoning)
```
ip arp inspection vlan 10
interface GigabitEthernet0/1
 ip arp inspection trust
interface GigabitEthernet0/2
 no ip arp inspection trust
```
🔹 Verifies ARP packets on untrusted ports against the DHCP snooping bindings before forwarding. Ports are untrusted by default; `no ip arp inspection trust` states that explicitly (there is no `untrust` keyword).
✅ 2. Enable DHCP Snooping (Prevents Fake MAC-IP Bindings)
```
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/3
 ip dhcp snooping trust
```
🔹 Builds the IP-MAC binding table that DAI uses, so attackers cannot assign rogue ARP entries.
✅ 3. Use Static ARP Entries for Critical Devices
```
arp 192.168.1.1 001a.2b3c.4d5e arpa
```
🔹 Locks critical devices to known MAC addresses to prevent spoofing. IOS takes the MAC in dotted-hex form; note that a static entry only protects the ARP cache of the device it is configured on, so hosts still rely on DAI.
✅ 4. Enable Port Security (Restrict MAC Address Learning on Ports)
```
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
```
🔹 Prevents MAC flooding, which could be used in conjunction with ARP spoofing.
✅ 5. Monitor ARP Activity & Logs
```
show ip arp inspection statistics
show ip dhcp snooping binding
```
🔹 Detects anomalies in ARP activity and verifies legitimate DHCP bindings.
🔍 4. Detecting ARP Attacks
| Command | Purpose |
|---|---|
| show ip arp inspection statistics | Displays ARP security violations. |
| show ip dhcp snooping binding | Verifies IP-MAC bindings against DHCP-snooped addresses. |
| show arp | Lists ARP table entries (check for unusual changes). |
✅ 5. Best Practices for Mitigating ARP Attacks
✔ Enable Dynamic ARP Inspection (DAI) – Ensures only legitimate ARP traffic is processed.
✔ Use DHCP Snooping to Validate ARP Entries – Prevents spoofed MAC-IP pairings.
✔ Implement Port Security – Limits the number of MAC addresses per switch port.
✔ Use Static ARP Entries for Key Devices – Prevents spoofing of critical network infrastructure.
✔ Monitor Network Logs for Suspicious ARP Activity – Detects potential ARP-based attacks.
🚀 Final Thoughts
ARP attacks pose a serious threat to network security, enabling attackers to intercept, modify, or disrupt network traffic. By implementing Dynamic ARP Inspection (DAI), DHCP Snooping, Port Security, and static ARP entries, organizations can effectively block ARP-based attacks.
🔐 14.7. Mitigate Address Spoofing Attacks
Address spoofing attacks involve attackers forging MAC or IP addresses to bypass network security, impersonate trusted devices, or manipulate network traffic. These attacks are commonly used in Man-in-the-Middle (MITM), Denial-of-Service (DoS), and reconnaissance exploits.
🌟 1. Why Is Address Spoofing Dangerous?
✅ Allows Unauthorized Network Access – Attackers can bypass access controls.
✅ Enables Man-in-the-Middle (MITM) Attacks – Can intercept sensitive data and steal credentials.
✅ Can Be Used for Denial-of-Service (DoS) Attacks – Attackers can overwhelm network resources.
✅ Bypasses Firewall & ACL Rules – Attackers use spoofed IPs to evade security policies.
🔑 2. Common Address Spoofing Attack Techniques
| Attack Type | Description | Impact |
|---|---|---|
| MAC Spoofing | Attacker forges a MAC address to impersonate a trusted device. | Bypasses MAC-based security policies, hijacks sessions. |
| IP Spoofing | Attacker sends packets with a fake IP address to disguise their identity. | Used in DoS, MITM, and evasion of firewall rules. |
| ARP Spoofing | Attacker sends false ARP replies to associate their MAC with another device’s IP. | Enables MITM attacks and traffic redirection. |
| DNS Spoofing | Attacker redirects DNS queries to a malicious site by modifying DNS responses. | Used for phishing, malware distribution, and data theft. |
🛠️ 3. Mitigating Address Spoofing on Cisco Switches
✅ 1. Enable DHCP Snooping (Prevent Rogue IP Assignments & IP Spoofing)
```
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 ip dhcp snooping trust
interface GigabitEthernet0/2
 no ip dhcp snooping trust
```
🔹 Ensures only trusted DHCP servers can assign IP addresses, preventing spoofed IP leases. Ports are untrusted by default; `no ip dhcp snooping trust` is the explicit form (there is no `untrust` keyword).
✅ 2. Enable Dynamic ARP Inspection (Prevent ARP Spoofing & MITM)
```
ip arp inspection vlan 10
interface GigabitEthernet0/3
 ip arp inspection trust
interface GigabitEthernet0/4
 no ip arp inspection trust
```
🔹 Validates ARP packets to prevent attackers from spoofing legitimate devices. Ports are untrusted by default; `no ip arp inspection trust` is the explicit form.
✅ 3. Configure IP Source Guard (Prevent IP Spoofing on Hosts)
```
interface GigabitEthernet0/5
 ip verify source
```
🔹 Drops IP packets whose source address has no entry for that port in the DHCP snooping binding table (the `port-security` keyword also checks the source MAC), stopping IP spoofing attempts. DHCP snooping, or static `ip source binding` entries, must already be in place for the port.
✅ 4. Use Port Security (Prevent MAC Spoofing & Unauthorized Devices)
```
interface GigabitEthernet0/6
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
```
🔹 Limits the number of MAC addresses per port and retains the learned addresses as sticky secure entries.
✅ 5. Enable Unicast Reverse Path Forwarding (uRPF) (Prevent Source IP Spoofing)
```
interface GigabitEthernet0/7
 ip verify unicast source reachable-via rx
```
🔹 Strict uRPF: drops inbound packets whose source address is not reachable through the interface they arrived on according to the routing table. This is a Layer 3 check applied on routed interfaces, not on switch access ports.
✅ 6. Configure VLAN Access Control Lists (VACLs) (Prevent Unauthorized VLAN Traffic)
```
! "permit" ACEs select the traffic the access map acts on; sequence 20
! forwards everything else, and "vlan filter" applies the map to VLAN 10.
ip access-list extended SPOOF_ATTACKS
 permit ip 192.168.1.0 0.0.0.255 any
!
vlan access-map BLOCK_SPOOF 10
 match ip address SPOOF_ATTACKS
 action drop
vlan access-map BLOCK_SPOOF 20
 action forward
!
vlan filter BLOCK_SPOOF vlan-list 10
```
🔹 Drops IP packets sourced from 192.168.1.0/24 inside VLAN 10 and forwards the rest; used where that prefix does not belong on the VLAN, it blocks hosts claiming addresses from another segment and so limits lateral movement.
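The DAI step in 14.6 and the IP Source Guard step above both depend on the same table: the DHCP snooping bindings. As an added example that is not part of the original page, this Python script parses constructed `show ip dhcp snooping binding` output and applies the two checks as the page describes them: DAI compares the ARP sender IP/MAC pair against the table (with the optional `validate src-mac` test), and IP Source Guard compares an IP packet's source against the bindings for its ingress port. The trusted-port set, VLAN numbers and addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed 'show ip dhcp snooping binding' output (addresses invented).
BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   192.168.10.11    86400       dhcp-snooping  10    GigabitEthernet0/2
00:11:22:33:44:66   192.168.10.12    86400       dhcp-snooping  10    GigabitEthernet0/3
"""

# Hypothetical switch state: Gi0/1 faces the DHCP server and carries
# 'ip arp inspection trust'; DAI and IP Source Guard are enabled for VLAN 10.
TRUSTED_PORTS = {"GigabitEthernet0/1"}
DAI_VLANS = {10}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class ArpPacket:
    ingress: str      # switch port the packet arrived on
    vlan: int
    eth_src: str      # Ethernet source MAC
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address


def parse_bindings(text: str) -> List[Binding]:
    """Parse the binding table; header and separator lines have no colon-form MAC."""
    bindings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0].count(":") != 5:
            continue
        bindings.append(Binding(parts[0].lower(), parts[1], int(parts[4]), parts[5]))
    return bindings


def dai_verdict(pkt: ArpPacket, bindings: List[Binding],
                validate_src_mac: bool = True) -> Tuple[str, str]:
    """Dynamic ARP Inspection: on untrusted ports, forward only ARP whose sender
    IP/MAC pair exists in the binding table for that VLAN. validate_src_mac
    models the optional 'ip arp inspection validate src-mac' check."""
    if pkt.vlan not in DAI_VLANS:
        return "forward", "DAI not enabled on this VLAN"
    if pkt.ingress in TRUSTED_PORTS:
        return "forward", "trusted port, not inspected"
    if validate_src_mac and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "drop", "Ethernet source MAC differs from ARP sender MAC"
    for b in bindings:
        if b.vlan == pkt.vlan and b.mac == pkt.sender_mac.lower() and b.ip == pkt.sender_ip:
            return "forward", "sender IP/MAC matches DHCP snooping binding"
    return "drop", "sender IP/MAC pair not in DHCP snooping binding table"


def ipsg_verdict(ingress: str, vlan: int, src_mac: str, src_ip: str,
                 bindings: List[Binding], check_mac: bool = False) -> Tuple[str, str]:
    """IP Source Guard ('ip verify source'): forward an IP packet only if a
    binding for its source IP exists on the ingress port; check_mac models
    'ip verify source port-security', which also compares the source MAC."""
    for b in bindings:
        if b.interface == ingress and b.vlan == vlan and b.ip == src_ip:
            if check_mac and b.mac != src_mac.lower():
                return "drop", "source IP bound to a different MAC on this port"
            return "forward", "source matches binding on this port"
    return "drop", "no binding for this source IP on this port"


if __name__ == "__main__":
    table = parse_bindings(BINDING_OUTPUT)
    legit = ArpPacket("GigabitEthernet0/2", 10, "00:11:22:33:44:55",
                      "00:11:22:33:44:55", "192.168.10.11")
    # The host on Gi0/3 claims the address the table binds to the host on Gi0/2.
    spoof = ArpPacket("GigabitEthernet0/3", 10, "00:11:22:33:44:66",
                      "00:11:22:33:44:66", "192.168.10.11")
    print(dai_verdict(legit, table))
    print(dai_verdict(spoof, table))
    print(ipsg_verdict("GigabitEthernet0/3", 10, "00:11:22:33:44:66", "192.168.10.11", table))
```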
🔍 4. Detecting Address Spoofing Attacks
| Command | Purpose |
|---|---|
| show ip dhcp snooping binding | Displays legitimate DHCP-assigned addresses. |
| show ip arp inspection statistics | Identifies ARP spoofing attempts. |
| show ip verify source | Shows the IP Source Guard status and filter per interface. |
| show port-security address | Displays MAC addresses secured on each switch port. |
✅ 5. Best Practices for Mitigating Address Spoofing
✔ Enable DHCP Snooping – Blocks rogue DHCP servers and prevents fake IP assignments.
✔ Enable ARP Inspection – Stops ARP poisoning and MITM attacks.
✔ Use IP Source Guard – Prevents devices from spoofing their IP addresses.
✔ Implement Port Security – Limits device connections and prevents MAC spoofing.
✔ Use VLAN Access Lists (VACLs) – Blocks unauthorized traffic within VLANs.
✔ Monitor Network Logs for Spoofing Attempts – Detects suspicious IP/MAC address activity.
🚀 Final Thoughts
Address spoofing attacks pose a significant risk to network integrity and security. Implementing DHCP Snooping, ARP Inspection, IP Source Guard, and Port Security effectively prevents spoofed addresses from disrupting the network.
🔥 14.8. Spanning Tree Protocol (STP) Security
Spanning Tree Protocol (STP) is a Layer 2 protocol that prevents network loops in redundant switch topologies. However, attackers can exploit STP vulnerabilities to manipulate network traffic, cause denial-of-service (DoS) attacks, or take control of the network topology.
🌟 1. Why Is STP Security Important?
✅ Prevents Network Loops – Avoids broadcast storms and packet duplication.
✅ Protects Against STP Manipulation – Prevents unauthorized devices from becoming the root bridge.
✅ Ensures Network Stability – Blocks rogue BPDU messages that disrupt topology changes.
✅ Defends Against DoS Attacks – Stops attackers from forcing network recalculations to cause downtime.
🔑 2. Common STP Attacks
| Attack Type | Description | Impact |
|---|---|---|
| STP Manipulation (Root Bridge Attack) | Attacker sends superior BPDUs to become the root bridge. | Redirects network traffic, enabling Man-in-the-Middle (MITM) attacks. |
| BPDU Flooding | Attacker sends excessive BPDU messages, forcing frequent topology recalculations. | Causes network instability and performance degradation. |
| TCN (Topology Change Notification) Injection | Attacker injects fake TCN messages, forcing frequent MAC table flushes. | Results in packet flooding and loss of network efficiency. |
🛠️ 3. Mitigating STP Attacks on Cisco Switches
✅ 1. Enable BPDU Guard (Blocks Rogue BPDU Messages)
interface GigabitEthernet0/1
spanning-tree bpduguard enable
🔹 Err-disables the port as soon as any BPDU arrives on it, preventing rogue root bridge attacks from access ports; the port stays down until an administrator re-enables it or errdisable recovery brings it back.
✅ 2. Enable Root Guard (Prevents Unauthorized Root Bridge Elections)
interface GigabitEthernet0/2
spanning-tree guard root
🔹 Ensures only trusted switches can become the root bridge: if a superior BPDU arrives on this port, the port is placed in the root-inconsistent (blocking) state and recovers automatically once the superior BPDUs stop.
✅ 3. Enable BPDU Filtering (Prevents BPDU Injection Attacks)
interface GigabitEthernet0/3
spanning-tree bpdufilter enable
🔹 Prevents BPDUs from being sent or received on ports where STP is not needed. Interface-level BPDU filtering effectively switches STP off on that port, so a switch connected there later is not detected and can create a loop; reserve it for ports that can never reach another switch and prefer BPDU Guard for ordinary access ports.
✅ 4. Enable Loop Guard (Prevents Loops Due to Unidirectional Link Failures)
interface GigabitEthernet0/4
spanning-tree guard loop
🔹 Detects unidirectional link failures: if a blocking port stops receiving BPDUs, Loop Guard moves it into a loop-inconsistent state instead of letting it transition to forwarding, which is what would otherwise create the loop.
✅ 5. Limit VLAN Root Bridge Elections (Prevents VLAN-Based STP Attacks)
spanning-tree vlan 10 priority 0
🔹 Makes this switch the preferred root bridge for VLAN 10: 0 is the lowest (most preferred) priority value, so a rogue device cannot win the election simply by advertising a lower priority. A device advertising the same priority with a lower bridge MAC address would still win, which is why Root Guard on ports facing untrusted devices is needed alongside this setting.
🔍 4. Monitoring STP Security
| Command | Purpose |
|---|---|
| show spanning-tree summary | Displays STP settings and active protection mechanisms. |
| show spanning-tree interface GigabitEthernet0/1 detail | Shows STP configuration for a specific port. |
| show spanning-tree root | Displays the current root bridge in the network. |
✅ 5. Best Practices for Securing STP
✔ Enable BPDU Guard on Access Ports – Prevents rogue switches from participating in STP.
✔ Use Root Guard on Trunk Ports – Ensures only trusted devices can become root bridges.
✔ Enable BPDU Filtering on Edge Ports – Stops unnecessary BPDU traffic on non-trunk links.
✔ Use Loop Guard on Trunk Ports – Detects and prevents loops caused by link failures.
✔ Manually Configure Root Bridge Priority – Prevents unauthorized devices from becoming root bridges.
✔ Monitor BPDU and STP Activity – Detects suspicious network topology changes.
🚀 Final Thoughts
STP security is critical for preventing network disruptions, loops, and unauthorized control over Layer 2 topologies. By implementing BPDU Guard, Root Guard, BPDU Filtering, and Loop Guard, administrators can protect against STP-based attacks and ensure a stable network.
🔐 14.9. Mitigate STP Attacks
Spanning Tree Protocol (STP) attacks exploit vulnerabilities in Layer 2 network redundancy to manipulate traffic flow, cause network loops, or disrupt topology stability. Attackers use rogue BPDUs, root bridge manipulation, and topology changes to hijack network control or cause downtime.
🌟 1. Why Is Mitigating STP Attacks Important?
✅ Prevents Unauthorized Root Bridge Elections – Blocks attackers from taking over network topology.
✅ Defends Against Network Loops – Ensures redundant links don’t cause broadcast storms.
✅ Prevents Network Disruptions – Stops malicious BPDU flooding and topology recalculations.
✅ Ensures Stable Traffic Flow – Protects network devices from unexpected path changes.
🔑 2. Common STP Attack Techniques
| Attack Type | Description | Impact |
|---|---|---|
| Root Bridge Manipulation | Attacker sends superior BPDUs to become the root bridge. | Redirects traffic, leading to Man-in-the-Middle (MITM) attacks. |
| BPDU Flooding Attack | Attacker sends excessive BPDU messages to force network recalculations. | Causes network downtime and instability. |
| Topology Change Notification (TCN) Injection | Attacker injects fake TCN messages, causing frequent MAC table flushes. | Results in packet flooding and slower network performance. |
🛠️ 3. Mitigating STP Attacks on Cisco Switches
✅ 1. Enable BPDU Guard (Prevents Rogue BPDU Messages on Access Ports)
interface GigabitEthernet0/1
spanning-tree bpduguard enable
🔹 Shuts down ports that receive unauthorized BPDU messages, blocking rogue STP devices.
✅ 2. Enable Root Guard (Prevents Unauthorized Root Bridge Elections)
interface GigabitEthernet0/2
spanning-tree guard root
🔹 Prevents connected devices from becoming root bridges.
✅ 3. Enable BPDU Filtering (Stops BPDU Injection on Access Ports)
interface GigabitEthernet0/3
spanning-tree bpdufilter enable
🔹 Blocks BPDUs on ports that don't require STP participation. Because this disables STP on the port entirely, use it only where no switch can ever be attached; BPDU Guard is the safer choice for access ports.
✅ 4. Enable Loop Guard (Prevents Loops Due to Link Failures)
interface GigabitEthernet0/4
spanning-tree guard loop
🔹 Detects and prevents network loops caused by failed links.
✅ 5. Manually Configure Root Bridge Priority (Prevents Root Bridge Hijacking)
spanning-tree vlan 10 priority 0
🔹 Ensures that the intended switch remains the root bridge by giving it the lowest possible priority; combine it with Root Guard, since a rogue bridge advertising priority 0 with a lower MAC address could still win the election.
🔍 4. Monitoring for STP Attacks
| Command | Purpose |
|---|---|
| show spanning-tree summary | Displays STP protection mechanisms in use. |
| show spanning-tree root | Identifies the current root bridge in the network. |
| show spanning-tree interface GigabitEthernet0/1 detail | Shows STP status per interface. |
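The monitoring commands of sections 14.8 and 14.9 produce the same data, so one added example serves both. The Python script below is not from the page: it parses show spanning-tree root output, compares each VLAN's root bridge with the MAC address of the intended root, and tags the STP syslog messages that BPDU Guard, Root Guard, Loop Guard and a root change generate. The command output, EXPECTED_ROOT_MAC and the log lines are constructed samples modelled on Cisco IOS formats, not data from the page.

```python
"""Audit 'show spanning-tree root' output against the intended root bridge and
triage STP-related syslog messages. Added example: the command output, the
expected root MAC and the log lines are constructed samples modelled on Cisco
IOS formats."""
import re

# Constructed 'show spanning-tree root' output. VLAN0020 is rooted elsewhere (non-zero
# root cost and a root port), which is what a successful root-bridge takeover looks like
# from the switch that was supposed to be root.
STP_ROOT = """\
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001             0 0011.2233.4455         0    2   20  15
VLAN0010             0 0011.2233.4455         0    2   20  15
VLAN0020          4096 dead.beef.0001         4    2   20  15  Gi0/24
"""

EXPECTED_ROOT_MAC = "0011.2233.4455"  # constructed: bridge MAC of the intended root

# Constructed syslog lines modelled on IOS STP mnemonics; the last one is unrelated noise.
STP_SYSLOG = [
    "%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/1 with BPDU Guard enabled. Disabling port.",
    "%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/2 on VLAN0010.",
    "%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/4 on VLAN0010.",
    "%SPANTREE-5-ROOTCHANGE: Root Changed for vlan 20: New Root Port is GigabitEthernet0/24. New Root Mac Address is dead.beef.0001",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/9, changed state to up",
]

# One row per VLAN: name, root priority, root MAC, root cost, hello, max age, fwd delay, optional root port.
ROW = re.compile(
    r"^(VLAN\d+)\s+(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\d+)\s+\d+\s+\d+\s+\d+\s*(\S+)?"
)

STP_EVENTS = {
    "bpduguard_errdisable": re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: .*?port (\S+) with"),
    "rootguard_block": re.compile(r"%SPANTREE-2-ROOTGUARD_BLOCK: .*?port (\S+) on (VLAN\d+)"),
    "loopguard_block": re.compile(r"%SPANTREE-2-LOOPGUARD_BLOCK: .*?port (\S+) on (VLAN\d+)"),
    "root_change": re.compile(r"%SPANTREE-5-ROOTCHANGE: Root Changed for vlan (\d+):.*?Mac Address is (\S+)"),
}


def parse_stp_root(text: str) -> dict:
    """Return {vlan: {"priority", "mac", "cost", "root_port"}} from 'show spanning-tree root'."""
    roots = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            roots[m.group(1)] = {
                "priority": int(m.group(2)),
                "mac": m.group(3),
                "cost": int(m.group(4)),
                "root_port": m.group(5),  # None when this switch is itself the root for the VLAN
            }
    return roots


def audit_root(roots: dict, expected_mac: str) -> list:
    """Flag VLANs whose root bridge is not the intended one. On the switch that should be
    root, a root port or non-zero root cost means another bridge has won the election."""
    findings = []
    for vlan, info in roots.items():
        if info["mac"] != expected_mac:
            findings.append((vlan, f"unexpected root {info['mac']} (priority {info['priority']}) "
                                   f"via {info['root_port'] or 'n/a'}, cost {info['cost']}"))
    return findings


def classify_stp_syslog(lines) -> list:
    """Return (event_type, captured fields) for each STP protection or root-change message."""
    events = []
    for line in lines:
        for kind, pattern in STP_EVENTS.items():
            m = pattern.search(line)
            if m:
                events.append((kind, m.groups()))
    return events


if __name__ == "__main__":
    for vlan, detail in audit_root(parse_stp_root(STP_ROOT), EXPECTED_ROOT_MAC):
        print(f"{vlan}: {detail}")
    for kind, fields in classify_stp_syslog(STP_SYSLOG):
        print(f"{kind}: {fields}")
```

Scheduling this against periodic output of show spanning-tree root turns a root-bridge takeover into an alert rather than something discovered after users report slow traffic; the ROOTGUARD_BLOCK and BLOCK_BPDUGUARD events tell you which port the superior BPDUs arrived on.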
✅ 5. Best Practices for Preventing STP Attacks
✔ Enable BPDU Guard on Access Ports – Stops unauthorized switches from sending BPDUs.
✔ Use Root Guard on Trunk Links – Prevents malicious devices from becoming root bridges.
✔ Enable BPDU Filtering – Blocks BPDU messages on non-trunk ports.
✔ Use Loop Guard – Detects unidirectional link failures and prevents network loops.
✔ Manually Set Root Bridge Priority – Ensures only trusted switches act as root bridges.
✔ Monitor STP Activity & Logs – Detects unusual topology changes or BPDU floods.
🚀 Final Thoughts
STP attacks can severely disrupt Layer 2 networks, causing outages and security risks. By enabling BPDU Guard, Root Guard, BPDU Filtering, and Loop Guard, administrators can protect their network topology from unauthorized manipulation.
🔐 14.10. Layer 2 Security Considerations Summary
Layer 2 (Data Link Layer) security is crucial for protecting network infrastructures from various threats, as it governs switching, MAC address management, and traffic forwarding within the network. Securing Layer 2 helps prevent attacks such as MAC flooding, ARP spoofing, VLAN hopping, and STP manipulation.
🌟 1. Why Is Layer 2 Security Important?
✅ Prevents Unauthorized Access – Ensures that only trusted devices can connect to the network.
✅ Avoids Network Loops – Protects against broadcast storms and network disruptions.
✅ Mitigates Data Interception – Stops attackers from sniffing traffic or performing MITM attacks.
✅ Maintains Network Stability – Secures redundant connections and prevents topology manipulation.
🔑 2. Key Layer 2 Security Threats
| Threat Type | Description | Impact |
|---|---|---|
| MAC Flooding | Overloads the MAC address table, causing the switch to flood traffic to all ports. | Enables packet sniffing, data interception, and DoS conditions. |
| ARP Spoofing (Poisoning) | Attacker sends fake ARP replies to associate their MAC with another IP. | Leads to MITM attacks, traffic redirection, and data theft. |
| VLAN Hopping | Attacker exploits VLAN misconfigurations to access other VLANs. | Allows unauthorized access and network segmentation bypass. |
| STP Manipulation | Attacker sends fake BPDUs to alter the Spanning Tree topology. | Causes traffic redirection, network instability, and Denial-of-Service (DoS). |
| DHCP Spoofing | Attacker sets up a rogue DHCP server to assign incorrect IP settings. | Redirects users to malicious gateways, hijacking DNS or traffic. |
🛠️ 3. Key Layer 2 Security Measures
| Security Measure | Purpose |
|---|---|
| Port Security | Limits MAC addresses per port, preventing MAC flooding and unauthorized access. |
| Dynamic ARP Inspection (DAI) | Verifies ARP packets and prevents ARP spoofing. |
| DHCP Snooping | Prevents rogue DHCP servers and IP address spoofing. |
| BPDU Guard | Prevents STP manipulation by shutting down ports receiving unauthorized BPDUs. |
| VLAN Access Control Lists (VACLs) | Restricts traffic flow between VLANs for better segmentation and access control. |
| 802.1X Authentication | Ensures only authorized devices can connect to the network. |
| Storm Control | Limits broadcast, multicast, and unknown unicast traffic to prevent network congestion. |
✅ 4. Mitigation Techniques for Layer 2 Attacks
✅ MAC Flooding Attack Prevention
- Enable Port Security to restrict the number of allowed MAC addresses per port.
- Use Sticky MAC to bind dynamically learned MAC addresses to the port.
✅ ARP Spoofing Prevention
- Enable Dynamic ARP Inspection (DAI) to ensure ARP packets are legitimate.
- Use DHCP Snooping to block unauthorized DHCP responses.
✅ VLAN Hopping Prevention
- Disable unused switch ports to prevent attackers from exploiting VLAN hopping.
- Set up VLAN Access Control Lists (VACLs) to restrict traffic between VLANs.
✅ STP Manipulation Prevention
- Enable BPDU Guard on all access ports to block rogue switches from sending BPDUs.
- Enable Root Guard on trunk ports to ensure only trusted switches can become the root bridge.
- Set a priority for the root bridge to prevent unauthorized root bridge elections.
✅ General Layer 2 Security Best Practices
- Disable unused ports and apply Port Security to limit physical access.
- Use 802.1X authentication for network access control.
- Monitor network logs regularly to detect unauthorized activity and potential attacks.
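To check the mitigation lists above against an actual switch configuration, here is an added Python example (not from the page) that audits a running-config for the controls they call for: global DHCP Snooping and Dynamic ARP Inspection, Port Security and BPDU Guard on access ports, and Root Guard on trunk ports. The configuration excerpt is constructed, and the root_uplinks parameter is an assumption of the example: trunks that face the intended root bridge must be excluded from the Root Guard check, because Root Guard would block the legitimate root's BPDUs there.

```python
"""Audit a Cisco IOS running configuration for the Layer 2 controls listed above.
Added example: the configuration below is a constructed sample, and the port
roles it assumes (access vs. trunk, uplinks toward the root) are illustrative."""

# Constructed running-config excerpt. Gi0/2 and Gi0/23 are deliberately incomplete.
RUNNING_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet0/23
 switchport mode trunk
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 spanning-tree guard root
!
"""

# Command prefix that must be present -> finding text when it is absent.
GLOBAL_REQUIRED = {
    "ip dhcp snooping": "DHCP snooping is disabled globally",
    "ip arp inspection vlan": "Dynamic ARP Inspection is not enabled on any VLAN",
}
ACCESS_REQUIRED = {
    "switchport port-security": "no port security (MAC flooding / MAC spoofing)",
    "spanning-tree bpduguard enable": "no BPDU Guard (rogue switch could join STP)",
}
TRUNK_REQUIRED = {
    "spanning-tree guard root": "no Root Guard (downstream device could claim root)",
}


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [stripped config lines]}; global lines live under the key ''."""
    sections, current = {"": []}, ""
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!" or not line:      # '!' ends an interface stanza in IOS output
            current = ""
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            sections[current] = []
            continue
        sections[current].append(line)
    return sections


def audit_layer2(config: str, root_uplinks=()) -> list:
    """List (scope, finding) pairs for missing controls. root_uplinks are trunk ports that
    face the intended root bridge; Root Guard must not be applied there, so they are skipped."""
    sections = parse_interfaces(config)
    findings = []
    for cmd, why in GLOBAL_REQUIRED.items():
        if not any(line.startswith(cmd) for line in sections[""]):
            findings.append(("global", why))
    for name, lines in sections.items():
        if not name:
            continue
        if "switchport mode access" in lines:
            required = ACCESS_REQUIRED
        elif "switchport mode trunk" in lines and name not in root_uplinks:
            required = TRUNK_REQUIRED
        else:
            continue                      # dynamic/unclassified ports need a human decision
        for cmd, why in required.items():
            if not any(line.startswith(cmd) for line in lines):
                findings.append((name, why))
    return findings


if __name__ == "__main__":
    for scope, why in audit_layer2(RUNNING_CONFIG, root_uplinks={"GigabitEthernet0/24"}):
        print(f"{scope}: {why}")
```

The classification relies on explicit switchport mode lines; ports left in dynamic negotiation mode are skipped rather than guessed, which is itself a finding worth acting on since the summary above recommends hard-setting port modes and disabling unused ports.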
🚀 Final Thoughts
Layer 2 security is vital for maintaining the integrity, availability, and confidentiality of the network. Implementing Port Security, Dynamic ARP Inspection, DHCP Snooping, and STP protection ensures that the network is protected from a variety of attacks targeting the switching and communication protocols of Layer 2.