Lecture2 Secured Network Design W.Lilakiatsakun

Upload: kristin-reynolds

Post on 01-Jan-2016

Page 1: Lecture2 Secured Network Design W.Lilakiatsakun.  ARP  Problems with ARP / Countermeasures  VLAN  Attacking on VLAN / Countermeasures Topics

Lecture 2: Secured Network Design

W.Lilakiatsakun

Page 2: Topics

- ARP
- Problems with ARP / Countermeasures
- VLAN
- Attacking on VLAN / Countermeasures

Page 3: Address Resolution Protocol (ARP) (1)

- Why do we need ARP
- ARP Operation
- ARP Packet
- Attack by using ARP
- How to protect

Page 4: Address Resolution Protocol (ARP) (2)

Related RFCs:
- RFC 826: Ethernet Address Resolution Protocol, Internet Standard STD 37
- RFC 5227: IPv4 Address Conflict Detection, Proposed Standard

Page 5: Why do we need ARP (1)

Packets are forwarded to the destination network by routers. But how are the packets forwarded to the destination host?

IP addresses cannot be used for forwarding within a LAN; instead, MAC addresses are used to forward frames within the LAN.

So we need a mapping between IP addresses and MAC addresses.

Page 6: Why do we need ARP (2)

ARP purpose: a sending node needs a way to find the MAC address of the destination on a given Ethernet link.

The ARP protocol provides two basic functions:
- Resolving IPv4 addresses to MAC addresses
- Maintaining a table of mappings

Page 7: ARP Operation (1)

Page 8: ARP Operation (2)

ARP table: used to find the data link layer address that is mapped to the destination IPv4 address. As a node receives frames from the media, it records the source IP and MAC address as a mapping in the ARP table.

ARP request: a Layer 2 broadcast to all devices on the Ethernet LAN. The node that matches the IP address in the broadcast will reply. If no device responds to the ARP request, the packet is dropped because a frame cannot be created.

Page 9: ARP Operation (3)

Page 10: ARP Operation (4)

Page 11: ARP Operation (5)

Page 12: ARP Operation (6)

Page 13: ARP in Remote network (1)

If the destination IPv4 host is on the local network, the frame will use the MAC address of this device as the destination MAC address.

If the destination IPv4 host is not on the local network, the source uses the ARP process to determine a MAC address for the router interface serving as the gateway.

In the event that the gateway entry is not in the table, an ARP request is used to retrieve the MAC address associated with the IP address of the router interface.

Page 14: ARP in Remote network (2)

Page 15: ARP in Ethernet Frame

- Ethernet destination address: ff:ff:ff:ff:ff:ff (broadcast) for an ARP request
- Ethernet source address: address of the ARP requester
- Frame type: ARP request/reply 0x0806; RARP request/reply 0x8035; IP datagram 0x0800

Page 16: ARP Format (1)

Page 17: ARP Format (2)

- Hardware type: 1 for Ethernet
- Protocol type: 0x0800 for IP (0000 1000 0000 0000 in binary), the same value as the Ethernet type field carrying an IP datagram
- Hardware length: length in bytes of hardware addresses (6 bytes for Ethernet)
- Protocol length: length in bytes of logical addresses (4 bytes for IP)
- ARP operation: 1 = request; 2 = reply; 3/4 = RARP request/reply

Page 18: ARP Format (3)
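The field layout of pages 15 to 17 (Ethernet type 0x0806, hardware type 1, protocol type 0x0800, lengths 6 and 4, operation code) is easiest to check against real bytes. The following Python is an added example written for this page, not code from the lecture: it builds an ARP frame from the fields above, parses it back, and records two checks a receiver or monitor should make (does the sender MAC inside ARP match the Ethernet source, and is the packet gratuitous, i.e. sender IP equals target IP). The MAC and IP addresses in the usage are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

ETH_P_IP = 0x0800      # Ethernet type: IP datagram
ETH_P_ARP = 0x0806     # Ethernet type: ARP request/reply
ETH_P_RARP = 0x8035    # Ethernet type: RARP request/reply
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_OPS = {1: "request", 2: "reply", 3: "rarp-request", 4: "rarp-reply"}


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an Ethernet frame carrying an ARP packet. Requests go to the broadcast MAC."""
    eth_dst = BROADCAST if op == 1 else tha
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    # hardware type 1 (Ethernet), protocol type 0x0800 (IP), hlen 6, plen 4, operation
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, op)
    arp += mac_to_bytes(sha) + IPv4Address(spa).packed   # sender hardware / protocol address
    arp += mac_to_bytes(tha) + IPv4Address(tpa).packed   # target hardware / protocol address
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame and apply the sanity checks a receiver should make."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame: Ethernet type 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETH_P_IP, 6, 4):
        raise ValueError("unsupported hardware/protocol type or address lengths")
    if op not in ARP_OPS:
        raise ValueError(f"unknown ARP operation {op}")
    body = frame[22:42]
    pkt = {
        "eth_dst": bytes_to_mac(eth_dst),
        "eth_src": bytes_to_mac(eth_src),
        "op": ARP_OPS[op],
        "sha": bytes_to_mac(body[0:6]),
        "spa": str(IPv4Address(body[6:10])),
        "tha": bytes_to_mac(body[10:16]),
        "tpa": str(IPv4Address(body[16:20])),
    }
    # Worth logging on a monitor: the sender MAC inside ARP should match the Ethernet
    # source, and sender IP == target IP marks a gratuitous ARP.
    pkt["sender_matches_frame"] = pkt["sha"] == pkt["eth_src"]
    pkt["gratuitous"] = pkt["spa"] == pkt["tpa"]
    return pkt


if __name__ == "__main__":
    # constructed sample: host 192.168.1.10 asks for the MAC of its gateway 192.168.1.1
    request = build_arp(1, "00:11:22:33:44:55", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1")
    print(len(request), "bytes:", parse_arp(request))
```

A request is 42 bytes (14 bytes Ethernet plus 28 bytes ARP); on the wire it is padded to the 60-byte Ethernet minimum, which the parser tolerates because it only reads the first 42 bytes.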

Page 19: ARP Cache (1)

- Avoids an ARP request for every IP datagram.
- Entry lifetime defaults to 20 minutes; an entry is deleted if not used in this time.
- 3 minutes for "incomplete" cache entries (i.e. ARP requests to a non-existent host).
- These timeouts may be changed in some implementations, e.g. on particularly stable (or dynamic) networks.
- arp -a displays all cache entries (arp -d deletes them).

Page 20: ARP Cache (2)

The ARP cache of each node needs to be updated periodically by sending ARP requests. ARP requests carry the requester's IP/MAC pair. ARP requests are broadcast, thus they MUST be read by everyone. Therefore every computer gets to update its cache with the requester's pair for free.

Page 21: Proxy ARP (1)

Proxy ARP is the technique in which one host, usually a router, answers ARP requests intended for another machine.

By "faking" its identity, the router accepts responsibility for routing packets to the "real" destination.

Page 22: Proxy ARP (2)

Proxy ARP can help machines on a subnet reach remote subnets without the need to configure routing or a default gateway.

Proxy ARP is defined in RFC 1027.

Page 23: Gratuitous ARP (1)

An ARP request issued by an IP address and addressed to the same IP address. Clearly nobody other than ME can answer, so WHY ask the network which MAC address I have?

Page 24: Gratuitous ARP (2)

Two main reasons:
- Determine if another host is configured with the same IP address. In this case a response occurs, and the MAC address of the duplicated IP address becomes known.
- Use gratuitous ARP when the hardware address has just changed: all other hosts update their cache entries!

A problem is that, despite being specified in the RFC, not all ARP cache implementations operate as described.
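Pages 19, 20, 23 and 24 together describe the host-side cache behaviour: 20-minute lifetime for complete entries, 3 minutes for incomplete ones, unconditional learning of the sender pair from every broadcast request, and the gratuitous ARP conflict check. The Python model below is an added example for this lecture, not code from it; it simulates that behaviour with an explicit clock (seconds) and, from the defender's side, reports two events: a "conflict" when another node claims our own IP (the RFC 5227 case on page 24) and a "changed" event when an existing mapping flips to a new MAC, which is the signal an ARP monitor alerts on. The addresses in the usage are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_LIFETIME = 20 * 60     # seconds: complete entries are purged after 20 minutes unused
INCOMPLETE_LIFETIME = 3 * 60   # seconds: unanswered requests are purged after 3 minutes


@dataclass
class Entry:
    mac: Optional[str]   # None while the entry is "incomplete" (request sent, no reply yet)
    expires: float       # absolute time at which the entry is purged


class ArpCache:
    """Host-side ARP cache model: RFC 826 learning plus RFC 5227 conflict detection."""

    def __init__(self, own_ip: str, own_mac: str):
        self.own_ip, self.own_mac = own_ip, own_mac
        self.table = {}   # ip -> Entry

    def _expire(self, now: float) -> None:
        for ip in [ip for ip, e in self.table.items() if e.expires <= now]:
            del self.table[ip]

    def lookup(self, ip: str, now: float) -> Optional[str]:
        self._expire(now)
        entry = self.table.get(ip)
        return entry.mac if entry else None

    def send_request(self, target_ip: str, now: float) -> dict:
        """Start resolving target_ip: park an incomplete entry and return the broadcast request."""
        self._expire(now)
        self.table[target_ip] = Entry(None, now + INCOMPLETE_LIFETIME)
        return {"op": "request", "sha": self.own_mac, "spa": self.own_ip,
                "tha": "00:00:00:00:00:00", "tpa": target_ip}

    def gratuitous_probe(self) -> dict:
        """Ask the network for our own address: only a conflicting host would answer."""
        return {"op": "request", "sha": self.own_mac, "spa": self.own_ip,
                "tha": "00:00:00:00:00:00", "tpa": self.own_ip}

    def _reply_to(self, pkt: dict) -> dict:
        return {"op": "reply", "sha": self.own_mac, "spa": self.own_ip,
                "tha": pkt["sha"], "tpa": pkt["spa"]}

    def receive(self, pkt: dict, now: float) -> list:
        """Process one ARP packet seen on the wire; return the events it caused."""
        self._expire(now)
        events = []
        if pkt["spa"] == self.own_ip and pkt["sha"] != self.own_mac:
            # Someone else claims our IP: never learn it, but answer a request so the
            # prober learns the MAC of the duplicated address (page 24, first reason).
            events.append(("conflict", pkt["sha"]))
            if pkt["op"] == "request":
                events.append(("reply", self._reply_to(pkt)))
            return events
        # Every request and reply carries the sender's pair and a classic cache learns
        # it unconditionally (page 20). A mapping that flips to a different MAC is what
        # an ARP-poisoning monitor alerts on, so it is reported as an event.
        old = self.table.get(pkt["spa"])
        self.table[pkt["spa"]] = Entry(pkt["sha"], now + DEFAULT_LIFETIME)
        if old is not None and old.mac not in (None, pkt["sha"]):
            events.append(("changed", (pkt["spa"], old.mac, pkt["sha"])))
        if pkt["op"] == "request" and pkt["tpa"] == self.own_ip:
            events.append(("reply", self._reply_to(pkt)))
        return events


if __name__ == "__main__":
    # constructed sample: our host resolves its gateway, then sees a gratuitous announcement
    cache = ArpCache("10.0.0.5", "aa:aa:aa:aa:aa:05")
    print(cache.send_request("10.0.0.1", now=0))
    cache.receive({"op": "reply", "sha": "aa:aa:aa:aa:aa:01", "spa": "10.0.0.1",
                   "tha": "aa:aa:aa:aa:aa:05", "tpa": "10.0.0.5"}, now=1)
    print(cache.lookup("10.0.0.1", now=1), cache.lookup("10.0.0.1", now=1 + 20 * 60))
```

The "changed" event is the interesting one for detection: because the cache accepts any sender pair, a legitimate MAC change and a forged one look identical to the host, so the decision to alert has to come from a monitor that keeps its own history or, on the switch, from the binding checks described under Dynamic ARP Inspection.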

Page 25: Problems with ARP (1)

Performance: ARP operations are basically based on broadcast frames. Alleviated by LAN segmentation.

Security: ARP poisoning.

Page 26: Problems with ARP (2)

Page 27: Problems with ARP (3)

Page 28: Problems with ARP (4)

Page 29: Countermeasure on ARP poisoning (1)

- Dynamic ARP Inspection, based on information from DHCP snooping
- Others?

Page 30: Countermeasure on ARP poisoning (2)

DHCP Snooping Binding Database

The DHCP snooping binding database is also referred to as the DHCP snooping binding table. The DHCP snooping feature dynamically builds and maintains the database using information extracted from intercepted DHCP messages.

The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled.

The database does not contain entries for hosts connected through trusted interfaces.

Page 31: Countermeasure on ARP poisoning (3)

The DHCP snooping feature updates the database when the switch receives specific DHCP messages. For example, the feature adds an entry to the database when the switch receives a DHCPACK message from the server.

The feature removes the entry from the database when the IP address lease expires or the switch receives a DHCPRELEASE message from the host.

Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.

Page 32: Countermeasure on ARP poisoning (4)

Dynamic ARP Inspection (DAI)

DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. DAI ensures that only valid ARP requests and responses are relayed. The switch performs these activities:
- Intercepts all ARP requests and responses on untrusted ports
- Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
- Drops invalid ARP packets

Page 33: Countermeasure on ARP poisoning (5)

DAI Rate Limiting of ARP Packets (1)

Because the switch performs the DAI validation checks, incoming ARP packets are rate limited to prevent a denial-of-service attack.

By default, the rate for untrusted interfaces is 15 packets per second (pps). Trusted interfaces are not rate limited. You can change this setting by using the ip arp inspection limit interface configuration command.

Page 34: Countermeasure on ARP poisoning (6)

DAI Rate Limiting of ARP Packets (2)

When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the error-disabled state. The port remains in that state until you intervene. You can use the errdisable recovery global configuration command to enable error-disable recovery so that ports automatically emerge from this state after a specified timeout period.
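Pages 30 to 34 describe one pipeline: DHCP snooping builds a binding table from DHCPACK/DHCPRELEASE (skipping hosts on trusted ports and expiring leases), and DAI checks the sender IP/MAC of every ARP packet on untrusted ports against it, forwarding trusted ports unchecked, dropping and logging mismatches, and err-disabling a port that exceeds 15 pps unless errdisable recovery brings it back. The Python below is an added simulation of that logic written for this page; it is not Cisco code and makes two simplifications that are assumptions: the rate limit is a one-second sliding window, and the binding check compares VLAN, IP and MAC only. Interface names, addresses and lease times in the usage are constructed sample values.

```python
from collections import deque


class DhcpSnoopingTable:
    """DHCP snooping binding database: one entry per leased IP on an untrusted port."""

    def __init__(self, trusted_ifaces):
        self.trusted = set(trusted_ifaces)
        self.bindings = {}   # (vlan, ip) -> {"mac", "iface", "lease_end"}

    def on_dhcp(self, msg: dict, now: float) -> None:
        """Update the table from an intercepted DHCPACK (add) or DHCPRELEASE (remove)."""
        key = (msg["vlan"], msg["ip"])
        if msg["type"] == "DHCPACK":
            if msg["iface"] in self.trusted:
                return   # hosts behind trusted interfaces are not recorded
            self.bindings[key] = {"mac": msg["mac"], "iface": msg["iface"],
                                  "lease_end": now + msg["lease"]}
        elif msg["type"] == "DHCPRELEASE":
            self.bindings.pop(key, None)

    def lookup(self, vlan: int, ip: str, now: float):
        binding = self.bindings.get((vlan, ip))
        if binding is not None and binding["lease_end"] <= now:
            del self.bindings[(vlan, ip)]   # lease expired: entry removed
            return None
        return binding


class DynamicArpInspection:
    """DAI: validate ARP sender bindings on untrusted ports and rate limit them."""

    def __init__(self, table, trusted_ifaces, limit_pps=15, recovery_timeout=None):
        self.table = table
        self.trusted = set(trusted_ifaces)
        self.limit = limit_pps                 # default untrusted-port limit: 15 pps
        self.recovery = recovery_timeout       # None = stay err-disabled until an operator acts
        self.windows = {}                      # iface -> arrival times within the last second
        self.errdisabled = {}                  # iface -> time it was shut down
        self.log = []

    def inspect(self, iface: str, vlan: int, arp: dict, now: float) -> str:
        """Return 'forwarded', 'dropped' or 'errdisabled' for one ARP packet on iface."""
        if iface in self.trusted:
            return "forwarded"                 # trusted ports: no validation, no rate limit
        if iface in self.errdisabled:
            if self.recovery is not None and now >= self.errdisabled[iface] + self.recovery:
                del self.errdisabled[iface]    # errdisable recovery timer expired
                self.windows.pop(iface, None)
            else:
                return "errdisabled"
        window = self.windows.setdefault(iface, deque())
        window.append(now)
        while window[0] <= now - 1.0:
            window.popleft()
        if len(window) > self.limit:
            self.errdisabled[iface] = now
            self.log.append(f"{iface}: ARP rate exceeded {self.limit} pps, port err-disabled")
            return "errdisabled"
        binding = self.table.lookup(vlan, arp["spa"], now)
        if binding is None or binding["mac"] != arp["sha"]:
            self.log.append(f"{iface}: invalid binding {arp['spa']} -> {arp['sha']}, dropped")
            return "dropped"
        return "forwarded"


if __name__ == "__main__":
    # constructed sample: one lease on Gi0/2, uplink Gi0/24 trusted, forged sender dropped
    table = DhcpSnoopingTable(trusted_ifaces={"Gi0/24"})
    table.on_dhcp({"type": "DHCPACK", "vlan": 10, "ip": "10.0.10.20", "mac": "aa:aa:aa:aa:aa:20",
                   "iface": "Gi0/2", "lease": 3600}, now=0)
    dai = DynamicArpInspection(table, trusted_ifaces={"Gi0/24"}, recovery_timeout=300)
    print(dai.inspect("Gi0/2", 10, {"sha": "aa:aa:aa:aa:aa:20", "spa": "10.0.10.20"}, 1.0))
    print(dai.inspect("Gi0/2", 10, {"sha": "de:ad:be:ef:00:01", "spa": "10.0.10.20"}, 1.1))
    print(dai.log)
```

Two consequences follow directly from the model and matter in a real deployment: a statically addressed host on an untrusted port has no binding and will have all its ARP traffic dropped (on a Cisco switch that is what ARP ACLs are for), and a port whose limit is reached stays err-disabled forever unless errdisable recovery is configured, which is itself a denial-of-service vector against that port.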

Page 35: Countermeasure on ARP poisoning (7)

ARP Authentication (Pongsure/Woraphon)

Page 36: VLAN (1)

A VLAN is a logically separate IP subnetwork. VLANs allow multiple IP networks and subnets to exist on the same switched network. For computers to communicate on the same VLAN, each must have an IP address and a subnet mask that is consistent for that VLAN.

The switch has to be configured with the VLAN and each port in the VLAN must be assigned to the VLAN.

Page 37: VLAN (2)

A switch port with a singular VLAN configured on it is called an access port.

Remember, just because two computers are physically connected to the same switch does not mean that they can communicate.

Devices on two separate networks and subnets must communicate via a router (Layer 3), whether or not VLANs are used.

Page 38: VLAN (3)

Page 39: Type of VLAN

- Data VLAN
- Default VLAN
- Native VLAN
- Management VLAN
- Voice VLAN

Page 40: Types of VLANs - Data VLAN (1)

Data VLAN - a VLAN that is configured to carry only user-generated traffic.

It is common practice to separate voice and management traffic from data traffic.

A data VLAN is sometimes referred to as a user VLAN.

Page 41: Types of VLANs - Data VLAN (2)

Data VLAN

Page 42: Types of VLANs - Default VLAN (1)

All switch ports become a member of the default VLAN after the initial boot-up of the switch. Having all the switch ports participate in the default VLAN makes them all part of the same broadcast domain.

This allows any device connected to any switch port to communicate with other devices on other switch ports.

The default VLAN for Cisco switches is VLAN 1. VLAN 1 has all the features of any VLAN, except that you cannot rename it and you cannot delete it.

Page 43: Types of VLANs - Default VLAN (2)

Layer 2 control traffic, such as CDP and spanning tree protocol traffic, will always be associated with VLAN 1 - this cannot be changed.

In the figure, VLAN 1 traffic is forwarded over the VLAN trunks connecting the S1, S2, and S3 switches.

It is a security best practice to change the default VLAN to a VLAN other than VLAN 1; this entails configuring all the ports on the switch to be associated with a default VLAN other than VLAN 1.

Page 44: Types of VLANs - Default VLAN (3)

Default VLAN

Page 45: Types of VLANs - Native VLAN (1)

A native VLAN is assigned to an 802.1Q trunk port.

An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic).

The 802.1Q trunk port places untagged traffic on the native VLAN.

In the figure, the native VLAN is VLAN 99. Untagged traffic is generated by a computer attached to a switch port that is configured with the native VLAN.

Page 46: Types of VLANs - Native VLAN (2)

Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic common to legacy LAN scenarios.

For our purposes, a native VLAN serves as a common identifier on opposing ends of a trunk link.

It is a best practice to use a VLAN other than VLAN 1 as the native VLAN.

Page 47: Types of VLANs - Native VLAN (3)

Page 48: Types of VLANs - Management VLAN (1)

A management VLAN is any VLAN you configure to access the management capabilities of a switch.

VLAN 1 would serve as the management VLAN if you did not proactively define a unique VLAN to serve as the management VLAN.

You assign the management VLAN an IP address and subnet mask. A switch can be managed via HTTP, Telnet, SSH, or SNMP. Since VLAN 1 is normally used as the default VLAN, VLAN 1 would be a bad choice as the management VLAN; you wouldn't want an arbitrary user connecting to a switch to default to the management VLAN.

Page 49: Types of VLANs - Management VLAN (2)

Page 50: Types of VLANs - Voice VLAN (1)

It is easy to appreciate why a separate VLAN is needed to support Voice over IP (VoIP).

VoIP traffic requires:
- Assured bandwidth to ensure voice quality
- Transmission priority over other types of network traffic
- Ability to be routed around congested areas on the network
- Delay of less than 150 milliseconds (ms) across the network

Page 51: Types of VLANs - Voice VLAN (2)

Page 52: Types of VLANs - Voice VLAN (3)

A Cisco Phone is a Switch

The Cisco IP Phone contains an integrated three-port 10/100 switch as shown in the Figure. The ports provide dedicated connections to these devices:

Port 1 connects to the switch or other voice-over-IP (VoIP) device.

Port 2 is an internal 10/100 interface that carries the IP phone traffic.

Port 3 (access port) connects to a PC or other device.

Page 53: Types of VLANs - Voice VLAN (4)

Page 54: Types of VLANs - Voice VLAN (5)

Page 55: VLAN Trunk (1)

A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device, such as a router or a switch.

Ethernet trunks carry the traffic of multiple VLANs over a single link.

A VLAN trunk allows you to extend the VLANs across an entire network.

Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet and Gigabit Ethernet interfaces.

Page 56: VLAN Trunk (2)

Page 57: VLAN Trunk (3)

Without VLAN trunking

Page 58: VLAN Trunk (4)

With VLAN trunks

Page 59: VLAN Trunk - 802.1Q Frame tagging (1)

The VLAN tag field consists of an EtherType field, a tag control information field, and the FCS field.

EtherType field: set to the hexadecimal value 0x8100. This value is called the tag protocol ID (TPID) value. With the EtherType field set to the TPID value, the switch receiving the frame knows to look for information in the tag control information field.

Page 60: VLAN Trunk - 802.1Q Frame tagging (2)

Tag control information field:
- 3 bits of user priority: used by the 802.1p standard, which specifies how to provide expedited transmission of Layer 2 frames.
- 1 bit of Canonical Format Identifier (CFI): enables Token Ring frames to be carried across Ethernet links easily.
- 12 bits of VLAN ID (VID): VLAN identification numbers; supports up to 4096 VLAN IDs.

FCS field: after the switch inserts the EtherType and tag control information fields, it recalculates the FCS value and inserts it into the frame.

Page 61: VLAN Trunk - 802.1Q Frame tagging (3)

Page 62: VLAN Hopping (1)

VLAN hopping describes when an attacker connects to a VLAN to gain access to traffic on other VLANs that would normally not be accessible.

There are two VLAN hopping exploit methods:
- Switch spoofing
- Double tagging

Page 63: VLAN Hopping (2)

Switch Spoofing

Switch spoofing can occur when the switch port an attacker connects to is either in trunking mode or in DTP auto-negotiation mode, both allowing devices that use 802.1Q encapsulation to tag traffic with different VLAN identifiers.

An attacker adds 802.1Q encapsulation headers with VLAN tags for remote VLANs to its outgoing frames.

The receiving switch interprets those frames as sourced from another 802.1Q switch (only switches usually use 802.1Q encapsulation, after all), and forwards the frames into the appropriate VLAN.

Page 64: VLAN Hopping (3)

In a basic switch spoofing attack, the attacker takes advantage of the fact that the default configuration of the switch port is dynamic auto.

Page 65: VLAN Hopping (4)

Double Tagging

This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame.

This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify. An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunk ports are disabled, because a host typically sends a frame on a segment that is not a trunk link.

Page 66: VLAN Hopping (5)

VLAN Double Tagging
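The tag layout of pages 59 and 60 (TPID 0x8100, then 3 bits priority, 1 bit CFI, 12 bits VID) and the double-tagging problem of page 65 can be checked with one parser. The Python below is an added example written for this page, not code from the lecture: it walks every 802.1Q tag in a frame and then classifies the frame as a hardened switch or a monitoring tap would, flagging any tag on an access port and a nested tag whose outer VID equals the trunk's native VLAN, which is the frame shape the double-tagging attack depends on. The verdict names and the MAC addresses in the usage are constructed for this example.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces a tag control information field


def build_tagged(dst: str, src: str, vids, ethertype=0x0800, payload=b"", pcp=0) -> bytes:
    """Build an Ethernet frame with zero or more 802.1Q tags (outermost VID first)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        tci = (pcp << 13) | (vid & 0x0FFF)   # priority (3) | CFI (1, left 0) | VID (12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return the full tag stack and the payload EtherType; raise on truncated input."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame while reading EtherType")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype != TPID_8021Q:
            break                     # not a tag: this is the payload EtherType
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append({"pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4                   # keep walking: most switches stop after one level
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tags": tags, "ethertype": ethertype, "payload": frame[offset + 2:]}


def classify(frame: bytes, port_kind: str, native_vid: int) -> str:
    """Ingress verdict for a frame on an 'access' or 'trunk' port with the given native VLAN."""
    tags = parse_frame(frame)["tags"]
    if port_kind == "access":
        return "untagged" if not tags else "tagged-on-access"   # hosts should never send tags
    if not tags:
        return "untagged"             # the trunk places this on the native VLAN
    if len(tags) >= 2:
        # Outer tag equal to the native VLAN is stripped by a one-level switch, exposing
        # the inner tag: this is the signature of the double-tagging attack.
        return "double-tagged-native" if tags[0]["vid"] == native_vid else "double-tagged"
    return "tagged"


if __name__ == "__main__":
    # constructed sample: outer tag VLAN 1, inner tag VLAN 20, seen on a trunk whose native VLAN is 1
    nested = build_tagged("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [1, 20], payload=b"\x45\x00")
    print(parse_frame(nested)["tags"])
    print(classify(nested, "trunk", native_vid=1), classify(nested, "trunk", native_vid=99))
```

The second print shows why the countermeasures on the following pages work: once the native VLAN on the trunk is moved to an unused ID (or native traffic is tagged), a frame whose outer tag is VLAN 1 is no longer stripped to its inner tag, and the same frame is classified as an ordinary nested tag instead of a native-VLAN hop.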

Page 67: Mitigate VLAN Hopping (1)

Switch Spoofing

The two preventive measures against switch spoofing attacks are [1] to set edge ports to static access mode and [2] to disable DTP auto-negotiation on all ports.

The switchport mode access command forces the port to act as an access port, disabling any chance that it could become a trunk port and send traffic for multiple VLANs.

Manually disabling Dynamic Trunking Protocol (DTP) on all ports prevents access ports configured as dynamic from forming a trunk relationship with a potential attacker.

Switch Spoofing:
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport nonegotiate

Page 68: Mitigate VLAN Hopping (2)

The key feature of a double tagging attack is exploiting the native VLAN.

Since VLAN 1 is the default VLAN for access ports and the default native VLAN on trunks, it's an easy target.

The first countermeasure is to remove access ports from the default VLAN 1, since the attacker's port must match the switch's native VLAN.
    Switch(config-if)# switchport access vlan 10
    Switch(config-if)# description access_port

Page 69: Mitigate VLAN Hopping (3)

The second countermeasure is to assign the native VLAN on all switch trunks to an unused VLAN.
    Switch(config-if)# switchport trunk native vlan 99

Or tag the native VLAN over all trunks, disabling all untagged traffic over the interface.
    Switch(config-if)# switchport trunk native vlan tag