Paul Coggin @PaulCoggin - TacticalEdge - Hallowed Be Thy Packets · 2016. 10. 30. (slide deck transcript)
Hallowed Be Thy Packets
Tactical Edge
Paul Coggin @PaulCoggin
OSI and TCP/IP Model
OSI Model: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical
TCP/IP Model: Application, Transport, Internet, Network Interface
Frame Header (Own the Network)
Cisco Discovery Protocol (CDP)
- Great tool for mapping out a network during an audit
- Be sure to disable on connections to external networks such as WAN, MetroE
- VoIP phones use CDP (how to secure info leakage on VoIP net??)
Cisco Discovery Protocol (CDP) – Great for Recon!
Multicast Overview
Diagram: Multicast Source 1 and Multicast Source 2 feed a PIM multicast routing domain; Receivers (Member 1, Member 1, Member 2) each send an IGMP Report to join the multicast group.
- Multicast uses UDP
- One-way traffic stream, "Fire and Forget"
- Video
- Many other apps
- Multicast Routing: PIM, Reverse Path Forwarding (RPF)
- Routers send periodic queries
- Host per VLAN per group reports
- Host may send leave messages
- IPv4: IGMP
- IPv6: MLD
Multicast - IGMP
Multicast Routing - PIM
Attacking Multicast
Diagram: Multicast Source 1 and Multicast Source 2, PIM multicast routing, Receivers.
Craft Router PIM Packets
- SCAPY
- Colasoft Packet Builder
- Possible to use GNS3 or Quagga etc. to add a PIM router
Local VLAN Segment
- Hello packets
- Join/Prune packets
- Assert
Unicast PIM Packets
- Register
- Register-Stop
- C-RP-Advertisement
Craft IGMP/MLD
- SCAPY
- Colasoft Packet Builder
- IGMP Leaves
- IGMP Queries
- Spoof IGMP Source
Securing Multicast
Diagram: Multicast Source 1 and Multicast Source 2, PIM multicast routing, Receivers.
- Control Plane Policing (CoPP)
- Modular Quality of Service
- PIM Neighbor Filter (ACL may be defeated by spoofing. L2 spoof protection needed.)
- RP Announce Filter
- Multicast Boundary Filter
- L3 Switch Aggregation
- Multicast Storm Control on switches
- L2 port security
Secure Multicast Control Protocol Trust Relationships
Spanning Tree Protocol – Attack
Diagram: a host sends a BPDU with priority 0 to take over as Root; Root Bridge MITM, DoS (Yersinia).
Implement Root Guard, BPDU Guard, Syslog, SNMPv3 Alerts
VLAN Hopping – Dynamic Trunking Protocol
• Dynamic Trunking Protocol (DTP) modes: Auto, On, Off, Desirable, Non-negotiate
• IP Phones, Wireless Access Points
• All VLANs are trunked by default
• Native VLAN (untagged); default Native VLAN 1 and required by DTP
• Yersinia or other packet crafting tools
• Disable trunking on interfaces where not in use
• Specify VLANs to be allowed on trunk interfaces
• Do not use Native VLAN 1
Diagram: VLANs 40, 50 and 60 on two switches joined by a DTP trunk; the attacker spoofs DTP to look like a switch (Yersinia).
VLAN Hopping – Double VLAN Tag
• No two-way communication. Frames sent to target with no response to sender.
• Craft frames with double encapsulated 802.1Q tags
• VLAN trunking is not required in this scenario
• Disable AUTO/DYNAMIC NEGOTIATION!
• Don't use native VLAN 1. Use tagged mode for native VLAN x on trunks
• Disable interfaces not in use
Diagram: the attacker in VLAN 10 sends double-tagged frames (Yersinia: VLAN 10 outer tag, VLAN 40 inner tag); the switch strips off the first VLAN ID and the frame crosses the trunk tagged VLAN 40, reaching the target in VLAN 40 (VLANs 40, 50, 60 on the far switch).
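The double-tag signature on the slide (outer tag equal to the native VLAN, inner tag for the victim VLAN) is easy to check for in a capture taken at an access port, where hosts are expected to send untagged frames. The following is an added example, not code from the deck: a small 802.1Q tag walker and an access-port audit over constructed sample frames; port name, MAC addresses and the native VLAN 10 are assumptions taken from the diagram.

```python
import struct

ETH_P_8021Q = 0x8100   # customer VLAN tag (C-TAG)
ETH_P_8021AD = 0x88A8  # service VLAN tag (S-TAG, QinQ)
ETH_P_IPV4 = 0x0800


def parse_vlan_tags(frame: bytes):
    """Walk the Ethernet header and collect every stacked VLAN tag.

    Returns (tags, ethertype, payload_offset); tags is a list of
    (tpid, vlan_id, pcp) tuples in outer-to-inner order.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tags = []
    offset = 12  # TPID/ethertype position after dst + src MAC
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((ethertype, tci & 0x0FFF, tci >> 13))
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return tags, ethertype, offset + 2


def build_frame(dst: bytes, src: bytes, vlans, ethertype: int, payload: bytes) -> bytes:
    """Constructed sample frame: two MACs, zero or more 802.1Q tags, ethertype, payload."""
    header = dst + src
    for vid in vlans:
        header += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def audit_access_port_frame(frame: bytes, port: str, native_vlan: int):
    """Findings for a frame captured ingress on an access (non-trunk) port.

    Hosts on an access port should send untagged frames; a stacked pair of
    tags whose outer tag equals the trunk's native VLAN is the hopping
    signature from the slide.
    """
    tags, _, _ = parse_vlan_tags(frame)
    findings = []
    if tags:
        findings.append(f"{port}: tagged frame on access port, VLAN ids {[vid for _, vid, _ in tags]}")
    if len(tags) >= 2:
        outer, inner = tags[0][1], tags[1][1]
        findings.append(f"{port}: double-tagged frame, outer VLAN {outer}, inner VLAN {inner}")
        if outer == native_vlan:
            findings.append(
                f"{port}: outer tag is the native VLAN {native_vlan}; a trunk strips it "
                f"and forwards the frame into VLAN {inner}"
            )
    return findings


# Constructed samples (assumed values): attacker port in VLAN 10, native VLAN 10 on
# the trunk, target in VLAN 40, as on the slide diagram.
ATTACKER_MAC = bytes.fromhex("0242ac110002")
TARGET_MAC = bytes.fromhex("0242ac110028")
DOUBLE_TAGGED = build_frame(TARGET_MAC, ATTACKER_MAC, [10, 40], ETH_P_IPV4, b"\x45" + b"\x00" * 19)
UNTAGGED = build_frame(TARGET_MAC, ATTACKER_MAC, [], ETH_P_IPV4, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    for name, frame in (("double-tagged", DOUBLE_TAGGED), ("untagged", UNTAGGED)):
        print(name, audit_access_port_frame(frame, "Gi1/0/5", native_vlan=10) or ["clean"])
```

The same walker reports QinQ (0x88A8) stacks, so it can also confirm that a trunk really carries the native VLAN tagged after "vlan dot1q tag native" is applied: every frame should then show at least one tag.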
VLAN Trunking Protocol (VTP)
Diagram: a VTP Server connected over 802.1Q trunks to a Transparent switch (VTP DB rev 0) and to VTP Clients.
• VLANs are added/removed on VTP Server
• VLAN modifications propagated to VTP Clients
• Common VTP Domain name and password
• Same Native VLAN on Trunk
• Sync to latest changes
VLAN Trunking Protocol (VTP) - Security
Diagram: same topology (VTP Server, Transparent switch with VTP DB rev 0, VTP Clients over 802.1Q trunks); a switch with a higher revision of the VTP DB is added.
• Existing network running default VTP settings
• Switches sync to higher rev VTP DB resulting in VLAN config being lost!!
• Everyone has a current VLAN.DAT backup right??
• Configure a password for VTP Domain (NOT Cisco….SanFran….)
• Delete VLAN.DAT before connecting a new switch
• Change the native VLAN to something other than 1
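The failure described on this slide has a clear wire signature: a VTP summary advertisement for the production domain whose configuration revision is higher than anything seen before, sent by an updater the monitor has never seen. The following is an added example, not from the deck: a parser for the fixed part of a VTP summary advertisement and a per-domain revision monitor run over constructed advertisements (domain name, updater addresses and MACs are assumed values).

```python
import struct

VTP_CODE_SUMMARY = 0x01   # summary advertisement; subset (0x02) and request (0x03) are not handled here


def parse_vtp_summary(payload: bytes) -> dict:
    """Decode a VTP summary advertisement (the 72-byte fixed part that carries the config revision)."""
    if len(payload) < 72:
        raise ValueError("VTP summary advertisement is at least 72 bytes")
    version, code, followers, domain_len = struct.unpack_from("!4B", payload, 0)
    if code != VTP_CODE_SUMMARY:
        raise ValueError(f"VTP code {code} is not a summary advertisement")
    domain = payload[4:4 + min(domain_len, 32)].decode("ascii", "replace")
    (revision,) = struct.unpack_from("!I", payload, 36)
    updater = ".".join(str(b) for b in payload[40:44])
    return {"version": version, "followers": followers, "domain": domain,
            "revision": revision, "updater": updater, "md5": payload[56:72]}


def build_vtp_summary(domain: str, revision: int, updater: str, version: int = 2) -> bytes:
    """Constructed sample advertisement; update timestamp and MD5 digest are zeroed."""
    name = domain.encode("ascii")
    return (struct.pack("!4B", version, VTP_CODE_SUMMARY, 0, len(name)) + name.ljust(32, b"\x00")
            + struct.pack("!I", revision) + bytes(int(o) for o in updater.split("."))
            + b"\x00" * 12 + b"\x00" * 16)


class VtpRevisionMonitor:
    """Remember the highest revision and its updater per domain; alert when a different updater
    announces a higher revision, which is exactly what makes clients overwrite their VLAN database."""

    def __init__(self, expected_domains):
        self.expected_domains = set(expected_domains)
        self.highest = {}   # domain -> (revision, updater)

    def observe(self, src_mac: str, payload: bytes):
        adv = parse_vtp_summary(payload)
        findings = []
        if adv["domain"] not in self.expected_domains:
            findings.append(f"{src_mac}: advertisement for unexpected VTP domain '{adv['domain']}'")
        prev = self.highest.get(adv["domain"])
        if prev is not None and adv["revision"] > prev[0] and adv["updater"] != prev[1]:
            findings.append(
                f"{src_mac}: domain {adv['domain']} revision jumped {prev[0]} -> {adv['revision']} "
                f"from new updater {adv['updater']} (was {prev[1]}); clients will replace their VLAN database"
            )
        if prev is None or adv["revision"] > prev[0]:
            self.highest[adv["domain"]] = (adv["revision"], adv["updater"])
        return findings


# Constructed traffic (assumed values): the production server at 10.0.0.1 has been at
# revision 17 for months; a lab switch holding the same domain at revision 250 is plugged in.
SAMPLE_ADVERTS = [
    ("0000.0c01.0001", build_vtp_summary("CORP", 17, "10.0.0.1")),
    ("0000.0c01.0001", build_vtp_summary("CORP", 17, "10.0.0.1")),
    ("0000.0c99.0099", build_vtp_summary("CORP", 250, "10.0.0.99")),
]


def run_monitor(adverts=SAMPLE_ADVERTS):
    monitor = VtpRevisionMonitor({"CORP"})
    return [f for mac, payload in adverts for f in monitor.observe(mac, payload)]


if __name__ == "__main__":
    for finding in run_monitor():
        print(finding)
```

The alert fires before the clients have finished syncing, which is the window in which the VLAN.DAT backup the slide asks about is still the quickest recovery path.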
Broadcast Storms
Diagram: a broadcast storm propagated across VLAN 20, caused by a Rogue Insider, a Misconfigured Application or a Failed NIC.
Traffic Storm Control limits unicast, multicast and broadcast traffic to a % of port BW
• Not enabled on interfaces by default (add to template configuration for port security)
• Traffic that exceeds the configured threshold will be dropped
• Violations can be configured to shut down the port or send an SNMP trap (recommend v3)
First Hop Redundancy Protocols
Protocol hacking tools: GNS3, SCAPY, Colasoft Packet Builder, many others… (remember to enable IP forwarding)
Gateway Load Balancing Protocol (GLBP), Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP)
Diagram: Active router 192.168.1.1, Backup router 192.168.1.2, Virtual router 192.168.1.3, Rogue Insider at 192.168.1.50
- Multicast protocol
- Priority elects role
- MD5, clear, no authentication
VRRP – No Authentication
VRRP – Clear Text Authentication
HSRP MITM – Packet Analysis
HSRP Password Clear Text
FHRP – Crafted HSRP Packets
Diagram: a Rogue Insider sends a crafted HSRP coup packet with higher priority to the Routers.
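Both the clear-text password from the packet-analysis slide and the high-priority coup on this slide are visible in the 20-byte HSRPv1 message itself (UDP 1985 to 224.0.0.2). The following is an added example, not from the deck: an HSRPv1 decoder and a small audit that flags the default "cisco" authentication string, HSRP from hosts that are not known routers, and coup messages. The addresses come from the slide diagram; the group number, timers and packet contents are constructed.

```python
import struct

HSRP_UDP_PORT = 1985
HSRP_OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
HSRP_STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
HSRP_DEFAULT_AUTH = b"cisco"


def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode an HSRPv1 message (RFC 2281): version, opcode, state, hellotime, holdtime,
    priority, group, reserved, 8-byte clear-text auth field, virtual IP."""
    if len(payload) < 20:
        raise ValueError("HSRPv1 messages are 20 bytes")
    version, opcode, state, hello, hold, priority, group, _ = struct.unpack_from("!8B", payload, 0)
    if version != 0:
        raise ValueError("not HSRP version 1")
    return {
        "opcode": HSRP_OPCODES.get(opcode, f"unknown({opcode})"),
        "state": HSRP_STATES.get(state, f"unknown({state})"),
        "hellotime": hello, "holdtime": hold,
        "priority": priority, "group": group,
        "auth": payload[8:16].rstrip(b"\x00"),   # readable by anyone on the segment
        "virtual_ip": ".".join(str(b) for b in payload[16:20]),
    }


def build_hsrp_v1(opcode: int, state: int, priority: int, group: int, auth: bytes, virtual_ip: str) -> bytes:
    """Constructed sample message (hellotime 3 s, holdtime 10 s)."""
    vip = bytes(int(o) for o in virtual_ip.split("."))
    return struct.pack("!8B", 0, opcode, state, 3, 10, priority, group, 0) + auth[:8].ljust(8, b"\x00") + vip


def audit_hsrp(packets, authorized_routers):
    """packets: iterable of (src_ip, udp_payload) seen on the VLAN. Returns finding strings."""
    findings = []
    for src_ip, payload in packets:
        msg = parse_hsrp_v1(payload)
        tag = f"{src_ip} group {msg['group']}"
        if msg["auth"] == HSRP_DEFAULT_AUTH:
            findings.append(f"{tag}: default clear-text authentication string 'cisco'")
        if src_ip not in authorized_routers:
            findings.append(f"{tag}: {msg['opcode']} with priority {msg['priority']} from a host that is not a known router")
        if msg["opcode"] == "Coup":
            findings.append(f"{tag}: Coup claiming the active role for {msg['virtual_ip']} with priority {msg['priority']}")
    return findings


# Addresses as on the slide; traffic below is constructed.
AUTHORIZED_ROUTERS = {"192.168.1.1", "192.168.1.2"}
SAMPLE_PACKETS = [
    ("192.168.1.1", build_hsrp_v1(0, 16, 110, 1, b"cisco", "192.168.1.3")),   # active router hello
    ("192.168.1.2", build_hsrp_v1(0, 8, 100, 1, b"cisco", "192.168.1.3")),    # standby router hello
    ("192.168.1.50", build_hsrp_v1(1, 4, 255, 1, b"cisco", "192.168.1.3")),   # coup from the insider host
]

if __name__ == "__main__":
    for finding in audit_hsrp(SAMPLE_PACKETS, AUTHORIZED_ROUTERS):
        print(finding)
```

Moving the routers to MD5 authentication removes the first finding; the other two only go away when access ports cannot reach the HSRP group at all (ACL on the VLAN or CoPP on the routers), which is why the detection on the source address matters even after authentication is configured.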
IPv6 Neighbor Discovery Protocol
Filter on IPv6 or Ethernet type 0x86DD to identify IPv6 packets
IPv6 uses multicast; there is no more broadcast
Hack the Network via OSPF
Diagram: Area 0 backbone with Area 1 and Area 2 behind Area Border Routers (ABR); an Autonomous System Border Router (ASBR) connects to an external network (BGP, EIGRP, IS-IS); DR and BDR on the LAN segment.
OSPF Exploit Tools
- Quagga
- NRL CORE (network simulator)
- Nemesis
- Loki
- GNS3/Dynamips
- Buy a router on eBay
- Hack a router and reconfigure
- Code one with Scapy
- IP Sorcery (IP Magic)
- Cain & Abel to crack OSPF MD5
- MS RRAS
- NetDude
- Colasoft
- Phenoelit IRPAS
OSPF Attack Vectors
- Take over as DR
- Inject routes to mask source of attack
- DoS
- Inject routes for MITM
- Add new routes to hacked router
- Change interface bandwidth or use "ip ospf cost" for traffic engineering on hacked router
OSPF typically is implemented without any thought to security. LSAs are multicast on the spoke LAN for any user to sniff without MD5.
OSPF – No Authentication
OSPF – Clear Text Authentication
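The two packet-analysis slides ("No Authentication" and "Clear Text Authentication") differ only in the AuType field of the 24-byte OSPFv2 header, so an audit of who speaks OSPF on a segment and how they authenticate is a header-only job. The following is an added example, not from the deck: an OSPFv2 header decoder and an audit over constructed Hello packets covering the null, simple-password and cryptographic (MD5) cases. Router IDs, areas, the password and the key id are assumed values.

```python
import struct

OSPF_VERSION = 2
OSPF_TYPES = {1: "Hello", 2: "DB Description", 3: "LS Request", 4: "LS Update", 5: "LS Ack"}
AUTYPE_NULL, AUTYPE_SIMPLE, AUTYPE_CRYPTO = 0, 1, 2


def dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_ospf_header(packet: bytes) -> dict:
    """Decode the 24-byte OSPFv2 header (RFC 2328 A.3.1) including the authentication field."""
    if len(packet) < 24:
        raise ValueError("OSPFv2 header is 24 bytes")
    version, ptype, length, router_id, area_id, _checksum, autype = struct.unpack_from("!BBH4s4sHH", packet, 0)
    if version != OSPF_VERSION:
        raise ValueError("not OSPFv2")
    auth = packet[16:24]
    info = {"type": OSPF_TYPES.get(ptype, f"unknown({ptype})"), "length": length,
            "router_id": dotted(router_id), "area_id": dotted(area_id), "autype": autype}
    if autype == AUTYPE_SIMPLE:
        info["password"] = auth.rstrip(b"\x00")        # up to 8 characters, in the clear
    elif autype == AUTYPE_CRYPTO:
        _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        info.update(key_id=key_id, auth_data_len=auth_len, crypto_seq=seq)
    return info


def build_ospf_hello(router_id: str, area_id: str, autype: int, auth: bytes = b"", key_id: int = 1) -> bytes:
    """Constructed Hello: 24-byte header + 20-byte Hello body; checksum left zero."""
    if autype == AUTYPE_CRYPTO:
        auth_field = struct.pack("!HBBI", 0, key_id, 16, 1)
        trailer = b"\x00" * 16            # the MD5 digest follows the packet; zeroed in this sample
    else:
        auth_field = auth[:8].ljust(8, b"\x00")
        trailer = b""
    # network mask, hello interval, options, router priority, dead interval, DR, BDR
    body = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40, b"\x00" * 4, b"\x00" * 4)
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, 1, 24 + len(body),
                         bytes(int(o) for o in router_id.split(".")),
                         bytes(int(o) for o in area_id.split(".")), 0, autype)
    return header + auth_field + body + trailer


def audit_ospf(packets):
    """packets: iterable of (src_ip, raw_ospf). Returns findings about how each neighbour authenticates."""
    findings = []
    for src, raw in packets:
        hdr = parse_ospf_header(raw)
        where = f"{src} (router-id {hdr['router_id']}, area {hdr['area_id']})"
        if hdr["autype"] == AUTYPE_NULL:
            findings.append(f"{where}: {hdr['type']} without authentication; any host on the segment can inject LSAs")
        elif hdr["autype"] == AUTYPE_SIMPLE:
            findings.append(f"{where}: {hdr['type']} with clear-text password {hdr['password']!r}")
    return findings


# Constructed sample traffic (assumed addresses and secrets).
SAMPLE = [
    ("10.0.0.1", build_ospf_hello("1.1.1.1", "0.0.0.0", AUTYPE_NULL)),
    ("10.0.0.2", build_ospf_hello("2.2.2.2", "0.0.0.1", AUTYPE_SIMPLE, b"s3cret")),
    ("10.0.0.3", build_ospf_hello("3.3.3.3", "0.0.0.0", AUTYPE_CRYPTO, key_id=5)),
]

if __name__ == "__main__":
    for finding in audit_ospf(SAMPLE):
        print(finding)
```

Passive interfaces on user-facing segments remove the Hellos altogether, so on a well-configured LAN this audit should see OSPF only between routers, and only with AuType 2.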
EIGRP Overview
Diagram: routers connecting 10.1.1.0 255.255.255.0, 10.1.2.0 255.255.255.0 and 192.168.1.0 255.255.255.0.
• Advanced Distance Vector – "Hybrid"
• No authentication / MD5 Authentication
• Classless / Classful routing default
• Supports IPv4/6, IPX and AppleTalk
• Fast convergence - Successor - Feasible Successor
• Unequal and equal cost load balancing
• Upgrade replacement for IGRP
• Incremental updates
• EIGRP uses DUAL algorithm
• Cisco proprietary
• 3 Tables similar to OSPF - Neighbor table - Routing table - Topology table
• Summarization at any interface in network
Remember to use the "no auto-summary" command to enable classless routing or experience discontiguous network issues.
Hack the Network via EIGRP
Diagram: routers connecting 10.1.1.0 255.255.255.0, 10.1.2.0 255.255.255.0 and 192.168.1.0 255.255.255.0.
Similar to OSPF, EIGRP typically is implemented without any thought to security. Network administrators should use authentication and configure interfaces to be passive in EIGRP.
EIGRP Attack Vectors
- Inject routes to mask source of attack
- DoS
- Inject routes for MITM
- Add new routes to hacked router
- Change interface bandwidth for traffic engineering on hacked router
EIGRP Exploit Tools
- GNS3/Dynamips
- Buy a router on eBay
- Hack a router and reconfigure
- Phenoelit IRPAS
EIGRP – No Authentication
IPv6 SLAAC MITM
IPv6 Neighbor Discovery Protocol (NDP) (think ARP for IPv6)
IPv6 MITM Tools: Chiron, Evil FOCA, THC Parasite6, SCAPY, Colasoft Packet Builder
Diagram: Windows, Linux and Mac hosts; by default hosts send an ICMPv6 Router Solicitation; a Rogue Insider sending RAs becomes the man-in-the-middle.
Mitigations
- RA Guard
- 802.1X
- Private VLANs
- IPv6 port security
- Source/Destination Guard
- SeND (Secure Neighbor Discovery, cryptographically protects NDP)
IPv6 Neighbor Discovery Spoofing - MITM
Diagram: Windows, Linux and Mac hosts; a Rogue Insider answers neighbor discovery on their behalf.
Neighbor Discovery Spoofing - MITM (ARP Spoofing equivalent for IPv6)
IPv6 Neighbor Discovery Protocol (NDP) (think ARP for IPv6)
IPv6 MITM Tools: Chiron, Evil FOCA, THC Parasite6, SCAPY, Colasoft Packet Builder
Mitigations
- Source/Destination Guard
- 802.1X
- Private VLANs
- IPv6 port security
- NDP Spoofing
- DHCP Snooping
- SeND (Secure Neighbor Discovery, cryptographically protects NDP)
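RA Guard and ND inspection, listed as mitigations on the last two slides, boil down to two checks on ICMPv6 that can also be run over a capture: Router Advertisements (type 134) must come from the routers you know, with hop limit 255 as RFC 4861 requires, and a Neighbor Advertisement (type 136) must not map a target address to a different link-layer address than the binding table holds. The following is an added example, not from the deck: IPv6/ICMPv6 decoding with both checks, run over constructed packets for the rogue-RA case and the router-spoofing NA case. Router address, binding table and MACs are assumptions; checksums are left at zero because nothing here verifies them.

```python
import struct
from ipaddress import IPv6Address

IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERT = 134
ICMPV6_NEIGHBOR_ADVERT = 136
NDP_OPT_TARGET_LLADDR = 2


def parse_ipv6(packet: bytes) -> dict:
    if len(packet) < 40:
        raise ValueError("IPv6 header is 40 bytes")
    vtf, payload_len, next_header, hop_limit = struct.unpack_from("!IHBB", packet, 0)
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"src": IPv6Address(packet[8:24]), "dst": IPv6Address(packet[24:40]),
            "next_header": next_header, "hop_limit": hop_limit,
            "payload": packet[40:40 + payload_len]}


def parse_ndp_options(data: bytes) -> dict:
    """NDP options are TLVs whose length is counted in units of 8 octets (RFC 4861 4.6)."""
    options, i = {}, 0
    while i + 2 <= len(data):
        opt_type, opt_len = data[i], data[i + 1]
        if opt_len == 0:
            raise ValueError("zero-length NDP option")   # RFC 4861 says to discard such packets
        options[opt_type] = data[i + 2:i + opt_len * 8]
        i += opt_len * 8
    return options


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw[:6])


def audit_ndp(packets, authorized_routers, bindings):
    """packets: raw IPv6 packets; authorized_routers: set of IPv6Address; bindings: {IPv6Address: 'mac'}."""
    findings = []
    for raw in packets:
        ip = parse_ipv6(raw)
        if ip["next_header"] != IPPROTO_ICMPV6 or len(ip["payload"]) < 8:
            continue
        icmp = ip["payload"]
        if icmp[0] == ICMPV6_ROUTER_ADVERT:
            if ip["hop_limit"] != 255:
                findings.append(f"RA from {ip['src']} with hop limit {ip['hop_limit']} (must be 255)")
            if ip["src"] not in authorized_routers:
                findings.append(f"rogue RA from {ip['src']}: hosts would install it as a default router")
        elif icmp[0] == ICMPV6_NEIGHBOR_ADVERT and len(icmp) >= 24:
            target = IPv6Address(icmp[8:24])
            lladdr = parse_ndp_options(icmp[24:]).get(NDP_OPT_TARGET_LLADDR)
            expected = bindings.get(target)
            if lladdr is not None and expected is not None and mac_str(lladdr) != expected:
                findings.append(f"NA from {ip['src']} maps {target} to {mac_str(lladdr)}, binding table says {expected}")
    return findings


def build_ipv6(src: str, dst: str, icmp: bytes, hop_limit: int = 255) -> bytes:
    return (struct.pack("!IHBB", 6 << 28, len(icmp), IPPROTO_ICMPV6, hop_limit)
            + IPv6Address(src).packed + IPv6Address(dst).packed + icmp)


def build_ra(router_lifetime: int = 1800) -> bytes:
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable time, retrans timer
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)


def build_na(target: str, mac: str, override: bool = True) -> bytes:
    flags = (1 << 29) if override else 0      # R is bit 31, S bit 30, O bit 29 of the flags word
    option = struct.pack("!BB", NDP_OPT_TARGET_LLADDR, 1) + bytes.fromhex(mac.replace(":", ""))
    return struct.pack("!BBHI", ICMPV6_NEIGHBOR_ADVERT, 0, 0, flags) + IPv6Address(target).packed + option


# Constructed sample traffic (assumed addresses): fe80::1 is the real router.
AUTHORIZED_ROUTERS = {IPv6Address("fe80::1")}
BINDINGS = {IPv6Address("fe80::1"): "00:11:11:11:11:11", IPv6Address("fe80::2"): "00:22:22:22:22:22"}
SAMPLE = [
    build_ipv6("fe80::1", "ff02::1", build_ra()),                                   # legitimate RA
    build_ipv6("fe80::bad", "ff02::1", build_ra()),                                 # rogue RA (SLAAC MITM)
    build_ipv6("fe80::bad", "fe80::2", build_na("fe80::1", "00:33:33:33:33:33")),   # NA impersonating the router
]

if __name__ == "__main__":
    for finding in audit_ndp(SAMPLE, AUTHORIZED_ROUTERS, BINDINGS):
        print(finding)
```

On the switch these checks are per port (RA Guard refuses RAs on host ports outright, regardless of source), which is stronger than an allowlist of router addresses; the capture-side version is useful for validating that the guard is actually applied everywhere.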
MPLS Architecture Overview
Diagram: customer sites of VPN_A and VPN_B (overlapping private prefixes 10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0, 11.6.0.0) attach via CE routers to PE routers at the edge of the MPLS cloud; P routers form the core; iBGP sessions run between the PEs.
• P Routers (LSRs) are in the Core of the MPLS Cloud
• PE Routers (Edge LSRs or LERs) use MPLS with the Core and plain IP with CE Routers
• P and PE Routers share a common IGP
• PE Routers are MP-iBGP fully meshed
Service provider may accidentally or intentionally misconfigure VPNs
Utilize IPsec VPN over MPLS VPN to ensure security
MPLS Label PCAP - Service Provider Core
32-bit MPLS Label Format
• Label: 20-bit
• EXP: 3-bit
• Bottom-of-Stack: 1-bit
• TTL: 8-bit
CPE to CPE Telnet over Service Provider MPLS VPN
Telnet Username \ Password – Clear Text Encapsulated in MPLS VPN
A Separate Overlay Encrypted VPN is Required to Secure Your Traffic
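The label format on the PCAP slide and the clear-text Telnet on this one fit in one decoder: pop 32-bit label entries until the bottom-of-stack bit is set, then the customer's IPv4 packet is right there for anyone with a tap in the provider core. The following is an added example, not from the deck: a label-stack parser plus a minimal IPv4/TCP decode that flags clear-text protocols (Telnet, FTP, HTTP) inside a VPN, run over a constructed frame. Labels, addresses and the Telnet bytes are assumed values.

```python
import struct

ETH_P_MPLS_UC = 0x8847
CLEAR_TEXT_TCP_PORTS = {23: "telnet", 21: "ftp", 80: "http"}   # readable end to end in a core capture


def parse_mpls_stack(data: bytes):
    """Decode 32-bit label entries until the bottom-of-stack bit is set.

    Layout per entry: label 20 bits | EXP 3 bits | S 1 bit | TTL 8 bits.
    Returns (entries, payload_below_the_stack).
    """
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("label stack runs past end of packet")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = {"label": word >> 12, "exp": (word >> 9) & 0x7, "bos": (word >> 8) & 0x1, "ttl": word & 0xFF}
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries, data[offset:]


def encode_label(label: int, exp: int, bos: bool, ttl: int) -> bytes:
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def parse_ipv4_tcp(data: bytes):
    """Minimal IPv4 + TCP decode: (src, dst, proto, sport, dport, tcp_payload); ports are None if not TCP."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("payload under the label stack is not IPv4")
    ihl = (data[0] & 0x0F) * 4
    proto = data[9]
    src = ".".join(str(b) for b in data[12:16])
    dst = ".".join(str(b) for b in data[16:20])
    if proto != 6:
        return src, dst, proto, None, None, b""
    sport, dport, _seq, _ack, offs = struct.unpack_from("!HHIIB", data, ihl)
    tcp_len = (offs >> 4) * 4
    return src, dst, proto, sport, dport, data[ihl + tcp_len:]


def audit_mpls_frame(frame: bytes):
    """Flag clear-text protocols riding inside an MPLS VPN as seen from a tap in the provider core."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETH_P_MPLS_UC:
        return []
    labels, inner = parse_mpls_stack(frame[14:])
    src, dst, _proto, sport, dport, payload = parse_ipv4_tcp(inner)
    stack = "/".join(str(e["label"]) for e in labels)
    for port in (sport, dport):
        if port in CLEAR_TEXT_TCP_PORTS:
            return [f"{CLEAR_TEXT_TCP_PORTS[port]} {src}->{dst} under labels {stack}: {payload!r}"]
    return []


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4 + TCP (PSH/ACK) segment; checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + tcp


# Constructed sample: transport label 16, VPN label 100 (bottom of stack), CPE-to-CPE Telnet.
SAMPLE_FRAME = (bytes.fromhex("0000aa0000010000bb000001") + struct.pack("!H", ETH_P_MPLS_UC)
                + encode_label(16, 0, False, 254) + encode_label(100, 0, True, 254)
                + build_ipv4_tcp("10.1.0.5", "10.2.0.7", 40000, 23, b"Username: admin\r\nPassword: hunter2\r\n"))

if __name__ == "__main__":
    print(audit_mpls_frame(SAMPLE_FRAME))
```

With an IPsec overlay between the CPEs the same decoder still pops the labels, but the inner protocol becomes ESP (protocol 50) and the Telnet bytes are no longer there to read.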
DMZ Layer 2 Security
Diagram: Internet, then the DMZ (WWW, DNS, SMTP, SharePoint), then the Internal Network (Database, Email, DNS, *NIX w/ NIS (AD integ.), Active Directory).
Secure DMZ Trusts
- PVLAN
- VACL
- Separate virtual or physical interface with ACLs
- Develop a network traffic matrix to define required network traffic flows
DMZ
- Typically a single VLAN
- Open trusts to the Inside VLAN
- DMZ to Internal AD integration
- Pivot from DMZ to Internal network
Layer 2 – Secure Visualization and Instrumentation
Diagram: TAP/Sniffer feeding the NOC/SOC over an out-of-band network.
In-band monitoring: EPC, SPAN, RSPAN, ERSPAN, NetFlow
Whitelist the Layer 2 Network Trust Relationships
Whitelist Trusted Information Flows in Monitoring
Secure Control, Management, Data Planes
Questions?
@PaulCoggin
Extra Backup Slides
OSPF – MD5 Authentication
EIGRP – MD5 Authentication
CAM Table Overflow Attack
Tools: Yersinia, Macof, DSNIFF
Diagram: Node 1, Node 2, Node 3 and Node 4 on one switch; traffic from Node 2 to Node 4 is flooded out every port.
Switch CAM table exploited, resulting in the switch VLAN operating like a shared Ethernet hub; the attack may cause multiple switches to fall back to shared Ethernet behavior
Implement port security to limit MACs per interface, SNMP Traps
ARP Poisoning
Diagram:
- Corporate Server IP 172.16.1.1
- Router IP 192.168.1.1 MAC 1111.1111.1111
- User 1 IP 192.168.1.2 MAC 2222.2222.2222
- User 3 IP 192.168.1.3 MAC 3333.3333.3333
Gratuitous ARP – User 1 traffic to server redirected to User 3 (172.16.1.1 at MAC 3333.3333.3333); User 1 ARP cache poisoned
Gratuitous ARP – Return traffic redirected to User 3 (192.168.1.2 at MAC 3333.3333.3333); Router ARP cache poisoned
Tools: Cain and Abel, Ettercap
ARP Poisoning
• Dynamic ARP Inspection
• IP Source Inspection
• SNMP Alerts and Syslog monitoring
Rogue DHCP Server
Diagram: DHCP Client, Corporate DHCP Server, Rogue User
Unauthorized DHCP Server
• Allocates bad DNS server or default gateway
• Denial of service by exhausting the leases in the DHCP scope
• Tools – Yersinia, Gobbler
Mitigation
• Limit MAC addresses per interface
• VACLs to block DHCP UDP 68
• DHCP snooping Trusted/Untrusted (mitigates client hardware address change)
Lawful Intercept – Identify Physical Source of Traffic
DHCP with Option 82 Support
Example Enterprise Network
DHCP Option 82 provides the DSLAM and Switch Name and the Physical Interface That Requested a DHCP IP Address
Diagram: hosts MAC A, MAC B and MAC C in the Ethernet Access Domain behind a DSL CPE / ADSL modem, then IP DSLAM, PE-AGG, L3VPN-PE and the ISP DHCP Server.
- DHCP request
- DHCP request with sub ID in Option identifier (RFC 3046)
- DHCP response with IP address
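The two DHCP slides share one decoder: the rogue-server check is "server-side message types (OFFER/ACK/NAK) are only acceptable from trusted ports and known servers", and option 82 is a TLV carrying the circuit-id (sub-option 1) and remote-id (sub-option 2) that the relay or DSLAM inserted. Cisco DHCP snooping also drops client packets that already carry option 82 on untrusted ports unless explicitly allowed, because a client that inserts its own option 82 is forging its physical location. The following is an added example, not from the deck: a DHCP options parser, an option 82 splitter and a snooping-style audit, run over constructed packets (server addresses, port names, MACs and the circuit-id strings are assumed values).

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_RELAY_AGENT_INFO, OPT_END = 0, 53, 54, 82, 255
DHCP_MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def parse_dhcp(packet: bytes) -> dict:
    """Fixed BOOTP header (236 bytes) + magic cookie + TLV options (RFC 2131)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid = struct.unpack_from("!BBBBI", packet, 0)
    giaddr = ".".join(str(b) for b in packet[24:28])
    chaddr = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "giaddr": giaddr, "chaddr": chaddr, "options": options}


def relay_agent_info(options: dict) -> dict:
    """Split option 82 (RFC 3046) into its circuit-id and remote-id sub-options."""
    raw = options.get(OPT_RELAY_AGENT_INFO, b"")
    subs, i = {}, 0
    while i + 2 <= len(raw):
        sub, length = raw[i], raw[i + 1]
        subs[sub] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return {"circuit_id": subs.get(SUBOPT_CIRCUIT_ID), "remote_id": subs.get(SUBOPT_REMOTE_ID)}


def audit_dhcp(packet: bytes, src_ip: str, port: str, trusted: bool, authorized_servers: set):
    """DHCP snooping logic for one packet arriving on `port`."""
    msg = parse_dhcp(packet)
    mtype = DHCP_MESSAGE_TYPES.get(msg["options"].get(OPT_MESSAGE_TYPE, b"\x00")[0], "?")
    findings = []
    if mtype in ("OFFER", "ACK", "NAK"):
        if not trusted:
            findings.append(f"{port}: {mtype} from {src_ip} on an untrusted port, rogue DHCP server")
        elif src_ip not in authorized_servers:
            findings.append(f"{port}: {mtype} from unknown server {src_ip} on a trusted port")
    if OPT_RELAY_AGENT_INFO in msg["options"] and not trusted:
        findings.append(f"{port}: client-sent option 82 on an untrusted port, dropped")
    return findings


def build_dhcp(op, mtype, chaddr, giaddr="0.0.0.0", server_id=None, circuit_id=None, remote_id=None) -> bytes:
    """Constructed sample packet: header fields beyond op/hlen/giaddr/chaddr are zero."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    header = (struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0x8000) + b"\x00" * 12
              + bytes(int(o) for o in giaddr.split(".")) + mac.ljust(16, b"\x00") + b"\x00" * 192)
    opts = bytes([OPT_MESSAGE_TYPE, 1, mtype])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + bytes(int(o) for o in server_id.split("."))
    if circuit_id or remote_id:
        sub = b""
        if circuit_id:
            sub += bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
        if remote_id:
            sub += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
        opts += bytes([OPT_RELAY_AGENT_INFO, len(sub)]) + sub
    return header + DHCP_MAGIC + opts + bytes([OPT_END])


AUTHORIZED_SERVERS = {"10.0.0.1"}
CLIENT_DISCOVER = build_dhcp(1, 1, "00:aa:aa:aa:aa:aa")
RELAYED_DISCOVER = build_dhcp(1, 1, "00:aa:aa:aa:aa:aa", giaddr="10.10.1.1",
                              circuit_id=b"dslam1 atm 1/3", remote_id=b"00aaaaaaaaaa")
ROGUE_OFFER = build_dhcp(2, 2, "00:aa:aa:aa:aa:aa", server_id="10.0.0.99")
FORGED_OPT82 = build_dhcp(1, 1, "00:aa:aa:aa:aa:aa", circuit_id=b"core-sw eth 1/1")

if __name__ == "__main__":
    print(relay_agent_info(parse_dhcp(RELAYED_DISCOVER)["options"]))
    print(audit_dhcp(ROGUE_OFFER, "10.0.0.99", "Gi1/0/7", False, AUTHORIZED_SERVERS))
    print(audit_dhcp(FORGED_OPT82, "0.0.0.0", "Gi1/0/8", False, AUTHORIZED_SERVERS))
```

The circuit-id string is what lawful intercept or an incident responder uses to walk from a leased address back to a DSLAM port; it is only trustworthy if untrusted ports cannot inject it, which is the reason both checks live in the same function.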