VLAN and Trunking Fundamentals
Letting a port automatically negotiate whether it will be an access port or a trunk port is risky, because an attacker could negotiate a trunk with the switch; the attacker could then reach any VLAN carried on that trunk simply by illegally tagging frames sent directly from his PC (VLAN hopping).
Common Layer 2 Threats and How to Mitigate Them
Best practice:
- Select an unused VLAN (other than VLAN 1) and use it as the native VLAN for all your trunks.
- Avoid using VLAN 1 anywhere, because it is the default.
- Administratively configure access ports as access ports so that users cannot negotiate a trunk, and disable trunk negotiation (DTP) with switchport nonegotiate.
- Limit the number of MAC addresses learned on a given port (port security feature).
- Use the BPDU Guard and Root Guard features for STP.
- Turn off CDP on ports facing untrusted networks, or networks that do not require CDP for anything useful.
- Shut down all unused ports.
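The best-practice list above turned into a Catalyst IOS configuration, as an added example that is not part of the original post. Interface names and VLAN numbers (10 and 20 for users, 999 as the unused native VLAN, 998 as a parking VLAN) are assumptions; the trunk is assumed to face a downstream access switch, which is where Root Guard belongs.

```cisco
! Added example, not from the original post: a user access port, a trunk toward a
! downstream access switch, and the unused ports, hardened per the list above.
! Interface names and VLAN numbers (10/20 users, 999 native, 998 parking) are
! assumptions. Weak factory default for comparison: "switchport mode dynamic auto"
! (a DTP peer can turn the port into a trunk), native VLAN 1, CDP on, all VLANs
! allowed on trunks, unused ports left up.
vlan 999
 name NATIVE-UNUSED
vlan 998
 name PARKING
! BPDU guard on every portfast port, so a forgotten per-port line still fails safe
spanning-tree portfast bpduguard default
!
! --- user port: static access, no DTP, no CDP, BPDU guard, storm control, port security
interface FastEthernet0/1
 description USER PORT
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 1.00
 switchport port-security
 switchport port-security violation restrict
!
! --- trunk: static, DTP off, unused native VLAN, pruned VLAN list, root guard
! (this switch is nearer the root; a superior BPDU from downstream blocks the port)
interface GigabitEthernet0/1
 description TRUNK TO ACCESS SWITCH
! encapsulation line only on platforms that also offer ISL (omit on e.g. 2960)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 spanning-tree guard root
!
! --- unused ports: parked in a dead VLAN and shut down
interface range FastEthernet0/20 - 24
 description UNUSED
 switchport mode access
 switchport access vlan 998
 shutdown
```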
Toolkit for L2 Security
- Port security: Limits the number of MAC addresses that can be learned on an access switch port.
- BPDU Guard: When BPDU Guard is enabled, a switch port that was forwarding stops forwarding and is disabled if a BPDU is seen inbound on that port. A user should never be generating legitimate BPDUs. (Interface command: spanning-tree bpduguard enable)
- Root Guard: Controls which ports are not allowed to become root ports toward remote root switches.
- Dynamic ARP Inspection: Prevents spoofing of L2 information by hosts.
- IP Source Guard: Prevents spoofing of L3 information by hosts.
- 802.1X: Authenticates users before allowing their data frames into the network.
- DHCP snooping: Prevents rogue DHCP servers from impacting the network.
- Storm control: Limits the amount of broadcast or multicast traffic flowing through the switch.
- Access control list: Traffic control to enforce policy.
Port security
A typical user uses just a single MAC address (except for virtual machines, virtual switches and IP phones). An attacker could send thousands of frames into the network with different bogus source MAC addresses, trying to exhaust the dynamic MAC address table of the switch; once the table is full, the switch floods frames to all ports within the VLAN, so the attacker can sniff all packets. This is called a CAM table overflow attack.
You can use port security to limit the number of MAC addresses that the switch port can learn:
Switch(config)#interface FastEthernet0/1
! Port security can only be enabled on a static access (or trunk) port, not on a
! port left in dynamic (DTP) mode
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
! The default maximum is 1, which is not shown in the running-config, but we can increase it:
Switch(config-if)#switchport port-security maximum 5
! Violation action:
! - protect:  do not learn MACs above the maximum and drop frames whose source MAC is not learned
! - restrict: same as protect, but also increments the SecurityViolation counter (and logs/sends an SNMP trap)
! - shutdown: puts the interface into err-disabled state and sends an SNMP trap
Switch(config-if)#switchport port-security violation protect
You can verify the port security settings with the *show port-security interface <interface>* or *show port-security* command.
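A second port-security configuration, added here as an example that is not part of the original post: a desk port with an IP phone and a PC behind it (the exception the text mentions), sticky learning, and automatic recovery from the shutdown violation mode. Interface name and VLAN numbers are assumptions.

```cisco
! Added example, not from the original post: port security on a desk port with an
! IP phone and a PC behind it, sticky learning, and automatic recovery from the
! shutdown violation mode. Interface name and VLAN numbers are assumptions.
interface FastEthernet0/2
 description DESK: PHONE + PC
! port security refuses a port still in dynamic (DTP) mode
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
! two MACs in total, but exactly one per VLAN, so a second PC on the data VLAN
! is a violation even though the phone's slot is free
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
! sticky: learn the first MACs dynamically and write them into the running-config
! (save with "write memory"; sticky entries do not age out)
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! shutdown mode leaves the port err-disabled; without recovery it stays down until
! an admin does shutdown / no shutdown on it
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification, from exec mode:
!   show port-security interface FastEthernet0/2   (mode, max, current count, last MAC)
!   show port-security address                     (secured MACs per port and VLAN)
!   show interfaces status err-disabled            (ports currently err-disabled)
!   show errdisable recovery                       (recovery cause and timer)
```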
DHCP Snooping
DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers:
- Validates DHCP messages received from untrusted sources and filters out invalid messages
- Rate-limits DHCP traffic from trusted and untrusted sources
- Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses
- Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts
DHCP snooping is enabled on a per-VLAN basis. By default it is inactive on all VLANs.
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 10
! Mark the port facing the DHCP server (the uplink) as trusted; all other ports stay untrusted
Switch(config)#interface FastEthernet0/1
Switch(config-if)#ip dhcp snooping trust
! Configure the DHCP snooping database agent to store the bindings
Switch(config)#ip dhcp snooping database tftp://1.1.1.1/directory/file
Dynamic ARP Inspection
ARP maps an IP address to a MAC address. When a device wants to communicate at L3, it first sends an ARP request to find out which destination MAC address it should use in the L2 header. This broadcast is received by all devices in the LAN segment, and the device that owns the IP address replies with its own MAC address.
A host can also send a gratuitous ARP reply even if it did not receive an ARP request. This can be used for ARP cache poisoning or ARP spoofing attacks.
In this example, when Host A wants to send traffic to Host B it first sends an ARP request, because it does not know Host B's MAC address. Host C, however, can reply with its own MAC address, so the switch will associate the IP address of Host B with the MAC address of Host C in its MAC table. This means that all traffic from Host A flows through Host C, and Host C forwards it on to Host B since it knows the real MAC address. This is a man-in-the-middle attack.
Dynamic ARP Inspection intercepts, logs and discards ARP packets with invalid IP-to-MAC bindings. DAI determines the validity of an ARP packet from the valid IP-to-MAC bindings stored in the DHCP snooping binding database.
If the ARP packet is received on a trusted interface, the switch forwards it without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.
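DHCP snooping and DAI configured together on one VLAN, with IP Source Guard from the toolkit list added, as an added example that is not part of the original post (it serves both the DHCP Snooping and the Dynamic ARP Inspection sections). Interface names, the VLAN number and the static host's IP/MAC are assumptions; the TFTP URL is the one used in the DHCP snooping section.

```cisco
! Added example, not from the original post: DHCP snooping, DAI and IP Source Guard
! working together on VLAN 10 (the two sections above). Interface names, VLAN
! number and the static host's IP/MAC are assumptions; the TFTP URL is the one
! used in the DHCP snooping section.
ip dhcp snooping
ip dhcp snooping vlan 10
! Caveat: by default the switch inserts DHCP option 82 into client requests it
! forwards; a server or relay that rejects option 82 will then drop them.
no ip dhcp snooping information option
! Persist bindings, or a reload leaves DAI/IPSG with an empty table and drops
! everything from hosts that keep their lease
ip dhcp snooping database tftp://1.1.1.1/directory/file
!
ip arp inspection vlan 10
! besides the binding lookup, check Ethernet header vs. ARP body consistency
ip arp inspection validate src-mac dst-mac ip
! statically addressed hosts never enter the snooping DB: whitelist them for DAI
arp access-list STATIC-HOSTS
 permit ip host 10.0.10.250 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
! and add a static binding so IP Source Guard passes that host's IP traffic too
ip source binding 0011.2233.4455 vlan 10 10.0.10.250 interface FastEthernet0/24
!
! uplink toward the DHCP server: trusted for both features
interface GigabitEthernet0/1
 ip dhcp snooping trust
 ip arp inspection trust
!
! user ports: untrusted (default), rate-limited, IP Source Guard on
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
! packets per second; exceeding the limit err-disables the port
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
! drop IP traffic whose source IP is not in the binding table for this port
 ip verify source
!
! let rate-limit err-disables recover on their own
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
!
! Verification:
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 10
!   show ip arp inspection statistics vlan 10
!   show ip verify source
```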
Translated from: https://badlyconnected.wordpress.com/2018/10/09/securing-layer-2-technologies/