1 / 123

Layer 2 Network Security

Layer 2 Network Security. Outline. How Layer 2 Switches Work ? Virtual LAN Security IEEE 802.1Q : Virtual Bridged LANs VLAN hopping Spanning Tree Security IEEE 802.1D: Spanning Tree Algorithm STP manipulation CAM table overflow MAC address spoofing DHCP starvation.

clara
Télécharger la présentation

Layer 2 Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Layer 2 Network Security

  2. Outline • How Layer 2 Switches Work ? • Virtual LAN Security • IEEE 802.1Q : Virtual Bridged LANs • VLAN hopping • Spanning Tree Security • IEEE 802.1D: Spanning Tree Algorithm • STP manipulation • CAM table overflow • MAC address spoofing • DHCP starvation

  3. How Layer 2 Switches Work ? • Layer 2 switch uses store and forward scheme to forward or filter incoming frames. • MAC Address Learning (Filtering Database) • MAC Address Lookup Engine • Forward frame into the port x if the destination MAC is found in the Filtering DB with port x. Otherwise, broadcast to all ports. • Broadcast all multicast/broadcast frames • Ether-Switch Architecture with switching Fabric ASICs • Each pair of Ethernets can have a transmission simultaneously. • Wire-speed design Gbps, 10Gbps, 100Gbps, … • Plug-and-Play • Are L2 switches secure ?

  4. Ethernet Switch ASIC (24+4) Typical Architecture for Ethernet Switch ASIC (24+4)

  5. 8-Port Gigabit Ethernet Switch ASIC Typical Architecture for Ethernet Switch ASIC (8 GE)

  6. Security Issues for L2 Switch • VLAN hopping attack • STP manipulation attack • CAM table overflow attack • MAC address spoofing attack • DHCP starvation attack

  7. Virtual Bridged LANs (IEEE 802.1Q)

  8. VLANTopology H H H H H VLANA VLANC Access Link H H Access Link VLANB VAB H VLANA Trunk Link 802.1D BLAN VLANC VAB H B Group in VLANA H B VLANC Hybrid Link Spanning Tree H H H Access Link H VAB VLANA VLANB H H Access Link

  9. Overview of Virtual LAN • Virtual LAN Services in Bridged LANs. • Forwarding Process required to support VBLANs. • Filtering Database needed to support VBLANs. • Protocols and Procedures required to provide VLAN services and distribute the VLAN membership information. • Management services and Operations required to configure and administer VBLANs.

  10. VLAN Aims and Benefits • Easy administration of logical group of stations. Also moves, adds, and changes in members of theses groups. • Traffic between VLANs is firewalled. The propagation of multicast and broadcast traffic between VLANs is limited. • Supported over shared and point-to-point media. • Each VLAN is uniquely identified (VID). • Maintain compatibility with existing bridges/switches and stations. • In the absence of VLAN configuration, bridges work in Plug-and-Play.

  11. VLAN Architecture Overview • Based on a 3-level model: • Configuration • Distribution/Resolution • Relay MIBs Declaration Protocols Req/Resp Protocols Ingress Rules Forwarding Rules Egress Rules

  12. Configuration • The VLAN configuration is specified in the first place. • Assignment of VLAN configuration.

  13. Virtual LANs Technologies • Port-based VLAN • MAC-based VLAN • IP-subnet based VLAN • Layer-3 Protocol based VLAN

  14. Port-based Virtual LANs Bridge/Switch 1 12 1 VLAN 1 Bridge/Switch 3 Bridge/Switch 2 12 1 12 1 VLAN 2 VLAN 3

  15. MAC-based Virtual LANs Bridge/Switch 1 5 6 8 4 7 2 3 1 Bridge/Switch 3 Bridge/Switch 2 16 9 11 12 13 14 15 10 VLAN 4 VLAN 1 VLAN 2 VLAN 3

  16. MAC-based Virtual LANs -- MAC5moves Bridge/Switch 1 6 8 4 7 2 3 1 Bridge/Switch 3 Bridge/Switch 2 5 11 12 16 9 13 14 15 10 VLAN 4 VLAN 1 VLAN 2 VLAN 3

  17. IP Subnet-based Virtual LANs Bridge/Switch 1 5 6 8 4 7 2 3 1 140.114.78.xx 140.114.76.xx 140.114.77.xx Bridge/Switch 3 Bridge/Switch 2 16 9 11 12 13 14 15 10 140.114.76.xx 140.114.78.xx 140.114.77.xx VLAN 1 = IP subnet 140.114.76 VLAN 2 = IP subnet 140.114.77 VLAN 3 = IP subnet 140.114.78

  18. Layer-3 Protocol based Virtual LANs Bridge/Switch 1 5 6 8 4 7 2 3 1 Bridge/Switch 3 Bridge/Switch 2 16 9 11 12 13 14 15 10 VLAN 2 (IP) VLAN 1 (IPX)

  19. Distribution • Distribute information for Bridges to determine on which VLAN a given packet should be forwarded. • Various possibilities exist for achieving this: • Declaration Protocols for distributing VLAN associations (such as GARP to distribute membership information among Bridges) • Request/Response protocols to request a specific VLAN association (SNMP).

  20. Relay • Mapping received frames to VLANs: determined by a set of ingress rules. • Where received frames should be forwarded: determined by a set of forwarding rules. • Mapping frames for output Ports and format (tagged or untagged): determined by a set of egress rules. • VLAN frame format to carry VLAN IDs (VIDs). • The procedure to tag frames, modify tagged frames, and untag frames.

  21. Relay • The Port-based approach specifies ingress, forwarding and egress rules based on VLAN membership, which allow bridges to: • Classify all received untagged frames as belonging to particular VLAN(PVID, Port VID). • Recognize the VID associated with received tagged frames. • Make use of this VID to forwarding/filtering. • Transmit frames in tagged or untagged format, as defined for a given Port/VLAN pairing.

  22. Frame Tagging • Implicit tagging • A frame is classified to a particular VLAN based on the data content of the frame (MAC address, Layer 3 Protocol ID, etc) and/or the receiving Port. • Explicit tagging • A frame carries an explicit identification of the VLAN to which it belongs. DA SA Tag (VLANID) PT N Bytes C-Data 46 <= N <= 1496 FCS

  23. Ingress Rules/Egress Rules • Each frame received is classified as belonging to exactly one VLAN by associating a VID with it. • The classification is achieved as follows • Explicit Tagging : the VID value it carries • Implicit Tagging : the PVID associated with the port it is received. • Frames shall be filtered if outgoing port is not preset in the Member Set of the VLAN

  24. Port-Based VLAN Definitions • VLAN aware devices understand VLAN membership and VLAN frame format. • VLAN unaware devices. • An Access Link is a LAN segment used to multiplex one or more VLAN unaware devices into a Port of a VLAN Bridge. • All frames on an access link are implicitly tagged. • No VLAN tagged frames on an access link. • Viewed as being on the edge of the network. • Can be attached to other 802.1D-conferment Bridges (BLAN).

  25. Definitions • A Trunk Link is a LAN segment used to multiplex VLANs between VLAN Bridges. • All devices connect to a Trunk Link must be VLAN aware. • All frames (including end station frames) on a Trunk Link are explicitly tagged with a VLAN ID. • A Hybrid Link is a LAN segment that has both VLAN aware and unaware devices. • There can be a mix of Tagged Frames and Untagged Frames but they must be from different VLANs.

  26. VLANTopology H H H H H VLANA VLANC Access Link H H Access Link VLANB VAB H VLANA Trunk Link 802.1D BLAN VLANC VAB H B Group in VLANA H B VLANC Hybrid Link Spanning Tree H H H Access Link H VAB VLANA VLANB H H Access Link

  27. Rules for Tagging Frames • For each VLAN, all frames traversing a particular hybrid link must be tagged the same way: • All implicitly tagged or • All carrying the same explicit tag. • There can be a mix of implicitly and explicit tagged frames but they must be for different VLANs. • All the frames for VLANs A and B are explicit tagged on the hybrid link. • All frames for VLAN C on the hybrid link are implicitly tagged. • On the trunk link all frames are tagged.

  28. Spanning Tree • Eliminate loops in a bridged LAN. • Improve scalability in a large network. • Spanning tree formed in a virtual LAN environment need not be identical to the topology of the VLAN(S). • Each VLAN may be overlaid on different segments or entirely separate from each other. • All VLANs are aligned along the Spanning Tree from which they are formed. • A VLAN is defined by a subset of the Spanning Tree. • The topology of the VLAN is dynamic.

  29. Bridge Operation • A Bridge filters frames to ensure that traffic destined for a given VLAN is forwarded only on segments (ports) that form a path to members of that VLAN. • For each VLAN, the bridge needs to keep: • Member set (Port IDs) • Untagged set (Port IDs)

  30. Addressing Learning • Shared VLAN Learning (SVL) • Independent VLAN Learning (IVL) • In most cases, SVL or IVL produces the same result. But in some special cases, we need to specify the learning mode of bridge.

  31. IVL Example -- Multiple Independent VLANs • Server (Bridge-Router, or Connector) connecting multiple independent VLANs. • Connector and stations are VLAN unaware (untag). • Connector did not turn on spanning tree algorithm. • VLAN Red (A) <--> VLAN Blue (B) should be delivered to Connector (firewalled). • The Filtering databases should be independent. Otherwise, MAC A(B) will be learned from different ports 1,4 (2,3) alternatively. • The frames from A (B) to B(A) will be delivered in a wrong way.

  32. IVL Example -- Multiple Independent VLANs Filtering DB MAC Port Correct paths For A->B and B->A Bridge Router A X B Y Port X Port Y VLAN Red Member Set: Red - Ports 1,3 Blue - Ports 2,4 MAC Port Port 3 Port 4 A 1 PVID = Blue PVID = Red B 3 VLAN Bridge VLAN Blue Untag Set: Red - Ports 1,3 Blue - Ports 2,4 MAC Port PVID = Blue PVID = Red A 4 B 2 Port 1 Port 2 A B

  33. If SVL is used for this case Filtering DB MAC Port Bridge Router A X Incorrect path For B->A B Y Port X Port Y Member Set: Red - Ports 1,3 Blue - Ports 2,4 Port 3 Port 4 SVL (Red, Blue) PVID = Blue PVID = Red MAC Port ? A 4 B 3 PVID = Blue PVID = Red Untag Set: Red - Ports 1,3 Blue - Ports 2,4 Port 1 Port 2 A B

  34. IVL Example (2) -- Multiple Independent VLANs • Server (Bridge-Router, or Connector) connecting multiple independent VLANs. • Server is VLAN aware (tagging frames) and stations are VLAN unaware. • VLAN Red : A <--> Server • VLAN Blue : B <--> Server • The Filtering databases should be independent. Otherwise, MAC A(B) will be learned from different ports alternatively. • The frames from server with tag Blue or Red may be filtered.

  35. IVL Example (2) -- Multiple Independent VLANs Shared Filtering DB (Red, Blue) Bridge Router MAC Port A 1 B 1 Port 1 B A VLAN Red Member Set: Red - Ports 1,3 Blue - Ports 2,3 MAC Port Port 3 A 1 PVID = Discard B 3 VLAN Bridge VLAN Blue MAC Port PVID = Blue PVID = Red Untag Set: Red - Port 1 Blue - Port 2 A 3 B 2 Port 1 Port 2 A B

  36. If SVL is used for this case Shared Filtering DB (Red, Blue) Bridge Router MAC Port A 1 B 1 Port 1 B A Member Set: Red - Ports 1,3 Blue - Ports 2,3 Port 3 SVL (Red, Blue) PVID = Discard MAC Port A 1 <-> 3 B 2 <-> 3 Untag Set: Red - Port 1 Blue - Port 2 PVID = Blue PVID = Red Port 1 Port 2 A B

  37. IVL Example (3) -- Duplicate MAC addresses • Stations A and B use the same MAC address X. • Server is VLAN aware (tagging frames) and stations are VLAN unaware. • VLAN Red : A <--> Server • VLAN Blue : B <--> Server • The Filtering databases should be independent. Otherwise, MAC X will be learned from different ports alternatively. • The frames from server with tag Blue (Red) may be forwarded to wrong destination A (B).

  38. IVL Example (3) -- Duplicate MAC addresses Server (VLAN-aware) VLAN Red Port 3 MAC Port Member Set: Red - Ports 1,3 Blue - Ports 2,3 X 1 PVID = Discard VLAN Bridge VLAN Blue PVID = Blue PVID = Red MAC Port X 2 Untag Set: Red - Port 1 Blue - Port 2 Port 1 Port 2 A B MAC X MAC X

  39. If SVL is used for this case Server (VLAN-aware) SVL (Red, Blue) Port 3 MAC Port PVID = Discard Member Set: Red - Ports 1,3 Blue - Ports 2,3 X 1 <-> 2 ? ? PVID = Blue PVID = Red Untag Set: Red - Port 1 Blue - Port 2 Port 1 Port 2 A B Incorrect path For Server ->A MAC X MAC X

  40. Asymmetric VLAN • Typically, two stations A and B belong to the same VLAN use the same VID to communicate. • Asymmetric VLAN: A->B and B -> A use different VIDs. • All server and stations are VLAN unaware (untagging frames) • A -> S and S->B but not A <-> B for security reason. • VLAN Purple: Server --> A or B • VLAN Red : A --> Server • VLAN Blue : B --> Server

  41. Asymmetric VLAN • If the Filter databases of VLAN Red and Purple are independent, then the frame from the server to A will be forwarded to both A and B due to A is not learned by VLAN Purple. Broadcast the frame in VLAN Purple for this case. • SVL is required for Asymmetric VLAN !!

  42. Asymmetric VLAN Server (VLAN-unaware) Purple Purple Member Set: Purple - Ports 1,2 Red - Port 3 Blue - Port 3 Port 3 SVL (Purple, Red, Blue) PVID = Purple MAC Port A 1 B 2 PVID = Blue PVID = Red S 3 Untag Set: Purple - Ports 1,2 Red - Port 3 Blue - Port 3 Port 1 Port 2 Red Blue A B

  43. If IVL is used for this caseS  A or S  B, but will S A and B Server (VLAN-unaware) VLAN Purple MAC Port S 3 Member Set: Purple - Ports 1,2 Red - Port 3 Blue - Port 3 Purple Purple Port 3 VLAN Red MAC Port PVID = Purple A 1 Untag Set: Purple - Ports 1,2 Red - Port 3 Blue - Port 3 VLAN Bule PVID = Blue PVID = Red MAC Port B 2 Port 1 Port 2 A B

  44. The Filtering Database • Static Filtering Entry • Static VLAN Registration Entry • Dynamic Filtering Entry • Dynamic VLAN Registration Entry

  45. Static Filtering Entry MAC VLAN ID Port MAP MACa2 MACb3 MACc3 MACd2 MACe4 Control Element Individual MAC, Group MAC, All Group MAC, All Unregistered Group MAC Forward, Filter, According to dynamic FD

  46. Static VLAN Registration Entry VLAN ID Port MAP 2 3 4 5 6 Control Element GVRP Registrar Administrative Control : Registration Fixed, Forbidden, Normal. Tagged/Untagged

  47. Dynamic Filtering Entry (By Learning Process) MAC FID Port (MAP) Time MACa2 200 MACa3 120 MACb3 100 250 MACb2 60 MACc4 Individual MAC

  48. Dynamic VLAN Registration Entry VLAN ID Port MAP 2 3 4 5 6 Control Element VID is registered on this port ?

  49. VLAN Tag Structure • Tag Protocol Identifier (TPID) • Tag Control Information (TCI) • User-Priority • Canonical Format Indicator • VID 8 2 SNAP-encoded TPID Ethernet-encoded TPID 2 2 TCI TCI 3 1 12 Bits VLAN Identifier (VID) Canonical Format Indicator User-Priority

  50. Tag Format (Ethernet-encoded) 2 2 2 2-30 Bytes Ethernet-encoded TPID (81-00) TCI LEN RIF 3 1 12 Bits VLAN Identifier (VID) Canonical Format Indicator (CFI) User Priority (0-7)

More Related