Layer 2 Security – Protect You and Your Users From Attack

7/26/2019 Layer 2 Security Protect You and Your Users From Attack

1/17

11/20/2014 Layer 2 Security Protect You and Your Users From Attack | Greg Sowell Consulting

http://gregsowell.com/?p=1133 1/17

Skip to content

HomeConsulting/About Me

Contact Me

Mikrotik Training Videos

Cacti Video Tutorials

Dec14 / Greg

Layer 2 Security Protect You and Your Users From Attack

Before your access lists or firewall rules comes layer 2(L2). This is the Data link layer where your MAC addressing lives. Why do we need to protect

L2?

Man in the middle attacks happen via L2

Rogue DHCP on a single segment

DHCP server starvation attack

ARP attacks against your switches

Lets hit these guys one at a time:
http://gregsowell.com/http://gregsowell.com/http://gregsowell.com/http://gregsowell.com/http://gregsowell.com/http://gregsowell.com/http://gregsowell.com/?feed=rss2http://gregsowell.com/?page_id=86http://gregsowell.com/?page_id=951http://gregsowell.com/?page_id=17http://gregsowell.com/?page_id=245http://gregsowell.com/http://gregsowell.com/http://gregsowell.com/?feed=rss2


2/17



Man in the middle attack

What is a man in the middle attack? Hereswhat wikipedia says about it. In a nutshell I tell the router that I am you, and I tell you that I am the router. What

happens is that all your traffic passes through mewhile I intercept everything possible about what you are doing. I wait for you to attempt a bank transaction

and hand you a bunk site certificate and steal your monies I do this by sending gratuitous ARPs. These are unprovoked ARP announcements. I send ARPs

over and over to the router saying Im you. I then send you ARPs over and over saying that I am the router.

Man in the middle...you are Bob and all your base are belong to us

So as you can imagine, if you manage a hotel or apartment complex, this could be a HUGE problem. This could be a problem for enterprises also, but for

more or less shared public infrastructure, this is scary.

Rogue DHCP on a segment

What is a rouge DHCP server? This is when you have an unauthorized DHCP server handing out IP addresses on your network. Why is this a problem? A

DHCP request fulfillment is really a foot race. You can have many DHCP servers on a single LAN segment, but whichever gets its answer back to therequesting host, wins. So, if your legitimate DHCP server is 20 milliseconds away and the rogue is 5 milliseconds away, guess who will win the race? This is a
http://en.wikipedia.org/wiki/Man-in-the-middle_attack


3/17



problem because rogues will generally give you a false path to the internet. They could create a man in the middle attack as above. They can hand you an IP

address and say that they are the router to the internet. You will pass all your traffic to them and they will relay it on. Most often we see rogues in apartment

complex networks. This is due to the fact that users will plug their wireless routers in backwards and start handing out IP addresses. There is no malicious

intent in this second scenario, but they can take out large portions of your apartment users!

Improperly connected wireless router is closer, and responds faster...so now you are getting a junk IP andDefault Route

DHCP starvation attack

A starvation attack is when a user spoofs tons of MAC addresses and requests a DHCP address from each MAC. This means that a single attacker can

accept and hold all of your DHCP addresses, thus not allowing your legitimate users to pull an address.


4/17



I've taken all the DHCP IPs...now you can't pull an IP

ARP attacks against our switches

Ive got a 6509, why should I bother with one little guy ARP attacking me? Because even a Cisco 6500 will only hold about 120K MAC addresses in its

MAC-Address table(per VLAN) before it gets overrun. Once your fancy switch is overrun and the MAC table is full, it turns into a fancy hub! So, all of your

super secret traffic you dont want anyone else to see is now getting broadcast out every port configured for that access VLAN or untagged for that VLAN. I

just got you again. You know whats even better is that my ARP will propagate through your fancy 6500 and down to your not so fancy edge switches that

can handle even less trafficsnapI just got you again. You also realize that this attack can reach maturity in around 10-20 seconds?


5/17



ARP attacking a switch to overrun the MAC Address table - again, all your traffic are come to me

Configuration

So, now we have a few compelling reasons why we need L2 security, how do we do it? The first thing you do is get yourself some Cisco switches:) I have

no idea how to do it with anything else. I know Juniper/Procurve will do it, but exactly how is a mystery to me. So now that Ive told you get Cisco, I must tell

you which models support our features. As far as the 1U switching line, you will need at least a 3550 or above. This covers 3560s and 3750s. If you are going

with say a 6500 series switch, you will need at minimum a Sup32. A 3550 24 port will run you around $150. A 3550 48 port will run you around $190.

Port security

Time to get to the real configuration. What we are going to kick on 1st is port security. This sets a limit on the number of MAC addresses that can be learned


6/17



via a single switch port. Setting port security will help to protect our DHCP server from a starvation attack. I generally like to set the number of allowed MAC

addresses to 10. You have to remember that if you are using Cisco phones and you are piggy backing your PC off of it, you will be required to allow at least 2

MAC addresses. Some switches will see the initial CDP message come from the phone and consider this a separate MAC, so on these switches you would

need 3 MAC allowances. The easiest thing I have found is to simply allow 10 MACs. Port security is configured on a per port basis.

1

2

3

4

5

6

interface FastEthernet0/1

switchport port-security maximum 10 !sets max MACs to 10

switchport port-security !enables port security

switchport port-security aging time 30 ! sets the time in minutes that MAC addresses will timeout

switchport port-security violation restrict !sets the violate action to restrict - default is err disable port

switchport port-security aging type inactivity !sets the aging type to only start when there is no activity on the port

Heres the Cisco docs on it.

Another quick note is that we dont enable port security on trunk ports. Now that we have that covered, lets move on.

DHCP Snooping

We are next going to enable DHCP snooping(DS). DS will prevent our rogue DHCP servers. It only allows DHCP servers to respond on interfaces marked

as trusted. Everything past this point builds off of DHCP snooping, so its quite a critical step. How DS works is to monitor DHCP requests coming from aport and to record the responses into a table on the switch called theget ready for it, deep breathDHCP snooping binding table(DSBT). I know what you

are thinkingWe dont have everything set for DHCP, like some printers and machines. To this I say, almost anything can be set for DHCP. If you use

dynamic DNS like Microsoft Active Directory(AD), you can simply reference the DNS name of the device. Or, if you setup reservation in your DHCP server

for these devices, they will technically make the DHCP request, but they will pull the same IP every time.

DS is configured globally on a VLAN and not locally per interface.

1

2

3

45

ip dhcp snooping vlan 10 !set your VLANs that should be snooped

ip dhcp snooping database tftp://10.1.1.1/the-file !this will offload your DSBT to an TFTP server - We generally use Mikrotik's TFT

ip dhcp snooping database write-delay 60 !setup a write delay if an entry changes in the DSBT

ip dhcp snooping verify mac-address !ensures that the MAC learned on the port matches that in the DHCP requestip dhcp snooping !enable DS on the switch

In the above example you see that I upload the DSBT to an TFTP server. I do this so that when a switch looses power it will repopulate its DSBT. This

doesnt seem like that big a deal because windows hosts and Mac hosts will pull DHCP when an interfaces loses connectivity, so they will be ok. A lot of

Linux hosts, however, wont reDHCP when their interfaces lose connectivity.

By default, when you turn on DS all ports are considered untrusted. You will need to mark the to specify trusted interface. A trusted interface is an interface

where the DHCP server should be coming from. If you are on an edge switch and you dont physically have the DHCP server plugged into it, you will need to

set the trunk ports as trusted ports!

1 interface GigabitEthernet0/1
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/configuration/guide/port_sec.html


7/17



2

3

4

5

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 10

switchport mode trunk

ip dhcp snooping trust !set this trunk port as a trusted port

You can also set a packet per second rate limit per port.

1

2


ip dhcp snooping limit rate 50 !50 PPS

Heres what Cisco says about DS.

Dynamic ARP inspection

Now we will turn on some dynamic ARP inspection(DAI). So, what does our friend DAI do? He inspects every ARP packet that flows on untrusted ports

and makes sure they conform to the DHCP snooping binding table. So this kills the man in the middle attacks that leverage false gratuitous ARPs.

DIA configures globally also:

12

3

4

ip arp inspection vlan 10 !specify which VLANs to scanip arp inspection validate src-mac ip !checks for bad IPs and ensures that it is sourced from interface MAC

ip arp inspection log-buffer entries 1024 !by default 32 entries max will be held non violates

ip arp inspection log-buffer logs 1024 interval 10 !by default will only hold them for 5 seconds, this ups to 10

We also have to mark which ports are trusted ports. These are ports we dont inspect on. Your trunk ports will always need to be trustedunless you want

to black hole your traffic?

1

2

3

4

5

interface GigabitEthernet0/1

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 10

switchport mode trunk

ip arp inspection trust !marked as trusted

Also, by default he does an ARP packet per second limiting. The default is 15 PPS, I generally up this to 50.

1

2


ip arp inspection limit rate 50

When the PPS rate limit is violated, the switch port will err disable. I recommend doing error recovery for this reason:

1

2

errdisable recovery cause arp-inspection !enables recovery for arp-inspection PPS events

errdisable recovery interval 14400 ! this value is in seconds. I have this set to 4 hours
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/snoodhcp.html


8/17



Ciscos docs can be found here on DAI.

So this will protect you from attacks on L2, but it wont provide any authentication. If you want to do some L2 authentication, you need to check out 802.1X.

Is 802.1X a replacement for L2 security, NO! Just because someone can authenticate doesnt mean they dont have a virus on their machine that will attack

your network in some waytrust no one

If you enjoyed this article and wouldnt mind seeing more, drop me a line and tell me about it.

Filed under Cisco, Mikrotik,Networking, Security

10 Comments

leave a comment

1. Ronald / Dec 30 2009

Nice article! Im going to think about an implementation of this on a new network Im doing as part of my internship

2. Greg/ Dec 30 2009

Ronald:

Nice article! Im going to think about an implementation of this on a new network Im doing as part of my internship

Ronald,

Thanks. Definitely give it a swing. I know it gives me that warm and cozy feeling knowing I have my users on lock downhehe.

3. Kenneth / Mar 23 2010
http://gregsowell.com/http://gregsowell.com/?cat=24http://gregsowell.com/?cat=8http://gregsowell.com/?cat=6http://gregsowell.com/?cat=16http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_20_se/configuration/guide/swdynarp.html


9/17



This is very Pro. easy to understand.

4. Greg/ Mar 23 2010

Kenneth:

This is very Pro. easy to understand.

Thanks Ken. Im glad it helped

5. Vdelarenal / Mar 25 2010

Hi, can you recommend me a cisco switch for doing this on a 300 users network?

Thanks.

6. Greg/ Mar 26 2010

Vdelarenal:

Hi, can you recommend me a cisco switch for doing this on a 300 users network?

Thanks.

Why not the 6509? This way you have a single chassis to manage.

You could always stack a bunch of 3550s if you want to save money.

3750s are the cheapest stackable Cisco, but it would be cheaper to put in a single 6509.

7. sunny / Apr 26 2010
http://gregsowell.com/http://gregsowell.com/


10/17



Very nice article, i need to implement all these feature in my LAN (psecure, dhcp snooping and DAI) this has helped me lottt. but missing some thing

like dhcp snooing information options, which i may need since i have a firewalled network where my dhcp server is in another interface from the local

user interface. but still greatKen. thanks..

8. Greg/ Apr 26 2010

Ken,

I have DHCP snooping in there

9. Benny / May 7 2010

Quite useful and clear! Thanks!

10. RobertM / Feb 21 2011

re: I have no idea how to do it with anything else.

Look for software called dhcpdrop. It sends out discover packets, ignores the legitimate server and then eats all the addresses from the rogue. Email me

if you want an english version of the man page.

Leave a Comment

Name (required)

Email (required, will not be published)

Website
http://gregsowell.com/


11/17



Comment

Comments Feed

CAPTCHA Code *

Submit Comment

Archives

November 2014

September 2014

August 2014

July 2014

May 2014

April 2014

March 2014

February 2014

January 2014

December 2013

November 2013

September 2013

Subscribe to comments on this post
http://gregsowell.com/?m=201309http://gregsowell.com/?m=201311http://gregsowell.com/?m=201312http://gregsowell.com/?m=201401http://gregsowell.com/?m=201402http://gregsowell.com/?m=201403http://gregsowell.com/?m=201404http://gregsowell.com/?m=201405http://gregsowell.com/?m=201407http://gregsowell.com/?m=201408http://gregsowell.com/?m=201409http://gregsowell.com/?m=201411http://gregsowell.com/?feed=rss2&p=1133


12/17



August 2013

July 2013

June 2013

May 2013

April 2013

March 2013

February 2013

January 2013December 2012

November 2012

October 2012

September 2012

August 2012

July 2012

June 2012

May 2012

April 2012March 2012

February 2012

January 2012

December 2011

November 2011

October 2011

September 2011

August 2011

July 2011June 2011

May 2011

April 2011

March 2011

February 2011

January 2011

December 2010

November 2010

October 2010September 2010
http://gregsowell.com/?m=201009http://gregsowell.com/?m=201010http://gregsowell.com/?m=201011http://gregsowell.com/?m=201012http://gregsowell.com/?m=201101http://gregsowell.com/?m=201102http://gregsowell.com/?m=201103http://gregsowell.com/?m=201104http://gregsowell.com/?m=201105http://gregsowell.com/?m=201106http://gregsowell.com/?m=201107http://gregsowell.com/?m=201108http://gregsowell.com/?m=201109http://gregsowell.com/?m=201110http://gregsowell.com/?m=201111http://gregsowell.com/?m=201112http://gregsowell.com/?m=201201http://gregsowell.com/?m=201202http://gregsowell.com/?m=201203http://gregsowell.com/?m=201204http://gregsowell.com/?m=201205http://gregsowell.com/?m=201206http://gregsowell.com/?m=201207http://gregsowell.com/?m=201208http://gregsowell.com/?m=201209http://gregsowell.com/?m=201210http://gregsowell.com/?m=201211http://gregsowell.com/?m=201212http://gregsowell.com/?m=201301http://gregsowell.com/?m=201302http://gregsowell.com/?m=201303http://gregsowell.com/?m=201304http://gregsowell.com/?m=201305http://gregsowell.com/?m=201306http://gregsowell.com/?m=201307http://gregsowell.com/?m=201308


13/17



August 2010

July 2010

June 2010

May 2010

April 2010

March 2010

February 2010

January 2010December 2009

November 2009

October 2009

June 2009

May 2009

April 2009

March 2009

February 2009

January 2009

Categories

Access Control

Arduino

Asterisk

AsterixkAutoit

Cabling

Cacti

Cacti Tutorials

Cacti Video Tutorial

CallManager

Chromecast

Cisco

Cisco ASA

Class Video
http://gregsowell.com/?cat=27http://gregsowell.com/?cat=25http://gregsowell.com/?cat=16http://gregsowell.com/?cat=44http://gregsowell.com/?cat=22http://gregsowell.com/?cat=21http://gregsowell.com/?cat=10http://gregsowell.com/?cat=9http://gregsowell.com/?cat=33http://gregsowell.com/?cat=12http://gregsowell.com/?cat=31http://gregsowell.com/?cat=32http://gregsowell.com/?cat=45http://gregsowell.com/?cat=36http://gregsowell.com/?m=200901http://gregsowell.com/?m=200902http://gregsowell.com/?m=200903http://gregsowell.com/?m=200904http://gregsowell.com/?m=200905http://gregsowell.com/?m=200906http://gregsowell.com/?m=200910http://gregsowell.com/?m=200911http://gregsowell.com/?m=200912http://gregsowell.com/?m=201001http://gregsowell.com/?m=201002http://gregsowell.com/?m=201003http://gregsowell.com/?m=201004http://gregsowell.com/?m=201005http://gregsowell.com/?m=201006http://gregsowell.com/?m=201007http://gregsowell.com/?m=201008


14/17



Dude

Fun

Hardware

Hotspot

Linux

Mikrotik

Mikrotik Tutorials

Mikrotik Video TutorialMy Thumb Drive

MySQL

Networking

PLC

Pop Quiz

Programming/Scripting

SCADA

Script

SecurityServer

Template

TheBrothersWISP

Thoughts

Training/Classes

Ubiquiti

Uncategorized

Vmware

VOIPWindows

Wireless

Pages


Consulting/About Me

Contact Me

http://gregsowell.com/?page_id=951http://gregsowell.com/?page_id=17http://gregsowell.com/?page_id=245http://gregsowell.com/?page_id=86http://gregsowell.com/?cat=18http://gregsowell.com/?cat=15http://gregsowell.com/?cat=19http://gregsowell.com/?cat=40http://gregsowell.com/?cat=1http://gregsowell.com/?cat=38http://gregsowell.com/?cat=26http://gregsowell.com/?cat=4http://gregsowell.com/?cat=43http://gregsowell.com/?cat=39http://gregsowell.com/?cat=13http://gregsowell.com/?cat=24http://gregsowell.com/?cat=35http://gregsowell.com/?cat=41http://gregsowell.com/?cat=7http://gregsowell.com/?cat=30http://gregsowell.com/?cat=42http://gregsowell.com/?cat=8http://gregsowell.com/?cat=29http://gregsowell.com/?cat=11http://gregsowell.com/?cat=23http://gregsowell.com/?cat=17http://gregsowell.com/?cat=6http://gregsowell.com/?cat=14http://gregsowell.com/?cat=34http://gregsowell.com/?cat=20http://gregsowell.com/?cat=28http://gregsowell.com/?cat=37


15/17



Blogroll

Andrew's Blog

JJ's Blog

Justin Miller's Blog

Justin Wilson's Blog

Packet Life

Cacti Links

Cacti.net

Cactiusers

Cactiusers blog

Contact Me

Contact Me

Ads

Links

Andrew's Blog

Cacti.net

Cactiusers

Cactiusers blogContact Me
http://gregsowell.com/?page_id=17http://blog.cactiusers.org/http://cactiusers.org/http://cacti.net/http://mikrotik-routeros.com/http://gregsowell.com/?p=1133http://gregsowell.com/?page_id=17http://blog.cactiusers.org/http://cactiusers.org/http://cacti.net/http://packetlife.net/http://www.mtin.net/blog/http://dynstatic.net/http://3dbwireless.com/boyd/http://mikrotik-routeros.com/


16/17



Categories

Access Control

Arduino

Asterisk

Asterixk

Autoit

Cabling

Cacti

Cacti Tutorials

Cacti Video Tutorial

CallManager

Chromecast

Cisco

Cisco ASA

Class Video

Dude

Fun

Hardware

Hotspot

Linux

Mikrotik

Mikrotik Tutorials

Mikrotik Video Tutorial

My Thumb Drive

MySQLNetworking

PLC

Pop Quiz

Programming/Scripting

SCADA

Script

Security

Server

TemplateTheBrothersWISP
http://gregsowell.com/?cat=43http://gregsowell.com/?cat=39http://gregsowell.com/?cat=13http://gregsowell.com/?cat=24http://gregsowell.com/?cat=35http://gregsowell.com/?cat=41http://gregsowell.com/?cat=7http://gregsowell.com/?cat=30http://gregsowell.com/?cat=42http://gregsowell.com/?cat=8http://gregsowell.com/?cat=29http://gregsowell.com/?cat=11http://gregsowell.com/?cat=23http://gregsowell.com/?cat=17http://gregsowell.com/?cat=6http://gregsowell.com/?cat=14http://gregsowell.com/?cat=34http://gregsowell.com/?cat=20http://gregsowell.com/?cat=28http://gregsowell.com/?cat=37http://gregsowell.com/?cat=27http://gregsowell.com/?cat=25http://gregsowell.com/?cat=16http://gregsowell.com/?cat=44http://gregsowell.com/?cat=22http://gregsowell.com/?cat=21http://gregsowell.com/?cat=10http://gregsowell.com/?cat=9http://gregsowell.com/?cat=33http://gregsowell.com/?cat=12http://gregsowell.com/?cat=31http://gregsowell.com/?cat=32http://gregsowell.com/?cat=45http://gregsowell.com/?cat=36


17/17



Thoughts

Training/Classes

Ubiquiti

Uncategorized

Vmware

VOIP

Windows

Wireless

Pages


Consulting/About Me

Contact Me


Archives

November 2014

September 2014

August 2014

July 2014

May 2014

Search

Type and press enter

Copyright 2014 Your Name Here. All rights reserved.

Paperpunch Themeby The Theme Foundry
http://thethemefoundry.com/http://thethemefoundry.com/paperpunch/http://gregsowell.com/?m=201405http://gregsowell.com/?m=201407http://gregsowell.com/?m=201408http://gregsowell.com/?m=201409http://gregsowell.com/?m=201411http://gregsowell.com/?page_id=951http://gregsowell.com/?page_id=17http://gregsowell.com/?page_id=245http://gregsowell.com/?page_id=86http://gregsowell.com/?cat=18http://gregsowell.com/?cat=15http://gregsowell.com/?cat=19http://gregsowell.com/?cat=40http://gregsowell.com/?cat=1http://gregsowell.com/?cat=38http://gregsowell.com/?cat=26http://gregsowell.com/?cat=4

Documents

Layer 2 Security – Protect You and Your Users From Attack