2. Layer 2 Design
L2 control protocols - 802.1Q, STP and ARP
802.1Q
for VLAN tagging on trunk links between Ethernet switches
Primary Issues: VLAN hopping (switch spoofing, double tagging)
Spanning Tree Protocol
for L2 loop avoidance
Primary Issues: no authentication on bridge PDUs (BPDUs) - any attached host can send them
Attacks: cause link failure (force topology recalculation); pretend to be the root of the tree and attract traffic
Defense: control participation in STP at the switch level (e.g. BPDU guard and root guard on access ports)
3. Layer 2 Design
ARP
for IP -> MAC mapping
Primary Issues: unauthenticated; gratuitous ARP (gARP) messages, legitimately used for high-availability failover, can equally be forged to poison neighbours' ARP caches
Defense: VLANs, static ARP entries, dynamic ARP inspection against a trusted binding table
DHCP
for IP allocation
Issues: MAC spoofing (exhausting the address pool), rogue DHCP server (handing out an attacker's gateway or DNS)
Defense: DHCP snooping - allow only specific (trusted) ports to respond to DHCP requests
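Added example (not from the slides): the check a switch's dynamic ARP inspection performs, written out in Python. Every ARP reply, gratuitous or solicited, is compared with a trusted IP-to-MAC binding table; a reply that maps a protected IP to an unlisted MAC is rejected. The legitimate HA case from the slide is handled by listing both members of the pair for the shared address. The binding table and sample replies are constructed for the example.

```python
"""Dynamic-ARP-inspection-style check over a batch of ARP replies.

Added example, not from the slides: each ARP reply (gratuitous or solicited)
is checked against a trusted IP-to-MAC binding table. A reply that maps a
protected IP to an unlisted MAC is rejected as a cache-poisoning attempt.
The binding table and the sample replies below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    port: str          # switch port the reply arrived on (used for reporting)
    gratuitous: bool   # True when sender and target IP are equal (gARP)


def _norm(mac: str) -> str:
    return mac.lower().replace("-", ":")


# Trusted bindings (constructed). An HA pair legitimately announces the shared
# address with gARP from either member, so both MACs are listed for 10.0.0.20.
TRUSTED_BINDINGS: Dict[str, Set[str]] = {
    "10.0.0.1": {"00:11:22:33:44:01"},                        # default gateway
    "10.0.0.20": {"00:11:22:33:44:20", "00:11:22:33:44:21"},  # HA active + standby
}


def inspect_arp(replies: Iterable[ArpReply],
                bindings: Dict[str, Set[str]] = TRUSTED_BINDINGS,
                allow_unknown: bool = True) -> Tuple[List[ArpReply], List[ArpReply]]:
    """Return (accepted, rejected).

    - protected IP, listed MAC   -> accept (covers legitimate HA gARP)
    - protected IP, other MAC    -> reject (poisoning attempt)
    - IP with no binding         -> accept, or reject in strict mode
    """
    accepted: List[ArpReply] = []
    rejected: List[ArpReply] = []
    for r in replies:
        allowed = bindings.get(r.sender_ip)
        if allowed is None:
            (accepted if allow_unknown else rejected).append(r)
        elif _norm(r.sender_mac) in {_norm(m) for m in allowed}:
            accepted.append(r)
        else:
            rejected.append(r)
    return accepted, rejected


# Constructed sample traffic.
SAMPLE_REPLIES = [
    ArpReply("10.0.0.1", "00:11:22:33:44:01", "Gi0/1", False),   # normal gateway reply
    ArpReply("10.0.0.20", "00:11:22:33:44:21", "Gi0/5", True),   # standby takes over the HA address
    ArpReply("10.0.0.1", "de:ad:be:ef:00:01", "Gi0/7", True),    # attacker claims the gateway
    ArpReply("10.0.0.99", "00:11:22:33:44:99", "Gi0/9", False),  # host with no recorded binding
]


def run_sample(strict: bool = False) -> Tuple[List[ArpReply], List[ArpReply]]:
    return inspect_arp(SAMPLE_REPLIES, allow_unknown=not strict)


if __name__ == "__main__":
    ok, bad = run_sample()
    for r in bad:
        print(f"DROP gARP={r.gratuitous} {r.sender_ip} is-at {r.sender_mac} on {r.port}: binding mismatch")
    print(f"{len(ok)} accepted, {len(bad)} rejected")
```

The strict mode mirrors what a switch does on untrusted ports with no DHCP-snooping entry: unknown bindings are dropped rather than learned, at the cost of breaking statically addressed hosts that were never entered in the table.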
4. Layer 2 Design
Wireless Networks - Medium Access
Boundary is diffuse (not hard)
Intruders do not have to tap wires - all messages are broadcast in a shared medium
Unauthenticated access modes (e.g. open networks) may cause problems
Contention resolution - fairness issues
Easy to limit / eliminate availability (a shared medium can be jammed)
5. IP Addressing Design
Subnetting
Administrative / physical separation
Primary Issues: access control between subnets
Defense: VLANs, Layer 3 ACLs (Access Control Lists)
6. Ingress / Egress Filtering
Egress: traffic with private (or otherwise non-local) source addresses is not allowed out - spoofed traffic originating inside never leaves.
Ingress: incoming traffic is accepted only from the outside world - packets arriving from outside with a source address in our own (or a private) range are dropped.
Filter at the edge or close to the edge - not necessarily only at the firewall.
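Added example (not from the slides): the ingress and egress rules above as an edge filter in Python. On the outside interface it drops packets whose source claims to be ours or is private/bogon; on the way out it drops packets whose source is not ours and packets addressed to private space. The site's public prefix (198.51.100.0/24, a documentation range standing in for a real allocation) and the sample packets are constructed for the example.

```python
"""Ingress/egress (anti-spoofing) filter for a site's edge router.

Added example, not from the slides. Direction-based rules: on the outside
interface, drop packets whose source claims to be one of our own addresses
or a private/bogon address; on the way out, drop packets whose source is not
ours and packets addressed to private space. The public prefix
198.51.100.0/24 (a documentation range) and the packets are constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple

IPNet = ipaddress.IPv4Network

# Addresses that must never appear as a source on the outside interface.
PRIVATE_AND_BOGON: List[IPNet] = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "127.0.0.0/8",                                    # loopback
    "169.254.0.0/16",                                 # link-local
    "0.0.0.0/8",                                      # "this" network
)]


def _in_any(addr: ipaddress.IPv4Address, nets: Iterable[IPNet]) -> bool:
    return any(addr in n for n in nets)


class EdgeFilter:
    def __init__(self, our_prefixes: Iterable[str]):
        self.ours: List[IPNet] = [ipaddress.ip_network(p) for p in our_prefixes]

    def decide(self, direction: str, src: str, dst: str) -> Tuple[str, str]:
        """direction: 'in' = arriving from the Internet, 'out' = leaving the site.
        Returns ('permit' | 'drop', reason)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if direction == "in":
            if _in_any(s, self.ours):
                return "drop", "ingress: outside packet claims an internal source"
            if _in_any(s, PRIVATE_AND_BOGON):
                return "drop", "ingress: private/bogon source"
            if not _in_any(d, self.ours):
                return "drop", "ingress: destination is not ours (we are not a transit)"
            return "permit", ""
        if direction == "out":
            if not _in_any(s, self.ours):
                return "drop", "egress: source is not ours (spoofed or pre-NAT leak)"
            if _in_any(d, PRIVATE_AND_BOGON):
                return "drop", "egress: private destination would leak outside"
            return "permit", ""
        raise ValueError(f"unknown direction {direction!r}")


# Constructed sample packets: (direction, src, dst).
SAMPLE_PACKETS = [
    ("in", "192.0.2.7", "198.51.100.10"),       # normal inbound
    ("in", "198.51.100.5", "198.51.100.10"),    # spoofs one of our addresses
    ("in", "10.1.2.3", "198.51.100.10"),        # private source from the Internet
    ("in", "192.0.2.7", "203.0.113.9"),         # not addressed to us
    ("out", "198.51.100.10", "192.0.2.7"),      # normal outbound (post-NAT)
    ("out", "10.1.2.3", "192.0.2.7"),           # internal address escaped NAT
    ("out", "198.51.100.10", "10.9.9.9"),       # private destination
]


def filter_sample() -> List[Tuple[str, str, str, str]]:
    """Run the sample packets through the filter; returns (direction, src, dst, action)."""
    edge = EdgeFilter(["198.51.100.0/24"])
    return [(d, s, t, edge.decide(d, s, t)[0]) for d, s, t in SAMPLE_PACKETS]


if __name__ == "__main__":
    for row in filter_sample():
        print("%-3s %-15s -> %-15s %s" % row)
```

The egress rule only works if it sits after NAT (so internal hosts appear with a public source) or is given the internal prefixes as well; placing it on the wrong side of the translation silently drops all outbound traffic.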
7. NAT
Private addresses translated to public addresses on the way out
Incoming traffic - reverse translation
static, 1-1, many-1 (port address translation)
do not rely on NAT (even many-1) as a security control - it hides addresses, it does not enforce policy
8. ICMP Design Issues
ping messages
essential for administration - turning ICMP off is not a solution except in specific cases.
Primary issue - echo request/reply messages carry a variable-length data field
ping-of-death attacks (oversized, fragmented echo), DoS floods, buffer overflows in receivers
covert channels (with cooperating software on the host, data is tunnelled in the echo payload)
Solutions: "explicitly permit - implicitly deny"
Permit ICMP echo request/reply messages only to and from the networks and users that need them
Deny all other echo messages
9. ICMP - Design Issues
Other required ICMP messages
(some codes of) Destination Unreachable - notably Fragmentation Needed, which Path MTU Discovery depends on
Time Exceeded (TTL expired in transit) messages needed by traceroute
ICMP filtering
ACLs for permitting the specific messages seen above and for denying all others
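Added example (not from the slides): the "explicitly permit, implicitly deny" policy of slides 8 and 9 as an ordered ICMP ACL in Python. Echo request/reply are permitted only between a management network and the inside, and only with a small payload (the variable-length data field is the issue); Fragmentation Needed and TTL-expired messages are permitted from anywhere; everything else falls through to the implicit deny. Network ranges and sample packets are constructed for the example.

```python
"""'Explicitly permit, implicitly deny' ACL for ICMP.

Added example, not from the slides. An ordered rule list: echo request/reply
only between the management network and the inside with a capped payload,
Fragmentation Needed and TTL-expired from anywhere, implicit deny otherwise.
Network ranges and sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMP types and the codes we care about (RFC 792, RFC 1191).
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11
FRAG_NEEDED = 4      # Destination Unreachable code used by Path MTU Discovery
TTL_EXPIRED = 0      # Time Exceeded code that traceroute relies on
ANY_CODE: Optional[int] = None


@dataclass(frozen=True)
class IcmpPacket:
    icmp_type: int
    code: int
    src: str
    dst: str
    payload_len: int


@dataclass(frozen=True)
class Rule:
    icmp_type: int
    code: Optional[int]
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    max_payload: Optional[int] = None   # cap on the echo data field, None = no cap
    name: str = ""

    def matches(self, p: IcmpPacket) -> bool:
        if p.icmp_type != self.icmp_type:
            return False
        if self.code is not None and p.code != self.code:
            return False
        if ipaddress.ip_address(p.src) not in self.src or ipaddress.ip_address(p.dst) not in self.dst:
            return False
        return self.max_payload is None or p.payload_len <= self.max_payload


def build_acl(mgmt: str, inside: str) -> List[Rule]:
    """Every rule is a permit; anything unmatched is denied by evaluate()."""
    net = ipaddress.ip_network
    anywhere = net("0.0.0.0/0")
    return [
        Rule(ECHO_REQUEST, ANY_CODE, net(mgmt), net(inside), 64, "ping from NOC"),
        Rule(ECHO_REPLY, ANY_CODE, net(inside), net(mgmt), 64, "ping reply to NOC"),
        Rule(DEST_UNREACH, FRAG_NEEDED, anywhere, net(inside), None, "PMTUD"),
        Rule(TIME_EXCEEDED, TTL_EXPIRED, anywhere, net(inside), None, "traceroute"),
    ]


def evaluate(acl: List[Rule], p: IcmpPacket) -> Tuple[str, str]:
    for rule in acl:                 # first match wins
        if rule.matches(p):
            return "permit", rule.name
    return "deny", "implicit deny"


# Constructed sample packets (management net 10.99.0.0/24, inside 10.1.0.0/16).
SAMPLE_PACKETS = [
    IcmpPacket(ECHO_REQUEST, 0, "10.99.0.5", "10.1.0.10", 56),           # normal ping from NOC
    IcmpPacket(ECHO_REQUEST, 0, "10.99.0.5", "10.1.0.10", 65000),        # oversized echo payload
    IcmpPacket(ECHO_REQUEST, 0, "192.0.2.7", "10.1.0.10", 56),           # ping from the Internet
    IcmpPacket(DEST_UNREACH, FRAG_NEEDED, "192.0.2.1", "10.1.0.10", 8),  # PMTUD feedback
    IcmpPacket(DEST_UNREACH, 1, "192.0.2.1", "10.1.0.10", 8),            # host unreachable: not needed
    IcmpPacket(TIME_EXCEEDED, TTL_EXPIRED, "192.0.2.1", "10.1.0.10", 8), # traceroute hop
    IcmpPacket(REDIRECT, 1, "10.1.0.1", "10.1.0.10", 8),                 # redirect: never wanted
]


def run_sample() -> List[str]:
    acl = build_acl("10.99.0.0/24", "10.1.0.0/16")
    return [evaluate(acl, p)[0] for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    acl = build_acl("10.99.0.0/24", "10.1.0.0/16")
    for p in SAMPLE_PACKETS:
        print(f"type {p.icmp_type:2d} code {p.code} {p.src:>12} -> {p.dst} len {p.payload_len:5d}: {evaluate(acl, p)}")
```

Note what the payload cap buys: a flood of 56-byte pings from the NOC still gets through (rate limiting, slide 19, handles that), but an echo carrying a covert-channel payload or an oversized fragment train is denied without a signature for it.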
10. Routing - Issues
Possible attacks:
Traffic redirection (through an attacker-controlled path)
Traffic sent to a black hole (silently dropped)
Router DoS (Denial of Service) - attack on availability
Routing protocol DoS
Unauthorized prefix origination (a router announcing address space it does not own)
11. Routing - Issues
Attack methods & possible solutions:
Configuration modification of routers
Secure the routers - device hardening
Rogue router introduction
Add message authentication to the routing protocol
Use ACLs to block routing protocol message types from unwanted networks
Spoofing / modifying routing messages
Message authentication; for TCP-based protocols (BGP) the TCP sequence numbers also make blind injection harder
Sending malformed or excess packets
DoS mitigation (rate limiting) for excess; no easy solution for malformed packets beyond a robust implementation
12. Router - Device Hardening
Disable unneeded services
no DNS lookups by the router
no echo or finger services
no bootp service (if not needed)
no source routing and no directed broadcasts
no ICMP redirects
Password encryption / authentication
Use hashed passwords (not reversible "encryption")
Use secure protocols (SSH rather than telnet) for line access
Set up per-user usernames and access controls
13. Routing Protocol - Message Auth.
Plaintext passwords with routing update messages (weak - visible on the wire)
Keyed MD5 digest authentication with a shared secret (the key itself never goes on the wire)
Protocol specific:
Avoid RIP v1 - it has no authentication mechanism (RIPv2 adds plaintext and MD5)
OSPF (widely used for interior gateways) - supports keyed MD5 (newer implementations also HMAC-SHA)
BGP (widely used for cross-domain routing) - supports keyed MD5 through the TCP MD5 option (TCP-AO is the newer replacement)
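Added example (not from the slides, and not a bit-exact OSPF or RIPv2 packet): the keyed-MD5 construction those protocols use, in Python. The sender appends the shared secret to the message, takes MD5, and ships the digest in place of the secret; the authentication header carries a key ID and a cryptographic sequence number that must increase, so a captured update cannot be replayed. Key IDs, the secret and the sample update are constructed; MD5 is kept for protocol fidelity only.

```python
"""Keyed-MD5 authentication of routing updates with replay protection.

Added example, not from the slides and not a bit-exact OSPF or RIPv2 packet.
Same construction as RFC 2328 App. D / RFC 2082: digest = MD5(header ||
payload || padded key), sent in place of the key; a 32-bit sequence number in
the header must increase between updates from the same neighbour. Keys and
sample updates are constructed. New deployments should prefer HMAC-SHA
(RFC 5709 for OSPF) or TCP-AO (RFC 5925 for BGP) over MD5.
"""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

AUTH_HDR = struct.Struct("!BBI")   # key id, auth data length, crypto sequence number
DIGEST_LEN = 16


def _padded_key(key: bytes) -> bytes:
    if not 1 <= len(key) <= DIGEST_LEN:
        raise ValueError("key must be 1..16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def sign_update(payload: bytes, key_id: int, seq: int, key: bytes) -> bytes:
    """Return header || payload || MD5(header || payload || padded key)."""
    header = AUTH_HDR.pack(key_id, DIGEST_LEN, seq)
    digest = hashlib.md5(header + payload + _padded_key(key)).digest()
    return header + payload + digest


class UpdateVerifier:
    def __init__(self, keys: Dict[int, bytes]):
        self.keys = keys
        self.last_seq: Dict[str, int] = {}   # highest sequence accepted per neighbour

    def verify(self, neighbour: str, msg: bytes) -> Tuple[bool, str]:
        if len(msg) < AUTH_HDR.size + DIGEST_LEN:
            return False, "truncated"
        key_id, auth_len, seq = AUTH_HDR.unpack_from(msg)
        if auth_len != DIGEST_LEN:
            return False, "bad auth length"
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown key id"
        body, digest = msg[:-DIGEST_LEN], msg[-DIGEST_LEN:]
        expected = hashlib.md5(body + _padded_key(key)).digest()
        if not hmac.compare_digest(expected, digest):   # constant-time compare
            return False, "digest mismatch"
        if seq <= self.last_seq.get(neighbour, -1):
            return False, "replayed or stale sequence number"
        self.last_seq[neighbour] = seq
        return True, "ok"


def demo() -> Dict[str, str]:
    """Legitimate update, tampered copy, replay, rogue router with a guessed key."""
    shared = b"s3cret-area0"                       # constructed shared secret, key id 1
    verifier = UpdateVerifier({1: shared})
    payload = b"prefix 10.2.0.0/16 metric 10"      # constructed update body
    good = sign_update(payload, key_id=1, seq=1001, key=shared)
    tampered = bytearray(good)
    tampered[AUTH_HDR.size] ^= 0xFF                # flip the first payload byte in transit
    rogue = sign_update(b"prefix 0.0.0.0/0 metric 1", key_id=1, seq=2000, key=b"guess")

    results: Dict[str, str] = {}
    results["good"] = verifier.verify("R2", good)[1]
    results["tampered"] = verifier.verify("R2", bytes(tampered))[1]
    results["replay"] = verifier.verify("R2", good)[1]          # same update again
    results["rogue"] = verifier.verify("R9", rogue)[1]
    results["next"] = verifier.verify("R2", sign_update(payload, 1, 1002, shared))[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s}: {outcome}")
```

The sequence number is what turns message authentication into rogue-router protection: without it an attacker who cannot forge a digest can still re-inject a stale but validly signed update, e.g. one advertising a path that has since been withdrawn.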
14. Routing - Issues
Asymmetric Routing & State-Aware Security
Asymmetric traffic - different paths for request and return; per-packet load balancing makes it worse
Can happen within a site (multiple exits), across the Internet or at the ISP.
Causes problems for state-aware security devices and mechanisms - firewalls, IDS etc. - which then see only one half of a connection.
15. Routing - Issues
Asymmetric Routing - Solutions
Use symmetric routing
hard to do and impractical beyond a single site
Load balance per flow (rather than per packet)
cannot avoid request-return asymmetry.
Manipulate flows using NAT or routing (e.g. NAT at the exit forces the return path through the same device)
Use state-sharing security devices - e.g. exchange state info. between firewalls
significant traffic overhead
Use stateless security features - e.g. ACLs
works only for easy situations - simple traffic categorizations
16. Transport Protocol - Design Issues
Denial of Service attacks
easy to launch and cannot be completely stopped.
network flooding (consume bandwidth) vs. transport flooding (consume host resources)
Network Flooding
Detection: through Network Intrusion Detection, routers and firewalls (i.e. their log and flow data)
Stopping: often only through the service provider; stops good as well as bad traffic
17. Transport Protocol - Design Issues
Stopping Network Flooding
Basic ACL: drop all traffic destined for the victim IP address; configure this throughout the ISP's network.
Black hole filtering: propagate a static route for the victim address to a null interface (typically via BGP) so the traffic is discarded in the forwarding path. Faster than the basic ACL approach; much less CPU impact.
Sinkhole routing: traffic diverted to a specific location so that it can be studied.
18. Transport Protocol - Design Issues
Trace Back (DoS)
Manual ACL trace back: create an ACL with broad permits that are made more specific, hop by hop, as more information about the attack is gained.
Backscatter trace back:
combine black hole and sinkhole routing
black hole routing results in ICMP unreachable messages sent back to the (spoofed) source addresses
route a chunk of unallocated IP address space, within the ISP, to a sinkhole: the unreachables for spoofed sources in that space land at the sinkhole, and their own source addresses identify the routers the attack enters through.
Trace back is useless if the attacker is spoofing a legitimately allocated address (the backscatter goes to the real owner instead).
19. Transport Protocol - Design Issues
DoS Mitigation
QoS techniques -
limit traffic by type (e.g. UDP 10 Mbps, ICMP 200 Kbps); use a token bucket to police each class;
application-specific filtering (e.g. in e-commerce scenarios, permit only the UDP traffic the application actually needs)
use a distributed design
content delivery networks (absorb and spread the load)
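Added example (not from the slides): per-class token-bucket policing in Python with the rates the slide gives (UDP 10 Mbps, ICMP 200 Kbps). A packet passes only if its class's bucket holds enough bytes of credit; the bucket refills at the configured rate up to a burst size. Integer millisecond timestamps keep the arithmetic exact. Burst sizes and the synthetic packet streams are constructed for the example.

```python
"""Per-class token-bucket policing for DoS mitigation.

Added example, not from the slides. Each traffic class gets a token bucket
with the slide's rates (UDP 10 Mbps, ICMP 200 kbps); a packet passes only if
the bucket holds enough bytes of credit. Burst sizes and the packet streams
are constructed.
"""
from typing import Dict, Iterable, List, Optional, Tuple


class TokenBucket:
    """Credit accrues at rate_bps; at most burst_bytes can be banked."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate_bytes_per_s = rate_bps // 8
        self.capacity = burst_bytes
        self.tokens = burst_bytes
        self.last_ms: Optional[int] = None

    def allow(self, size_bytes: int, now_ms: int) -> bool:
        if self.last_ms is not None:
            refill = (now_ms - self.last_ms) * self.rate_bytes_per_s // 1000
            self.tokens = min(self.capacity, self.tokens + refill)
        self.last_ms = now_ms
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False           # out of profile: drop (or re-mark) the packet


class Policer:
    def __init__(self):
        # Rates from the slide; bursts (constructed): 0.1 s worth of UDP, 1 s worth of ICMP.
        self.buckets: Dict[str, TokenBucket] = {
            "udp": TokenBucket(10_000_000, 125_000),
            "icmp": TokenBucket(200_000, 25_000),
        }

    def police(self, packets: Iterable[Tuple[int, str, int]]) -> Dict[str, Dict[str, int]]:
        """packets: (arrival_ms, class, size_bytes) in arrival order.
        Classes without a bucket (e.g. tcp) pass unpoliced."""
        stats: Dict[str, Dict[str, int]] = {}
        for now_ms, cls, size in packets:
            s = stats.setdefault(cls, {"passed": 0, "dropped": 0})
            bucket = self.buckets.get(cls)
            if bucket is None or bucket.allow(size, now_ms):
                s["passed"] += 1
            else:
                s["dropped"] += 1
        return stats


def icmp_flood_vs_udp_load() -> Dict[str, Dict[str, int]]:
    """Constructed streams: 1000-byte packets every 10 ms for 10 s on each class,
    i.e. 800 kbps offered: 4x the ICMP limit, well under the UDP limit."""
    stream: List[Tuple[int, str, int]] = []
    for i in range(1000):
        stream.append((i * 10, "icmp", 1000))
        stream.append((i * 10, "udp", 1000))
    return Policer().police(stream)


if __name__ == "__main__":
    for cls, s in icmp_flood_vs_udp_load().items():
        print(f"{cls:5s} passed={s['passed']:4d} dropped={s['dropped']:4d}")
```

With these numbers the ICMP bucket drains its 25 kB burst in the first third of a second and then admits one packet in four, which is exactly the 200 Kbps long-term rate; the UDP stream is never touched. The burst size is the knob that trades off tolerating legitimate bursts against how long a flood gets through unthrottled.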
20. Transport Protocol - Design Issues
(back to) Denial of Service attacks: network flooding (consume bandwidth) vs. transport flooding (consume host resources)
Transport Flooding
TCP SYN flooding - send SYN packets (the first step of the 3-way handshake), usually from spoofed sources, but never answer the SYN-ACK; TCP is connection oriented: the server holds each half-open connection for a timeout, so the connection (backlog) queue overflows and legitimate SYNs are refused.
21. Transport Protocol - Design Issues
SYN cookies
host-specific method of mitigating SYN flooding attacks;
avoid storing half-open connections in the queue; encode the connection state in the server's initial sequence number (the challenge) and reconstruct it from the client's ACK (the response).
TCP intercept
network-level protection for SYN floods
intercept connection requests at an intermediate node which transparently forwards TCP packets to the server; SYN packets are acked immediately on the server's behalf; if the client does not complete the handshake, an aggressive backoff/timeout reclaims the half-open entry (e.g. PIX firewalls)
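Added example (not from the slides, and not the Linux implementation, though it follows the same layout): a stateless TCP listener using SYN cookies, in Python. The server's initial sequence number carries a 5-bit timestamp, a 3-bit encoded MSS and a 24-bit keyed hash of the 4-tuple and timestamp; nothing is stored per SYN, and the client's ACK (cookie + 1) is verified by recomputing the hash. SHA-256 stands in for the kernel's hash, the minute-granularity clock and 2-minute acceptance window are choices made here, and the secret and addresses are constructed.

```python
"""SYN cookies: a stateless TCP listener that survives a SYN flood.

Added example, not from the slides and not the Linux implementation. The
SYN-ACK's initial sequence number = 5-bit minute counter | 3-bit MSS index |
24-bit keyed hash of (src, dst, sport, dport, minute). Nothing is stored per
SYN; the ACK is checked by recomputing the hash. SHA-256, the minute clock,
the 2-minute window, the secret and the addresses are all choices/constructed.
"""
import hashlib
import ipaddress
import struct
from typing import Dict, Optional, Tuple

MSS_TABLE = (536, 1300, 1440, 1460)   # 3-bit index -> MSS; four entries are enough here
WINDOW_MINUTES = 2                    # accept cookies at most this old


def _hash24(src: str, dst: str, sport: int, dport: int, minute: int, secret: bytes) -> int:
    data = struct.pack("!4s4sHHI",
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                       sport, dport, minute) + secret
    return int.from_bytes(hashlib.sha256(data).digest()[:3], "big")


def make_syn_cookie(src: str, dst: str, sport: int, dport: int,
                    client_mss: int, minute: int, secret: bytes) -> int:
    """Initial sequence number for the SYN-ACK; encodes all the state the server needs."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):       # largest table entry not above the client's MSS
        if mss <= client_mss:
            mss_idx = i
    return ((minute & 0x1F) << 27) | (mss_idx << 24) | _hash24(src, dst, sport, dport, minute, secret)


def check_syn_cookie(ack: int, src: str, dst: str, sport: int, dport: int,
                     now_minute: int, secret: bytes) -> Optional[int]:
    """Return the MSS to use if the ACK completes a valid, fresh cookie, else None."""
    isn = (ack - 1) & 0xFFFFFFFF
    age = (now_minute - (isn >> 27)) & 0x1F        # minutes since issue, mod 32
    if age > WINDOW_MINUTES:
        return None
    issued = now_minute - age
    if _hash24(src, dst, sport, dport, issued, secret) != (isn & 0xFFFFFF):
        return None
    return MSS_TABLE[(isn >> 24) & 0x7]


class StatelessListener:
    """Holds no half-open connections: a flood of SYNs costs CPU, not memory."""

    def __init__(self, addr: str, port: int, secret: bytes):
        self.addr, self.port, self.secret = addr, port, secret
        self.established: Dict[Tuple[str, int], int] = {}   # only completed handshakes

    def on_syn(self, src: str, sport: int, client_mss: int, minute: int) -> int:
        return make_syn_cookie(src, self.addr, sport, self.port, client_mss, minute, self.secret)

    def on_ack(self, src: str, sport: int, ack: int, minute: int) -> bool:
        mss = check_syn_cookie(ack, src, self.addr, sport, self.port, minute, self.secret)
        if mss is None:
            return False
        self.established[(src, sport)] = mss
        return True


def demo() -> Dict[str, object]:
    srv = StatelessListener("198.51.100.10", 443, b"constructed-secret")
    for i in range(50_000):                        # spoofed SYN flood: nothing is queued
        srv.on_syn(f"203.0.113.{i % 250 + 1}", 1024 + (i % 60000), 1460, minute=100)
    isn = srv.on_syn("192.0.2.7", 51515, 1400, minute=100)        # real client, MSS 1400 -> 1300
    legit = srv.on_ack("192.0.2.7", 51515, (isn + 1) & 0xFFFFFFFF, minute=101)
    old_isn = srv.on_syn("192.0.2.8", 51516, 1460, minute=100)
    stale = srv.on_ack("192.0.2.8", 51516, (old_isn + 1) & 0xFFFFFFFF, minute=104)  # too old
    forged = srv.on_ack("192.0.2.9", 51517, 0x12345678, minute=101)                 # guessed ACK
    return {"legit": legit, "stale": stale, "forged": forged,
            "mss": srv.established.get(("192.0.2.7", 51515)),
            "established": len(srv.established)}


if __name__ == "__main__":
    print(demo())
```

The cost of statelessness shows in the MSS table: only what fits in the cookie survives the handshake, so TCP options such as window scaling or SACK are lost unless the client echoes them in a timestamp option, which is why real stacks turn cookies on only once the backlog is under pressure.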