Layer 2 security; the forgotten front

Summary: One of the fastest ways for hackers to breach security systems is to circumvent Layer 2, which is your LAN switching infrastructure.  Unfortunately, that also happens to be one of the most overlooked aspects of Information Security, with most security audits focusing on policy and compliance issues on the upper layers of the stack.


One of the fastest ways for hackers to breach security systems is to circumvent Layer 2, which is your LAN switching infrastructure.  Unfortunately, that also happens to be one of the most overlooked aspects of Information Security, with most security audits focusing on policy and compliance issues on the upper layers of the stack.  The vast majority of networks, large or small, that I have come across in my past career as an IT consultant lacked most of the basic defenses on their LAN switching infrastructure.

To help fix this situation, I created this free comprehensive guide, "Essential lockdowns for Layer 2 switch security", to address all of the following issues:

  • Enable SSH and disable TELNET
  • Lock down VTP and SNMP security
  • Basic port lockdown
  • VLAN trunking lockdown
  • STP BPDU and Root guard
  • Prevent CAM table and DHCP bombing
  • Prevent DHCP, MAC, and IP spoofing
  • Limit the size of STP domains
  • Maintain the switch software to the latest stable build
  • A look at the future: 802.1x and NAP/NAC

A PDF version is also available for (free) registered users for offline viewing.
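One way to check a switch against the list above, as an added example that is not part of the article or its guide: a small Python audit of an IOS-style running-config that reports which lockdowns are still missing. The config text, VLAN numbers and community string are constructed for the example; the command syntax is standard Cisco IOS, and the check names are assumptions of this example rather than anything the guide defines.

```python
# Added example, not from the article or its guide: audit an IOS-style running-config against the Layer 2 checklist. The sample config is constructed; the command syntax is real IOS.
import re
SAMPLE_CONFIG = """\
vtp mode transparent
snmp-server community public RO
ip dhcp snooping
ip arp inspection vlan 10
spanning-tree portfast bpduguard default
interface GigabitEthernet0/1
 switchport mode access
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
line vty 0 4
 transport input telnet ssh
"""

def parse_config(text):
    glob, ifaces, cur = [], {}, None  # global lines, {interface name: [commands]}
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur is not None:
            ifaces[cur].append(line.strip())
        else:  # any other top-level line (e.g. "line vty 0 4") ends the interface block
            cur = None
            glob.append(line.strip())
    return glob, ifaces

def audit(text):
    glob, ifaces = parse_config(text)
    access = [c for c in ifaces.values() if "switchport mode access" in c]
    trunks = [c for c in ifaces.values() if "switchport mode trunk" in c]
    vty = [ln for ln in glob if ln.startswith("transport input")]
    return {  # one check per item of the lockdown list; comment names the attack it counters
        "ssh_only": bool(vty) and all(ln.split()[2:] == ["ssh"] for ln in vty),  # clear-text telnet
        "vtp_locked": any(ln in ("vtp mode transparent", "vtp mode off") for ln in glob),  # rogue VTP server
        "snmp_not_default": not any(re.match(r"snmp-server community (public|private)\b", ln) for ln in glob),
        "port_security": bool(access) and all("switchport port-security" in c for c in access),  # CAM flooding
        "trunks_locked": bool(trunks) and all("switchport nonegotiate" in c and any(  # DTP / VLAN hopping
            ln.startswith("switchport trunk allowed vlan") for ln in c) for c in trunks),
        "bpdu_guard": "spanning-tree portfast bpduguard default" in glob,  # rogue switch joining STP
        "dhcp_snooping": "ip dhcp snooping" in glob,  # rogue DHCP server; prerequisite for DAI
        "arp_inspection": any(ln.startswith("ip arp inspection vlan") for ln in glob),  # ARP/MAC spoofing
    }

def missing(text):
    return sorted(k for k, ok in audit(text).items() if not ok)  # items still to fix, stable order
```

Running `missing(SAMPLE_CONFIG)` on the constructed config flags the telnet-enabled vty, the default SNMP community and the access port without port security; 802.1x and software currency are not visible in a config dump and are left out.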

The consequence of not deploying these security mechanisms is that hackers who manage to break into a single computer on your network will be able to expand their reach.  They'll be able to:

  • Sniff your internal LAN for passwords and break into other critical systems
  • Crash your LAN and lock it up indefinitely
  • Nuke your LAN configuration and shut your whole network down
  • Take your phone system down if you're using IP Telephony


Talkback

25 comments
  • Added to my list of things to do yesterday.

    I am such a slacker.

    I can tell that I need very much to work on locking down everything.
    nucrash
  • I wouldn't worry about it if I were you...

    ... not while Microsoft seems to be locking down the OS.

    I came across an article on Groklaw which I've posted to David Berlind's DRM posts

    http://talkback.zdnet.com/5208-10741-0.html?forumID=1&threadID=29710&messageID=553174&start=-1

    Whilst locking down the network is important, how many of us are directly going to fiddle with Cisco routers? Also, what is the likelihood of such attacks? A security specialist I talked to once said that he found the most common form of industrial espionage was bribing someone on the inside to copy the information to a CD and then mail it in the post. That way it left no email traces in the system logs.

    For a lot of companies data is stolen by employees leaving the job. They copy (say) the customer list to a pen drive, take it home and hand in their resignation the next day. Escorting them out of the building at this point is too late.

    I'm not saying that technical security should be neglected, but if you do lock down your systems as George outlines, don't think that you are secure!
    bportlock
    • That's just a real foolish attitude

      "Whilst locking down the network is important, how many of us are directly going to fiddle with Cisco routers? Also, what is the likelihood of such attacks? A security specialist I talked to once said that he found the most common form of industrial espionage was bribing someone on the inside to copy the information to a CD and them mail it in the post. That way it left no email traces in the system logs"

      That's just a real foolish attitude.

      One measure doesn't negate the other. Doing my list of Layer 2 lockdowns doesn't mean I'm telling you not to worry about the application layer. You should do ALL of them. I only brought this to your attention because of your ignorant attitude that this is somehow not likely. If you ever checked with hackers to see how they break deep into a network, the layer 2 attack is one of their primary tools.
      georgeou
      • That's a realistic attitude

        [i]"That's just a real foolish attitude."[/i]

        No it is not. A real foolish attitude is to think that securing your network will secure your I.T. The security agencies discovered a long time ago that the best way to circumvent ANY security is to subvert the holder of all the passwords. If I have full administrator access to computers on the network then no matter how secure they are, if I can be suborned then the security won't stop me and that's a fact.

        [i]"One measure doesn't negate the other"[/i]

        I never said it did. What I did say was that people should not think that securing Layer 2 means you are secure. It actually means that Layer 2 is secure.

        [i]"I only brought this to your attention because of your ignorant attitude that this is somehow not likely."[/i]

        Once again, I never said that it was not likely. I asked how likely it was. I said [i]"what is the likelihood of such attacks?"[/i]. You could have answered that without the righteous indignation.
        bportlock
        • I am not for sure who can urinate farther

          But I wish you would both stop...

          1. People are always exploitable
          2. Don't go in public with your pants unzipped. (zip up your layer 2)

          I remember hearing about how 80% of attacks occur internally. By fixing layer 2, you do reduce the amount of internal attacks by Joe Blow Employee jacking into a network port and snooping passwords. (I don't manage this network as well as I should, but I do know what can be abused.)
          nucrash
          • Take it easy...

            ... all I did was point that securing the network is not the be-all and end-all of security. Next thing I know George is accusing me of saying things I never said.

            All I did was respond. As far as I am concerned, I've made my position clear. I have no intention of starting a pi**ing contest.
            bportlock
          • No, you said don't worry about this stuff

            "all I did was point that securing the network is not the be-all and end-all of security"

            No, you said don't worry about this stuff and you questioned how likely this stuff is to occur. That is a very ignorant attitude from a security standpoint and I really hope you're not in charge of someone's security. Do not pretend you didn't say these words because it's in black and white what you said in this thread.

            On the other hand, do not put words in my mouth that this is the "be-all and end-all of security" when my EXACT words are that this is the forgotten front on security. Do not accuse me of saying that one does not need to worry about other security issues when I said no such thing.
            georgeou
          • I'm not worried

            [i]"Do not pretend you didn't say these words because it's in black and white what you said in this thread."[/i]

            That's right George - it is in black and white and anyone who reads it can see how you are misquoting me, attributing things to me that I didn't say and taking things out of context.
            bportlock
          • Let's not start moral equivalency here

            "But I wish you would both stop..."

            Let's not start moral equivalency here. I bring up a very important front on security. The man comes here and says "don't worry about it" and "who touches those Cisco routers anyways" and "is this really a likely threat". I'm not going to stand here and pretend he didn't say those dumb things on my thread.

            One of the dumbest and most used arguments against implementing any security is to change the subject and say oh but you didn't secure this other thing where people sneakernet your data out. I'll say it one last time: One doesn't negate the other. All security fronts must be treated seriously.
            georgeou
        • I never said that

          "No it is not. A real foolish attitude is to think that securing your network will secure your I.T"

          I said this was one of the FORGOTTEN fronts. I did NOT say you do this and not everything else.

          "Once again, I never said that it was not likely. I asked how likely it was. I said "what is the likelihood of such attacks?". You could have answered that without the righteous indignation."

          You said not to worry about this security front and then you asked how likely these attacks were. That's a very foolish attitude and I'll answer your question. Once a hacker breaks into a single node on your network, there is a 100% probability that he will use these attacks to extend his reach.
          georgeou
  • The Best Security is Physical Security

    [url=http://www.eweek.com/article2/0,1895,2087568,00.asp]fyi[/url]

    With HIPAA and Sarbanes-Oxley compliancy looming, CIOs are looking to solutions to stave off the contingent liability.

    There's no substitute for plain old-fashioned physical security measures.

    Which is why data center secure server administration with locked down solid state Thin Clients is coming into vogue.

    Don't believe it? Well maybe if you worked in IT in a Healthcare setting and dealt with HIPAA you would!

    All it takes is one class action lawsuit to put an institution out of business.

    Thin Client over ssh or SSL and a physical lock down on both endpoints.[1]

    Thanks

    [1] This doesn't keep nefarious activities from happening altogether but it certainly makes it more difficult and it would most likely be an 'inside job' from the start.
    D T Schmitz
    • One doesn't substitute for the other

      Yes Physical security is important, but it's not always possible in a large facility especially in a hospital. But even if you could lock down physical security, it doesn't mean you don't have to worry about someone slipping in via a single compromised machine. From there, you better hope you're in full compliance with my list of recommendations. Unfortunately, most people aren't even close.
      georgeou
      • Possible? Cost vs Liability Cost

        When you measure the impact of potential litigation vs the cost of new hardware/security implementation cost, suddenly 'all things are possible'.

        ;)
        D T Schmitz
        • Point is you can't prevent patients from being near RJ45 jacks

          Point is you can't prevent patients from being physically near RJ45 jacks and computers, but what you can do is implement auto-screen savers that lock out the PC terminals and you can implement port-based security. That's a classic example of not being able to control physical access to your computers and network but using Layer 2 (switch layer 802.1x) and Layer 7 (application layer, as in the screen lockout) security.

          Now if we're talking about a data center, then you must do everything possible to control physical security. Security isn't about one versus the other, you have to have every front secured.
          georgeou
          • HIPAA and Patients

            It has nothing to do with patients' access; rather, it is the release of patient personal/private health information without their consent which is at issue.

            One compromised arping pc on the subnet sniffing clear text is all it takes to have a breach.

            This scenario is not possible with encrypted Thin Client solid state diskless client machines.

            What's more, there is a bonus for moving the data off of the local machine to the data center--central administration, and the inherent lowered cost of maintaining server farms running VMs.

            The user will still be able to do their work without seeing a difference--all the apps will be there as with Fat Clients.

            This is not 'pie in the sky' stuff.

            Thanks George.
            D T Schmitz
          • I can agree with the thin clients for medical use

            I can agree with the thin clients for medical use or any of these types of applications. In fact, it lets you use small Windows CE tablets and Citrix to access the application.

            I was only pointing out that it is unavoidable to have the general public near your data ports in a hospital and that 802.1x layer 2 port-based security is a very wise thing to implement. I've sat in hospitals where I could have easily plugged in my laptop.
            georgeou
  • Good article George

    I'm not our official network administrator, so I don't do the Cisco side of stuff at my job, but being interested in security, I know about all of these attacks and how to mitigate them. I've been lobbying for better lockdown on our wired network (at least our wireless is set up properly) for years now.

    Right now, we're in the "wide open" category. :(
    toadlife
    • You're in the majority

      You're in the majority based on my experience. Most of the time you get this look "but this is the internal LAN" as if it were somehow fundamentally immune. Extremely few networks are in full compliance with my entire list short of NAP/NAC.
      georgeou
      • You'll love this

        Just after posting, I turned to my coworker who is the official "network administrator" and started talking to him about all of these measures we should implement. He is all for it, so I start laying down attack vectors and the countermeasures that we both know we can implement easily. He is all for it, and in only a few minutes we already have a broad "meta-plan" laid out in our heads.

        The IT head walks in and we tell her what we're talking about. We explain how incredibly vulnerable our internal network is to things like ARP spoofing/MITM attacks and how implementing some measures to control access to our internal network would greatly decrease our exposure to attacks from inside.

        She acknowledges that our ideas are great and we should look into this, but to forget about it now because we have 'so many other important things to do'.

        So I browse over to our ticketing system and look at the number of open cases I have; none.

        *sigh*

        Oh well. I'm going to lunch.
        toadlife
        • Thank god I don't have a ticket system yet

          I never get everything done as it is. Right now, I have worked a total of 42 hours in the past three days and I still am not even close to catching up with work.
          nucrash