Content Addressable Memory (CAM) in Layer 2 Switching

Transcription

1 Sham Rizal Ramlee Faculty of Computer and Mathematical Sciences University Technology Mara (UiTM) Malaysia IT Security for the Next Generation Asia Pacific & MEA Cup, Hong Kong March, 2012

2 Introduction Problem Statement Objective Related Works Project Architecture Result Conclusion

3 Introduction Layer 2 attacks are often overlooked when designing a network security solution. Usually any laptops can plug into the network and gain access to the network. The hackers who manage to break in to a single computer on our network will be able to expand their reach. They will be able to : a. Sniff our internal LAN for password and break in to other critical systems. b. Crash our LAN and lock it up indefinitely. c. Nuke our LAN configuration and shut our whole network down. d. Take our phone system down if using IP Telephony. e. Illegally using accounts and privileges. f. Running code to damage and corrupt data for Servers. PAGE March, 2012

4 Problem Statement All the switches model uses Content Addressable Memory (CAM) table for layer 2 switching. However, it also important to be familiar of the function of CAM table and how the intruder attacking the switches with flood of invalid mac-address to CAM table. This research focus to capture invalid mac-address flooding to switches and result happened and impact to network users during the CAM Overflow Attacks. PAGE March, 2012

5 Objective To capture invalid Mac-Address for data collection purposes, analyze the network traffic and securing condition in Layer 2 switches. To propose solution to mitigate mac-address flooding and other layer 2 Content Address Memory (CAM) Overflow attacks. This research is done in a real area control environment with consists of 3 Servers (VMWare), DNS Servers, Window Server, Backtrack 5 and 1 switch connected to those servers. PAGE March, 2012

6 Related Works Title and Author Contribution Secure Use of VLAN: security assessment (David Pollino and Mike Schiftman. August 2002) Framework for Layer 2 attacks Yersinia (David Barroso, Alfredo Andres, Blackhat EU 2005) Interest of identifying and precisely security risk associate with VLAN implemented using the Cisco Catalyst Family of products. Brief about the protocols and attacks STP/RSTP,CDP,DHCP,HSRP,VTP,IEEE802.1Q and Mitigation. Subverting the ARP Protocol (Peter Davies. Jan 2009) Describe about forms of attacks such as mac-flooding, arp poisoning, man-in-middle, and practical example. Understanding preventing and defending against layer 2 attacks (Yusuf Bharji 2007) Packet Sniffing on Layer 2 switches local area network (Ryan Spangler Dec 2003) Layer 2 attacks landscape, attacks and counter measures, vlan hopping, mac attacks, dhcp attacks, arp attacks, spoofing attacks and general attacks. Paper discussed several methods that results in packet sniffing on layer 2 switched network. Show how sniffing can be accomplish on switches networks and to understand how it can be prevented. PAGE March, 2012

7 Project Architecture PAGE March, 2012

8 Tool Capture Ping Connectivity Test Dsniff (macof) - tool to flood invalid mac-address. Backtrack 5 Ettercap tool to sniff servers. PAGE March 2012

9 CAM Table Switch Before Attacking Show mac-address-table dynamic list the dynamically learned entries in CAM Table Show mac address-table aging-time default aging time 300 sec. Show mac address-table count - size of the CAM table and how many hosts are using the network Output: PAGE March, 2012

10 Result : CAM Table Switch After Attacking Run macof Output: size of CAM Cable reducing into 0 After the CAM tables is flooded the switch enters a fail-open mode acting as a HUB, forwarding traffic to all ports making sniffing easier or achieving a DOS attack consuming switch processing power. CAM-Table-Overflow against a switch results in a "degradation of service". Run Ettercap to sniff servers by capture username and password. PAGE March, 2012

11 CAM Table architecture The switch CAM table stores the source MAC address and the associated port of each device connected to the switch. The CAM table on the Catalyst 6500 can contain 128,000 entries. These 128,000 entries are organized as 8 pages that can store approximately 16,000 entries. A 17 bit hash algorithm is used to place each entry in the CAM table. If the hash results in the same value, each entry is stored on separate pages. Once these eight locations are full, the traffic is flooded out all ports on the same VLAN on which the source traffic is being received.. 8 Buckets / Pages 1 A B C 2 D E G 3 H. I. J K L M N O P Q R S T Flooded 17 Bit Hash algorithms is used to place each entry in CAM Table PAGE March, 2012

12 MAC-Address Flooding Mitigation Cisco Port security can be configured in a port to restrict the MAC-Addresses allowed into the ports. Mitigate MAC-flooding and other Layer 2 Content Addressable Memory (CAM) overflow attack. Three MAC Addresses encompass the phone, the switch in the phone and the PC. Restrict rather than error-disable to allow only three, and log more than three. Aging time of two and aging time type inactivity to allow for phone CDP of one minute. PAGE March, 2012

13 Conclusion Switches networks are designed to allow computers to communicate more effectively with other local computers. Switches were never intended to be used as security features, as they are today. They are designed to increase the efficiency of available bandwidth on networks. My point of view to protect servers from be attack during the CAM Table Overflow with add a IDS or firewall so that can help network administrator to monitor network activity and take the protective action. Propose the Kaspersky Internet Security 2012, which includes a firewall with an Intrusion Detection System (IDS) for each of servers connected to network.. PAGE March, 2012

14 Thank You Sham Rizal Ramlee Faculty of Computer and Mathematical Sciences University Technology Mara (UiTM) Malaysia IT Security for the Next Generation Asia Pacific & MEA Cup, Hong Kong March, 2012