24 Feb Information Security Part 2: Datalink Layer Security
Things you can do today to secure your network
In part two of our information security series, Alan Bunyard, Solutions Architect for Pinnacle, shares six ways you can actively protect the datalink layer of your network.
Alan’s advice comes from eight years of experience working as a network engineer for companies in healthcare, gaming, and the manufacturing industry, as well as time with managed services.
Below are six well-established best practices for datalink layer security that have been around for many years but are rarely implemented in the networks we review for customers.
Alan shared, “You don’t need to start with an expensive and difficult to manage Network Access Control (NAC) system to secure access to your network. There are some basic items that you can take care of first that are no cost to you.”
Use SSH for management
This is an Open Systems Interconnection (OSI model) layer 4 protocol, but we’re talking about securing the access layer (Layer 2). It is incredibly common to find L2 access switches that are administered via Telnet by default credentials. I recommend that you create RSA keys and disable Telnet because anyone can sniff a password sent in clear text over Telnet. It’s especially easy if you haven’t take care of these other L2 security issues below.
Would you like to see your expensive managed Layer 2 switch turned into a network hub from 1995? All you need is Kali Linux and MACoff to flood the CAM table with fake MAC addresses. Any script-kiddy can do it. The CAM table is how your switch learns to intelligently forward packets. A full CAM table causes the switch to flood all packets out all ports – a la network hubs. This network attack causes a lot of problems. It will almost certainly lead to performance issues as the switch struggles to keep up. It also allows an attacker to capture all network traffic on the switch for future analysis. You can make a Port Security policy as micro (hyper secure) or macro (take care of basics) as you want. It’s very quick and simple to just limit the number of MACs on an access port to some reasonably low level like 5 or 10 without causing pesky users grief or management hassle for the IT staff.
Disable Dynamic Trunking Protocol (DTP)
“You put me in the guest VLAN?” More likely, you think you put me in the guest VLAN. With DTP, I can put myself in any VLAN that I choose. DTP makes it incredibly easy to setup trunk ports between switches. That’s why it’s on by default. It also makes it very easy for an attacker to choose which VLAN he/she wants to be in. This can allow an attacker all sorts of access to the network without even having to attempt to bypass firewall rules or other security measures. Simply putting a port in access mode doesn’t disable DTP. You have to run the ‘nonegotiate’ command on every port. Easy-peasy. Done in 60 seconds per switch. Disaster averted.
Dynamic Host Configuration Protocol (DHCP) Snooping
Ignorant users? Man in the middle? Malicious Denial-of-Service (DOS) attack? DHCP attacks can do all of those things. DOS – DHCP starvation attacks intentionally use all of the available IP addresses in the DHCP pool. An attacker simply requests new DHCP address with a fake MAC address until the pool is exhausted. Another DOS event can occur innocently when an industrious user deciding to setup his own wireless in his cubicle could lead to accidental DOS. They bring a Netgear router from the house and plug it in. It then spews rogue DHCP leases onto your network. Users getting those addresses won’t have network access. Man in the middle – A rogue DHCP server could be configured to respond to DHCP requests before the legitimate upstream server. The attacker hands out an address that lists themselves as the gateway. Unsuspecting users now have proxy network access through the attacker who can sniff all packets before forwarding them normally or rerouting them as they please. DHCP snooping simply disables or limits these DHCP behaviors on the access ports. It stops DHCP responses from coming from anywhere other than trusted ports where legitimate DHCP servers live and can be used to rate limit DHCP requests from
Private Virtual Local Area Network (VLANS)
The demilitarized zone (DMZ) has some very secure rules and an awesome intrusion prevention systems scanning traffic. Too bad all servers in the DMZ are L2 adjacent. The scope of compromise is huge in most DMZs. Some people will configure multiple DMZ’s to avoid this situation, but there’s an easier way. Private VLANs! They allow you to microsegment a parent VLAN into many isolated ports and communities. This stops a compromised web server from spreading the joy to the other tenants in the DMZ.
Spanning Tree Protocol (STP)
First off, make sure you’re running it. Per-VLAN Spanning Tree (PVST) is typically enabled by default on Cisco devices, but some manufacturers don’t run STP or extensible authentication protocol (EAPS) by default. They have to be enabled. And you should certainly use one of the loop prevention protocols on your network in the user access layer. Spanning tree has a lot of cool features. Too many. I’ll cover a few common things. Never, ever use bridge protocol data unit (BPDU) filtering. If you don’t know why you shouldn’t use it, you don’t have a legitimate use case for the feature. It’s a network loop and crash waiting to happen and there is no common use case. Yet I frequently see it configured. Go figure. You should always use BPDU Guard (globally enabled) and Portfast. Layer 2 switches capable of running the spanning tree protocols send BPDUs. BPDU guard on an access port with Portfast will shutdown a port that receives a BPDU packet. This feature further prevents loops and speeds up the STP process on an access port. Simple as that.
These are easy fixes cost nothing and they prepare you take your network security to the next step.
Look for Part 3 of our Things You Can Do Today to Secure Your Network series coming in a few weeks! It will focus on Network/Transport Layer Security. For more information on how to protect your network and full-scale solutions offering that we have available, get in touch with the Midwest-based experts at Pinnacle today.
Writer: Alan Bunyard, solutions architect at Pinnacle Business Systems.
Information Security 4-part Series
- Information Security Part 1: Physical Layer Security
- Information Security Part 2: Datalink Layer Security
- Information Security Part 3: Network/Transport Layer Security
- Information Security Part 4: Application Layer Security (Layers 5-7)