Layer 2 Threat Mitigation Part 2

VLAN Hopping

An attack in which an attacker jumps from one VLAN to another VLAN by tagging targeted VLAN number to frame. For example I am an attacker and I am connected to VLAN 10 but I want to get access to VLAN 1 so what I do that I grab the packet before it leaves my NIC and I tag it with VLAN ID 1 so now when it gets to the switch it will tag another VLAN ID which is 10 because I am connected to VLAN 10 but when this frame gets to another switch then the switch will open the first tag VLAN ID which is in this case 1, now the attacker has jumped from his connected VLAN to target VLAN.

This attack has almost been mitigated by Cisco switches so they discard any VLAN ID frame on Access port. Meaning that if I have tag my frame with VLAN ID 10 before it gets to the switch, when frame gets to switch it will discard the VLAN ID header on access port.
This is not feature on trunking port so it is highly recommended that you do not use dynamic trunking protocol.

Native VLAN Issue

The native VLAN ID is 1, so if the frame has no VLAN tag on it, the frame will be sent to native VLAN. Attacker can damage their VLAN ID tag to get there frame into native VLAN to do some malicious purposes.

Cisco recommends that you change the ID of native VLAN and do not allow any port on native VLAN so if attacker has still get into the VLAN he can do no harm.

The issue is with 802.1q trunking protocol which allows VLAN hopping, you can either get with ISL trunking mode or you can change the native VLAN ID.

It is important that you change the native VLAN at both end of cable it should be same at both side if it is not then the data from one switch will land to different VLAN.
For example if on one switch you have defined the native VLAN 999 and on another it is 1 then the untagged data from 999 will land to 1 on other side and vice versa.

Configuring Native VLAN

Native VLAN is configured on trunk port.

Switchport trunk encapsulation dot1q tells switch to use the dot1q trunking.

Switchport mode trunk says that change the port mode to trunk.

Switchport nonegotiate says that stay trunk do not negotiate to other end of cable you have to be trunk.

Switchport trunk native vlan 999 define the VLAN 999 as native.

The error messages shown because the other end of switch was using native VLAN ID 1 and we needed to change that.

The status shows the detail of trunking port. We need to the same for the other switch which is connected to this switch.

Physical Layer 2 Security

There are two ways to secure the ports of switch the one is to turn off the unused ports all the time it is easy and simple approach and other is using 802.1x authentication.

802.1X Authentication

It is a low level authentication which is used to authenticate the user using a certificate/key.
This approach is not easy it requires a lot of administration and a strong infrastructure, because any new device that needs to be connected to the network will need to get to the administration desk they will burn the certificate into the device and then the certificate will be authenticated at time of connection. If certificate does not match the port blocks the communication.
The switch itself cannot read or authenticate the certificates, we need a separate server that will be doing authentication and commanding switch to permit the access or deny. The switch is just working an intermediate device between server and client who passes the authentication certificate and does whatever server tells it.

Configuring 802.1X

aaa new-model turns on the authentication protocols.

dot1x system-auth-control handles the certificate from clients.

radius server server01 is name of the server which will authenticate users.

address ipv4 auth-port 1812 is the port number for authentication it is new number the older is 1645.

key cisco123 is the key that clients need to have in order to talk to the server.

aaa authentication dot1x default group radius tells switch to send the authentication requests to the RADIUS server.

This is all for server side configuration on switch now we have to tell the switch that what ports should be authenticated by this service and what should be action.

dot1x pae authenticator tells that these ports needs to be authenticated before allowing permissions.

dot1x port-control auto tells that take automatic actions as well for instance if certificate is bad then block the access.

This protocol is awesome level authentication protocol for low-level security, it is hard to break but it also requires a lot of infrastructure work to get implemented. You need to manage and set the authenticator server, then you need to burn certificates into current and new devices, then you need configuration on switches and management at time to time as well.

Notice that this protocol should only be configured on access ports.

Prerequisites for 200-301

200-301 is a single exam, consisting of about 120 questions. It covers a wide range of topics, such as routing and switching, security, wireless networking, and even some programming concepts. As with other Cisco certifications, you can take it at any of the Pearson VUE certification centers.

The recommended training program that can be taken at a Cisco academy is called Implementing and Administering Cisco Solutions (CCNA). The successful completion of a training course will get you a training badge.

Full Version 200-301 Dumps

Try 200-301 Dumps Demo