Preventing Security Attacks at All 7 OSI Layers

Let's take a quick look at what kinds of security attacks occur at each of the 7 OSI layers.

Layer 7 Application / 6 Presentation / 5 Session – Viruses, worms, Trojan horses, buffer overflows, application/OS weaknesses.

Layer 4 Transport – TCP SYN flooding, UDP flooding, scanning and so on.

Layer 3 Network – IP modification, DHCP attacks, ICMP attacks and so on.

Layer 2 Data Link – MAC modification, MAC attacks, MAC flooding and so on.

Layer 1 Physical – Cable disconnection.

How do we prevent the threats above? The notes below should help.

Physical Layer's threats

– Someone might pull or cut a physical cable on purpose, for whatever reason. It is better to have a quick recovery plan and a procedure for complete restoration. Also, treat your employees well and take care of them ^.^

Actually, a cut physical link is a serious situation, especially when the cable was installed deep underground or without a blueprint.
These days, high-end switches provide a built-in OTDR function. By sending a pulse signal down the link, the cut or suspicious location can be found easily.

It compares the time at which the signal was sent with the time at which the reflection returned, and converts that delay into a distance using the cable's NVP (Nominal Velocity of Propagation), i.e. the cable propagation delay.

ex) Sample TDR test from a Catalyst 6500

Console>(enable) test cable-diagnostics tdr 1/1
; Generate the pulse signal
TDR test started on port 1/1. Use show port tdr to see the result

Console>(enable) show port tdr 1/1
; Output of the TDR result
TDR test last run on Tue, Feb x.x at x.x.x.x

Port  Speed  Local Pair  Pair length      Remote Pair  Pair status
----  -----  ----------  ---------------  -----------  -----------
1/1   1000   Pair A      12 +/- 3 meters  Pair A       Terminated
             Pair B      12 +/- 3 meters  Pair B       Terminated
             Pair C      12 +/- 3 meters  Pair C       Terminated
             Pair D      12 +/- 3 meters  Pair D       Terminated


Data Link Layer’s threats

– The most common threats at the Data Link layer are MAC address alteration and MAC flooding attacks. A network device or host under a MAC flooding attack will have all of its CPU resources consumed. Through MAC address alteration, an attacker can redirect traffic flow easily once they find a security hole on the switch. To prevent this, you can bind host MAC addresses to each physical switch port.

MAC flooding attacks dump a massive number of MAC addresses generated by an automated tool. This overflows the MAC table (CAM table) on the switch, and the switch malfunctions or slows down (crashes). To prevent this threat, you can use the port-security function provided by Cisco IOS.

ex) Utilize Cisco Port-Security on a Catalyst 2950

Switch(config)#interface FastEthernet 0/1
Switch(config-if)#switchport mode access
; Port-security is only accepted on a static access port
Switch(config-if)#switchport port-security
; Enable port-security on the port
Switch(config-if)#switchport port-security maximum 7
; Limit the number of secure MAC addresses on the port to 7
Switch(config-if)#switchport port-security mac-address xxxx.xxxx.xxxx
; Pre-configure the MAC address that is connected to this port
Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}
; Action when an unknown MAC appears beyond the limit: restrict drops the
; frames and counts/logs the violation, shutdown err-disables the port
Switch(config-if)#exit
Switch(config)#mac-address-table static yyyy.yyyy.yyyy vlan <vlan-id> drop
; Filter a MAC address that caused an issue (global config; <vlan-id> is a placeholder)

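To see how the violation modes in the configuration above behave under a MAC flooding burst, here is an added Python model (example code, not from the original post or from Cisco); the MAC addresses, the frame sequence and the syslog-style message text are constructed.

```python
# Added example (not from the original post): a small model of Cisco-style
# port-security showing how "maximum", a static MAC entry and the three
# violation modes (protect / restrict / shutdown) react to a MAC flooding
# burst. All MAC addresses and frames below are constructed.
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    maximum: int = 1                            # switchport port-security maximum
    violation: str = "shutdown"                 # protect | restrict | shutdown
    allowed: set = field(default_factory=set)   # statically configured MACs
    learned: set = field(default_factory=set)   # dynamically learned MACs
    err_disabled: bool = False
    violations: int = 0                         # violation counter
    log: list = field(default_factory=list)     # syslog-style messages

    def ingress(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame with source MAC src_mac."""
        if self.err_disabled:
            return "drop"                       # port is err-disabled: nothing passes
        if src_mac in self.allowed or src_mac in self.learned:
            return "forward"
        if len(self.allowed | self.learned) < self.maximum:
            self.learned.add(src_mac)           # room left: learn it as a secure MAC
            return "forward"
        # Limit reached and the source is unknown: this is a violation.
        if self.violation == "protect":
            return "drop"                       # silent drop, no counter, no log
        self.violations += 1
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True            # legitimate hosts lose the port too
        return "drop"


def run_flood(mode: str, maximum: int = 2) -> dict:
    """Replay one legitimate host plus a constructed flood of bogus MACs."""
    ps = PortSecurity(maximum=maximum, violation=mode, allowed={"0011.2233.4455"})
    frames = ["0011.2233.4455", "0011.2233.4456"]            # real host + one more
    frames += [f"dead.beef.{i:04x}" for i in range(20)]     # constructed flood
    frames += ["0011.2233.4455"]                              # real host again
    results = [ps.ingress(m) for m in frames]
    return {"forwarded": results.count("forward"),
            "dropped": results.count("drop"),
            "violations": ps.violations,
            "err_disabled": ps.err_disabled,
            "legit_after_flood": results[-1]}
```

Note the trade-off the model makes visible: shutdown stops the flood after one frame but also cuts off the legitimate host, while restrict keeps it online and still leaves a violation count to alert on.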

ARP attacks are another pattern of Data Link layer threat. First, the attacker finds a LAN port and sniffs live traffic to choose a victim, picking an active MAC address that is communicating with a server or another host. Using a MAC duplicator / hacker's tool, they intercept the communication and collect important information such as logins/passwords and so on. Actually, it can be done easily with well-known sniffing software and hacker tools.
Some tools have a built-in password dictionary to crack logins.
** Hey, this is for educational purposes only. Do not try it!

A common way to prevent this threat is ARP inspection.

ex) Apply ARP inspection on a Catalyst 4000 (CatOS)

Switch>(enable) set security acl ip ARP permit arp-inspection host 10.0.0.1 xx-xx-xx-xx-xx-xx
Switch>(enable) set security acl ip ARP permit arp-inspection host 10.0.0.2 yy-yy-yy-yy-yy-yy
; Pre-define the IP-to-MAC bindings that ARP inspection checks against

Switch>(enable) set security acl ip ARP permit arp-inspection any any
Switch>(enable) set security acl ip ARP permit ip any any
Switch>(enable) commit security acl ARP
Switch>(enable) set security acl map ARP <vlan-id>
; Map the committed ACL to the access VLAN (<vlan-id> is a placeholder)

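The following added Python model (not from the original post or from CatOS) shows the check an ARP inspection ACL like the one above performs, run over a constructed capture; the bindings, port numbers and MAC addresses are assumed values.

```python
# Added example (not from the original post): a software model of the check
# that ARP inspection performs. Every ARP packet from an access port is
# compared with a static IP-to-MAC binding table (the "permit arp-inspection
# host" lines); packets whose sender binding does not match are dropped and
# logged instead of poisoning neighbours' ARP caches. All values constructed.
from collections import namedtuple

ArpPacket = namedtuple("ArpPacket", "port op sender_ip sender_mac eth_src")
# Constructed equivalent of the two "permit arp-inspection host" entries
BINDINGS = {
    "10.0.0.1": "0000.0c00.0001",
    "10.0.0.2": "0000.0c00.0002",
}


def inspect(pkt: ArpPacket, bindings: dict = BINDINGS) -> tuple:
    """Return (verdict, reason); verdict is 'permit' or 'deny'."""
    # The Ethernet source must equal the ARP sender MAC; a mismatch means
    # the frame was crafted rather than produced by a normal ARP stack.
    if pkt.eth_src != pkt.sender_mac:
        return "deny", "eth-src/arp-sender mismatch"
    expected = bindings.get(pkt.sender_ip)
    if expected is None:
        # No binding for this IP. The page's ACL ends with "permit
        # arp-inspection any any"; this model is stricter and denies.
        return "deny", "no binding for sender ip"
    if expected != pkt.sender_mac:
        return "deny", "binding mismatch"       # someone claims another host's IP
    return "permit", "ok"


def inspect_all(packets, bindings: dict = BINDINGS) -> list:
    """Run inspection over a capture; return the drop log lines."""
    log = []
    for p in packets:
        verdict, reason = inspect(p, bindings)
        if verdict == "deny":
            log.append(f"DROP port={p.port} {p.op} {p.sender_ip} is-at "
                       f"{p.sender_mac} ({reason})")
    return log


# Constructed capture: two legitimate replies and two spoofing attempts.
SAMPLE = [
    ArpPacket("1/5", "reply", "10.0.0.1", "0000.0c00.0001", "0000.0c00.0001"),
    ArpPacket("1/6", "reply", "10.0.0.2", "0000.0c00.0002", "0000.0c00.0002"),
    ArpPacket("1/9", "reply", "10.0.0.1", "0000.0c00.00ff", "0000.0c00.00ff"),
    ArpPacket("1/9", "request", "10.0.0.3", "0000.0c00.0003", "0000.0c00.00ff"),
]
```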
Another way to prevent Data Link layer threats is to use private VLANs.

We often see security holes in network device configurations.

1. STP (Spanning Tree Protocol) attack

; Simply put, the attacker intercepts BPDU (Bridge Protocol Data Unit) frames and sends crafted BPDUs toward the root switch to change the traffic flow. To prevent this, prohibit sending and receiving BPDUs on any port that is not an uplink.

Switch(config)#spanning-tree portfast bpduguard default
; Prevent STP attacks with BPDU Guard on all PortFast (access) ports

Switch(config)#interface FastEthernet 0/1
Switch(config-if)#spanning-tree guard root
; Prevent STP attacks with Root Guard on the root switch's downstream ports


2. VLAN Hopping attack

This threat exploits the default switch configuration: a switch port's mode is dynamic (auto) by default. The attacker connects his device to a switch port, negotiates the link into a trunk and then sends crafted frames carrying duplicate (double) VLAN headers. These cross the network trunk and reach nodes in other VLANs. To prevent this, set ports to access mode, or shut down ports that are not in use.

Switch(config)#interface FastEthernet 0/1
Switch(config-if)#switchport mode access
; Trunk negotiation is off: the port is a fixed access port
Switch(config-if)#interface FastEthernet 0/2
Switch(config-if)#shutdown
; Disable a port that is not in use

List of action items to prevent Layer 2 threats

1. Do not use VLAN 1
2. Do not leave unused ports in a live VLAN
3. Use SSH instead of Telnet
4. Use SNMP version 3
5. Use enhanced traceroute


Network Layer’s threats

IP alteration and DHCP attacks are famous at the Network layer. If MAC address alteration is like altering a Social Security number, IP alteration is like altering a home address. To prevent the threat, use the configuration below (make sure ip cef is enabled, since unicast RPF relies on CEF).

Router(config)#interface FastEthernet <slot/port>
Router(config-if)#ip verify unicast reverse-path

To verify, use "show ip traffic".
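As an added example (not from the original post or from IOS), this Python code implements the strict reverse-path decision that ip verify unicast reverse-path makes, over a constructed routing table and packet list; interface names and prefixes are assumed.

```python
# Added example (not from the original post): the decision behind
# "ip verify unicast reverse-path" (strict-mode uRPF). For each packet the
# router looks up the SOURCE address in its routing table and accepts the
# packet only when the best route back to that source leaves through the
# interface the packet arrived on. Routing table and packets are constructed.
import ipaddress

ROUTES = [  # constructed routing table: (prefix, egress interface)
    ("10.1.0.0/16", "FastEthernet0/0"),      # LAN behind fa0/0
    ("10.1.5.0/24", "FastEthernet0/1"),      # more specific subnet behind fa0/1
    ("192.168.0.0/16", "FastEthernet0/1"),
    ("0.0.0.0/0", "Serial0/0"),              # default route to the upstream
]

def lookup(ip: str, routes=ROUTES):
    """Longest-prefix match: return (network, egress interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_strict(src_ip: str, ingress: str, routes=ROUTES,
                allow_default: bool = False) -> bool:
    """True if the packet passes strict uRPF. A source known only via the
    default route fails unless allow_default is set (IOS allow-default)."""
    match = lookup(src_ip, routes)
    if match is None:
        return False                          # no route back: drop
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress

def filter_packets(packets, routes=ROUTES) -> list:
    """packets: (src_ip, ingress) pairs; return those uRPF would drop."""
    return [(src, ing) for src, ing in packets if not urpf_strict(src, ing, routes)]

# Constructed traffic as (source IP, ingress interface)
SAMPLE = [
    ("10.1.2.3", "FastEthernet0/0"),          # legitimate LAN host
    ("10.1.5.7", "FastEthernet0/1"),          # legitimate, more specific route
    ("10.1.5.7", "FastEthernet0/0"),          # same source, wrong side: spoofed
    ("192.168.1.1", "FastEthernet0/0"),       # LAN host forging an inside address
    ("203.0.113.9", "Serial0/0"),             # Internet source, default route only
]
```

The last sample shows why strict uRPF is normally applied on customer-facing or LAN interfaces rather than the upstream link: sources reachable only through the default route fail the check unless allow_default is set.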


Transport Layer’s threats

Well-known attacks at the Transport layer are TCP SYN and UDP flooding attacks. These threats send massive amounts of UDP traffic to a particular target, or request TCP three-way handshakes from spoofed source IP addresses. They cause serious damage to network devices and servers through overwhelming load.


Application Layer’s threats

These can be worms and viruses, as well as threats that attack weaknesses in the OS and applications.