[2] MAC address spoofing in switched networks

xiaoxiao2021-03-06  22

1 MAC address spoofing

At present many networks are still built with hubs. A hub simply copies every packet to all of its other ports, so a hub-based network offers no confidentiality: any user can capture traffic, analyse it and mount network attacks (MAC address spoofing, IP address spoofing and higher-level deception). To limit this unrestricted propagation, networks are increasingly built with switches. A switch learns MAC addresses and, together with techniques such as VLANs, can isolate users and provide a degree of network security.

A switch does not copy a frame to every other port the way a hub does; it forwards the frame only to the specific port where the destination resides. Just as an ordinary host maintains an ARP cache, the switch maintains an address table that maps each MAC address (sometimes MAC address plus VLAN) to a port. It is this table that lets the switch deliver a frame to the correct port.

The address table is normally built by the switch itself through the following learning process:

(1) The switch extracts the source MAC address of each incoming frame and looks it up in the table. If the address is new, it creates an entry and records the port the frame arrived on, the lifecycle (aging) timer and so on;

(2) If the address already exists and the recorded port is the same, the lifecycle timer is refreshed;

(3) If the address already exists but the recorded port is different, the switch generally overwrites the port number and refreshes the lifecycle timer;

(4) An entry that is not refreshed within its lifecycle is deleted.

Just as the ARP cache is subject to address spoofing, the MAC address table in the switch is subject to address spoofing as well. In practice this problem has been found in many early switch designs; the Cisco2912 switch is used below as an example to explain how MAC address spoofing works.

As shown below, two users, PCA and PCB, are connected (each through a hub) to porta and portb of the Cisco2912 respectively, while portc is the uplink to the Internet.

                     Internet
                        |
               portc  00.00.cc.cc.cc.cc
                        |
                    Cisco2912
                   /         \
               porta         portb
                /               \
              Hub               Hub
               |                 |
              PCA               PCB
        00.00.aa.aa.aa.aa   00.00.bb.bb.bb.bb

Assume that PCA's MAC address is 00.00.aa.aa.aa.aa

and PCB's MAC address is 00.00.bb.bb.bb.bb.

Under normal conditions the Cisco2912 holds the following mappings:

(00.00.aa.aa.aa.aa) <-> porta

(00.00.bb.bb.bb.bb) <-> portb

(00.00.cc.cc.cc.cc) <-> portc

According to these mappings, the Cisco2912 sends a frame arriving on portc and destined for PCA out through porta only, never through portb. If this mapping can be changed by some means, the Cisco2912 will forward frames to a port they should not go to, and users lose access to Internet services. The simplest method is for user PCB to construct frames whose source MAC address is not its own 00.00.bb.bb.bb.bb but PCA's 00.00.aa.aa.aa.aa. From the learning process described above, the Cisco2912 will wrongly conclude that MAC address 00.00.aa.aa.aa.aa is now located on portb, and the mappings change to:

(00.00.aa.aa.aa.aa) <-> portb

(00.00.bb.bb.bb.bb) <-> portb

Now the Cisco2912 incorrectly sends frames arriving from portc with destination MAC A out through portb, and no longer through porta. Clearly, as long as PCB keeps sending these specially constructed frames, user PCA cannot reach the Internet through the Cisco2912. Worse still, if PCB spoofs the MAC address of the uplink device on portc (such as a router, 00.00.cc.cc.cc.cc), all users behind the Cisco2912 lose Internet access.

2 Security strategies

The problems described above are concentrated in the Layer 2 switch, so the design of a Layer 2 switch must take into account the security hazard inherent in MAC address learning. The following security strategies are proposed.

(1) Binding MAC addresses to ports. Against IP address spoofing, people generally bind IP addresses to MAC addresses. The MAC address is regarded as a hardware address that normally does not change, so managing IP addresses jointly with MAC addresses is a feasible approach. However, the view that a host's MAC address cannot change is actually wrong: as mentioned earlier, the MAC address of a host is easily changed with a network tool or by modifying the registry. Therefore, to prevent MAC address spoofing and protect the MAC address table in the switch, the most effective method is to bind the MAC address to the switch port. A user then cannot mount attacks by changing its MAC address, and the repeated MAC address moves caused by loops are also effectively prevented.

Binding can be done by manual static binding or by automatic static binding. Manual static binding requires the network administrator to enter each user's MAC address and port number by hand; for a large network this is laborious and error-prone. Automatic static binding can be implemented as follows: when the switch starts, no binding command is set and the switch learns the MAC address to port mappings by itself; once the network has stabilised, the administrator issues a bind command through the management interface. When the bind command takes effect, the switch freezes the mappings learned so far, and they remain in place until a release command is received. In this way the administrator establishes the static bindings for all MAC addresses with a single command and no longer needs to enter them one by one. Of course, as users are added later, the bind operation can be repeated at regular intervals, saving manpower while maintaining network security. From the above it can be seen that the most effective measure against IP address fraud is to bind all three together: port, MAC address and IP address.

(2) Address learning policy. In general, the MAC address table of a Layer 2 switch is updated dynamically and has a lifecycle (aging) mechanism: if no frame from a MAC address is received within its lifecycle, the mapping between that MAC address and its port is released; if frames from the address keep arriving during the lifecycle, the lifecycle is extended. Suppose MAC address (00.00.aa.aa.aa.aa) originally arrives from porta, so the switch holds the mapping:

(00.00.aa.aa.aa.aa) <-> porta

If MAC address (00.00.aa.aa.aa.aa) then appears on portb, a typical switch immediately changes the mapping to:

(00.00.aa.aa.aa.aa) <-> portb

This policy of immediately updating the port is exactly what MAC address spoofing exploits to change the address-to-port mapping in the switch. Imagine instead that the switch adopts the following strategy: when MAC address (00.00.aa.aa.aa.aa) arrives from another port portb while a mapping to porta already exists in the table, the new arrival is ignored and the original mapping is kept, so the MAC address spoof cannot succeed. Of course, when PCA sends no frames to porta and its lifecycle ends, the mapping for (00.00.aa.aa.aa.aa) is released, and PCB's MAC spoofing then succeeds; if PCB keeps spoofing, PCA may still be unable to access the Internet. Nevertheless, changing the address learning strategy resists MAC address spoofing to a certain extent: as long as PCA stays online, PCB's MAC address spoof cannot succeed.

(3) Port address priority. Ports in different positions in the network can be given different address learning priorities according to the segments the switch connects. As shown above, portc is the most important port, since users on all other ports reach the Internet through it; if the mapping for its address (00.00.cc.cc.cc.cc) is spoofed, no user can access the Internet. This port can therefore be assigned a higher address learning priority. The principle is that a MAC address learned on a high-priority port takes precedence: if a MAC address appears to move from a high-priority port to a lower-priority port, the mapping is not updated immediately but only after the existing entry's lifecycle has ended. This too prevents MAC address spoofing to some extent. Allocating priorities may be difficult, however, for example deciding how port priorities are assigned among users.
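The learning rules of section 1, the PCB spoof scenario, and the three strategies above can be replayed in a toy model. The following is an added example and not code from the original article or from any switch vendor; the tick-based clock, the policy names "default", "bind", "hold" and "priority", and the replay_spoof helper are constructions for this illustration, while the MAC addresses and port names are the article's.

```python
from dataclasses import dataclass, field

@dataclass
class SwitchTable:
    aging: int = 300                        # lifecycle (aging time) in ticks
    policy: str = "default"                 # "default" | "bind" | "hold" | "priority"
    priority: dict = field(default_factory=dict)   # port -> learning priority
    table: dict = field(default_factory=dict)      # mac -> (port, expiry tick)
    bound: dict = field(default_factory=dict)      # mac -> port, static bindings
    now: int = 0

    def tick(self, n=1):
        """Advance the clock; entries not refreshed within aging are deleted (rule 4)."""
        self.now += n
        self.table = {m: e for m, e in self.table.items() if e[1] > self.now}

    def bind_current(self):
        """Automatic static binding (strategy 1): freeze what has been learned so far."""
        self.bound = {m: port for m, (port, _) in self.table.items()}

    def learn(self, src_mac, port):
        """Learning rules 1-3 for a frame with src_mac arriving on port.
        Returns True if the frame is accepted, False if it is dropped."""
        if self.policy == "bind" and self.bound.get(src_mac, port) != port:
            return False                    # MAC is bound to a different port
        old = self.table.get(src_mac)
        if old is not None and old[0] != port:
            if self.policy == "hold":
                return True                 # strategy 2: keep the live mapping
            if self.policy == "priority" and \
               self.priority.get(old[0], 0) > self.priority.get(port, 0):
                return True                 # strategy 3: lower priority cannot displace
        self.table[src_mac] = (port, self.now + self.aging)   # rules 1-3
        return True

    def port_for(self, dst_mac):
        return self.table[dst_mac][0] if dst_mac in self.table else "flood"

def replay_spoof(policy, priority=None, idle_ticks=10):
    """PCA (porta) and the uplink (portc) are learned, then PCB on portb sends a frame
    with PCA's source MAC. Returns where a frame from portc to PCA is now forwarded."""
    sw = SwitchTable(policy=policy, priority=priority or {})
    sw.learn("00.00.aa.aa.aa.aa", "porta")
    sw.learn("00.00.cc.cc.cc.cc", "portc")
    if policy == "bind":
        sw.bind_current()
    sw.tick(idle_ticks)                     # PCA sends nothing for a while
    sw.learn("00.00.aa.aa.aa.aa", "portb")  # PCB's spoofed frame
    return sw.port_for("00.00.aa.aa.aa.aa")
```

With the default rule the spoofed frame moves PCA's entry to portb; under "bind" and "priority" it is rejected, and under "hold" it is ignored only while PCA's entry is still alive, matching the caveat in strategy (2).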

From the analysis above, the largest security hazard in a Layer 2 switch lies in the MAC address learning process. To effectively prevent malicious spoofing attacks, appropriate security strategies must be considered when designing the switch.

Please cite the original address when reprinting: https://www.9cbs.com/read-42835.html
