Simple Ways to Prevent MitM Attacks

Started by Fred, January 03, 2015, 08:54:12 PM


Fred

If you're running Cisco switches at the access-layer, you may be missing out on some simple ways that you can prevent man in the middle attacks.  I've implemented this at multiple large companies with few issues, and they'll make your pen testers' lives much more difficult.

There are four key technologies that are easy to recommend (better would be 802.1x, but that's a much larger project):
dhcp snooping - Only allow DHCP responses from known DHCP servers.
port-security - Limit the number of MAC addresses allowed on each port.
dynamic arp inspection - Do some sanity checking on PC's ARP requests and responses.
source guard - Verify that arp responses come from the DHCP-assigned IP addresses.

There's one important prerequisite: All hosts must be assigned IP addresses via DHCP.  For most people, this means reconfiguring all of the printers.  In the end, this becomes a boon: set up the printers for DHCP and use hostname registration for your print queues, and everything will be secured.  If that's not an option, use static leases to assign IPs to printers.

Let's examine each in turn:

DHCP Snooping
With DHCP snooping, the switch will inspect DHCP requests and responses to make sure they come from trusted sources.  This prevents somebody from plugging in a Linksys router and taking down your network. More importantly, it prevents somebody from plugging in a rogue DHCP server and intercepting traffic.  It's actually very easy to set up.

Do the following in configuration mode:

! Enable DHCP snooping globally:
ip dhcp snooping
! Specify the VLANs to inspect:
ip dhcp snooping vlan 1-2,20,30
! Configure your uplinks/trunks as trusted
int port-channel1
ip dhcp snooping trust
exit
! Configure your DHCP server's interface as trusted:
int fa0/0
ip dhcp snooping trust
exit
! Set up a repository for DHCP information on your TFTP server
ip dhcp snooping database tftp://mytftp.server/switchname.dhcp.dat
! If you don't have a DHCP server, you can save it to flash:
! ip dhcp snooping database flash://dhcp.snooping.dat


That's it!  No more rogue DHCP servers.

Port-Security
Port Security is, imo, one of the worst named features of Cisco IOS.  But it's also one of the easiest to set up.  This feature limits the number of MAC addresses that can be associated with a port.  It does not prevent unauthorized devices from plugging into your network, but it does protect your switch from CAM overflows.  (And if you recall, if your CAM table overflows, then all packets end up being flooded out all interfaces, turning your expensive switch into a cheap hub, and sacrificing security in the process).

Here's my recommended port security configuration for access interfaces with a phone:

int Gi0/20
switchport mode access
! Substitute your data VLAN:
switchport access vlan 20
! Substitute your voice VLAN:
switchport voice vlan 30
switchport port-security
! Extra MAC addresses are squelched:
switchport port-security violation restrict
! Only allow 2 MAC addresses total:
switchport port-security maximum 2
! Only 1 on the voice VLAN:
switchport port-security maximum 1 vlan voice
! Only 1 on the data VLAN:
switchport port-security maximum 1 vlan access

Note: On some older versions, the phone's MAC address will register on the access VLAN first, and you can run into a bug.  For those, you need to increase the port maximum to 3 and the access maximum to 2.

But it's that easy. You can test that it's working by starting up a VM.  It should not get network access.  This is important, since some developers run vmware workstation and will need extra allotments.

Dynamic ARP Inspection (DAI)
Before enabling Dynamic ARP Inspection (or source guard) please ensure that DHCP snooping is working correctly.  You can run 'show ip dhcp snooping binding' to see the bindings that the switch is aware of.  Once that's working, these next two are easy.

Dynamic ARP Inspection prevents machines from broadcasting an invalid ARP response.  It also rate limits ARP responses to keep from DoS'ing the switch itself.  In my experience, the default rate limit for ARP inspection is set too low for Windows 7 and higher.  So we'll override it below.

Here's the config to enable it globally.  Once this is done, you may have an outage while you configure individual ports (so probably do those first):
! Apply to all interfaces on VLAN 20:
ip arp inspection vlan 20
! Recover automatically after a short timeout (5 minutes?):
errdisable recovery cause arp-inspection

Obviously, repeat for the other VLANs you're inspecting.

IP ARP inspection is applied to all ports on the VLAN.  Due to the caveat above, I recommend increasing the rate limit on access ports:
int gi0/20
description Access Port
ip arp inspection limit rate 90

Default is 15 ARP requests per second on an untrusted interface.  You can get away with 60 in most cases for Windows machines, but you might run into problems occasionally.  I've settled on 90 as a nice 'no false positives' limit.

You also need to configure your trunks, and anything that might do scans of the network (e.g. servers that do antivirus, security scanners, etc.).

int po2
description Uplink port
ip arp inspection trust


It's that easy.

Source Guard
Lastly, you can do source guard.  This makes sure that a host is only responding to ARP requests for its own IP address.  Make sure you trust any hosts that may ARP in response to another server (such as a router running VRRP, HSRP, or GLBP).

If you've done the above (and verified that DHCP snooping is working), configuration is easy.  Unlike DAI, Source Guard is disabled by default, so you have to enable it on all access ports.  To do so, it's easy:

int gi0/20
description Access Port
ip verify source


That's it. 

If you do all 4 of these measures, you will stop almost all the wired MitM attacks on your network, and your users probably won't notice.  You need to make accommodations for those users who run VMs on their machines by increasing the port-security threshold, and you have to insist that all addresses are DHCP (and probably build up redundancy in your DHCP services, as well).  But it's really not hard, and should not be very scary.

And if you do this, you will stop a lot of attackers in their tracks.
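The post explains what DHCP snooping, DAI and source guard each check against the binding table, but a reader who has never watched it happen may find a small model useful. The Python below is an added illustration written for this thread; it is not Fred's configuration and not Cisco code (the switch does all of this in hardware). It parses a constructed `show ip dhcp snooping binding` dump, then applies the three decisions the post describes: server-side DHCP messages are only accepted on trusted ports, ARP on untrusted ports must match the learned MAC/IP pair for the VLAN and stay under the per-port rate limit (15 pps by default, 90 as the post recommends), and IP packets may only carry the source address DHCP leased to that MAC. The port names, MACs and addresses are made up for the example.

```python
"""Model of how the DHCP-snooping binding table drives the three checks
in the post: DHCP snooping, DAI and IP Source Guard. Added illustration
(pure Python), not Cisco code; the real switch does this in hardware."""
from dataclasses import dataclass, field
import re

# Constructed sample of 'show ip dhcp snooping binding' output (not real data).
SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.20.0.15       85327       dhcp-snooping   20   GigabitEthernet0/20
00:11:22:33:44:66   10.20.0.16       85101       dhcp-snooping   20   GigabitEthernet0/21
"""

BINDING_RE = re.compile(
    r"^([0-9a-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+(\d+)\s+(\S+)$", re.I)


def parse_bindings(text):
    """Return {(vlan, mac): ip} learned from the binding-table dump."""
    table = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            mac, ip, vlan, _intf = m.groups()
            table[(int(vlan), mac.lower())] = ip
    return table


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False          # 'ip dhcp snooping trust' / 'ip arp inspection trust'
    arp_limit_pps: int = 15        # DAI default on untrusted ports
    arp_counts: dict = field(default_factory=dict)   # second -> ARPs seen


class AccessSwitch:
    def __init__(self, bindings, ports):
        self.bindings = bindings
        self.ports = {p.name: p for p in ports}

    def filter_dhcp(self, port_name, msg_type):
        """DHCP snooping: server messages (OFFER/ACK/NAK) are only accepted
        from trusted ports; client messages pass everywhere."""
        if msg_type in ("OFFER", "ACK", "NAK") and not self.ports[port_name].trusted:
            return "drop"
        return "permit"

    def inspect_arp(self, port_name, sender_mac, sender_ip, second):
        """DAI: trusted ports pass; an untrusted port must stay under its
        rate limit (excess puts the port in errdisable) and the sender's
        MAC/IP pair must match the binding table for that VLAN."""
        port = self.ports[port_name]
        if port.trusted:
            return "permit"
        port.arp_counts[second] = port.arp_counts.get(second, 0) + 1
        if port.arp_counts[second] > port.arp_limit_pps:
            return "errdisable"
        if self.bindings.get((port.vlan, sender_mac.lower())) == sender_ip:
            return "permit"
        return "drop"

    def verify_source(self, port_name, src_mac, src_ip):
        """IP Source Guard: an untrusted port may only emit IP packets whose
        source is the address DHCP assigned to that MAC."""
        port = self.ports[port_name]
        if port.trusted:
            return "permit"
        return "permit" if self.bindings.get((port.vlan, src_mac.lower())) == src_ip else "drop"


def demo():
    """Walk through the scenarios from the post; returns the verdicts."""
    sw = AccessSwitch(parse_bindings(SAMPLE_BINDINGS), [
        Port("Port-channel1", vlan=20, trusted=True),
        Port("GigabitEthernet0/20", vlan=20, arp_limit_pps=90),   # tuned as the post suggests
        Port("GigabitEthernet0/21", vlan=20),                     # left at the 15 pps default
    ])
    results = {
        "rogue_dhcp_offer": sw.filter_dhcp("GigabitEthernet0/21", "OFFER"),
        "real_dhcp_offer": sw.filter_dhcp("Port-channel1", "OFFER"),
        "honest_arp": sw.inspect_arp("GigabitEthernet0/20", "00:11:22:33:44:55", "10.20.0.15", 0),
        # a host answering ARP for an address it was never leased (what DAI exists to stop)
        "spoofed_arp": sw.inspect_arp("GigabitEthernet0/21", "00:11:22:33:44:66", "10.20.0.1", 0),
        "spoofed_ip_src": sw.verify_source("GigabitEthernet0/20", "00:11:22:33:44:55", "10.20.0.99"),
    }
    # A 60-ARP burst in one second survives at 90 pps but trips the 15 pps default.
    results["burst_at_90"] = [sw.inspect_arp("GigabitEthernet0/20", "00:11:22:33:44:55", "10.20.0.15", 1)
                              for _ in range(60)][-1]
    results["burst_at_15"] = [sw.inspect_arp("GigabitEthernet0/21", "00:11:22:33:44:66", "10.20.0.16", 1)
                              for _ in range(60)][-1]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>16}: {verdict}")
```

The burst case is why the post raises the limit: a legitimate host on the default 15 pps port ends up errdisabled (and waits for `errdisable recovery`), while the same traffic on the 90 pps port is untouched.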


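Once the four features are rolled out across a few hundred switches, the practical problem is spotting the access port somebody added last month without them. This added script (written for this thread, not part of Fred's post or any Cisco tool) reads a running-config and reports access ports missing port-security, the raised DAI rate limit or `ip verify source`, trunks missing the two trust statements, and access VLANs not covered by the global snooping/inspection lists. The sample config is constructed; the only assumption is that the config uses the standard IOS stanza layout (indented lines under `interface`, `!` separators).

```python
"""Audit an IOS running-config for the four controls described in the post.
Added example, not vendor code; feed it 'show running-config' text."""
import re

# Constructed sample: one compliant access port, one that was never hardened.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 20,30
ip arp inspection vlan 20
!
interface Port-channel1
 description Uplink
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/20
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 switchport port-security
 switchport port-security maximum 2
 ip arp inspection limit rate 90
 ip verify source
!
interface GigabitEthernet0/21
 switchport mode access
 switchport access vlan 30
!
"""


def parse_config(text):
    """Split config text into global lines and {interface_name: [commands]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None              # '!' ends the current stanza
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def expand_vlans(spec):
    """'1-2,20,30' -> {1, 2, 20, 30}, the list syntax the snooping commands accept."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit(text):
    """Return a list of human-readable findings; an empty list means compliant."""
    global_lines, interfaces = parse_config(text)
    findings, snooped, inspected = [], set(), set()
    for line in global_lines:
        m = re.match(r"ip dhcp snooping vlan (\S+)", line)
        if m:
            snooped |= expand_vlans(m.group(1))
        m = re.match(r"ip arp inspection vlan (\S+)", line)
        if m:
            inspected |= expand_vlans(m.group(1))
    if "ip dhcp snooping" not in global_lines:
        findings.append("global: DHCP snooping not enabled")
    for name, lines in interfaces.items():
        cmds = set(lines)
        if "switchport mode trunk" in cmds:
            for needed in ("ip dhcp snooping trust", "ip arp inspection trust"):
                if needed not in cmds:
                    findings.append(f"{name}: trunk missing '{needed}'")
        elif "switchport mode access" in cmds:
            vlan = next((int(l.split()[-1]) for l in lines
                         if l.startswith("switchport access vlan ")), 1)
            if vlan not in snooped:
                findings.append(f"{name}: vlan {vlan} not DHCP-snooped")
            if vlan not in inspected:
                findings.append(f"{name}: vlan {vlan} not ARP-inspected")
            for needed, why in (("switchport port-security", "port-security"),
                                ("ip verify source", "source guard")):
                if needed not in cmds:
                    findings.append(f"{name}: missing {why}")
            if not any(l.startswith("ip arp inspection limit rate") for l in lines):
                findings.append(f"{name}: DAI rate limit left at default 15 pps")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On the sample, only GigabitEthernet0/21 is reported: its VLAN 30 is snooped but not ARP-inspected, and it has neither port-security, the raised rate limit nor source guard. Run it against the output of `show running-config` from each access switch to find the gaps before a pen tester does.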
Netwörkheäd

Because this is "simple ways" to prevent man-in-the-middle attacks, I'll just mention here that a full Network Access Control system is needed to prevent unauthorized devices from connecting to the network. Using 802.1X can validate devices on initial connection, but there is a MitM attack that can penetrate an 802.1X system that does not include endpoint inspection. Even limiting access on a port to a specific MAC address will not stop this attack.

One more simple way to prevent MitM attacks is the "shutdown" command. In datacenter environments, core and distribution switches, and secure access switches, it's a good idea to shut down ports that aren't being used.
Let's not argue. Let's network!