topic RE: SERIOUS SECURITY LAPSE IN EXTREME SUMMIT SWITCHES. MANINMIDDLE ATTACK, GATEWAY SPOOFING. in ExtremeSwitching (EXOS/Switch Engine)

SERIOUS SECURITY LAPSE IN EXTREME SUMMIT SWITCHES. MANINMIDDLE ATTACK, GATEWAY SPOOFING.

Anonymous — Thu, 26 Jun 2014 15:46:00 GMT

SERIOUS SECURITY LAPSE IN EXTREME SUMMIT SWITCHES. We have a Summit X450e-48p switch, in which we have created a Vlan that is acting as a gateway for the hosts. The switch is configured to forward the traffic to the router (internet). However this has caused a serious security issue which is as follows. A host has entered the IP address of the gateway and is getting all the traffic routed through his host machine to the router. Is there any way to stop such a situation, I think its called gateway spoofing. note: The IPs are being assigned manually to the host machines (no dhcp). Please help!!!!!!

also note:
1.)also note there is no way to make a policy (egress) to stop this.
2.)there no way to bind ip address to a port.

RE: SERIOUS SECURITY LAPSE IN EXTREME SUMMIT SWITCHES. MANINMIDDLE ATTACK, GATEWAY SPOOFING.

Paul_Russo — Thu, 26 Jun 2014 17:14:00 GMT

Hello Ashish

This sounds like a man in the middle attack. Please look at the concepts guide for 15.4 page 879

From the guide:
To protect against this type of attack, the router sends out its own gratuitous ARP request to override
the attacker whenever a gratuitous ARP request broadcast packet with the router's IP address as the
source is received on the network.
If you enable both DHCP secured ARP and gratuitous ARP protection, the switch protects its own IP
address and those of the hosts that appear as secure entries in the ARP table.

Since you are statically assigned IP addresses that makes it harder to protect against this attack as the switch cant use DHCP snooping, Trusted DHCP server or DHCP secured ARP whichhelps to prevent people setting static addresses on the network.

Enabling Gratuitous ARP protection and CPU DoS Protection will help.

Thanks
P

RE: SERIOUS SECURITY LAPSE IN EXTREME SUMMIT SWITCHES. MANINMIDDLE ATTACK, GATEWAY SPOOFING.

Jason_Parker — Thu, 26 Jun 2014 19:41:00 GMT

Ashish

I can look into this and maybe put some commands together with the folowing idea.

I think using DHCPSnooping/ArpInspection may be the way to go.
Making your up link ports facing the DHCP server as trusted ports as well as "AP" ports
if you are bridging traffic locally on the AP's

Does this sound like something that you would like to try?

Someone may provide this information to you before I put it together.

you may need to create a case and have someone review your configuration just to make sure this is something that will not cause any issues

Jason

RE: SERIOUS SECURITY LAPSE IN EXTREME SUMMIT SWITCHES. MANINMIDDLE ATTACK, GATEWAY SPOOFING.

Sumit_Tokle — Thu, 26 Jun 2014 21:34:00 GMT

Ashish,

If you know any other security methods that is supported by other vendor(L3 switch) then Let us know If there is any similar way thern I could guide your on Extreme Devices.

Sumit