Minimizing Service Loss and Data Theft in a Switched
BCMSN Module 8 – Sec 2
• Understanding Switch Security Issues
• Protecting against Attacks
• Protecting against Spoof Attacks
• Describing STP Security Mechanism
• Preventing STP Forwarding Loops
• Securing Network Switches
Describing a DHCP Spoof Attack
• The DHCP spoofing device replies to client DHCP requests.
• The legitimate server replies as well, but if the spoofing device is on the same segment as the client, its reply may arrive first, and the client accepts the first offer it receives.
• The intruder's DHCP reply offers an IP address and supporting information that designates the intruder as the default gateway or Domain Name System (DNS) server.
• In the case of a gateway, the clients forward their off-subnet packets to the attacking device, which in turn sends them on to the real destination, so the client sees nothing wrong while the attacker reads the traffic.
DHCP Spoof Attacks
Client: "I need an IP address/mask, default gateway, and DNS server."
Rogue: "Here you go, I might be first!"
Client: "Got it, thanks!"
Legitimate server: "Here you go."
Client: "Already got the info."
Rogue: "I can now forward these on to my leader."
Result: all default-gateway frames and DNS requests are sent to the rogue.
Describing DHCP Snooping
• Cisco Catalyst feature that controls which switch ports may respond to DHCP requests; it is enabled globally and then per VLAN.
• Trusted ports (the ports facing the DHCP server and the uplinks) may source all DHCP messages.
• Untrusted ports (every other port; untrusted is the default) may source client requests only. They must never send DHCP server responses such as DHCPOFFER, DHCPACK or DHCPNAK.
• If a rogue device on an untrusted port sends a DHCP server response, the switch drops the packet. It also drops client packets on untrusted ports whose DHCP client hardware address (chaddr) does not match the frame's source MAC address. A port that exceeds its configured DHCP rate limit is err-disabled (shut down).
• From the DHCPACKs that do pass, the switch builds the DHCP snooping binding table (client MAC, IP address, lease time, VLAN, port), which IP Source Guard and Dynamic ARP Inspection use later.
DHCP Option 82
• The switch, acting as the DHCP relay agent, inserts the relay agent information option (Option 82) into client DHCP messages before forwarding them toward the server. Its sub-options identify the switch (remote ID) and the port the request arrived on (circuit ID).
• The server echoes Option 82 in its reply, so the relay agent can identify which port connects to the requesting client and deliver the reply to that port alone rather than flooding it to the entire VLAN.
• This gives port-to-port DHCP broadcast isolation even when all client ports are within a single VLAN.
• Client – Agent (port #) – DHCP Server
DHCP Snooping
Switch(config)# ip dhcp snooping • Enables DHCP snooping globally
Switch(config)# ip dhcp snooping information option • Enables DHCP Option 82 data insertion
Switch(config-if)# ip dhcp snooping trust • Configures a trusted interface (DHCP server and uplink ports only)
Switch(config-if)# ip dhcp snooping limit rate rate • Number of DHCP packets per second accepted on the interface; exceeding it err-disables the port
Switch(config)# ip dhcp snooping vlan vlan-range • Enables DHCP snooping on the listed VLANs (the global command and the VLAN command are both required before snooping takes effect)
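As an added example, not part of the slide deck and not Cisco's code, the Python model below applies the DHCP snooping rules described on the slides above to constructed DHCP payloads: server messages (OFFER/ACK/NAK) are dropped on untrusted ports, a client packet whose chaddr does not match the frame's source MAC is dropped, a packet arriving on an untrusted port already carrying Option 82 is dropped, a port that exceeds its rate limit is err-disabled, and a valid client request has Option 82 inserted before it is forwarded. The port names, the switch MAC used as remote ID, the use of the port name as circuit ID and the class name SnoopingPort are assumptions made for the example; a real Catalyst encodes the circuit ID differently.

```python
"""Model of the DHCP snooping checks a switch applies per port (constructed example)."""
import struct
from dataclasses import dataclass, field

# DHCP message types carried in option 53; only a server may send OFFER, ACK or NAK
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
SERVER_MESSAGES = {OFFER, ACK, NAK}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
BOOTREQUEST, BOOTREPLY = 1, 2


def build_dhcp(msg_type, chaddr, op):
    """Build a minimal BOOTP/DHCP payload: 236-byte fixed header, cookie, options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, 0x3903F326, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr..giaddr
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


def parse_options(payload):
    """Return ({option_code: value}, offset_of_END_option)."""
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts, i


def insert_option_82(payload, circuit_id, remote_id):
    """Add relay-agent information (sub-option 1 = circuit ID, 2 = remote ID) before END."""
    body = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    _, end = parse_options(payload)
    return payload[:end] + bytes([OPT_RELAY_AGENT, len(body)]) + body + payload[end:]


@dataclass
class SnoopingPort:
    name: str
    trusted: bool = False
    rate_limit: int = 0                          # DHCP packets per second; 0 = no limit
    err_disabled: bool = False
    counts: dict = field(default_factory=dict)   # one-second bucket -> packets seen


def inspect(port, src_mac, payload, now, switch_id=b"\x00\x1a\xa1\x00\x00\x01"):
    """Decide what the switch does with a DHCP packet received on `port` at time `now`.

    Returns (action, reason, payload_to_forward_or_None).  switch_id is a made-up
    switch MAC used as the Option 82 remote ID.
    """
    if port.err_disabled:
        return "drop", "port is err-disabled", None
    bucket = int(now)
    port.counts[bucket] = port.counts.get(bucket, 0) + 1
    if port.rate_limit and port.counts[bucket] > port.rate_limit:
        port.err_disabled = True
        return "err-disable", "DHCP rate limit exceeded", None
    if port.trusted:                                   # server / uplink ports
        return "forward", "trusted port", payload
    opts, _ = parse_options(payload)
    msg_type = opts.get(OPT_MSG_TYPE, b"\0")[0]
    if msg_type in SERVER_MESSAGES:
        return "drop", "server message on untrusted port", None
    if payload[28:34] != src_mac:                      # chaddr must match frame source MAC
        return "drop", "chaddr does not match source MAC", None
    if OPT_RELAY_AGENT in opts:                        # only the switch itself may add it
        return "drop", "option 82 already present on untrusted port", None
    return "forward", "client message", insert_option_82(payload, port.name.encode(), switch_id)


if __name__ == "__main__":
    access = SnoopingPort("Gi1/0/1", rate_limit=5)
    client, rogue = bytes.fromhex("0011223344aa"), bytes.fromhex("00deadbeef01")
    print(inspect(access, client, build_dhcp(DISCOVER, client, BOOTREQUEST), 0.0)[:2])
    print(inspect(access, rogue, build_dhcp(OFFER, rogue, BOOTREPLY), 0.1)[:2])
```

The rate limit is modelled per whole second, which is coarser than the switch's token bucket but shows the err-disable behaviour; after the port is err-disabled every further packet is dropped until an administrator (or errdisable recovery) brings it back.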
IP Source Guard
• Supported only on Layer 2 ports, both access and trunk.
• On each untrusted Layer 2 port, filters IP traffic against the DHCP snooping binding table. The check is per port: a host whose lease was learned on another port is blocked, and a host with no binding yet can send only DHCP until it obtains a lease.
• Source IP address filter: only IP traffic with a source IP address that matches an IP source binding entry for that port is permitted.
Switch(config-if)# ip verify source
• Source IP and MAC address filter: only IP traffic whose source IP and MAC addresses both match the binding entry is permitted (on the Catalyst platforms of this era this also requires port security on the interface).
Switch(config-if)# ip verify source port-security
• Static binding for a host that does not use DHCP:
Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface interface-id
ARP Spoofing
• The attacker sends an ARP reply, usually unsolicited and claiming an IP address such as the default gateway's, that causes the receiving host to store the attacker's MAC address for that IP address in its ARP cache.
• All packets the host then sends to that IP address are forwarded through the attacking system, which can inspect them before relaying them on.
Dynamic ARP Inspection (DAI)
• Prevents ARP spoofing.
• DAI intercepts and validates all ARP requests and responses received on untrusted ports.
• Each intercepted ARP reply is checked for a valid MAC-address-to-IP-address binding before it is forwarded to the PC that would otherwise update its ARP cache with it.
• ARP replies coming from invalid devices are dropped.
• DAI determines the validity of an ARP packet from the MAC-address-to-IP-address binding database built by DHCP snooping, which is why DHCP snooping must be in place before DAI can work.
Dynamic ARP Inspection
Switch(config)# ip arp inspection vlan vlan_id[,vlan_id] • Enables DAI on a VLAN or range of VLANs
Switch(config-if)# ip arp inspection trust • Sets the interface as trusted: ARP packets arriving on it are not inspected. Use it only on uplinks to routers and to other DAI-enabled switches; all other interfaces stay untrusted (the default) and are inspected
Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]} • Adds checks beyond the binding lookup: src-mac compares the sender MAC in the ARP body with the Ethernet source MAC, dst-mac compares the target MAC in ARP replies with the Ethernet destination MAC, and ip drops ARP packets carrying invalid or unexpected IP addresses (0.0.0.0, 255.255.255.255, multicast). A packet failing any enabled check is dropped
Protecting Against ARP Spoofing Attacks
• To mitigate the chances of ARP spoofing:
• Step 1 Implement protection against DHCP spoofing (DHCP snooping). Besides blocking rogue servers, this builds the binding table that DAI depends on.
• Step 2 Enable dynamic ARP inspection on the user VLANs, trusting only the uplink ports.
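As an added example, not part of the slide deck and not Cisco's code, the Python model below shows how the IP Source Guard and DAI slides fit together: a constructed binding table stands in for what DHCP snooping recorded (Step 1), and both features consult it. DAI permits an ARP reply only when the sender IP/MAC pair matches a binding on that VLAN, skips inspection on trusted ports, and optionally applies the src-mac, dst-mac and ip checks from ip arp inspection validate; IP Source Guard matches bindings per port and, with the MAC check enabled, also rejects a bound IP used from the wrong MAC. The port names, MAC and IP addresses, the gateway at 10.1.1.1 and the function names are assumptions made for the example.

```python
"""Model of IP Source Guard and Dynamic ARP Inspection on a switch (constructed example).
BINDINGS stands in for the DHCP snooping binding table built from DHCPACKs."""
import ipaddress
import struct
from dataclasses import dataclass

ETH_IP, ETH_ARP = 0x0800, 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


@dataclass(frozen=True)
class Binding:            # one row of the DHCP snooping binding table
    mac: bytes
    ip: str
    vlan: int
    port: str


# Constructed bindings: what DHCP snooping recorded when these two clients got leases
BINDINGS = [
    Binding(mac("00:11:22:33:44:aa"), "10.1.1.10", 10, "Gi1/0/1"),
    Binding(mac("00:11:22:33:44:bb"), "10.1.1.11", 10, "Gi1/0/2"),
]
TRUSTED_PORTS = {"Gi1/0/24"}      # uplink towards the router (10.1.1.1) and DHCP server


def build_arp(src_mac, dst_mac, oper, sha, spa, tha, tpa):
    """Ethernet II frame carrying a 28-byte IPv4 ARP packet."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, oper,
                      sha, ipaddress.ip_address(spa).packed,
                      tha, ipaddress.ip_address(tpa).packed)
    return struct.pack("!6s6sH", dst_mac, src_mac, ETH_ARP) + arp


def _bogus_ip(packed):
    addr = ipaddress.ip_address(packed)
    return addr in (ipaddress.ip_address("0.0.0.0"),
                    ipaddress.ip_address("255.255.255.255")) or addr.is_multicast


def dai_check(frame, port, vlan, validate=()):
    """(permit, reason) for an ARP frame, as DAI decides it on this port and VLAN.

    `validate` lists the optional checks from 'ip arp inspection validate';
    the switch default is none of them, only the binding lookup.
    """
    if port in TRUSTED_PORTS:
        return True, "trusted port, not inspected"
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_ARP:
        return True, "not ARP"
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if "src-mac" in validate and sha != eth_src:
        return False, "ARP sender MAC differs from Ethernet source MAC"
    if "dst-mac" in validate and oper == ARP_REPLY and tha != eth_dst:
        return False, "ARP target MAC differs from Ethernet destination MAC"
    if "ip" in validate and (_bogus_ip(spa) or (oper == ARP_REPLY and _bogus_ip(tpa))):
        return False, "invalid IP address in ARP body"
    sender_ip = str(ipaddress.ip_address(spa))
    if not any(b.vlan == vlan and b.ip == sender_ip and b.mac == sha for b in BINDINGS):
        return False, "no DHCP snooping binding for %s / %s" % (sender_ip, sha.hex(":"))
    return True, "binding matches"


def ip_source_guard(port, vlan, src_mac, src_ip, check_mac=False):
    """(permit, reason) for a non-DHCP IP packet on a port with 'ip verify source'.

    Bindings are matched per port.  DHCP itself is never filtered, so a new host can
    still obtain the lease that creates its binding; until then it cannot send IP.
    """
    if port in TRUSTED_PORTS:
        return True, "trusted port"
    for b in BINDINGS:
        if b.port == port and b.vlan == vlan and b.ip == src_ip:
            if check_mac and b.mac != src_mac:       # 'ip verify source port-security'
                return False, "source MAC %s not bound to %s" % (src_mac.hex(":"), src_ip)
            return True, "binding matches"
    return False, "no binding for %s on %s" % (src_ip, port)


if __name__ == "__main__":
    victim, attacker = BINDINGS[0], BINDINGS[1]
    spoof = build_arp(attacker.mac, victim.mac, ARP_REPLY,
                      attacker.mac, "10.1.1.1", victim.mac, victim.ip)
    print("rogue gateway reply on", attacker.port, "->", dai_check(spoof, attacker.port, 10))
    print("attacker using victim IP ->", ip_source_guard(attacker.port, 10, attacker.mac, victim.ip))
```

Two edge cases are worth running: a frame whose Ethernet source is the attacker but whose ARP body carries the victim's own IP/MAC pair passes the binding lookup alone and is only caught once src-mac validation is enabled, and with IP-only IP Source Guard a bound IP address used from a different MAC on the same port is still permitted, which is what the IP-and-MAC filter closes.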