L2 Security-Part I
DR ADNAN HAIDER
“If the attacker can interrupt, copy, redirect, or confuse the Layer 2 forwarding of data, that same attacker can
also disrupt any type of upper-layer protocols that are being used.”
Guests and Employees
 Guests are not trusted.
 If you have to grant them access to certain network services (e.g. the internet), isolate them using VLANs.
 VLANs are used to create multiple isolated networks within the same physical network.
Port Access Security
 Unused ports could be used by unauthorized people.
 Any used port with assigned privileges can be accessed by an unauthorized device.
 Attackers can send thousands of frames with different source MAC addresses to flood the switch CAM table (CAM table overflow attack).
 Users can connect switches or APs to their PC ports.
 Solution:
   Administratively shut down any unused port.
   Use the port security command on Cisco devices to limit the number of MAC addresses allowed through a port and so prevent unauthorized devices.
Port Access | Number of MAC Addresses
 Typical devices use only 1 MAC address.
 If you have an IP phone, then 2 MAC addresses will be connected to the same switch port.
 What if you have a virtual machine?
 Configuration:
   SW2(config-if)# switchport port-security maximum 5
Native VLAN
 A native VLAN is a special VLAN whose traffic traverses the 802.1Q trunk without any VLAN tag.
 Problem?
   What if an attacker tags the frame sent through a native VLAN port? Risky, right?
 Resolution:
   Change the native VLAN to anything other than 1.
   Do not use it for any traffic.
   Avoid using VLAN 1 anywhere (because it is the default VLAN).
Port-Security Feature | Cisco Devices
 Specify the maximum number of MAC addresses.
 Choose whether to remember the accepted learned MAC addresses (so that only the previously working devices are accepted) or not.
 Set the violation action.
 Configure action recovery.
 Maximum 1 MAC address (the default):
   SW2(config-if)# switchport port-security
 Maximum more than 1 MAC address:
   SW2(config-if)# switchport port-security maximum 5
 Save learned MAC addresses into the running config:
   SW2(config-if)# switchport port-security mac-address sticky
 Violation action:
   SW2(config-if)# switchport port-security violation protect
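The slide lists the port-security knobs but shows only one violation mode. The model below is an added example (not code from the slides or from Cisco) that reproduces the per-port MAC limit, sticky learning and the three violation modes so their differences are visible on constructed input: protect drops extra MACs silently, restrict drops and counts them, shutdown err-disables the port. The running_config() output format is an assumption for illustration.

```python
"""Model of Cisco-style port security on one switch port.

Added example (not code from the slides or from Cisco). It reproduces the
behaviour the slide lists so the violation modes can be compared side by side:
  maximum   - how many source MACs the port may learn (default 1)
  sticky    - learned MACs are kept, as the 'mac-address sticky' option does
  violation - protect:  drop frames from extra MACs silently
              restrict: drop them and count the violation (Cisco also logs/traps)
              shutdown: err-disable the port (the Cisco default)
Frames are represented only by their source MAC; all input is constructed.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class SecuredPort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"
    sticky: bool = False
    allowed: List[str] = field(default_factory=list)  # learned (or sticky) MACs
    violations: int = 0
    err_disabled: bool = False

    def ingress(self, src_mac: str) -> str:
        """Decide what happens to a frame with this source MAC:
        'forward', 'drop' or 'err-disable'."""
        if self.err_disabled:
            return "drop"                     # port is down until recovery
        if src_mac in self.allowed:
            return "forward"
        if len(self.allowed) < self.maximum:
            self.allowed.append(src_mac)      # room left: learn the address
            return "forward"
        # The port's address table is full and this MAC is not in it.
        if self.violation == "protect":
            return "drop"                     # silent: no counter, no log
        self.violations += 1
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True              # shutdown mode
        return "err-disable"

    def recover(self) -> None:
        """What 'errdisable recovery' or a manual shut/no shut does."""
        self.err_disabled = False

    def running_config(self) -> List[str]:
        """Approximate running-config lines for the port (format assumed)."""
        lines = [f"interface {self.name}",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in self.allowed]
        return lines


def replay(port: SecuredPort, macs: List[str]) -> List[str]:
    """Feed a sequence of source MACs through the port, return the decisions."""
    return [port.ingress(m) for m in macs]


def cam_flood(port: SecuredPort, count: int) -> int:
    """Constructed CAM-flood pattern: 'count' frames, each from a new MAC.
    Returns how many were forwarded; with the default limit of 1 that is 1."""
    macs = [f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}" for i in range(count)]
    return replay(port, macs).count("forward")


if __name__ == "__main__":
    desk = SecuredPort("Gi1/0/5", maximum=2, violation="restrict", sticky=True)
    print(replay(desk, ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",
                        "aa:bb:cc:00:00:03", "aa:bb:cc:00:00:01"]))
    print("\n".join(desk.running_config()))
    print(cam_flood(SecuredPort("Gi1/0/6"), 5000), "of 5000 flood frames forwarded")
```

Note the trade-off the model makes visible: protect keeps the port up but leaves no trace of the extra device, restrict keeps the port up and gives you a counter to alert on, and shutdown also cuts off the legitimate device until recovery.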
VLAN | Trunk <DTP>
 Automatic negotiation (DTP) allows dynamic port type assignment (access or trunk), but it is risky.
 Problem:
   Anyone can negotiate a trunk and sniff all VLANs' traffic.
   An attacker can tag any traffic to reach the target VLAN.
 Solution:
   Make all ports access ports.
   Next, only the ports connected to trusted switches should be configured as trunk ports, manually. Disable port type negotiation.
VLAN | Trunk | Physical Access
 A fixed VLAN trunk role is good, but what if an attacker can physically access the port?
 Therefore, ensure that trunk ports are secured (switches and cables).
 Port status changes should be monitored and investigated.
VLAN Hopping
 A VLAN hopping attack allows frames from one VLAN to pass into another VLAN.
 VLAN hopping methods:
   Switch spoofing: utilize specific DTP modes (i.e. "dynamic desirable", "dynamic auto" or "trunk" mode) to negotiate a trunk and send traffic to any desired VLAN by illegally tagging the frames accordingly.
   Double tagging: tag the frame sent through a native VLAN port so that the switch on the other side is tricked by the tag on the frame. This exploit requires that the attacker is connected to a native-VLAN port and the destination is on another switch. The traffic in this exploit is one way.
VLAN Hopping | Mitigation
 Change the native VLAN to anything other than 1.
 Do not use it for any traffic.
 Avoid using VLAN 1 anywhere.
 Don't configure any port with the "dynamic desirable" or "dynamic auto" DTP modes.
 Manually configure all ports as access ports with DTP disabled (the IOS keyword is switchport nonegotiate; there is no "switchport mode nonegotiate"):
   switchport mode access
   switchport nonegotiate
 Shut down all unused interfaces.
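To see what the two hopping methods look like on the wire, and what the mitigations above actually filter, here is an added example (not from the slides or from Cisco) that parses the 802.1Q tag stack of an Ethernet frame and applies an admission policy for a given port role. The policy is an assumption stated in the docstring: access ports accept only untagged frames (stricter than some switches, which also accept a tag equal to the access VLAN), and trunk ports accept an untagged frame or exactly one tag for an allowed VLAN, so a double-tagged frame or a frame tagged with the native VLAN is reported rather than forwarded. Sample frames are constructed inline with build_frame().

```python
"""802.1Q tag-stack parser with the admission rules the mitigation slide implies.

Added example (not from the slides or from Cisco). parse_tags() decodes the
VLAN tag stack of an Ethernet frame; classify() applies an assumed policy:
  access port: only untagged frames are admitted
  trunk port:  untagged -> native VLAN; one tag -> that VLAN if allowed and
               not the native VLAN; two or more tags -> reported as double-tagged
Sample frames are constructed with build_frame().
"""
import struct
from typing import List, Optional, Tuple

TPIDS = {0x8100, 0x88A8}   # 802.1Q and 802.1ad (Q-in-Q) tag protocol identifiers


def parse_tags(frame: bytes) -> Tuple[List[int], int]:
    """Return (VLAN IDs outer->inner, EtherType of the payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    off, vlans = 12, []            # EtherType/TPID field follows dst+src MAC
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated header")
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype not in TPIDS:
            return vlans, etype
        if len(frame) < off + 2:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID


def build_frame(src: str, dst: str, vlans: List[int], etype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed test frame carrying the given tag stack (outer first)."""
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))
    tags = b"".join(struct.pack("!HH", 0x8100, v & 0x0FFF) for v in vlans)
    return mac(dst) + mac(src) + tags + struct.pack("!H", etype) + payload


def classify(frame: bytes, mode: str, access_vlan: int = 0,
             native_vlan: int = 0, allowed: Optional[set] = None) -> str:
    """Admission decision for a frame arriving on a port in the given mode."""
    vlans, _ = parse_tags(frame)
    if mode == "access":
        if vlans:
            return "drop: tagged frame on access port"
        return f"forward: VLAN {access_vlan}"
    if mode != "trunk":
        raise ValueError(f"unknown port mode {mode!r}")
    if len(vlans) > 1:
        return "drop: double-tagged frame (VLAN hopping pattern)"
    if not vlans:
        return f"forward: native VLAN {native_vlan}"
    vid = vlans[0]
    if vid == native_vlan:
        # Once the native VLAN carries no traffic, a frame tagged with it is suspect.
        return "drop: tagged with the native VLAN"
    if allowed is not None and vid not in allowed:
        return f"drop: VLAN {vid} not allowed on trunk"
    return f"forward: VLAN {vid}"


if __name__ == "__main__":
    src, dst = "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff"
    for label, frame, kw in [
        ("untagged on access", build_frame(src, dst, []), dict(mode="access", access_vlan=20)),
        ("tagged on access", build_frame(src, dst, [10]), dict(mode="access", access_vlan=20)),
        ("double tag on trunk", build_frame(src, dst, [1, 10]), dict(mode="trunk", native_vlan=1)),
        ("single tag on trunk", build_frame(src, dst, [20]), dict(mode="trunk", native_vlan=999, allowed={10, 20})),
    ]:
        print(f"{label:22s} tags={parse_tags(frame)[0]} -> {classify(frame, **kw)}")
```

The same parser can be pointed at a packet capture taken on an access port: any frame whose tag list is non-empty there is a policy violation worth investigating, and a two-entry list is the double-tagging pattern the slide describes.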
VLAN | Configuration
 Shut down all ports.
 Assign all ports to an unused VLAN.
 Assign each used port to its designated VLAN.
 Bring the port up.
Loop | DoS
 An attacker can create an L2 loop by connecting two network sockets to each other instead of to a PC.
 An L2 loop presents a denial-of-service condition.
 Solution:
   STP
   RSTP (better)
   RPVSTP (better for …?)
   MSTP (best for a large number of VLANs)
STP
 The main problem is performance (time to forwarding).
 Solutions:
   Implement Rapid STP, RPVSTP or MSTP based on the number of VLANs in your network.
   PortFast, UplinkFast, and BackboneFast are features available on Cisco switches to reduce the time to forwarding on a port.
STP | Threats & Mitigation
 PortFast-enabled ports go immediately to the forwarding state.
 What if an attacker utilized this and started to generate BPDU packets?
 Use the BPDU Guard feature on Cisco devices whenever you enable the PortFast feature, to automatically disable the port if a BPDU is seen.
   SW2(config-if)# spanning-tree bpduguard enable
 Switches might be connected to other switches that belong to a different network you don't control. In this case those other switches can tamper with your existing topology.
 Use Root Guard to control which ports are not allowed to become root ports toward remote root switches.
   SW1(config-if)# spanning-tree guard root
STP | Lab
Rapid Per-VLAN STP
 SW2(config)# spanning-tree mode rapid-pvst
PortFast feature
 Enable it per interface:
   SW2(config-if)# spanning-tree portfast
 Or enable it globally (this is a global configuration command, not an interface one), then disable it on trunk ports:
   SW2(config)# spanning-tree portfast default
Debug STP config
 SW2# show spanning-tree vlan 10
L2 Discovery Protocol | CDP & LLDP
 CDP (Cisco Discovery Protocol) is a Cisco proprietary protocol.
 LLDP (Link Layer Discovery Protocol) is a standard protocol.
 Network devices use CDP and LLDP to advertise themselves and their capabilities.
 CDP/LLDP are used to gather information about attached equipment.
 CDP/LLDP can be enabled or disabled globally or per port.
CDP/LLDP | Threat Mitigation
 Turn off CDP/LLDP on ports facing untrusted or unknown networks that do not require CDP/LLDP for anything positive.
 CDP/LLDP operate at Layer 2 and may provide attackers information we would rather not disclose.
Challenges when protecting Layer 2 networks, VLAN assignment, and trunking protocols
DHCP Attack | Rogue DHCP Server | DHCP Snooping
 Rogue DHCP server:
   A DHCP server on a network which is not under the administrative control of the network staff.
   Can be used to launch network attacks.
 DHCP attacks:
   Man-in-the-Middle attack: offers the attacker's IP address as the gateway so that all traffic goes through the attacker.
   DHCP pool exhaustion (DoS): send lots of DHCP Discover messages to take all IP addresses in the DHCP pool.
DHCP Security | DHCP Snooping
 DHCP snooping tracks all the DHCP Discover and DHCP Offer messages coming from "untrusted" ports.
 Trusted ports are the ports that are set as verified at the beginning. This means that any DHCP messages are accepted from this interface.
 Untrusted ports are the ports that are set as unverified at the beginning. This means "be careful with the packets coming from this interface".
 DHCP snooping maintains a list of DHCP address bindings (by inspecting traffic between DHCP clients and the server).
DHCP Security | DHCP Snooping
 DHCP snooping:
   Validates DHCP messages received from untrusted sources and filters out invalid messages.
   Rate-limits DHCP traffic from trusted and untrusted sources.
   Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses (MAC address, leased IP address, lease time, binding type, VLAN, interface).
   Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
DHCP Snooping | Cisco Configuration
 Define and configure the DHCP server.
 Enable DHCP snooping globally.
 Enable DHCP snooping on at least one VLAN.
   By default, DHCP snooping is inactive on all VLANs.
 Ensure that the DHCP server is connected through a trusted interface.
   By default, the trust state of all interfaces is untrusted.
 Configure the DHCP snooping database agent.
   This step ensures that database entries are restored after a restart or switchover.
Minimum configuration:
sw2(config)# ip dhcp snooping
sw2(config)# ip dhcp snooping vlan 10
sw2(config-if)# ip dhcp snooping trust
sw2(config)# ip dhcp snooping database tftp://10.1.1.1/directory/file
Extra configuration:
Router(config-if)# ip dhcp snooping limit rate 100 (i.e. at most 100 pps of DHCP traffic is allowed on the interface)
ARP | Threats
 ARP spoofing attacks
   Refers to an attacker impersonating another machine's MAC address.
 ARP cache poisoning (ARP table corruption)
   Refers to the act of corrupting the ARP tables on one or more victim machines.
 Attack mechanism: broadcasting forged ARP responses.
 Attack effect:
   Is not permanent (ARP table entries age out in minutes).
   The traffic could be sent to either
     the attacker's machine (Man-in-the-Middle attack), or
     a nonexistent location (DoS).
 What is the scope of ARP spoofing attacks?
ARP Spoofing Attacks | Mitigation
 Static ARP table (edge side): prevention mechanism.
 Dynamic ARP Inspection (switch side): prevention mechanism.
 Encryption (and traffic padding): renders the data not useful to an attacker.
 Network isolation: reduces the scope of the attack to a small broadcast domain (VLAN).
Dynamic ARP Inspection (DAI)
 Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in a network.
 DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings.
 The DHCP snooping binding database is used for validating ARP packets (IP-to-MAC address bindings).
 On untrusted interfaces, the switch forwards the packet only if it is valid.
DAI | Cisco Configuration
 Enable DAI on VLAN 10:
   sw2(config)# ip arp inspection vlan 10
 Configure an interface as a trusted DAI interface:
   sw2(config-if)# ip arp inspection trust
IP Source Guard (IPSG)
 IPSG is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic.
 IPSG filters traffic based on
   the DHCP snooping binding database, and
   manually configured IP source bindings.
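The DHCP snooping, DAI and IPSG slides above describe three features that share one data structure, the snooping binding table. The model below is an added example (not code from the slides or from Cisco) that ties them together on constructed input: server messages on an untrusted port are dropped, a lease confirmed through the trusted port creates a binding for the client's port, DAI then checks ARP sender fields against that binding, and IPSG checks the source IP/MAC of ordinary IP packets the same way, with static bindings standing in for manually configured IP source bindings. The rate limiter is simplified to a per-port, per-second counter that drops the excess, where a Cisco switch would err-disable the port; message fields (type, chaddr, src_mac, yiaddr, lease) and port names are assumptions for the example.

```python
"""Model of DHCP snooping, Dynamic ARP Inspection and IP Source Guard on one switch.

Added example (not code from the slides or from Cisco). DHCP, ARP and IP
packets are constructed dicts/arguments; nothing touches a real network.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only legitimate from a trusted port


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    lease: int                 # seconds; 0 = static
    kind: str = "dhcp-snooping"


@dataclass
class Switch:
    trusted: Set[str] = field(default_factory=set)    # snooping/DAI trusted ports
    ipsg_ports: Set[str] = field(default_factory=set) # ports with IP Source Guard on
    rate_limit: int = 100                             # DHCP packets per second per port
    bindings: Dict[Tuple[str, int], Binding] = field(default_factory=dict)  # (mac, vlan)
    pending: Dict[Tuple[str, int], str] = field(default_factory=dict)       # (chaddr, vlan) -> client port
    counters: Dict[Tuple[str, int], int] = field(default_factory=dict)      # (port, second) -> count
    log: List[str] = field(default_factory=list)

    # ---- DHCP snooping -------------------------------------------------------
    def dhcp_ingress(self, port: str, vlan: int, msg: dict, second: int = 0) -> str:
        key = (port, second)
        self.counters[key] = self.counters.get(key, 0) + 1
        if self.counters[key] > self.rate_limit:
            self.log.append(f"DHCP rate limit exceeded on {port}")
            return "drop: rate limit"
        if port not in self.trusted:
            if msg["type"] in SERVER_MSGS:            # rogue server behind a host port
                self.log.append(f"rogue DHCP {msg['type']} on untrusted {port}")
                return "drop: server message on untrusted port"
            if msg["chaddr"] != msg["src_mac"]:       # MAC-address verification
                return "drop: chaddr does not match source MAC"
            self.pending[(msg["chaddr"], vlan)] = port  # remember which port asked
            return "forward"
        if msg["type"] == "ACK":                      # lease granted: record binding
            client_port = self.pending.pop((msg["chaddr"], vlan), None)
            if client_port is not None:
                self.bindings[(msg["chaddr"], vlan)] = Binding(
                    msg["chaddr"], msg["yiaddr"], vlan, client_port, msg["lease"])
        return "forward"

    def add_static_binding(self, mac: str, ip: str, vlan: int, port: str) -> None:
        """Manually configured IP source binding for a host without DHCP."""
        self.bindings[(mac, vlan)] = Binding(mac, ip, vlan, port, 0, "static")

    # ---- Dynamic ARP Inspection ---------------------------------------------
    def arp_ingress(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
        if port in self.trusted:
            return "forward"
        b = self.bindings.get((sender_mac, vlan))
        if b is None or b.ip != sender_ip or b.port != port:
            self.log.append(f"DAI denied ARP {sender_ip}/{sender_mac} on {port} vlan {vlan}")
            return "drop: invalid IP-to-MAC binding"
        return "forward"

    # ---- IP Source Guard ----------------------------------------------------
    def ip_ingress(self, port: str, vlan: int, src_mac: str, src_ip: str) -> str:
        if port not in self.ipsg_ports:
            return "forward"                          # feature not enabled on this port
        b = self.bindings.get((src_mac, vlan))
        if b is None or b.ip != src_ip or b.port != port:
            return "drop: source not in binding table"
        return "forward"


if __name__ == "__main__":
    sw = Switch(trusted={"Gi1/0/24"}, ipsg_ports={"Gi1/0/5"})
    client = "aa:aa:aa:00:00:05"
    print(sw.dhcp_ingress("Gi1/0/5", 10, {"type": "REQUEST", "chaddr": client, "src_mac": client}))
    print(sw.dhcp_ingress("Gi1/0/7", 10, {"type": "OFFER", "chaddr": client, "src_mac": "bb:bb:bb:00:00:07"}))
    print(sw.dhcp_ingress("Gi1/0/24", 10, {"type": "ACK", "chaddr": client, "src_mac": "cc:cc:cc:00:00:24",
                                          "yiaddr": "10.1.10.50", "lease": 86400}))
    print(sw.arp_ingress("Gi1/0/5", 10, client, "10.1.10.50"))
    print(sw.arp_ingress("Gi1/0/7", 10, "bb:bb:bb:00:00:07", "10.1.10.1"))
    print(sw.ip_ingress("Gi1/0/5", 10, client, "10.1.10.1"))
    print("\n".join(sw.log))
```

The order of operations matters in practice as it does in the model: DAI and IPSG can only validate what the snooping table knows, so a host that obtained its address before snooping was enabled (or one with a static address and no static binding) is dropped until a binding exists, which is why the slides pair the database agent and manual bindings with the feature.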
Layer Two (2) Security of Cisco switch

Editor's Notes

  • #3: CCNP and CCIE Security Core SCOR 350-701, Omar
  • #7: If an attacker tags the frame sent through a native VLAN port and the frame moves through the trunk cable without being untagged, the switch on the other side will think that this frame belongs to the tagged VLAN (not the native VLAN).
  • #14: STP flavors: https://www.ciscopress.com/articles/article.asp?p=2832407&seqNum=5
  • #26: ARP poisoning scope is within the L2 network (subnet). VLANs help reduce the range of effect.