CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network
Slide 1: Minimizing Service Loss and Data Theft in a Switched – BCMSN Module 8 – Sec 2


Slide 2:
- Understanding Switch Security Issues
- Protecting against Attacks
- Protecting against Spoof Attacks
- Describing STP Security Mechanism
- Preventing STP Forwarding Loops
- Securing Network Switches

Slide 3: Describing a DHCP Spoof Attack
- The DHCP spoofing device replies to client DHCP requests.
- The legitimate server may reply as well, but if the spoofing device is on the same segment as the client, its reply to the client may arrive first.
- The intruder's DHCP reply offers an IP address and supporting information that designates the intruder as the default gateway or Domain Name System (DNS) server.
- In the case of a gateway, the clients forward packets to the attacking device, which in turn sends them to the desired destination.

Slide 4: DHCP Spoof Attacks
- Client: "I need an IP address/mask, default gateway, and DNS server."
- Rogue: "Here you go, I might be first!"
- Legitimate: "Here you go."
- Client: "Got it, thanks!" … "Already got the info."
- All default gateway frames and DNS requests are sent to the rogue.
- Rogue: "I can now forward these on to my leader."

Slide 5: Describing DHCP Snooping
- Cisco Catalyst feature that determines which switch ports can respond to DHCP requests.
- Trusted ports can source all DHCP messages.
- Untrusted ports can source requests only; they should not send any DHCP server responses, such as DHCPOFFER, DHCPACK, or DHCPNAK.
- If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down.

Slide 6: DHCP Option 82
- Port-to-port DHCP broadcast isolation is achieved when the client ports are within a single VLAN.
- Client → Agent (port #) → DHCP Server (port #)
- The relay agent uses this information to identify which port connects to the requesting client and avoids forwarding the reply to the entire VLAN.
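The slide only names the mechanism; the following is an added example (not part of the course material or Cisco code) that encodes and decodes the Option 82 TLV a snooping switch inserts into a client request. The suboption codes (1 = Agent Circuit ID, 2 = Agent Remote ID) are the RFC 3046 values; the inner layout of the circuit ID (type 0, length 4, VLAN, module, port) and remote ID (type 0, length 6, switch MAC) is the default Catalyst format as I recall it from the configuration guides and is stated as an assumption. The VLAN, port and MAC values are constructed.

```python
"""Encode/decode DHCP Option 82 (Relay Agent Information, RFC 3046).

Added example, not from the slides. The Catalyst default payload layouts
are an assumption; the VLAN/port/MAC sample values are constructed.
"""
import struct

OPTION_RELAY_AGENT = 82
SUB_CIRCUIT_ID = 1     # which VLAN/port the client request arrived on
SUB_REMOTE_ID = 2      # identifies the relay (snooping) switch itself


def build_option82(vlan, module, port, switch_mac):
    """Return the Option 82 TLV the switch appends to a client's DISCOVER/REQUEST."""
    # Assumed Catalyst default: circuit-id = type 0, len 4, VLAN(2), module, port.
    circuit = struct.pack("!BBHBB", 0, 4, vlan, module, port)
    # Assumed Catalyst default: remote-id = type 0, len 6, switch MAC.
    remote = struct.pack("!BB", 0, 6) + bytes.fromhex(switch_mac.replace(":", ""))
    subs = (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUB_REMOTE_ID, len(remote)]) + remote)
    return bytes([OPTION_RELAY_AGENT, len(subs)]) + subs


def parse_suboptions(option):
    """Split an Option 82 TLV into {suboption_code: payload}.

    Length fields are checked against the actual bytes so a truncated or
    padded option raises instead of being silently misread.
    """
    if len(option) < 2 or option[0] != OPTION_RELAY_AGENT or option[1] != len(option) - 2:
        raise ValueError("not a well-formed Option 82")
    subs, i = {}, 2
    while i < len(option):
        code, length = option[i], option[i + 1]
        payload = option[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated suboption")
        subs[code] = payload
        i += 2 + length
    return subs


def decode_circuit_id(payload):
    """Decode the assumed default circuit-id payload into (vlan, module, port)."""
    _type, length, vlan, module, port = struct.unpack("!BBHBB", payload)
    if length != 4:
        raise ValueError("unexpected circuit-id length")
    return vlan, module, port


def decode_remote_id(payload):
    """Decode the assumed default remote-id payload into a MAC string."""
    mac = payload[2:2 + payload[1]]
    return ":".join(f"{b:02x}" for b in mac)


def client_port_from_reply(option):
    """When the server echoes Option 82 in its reply, the switch reads the
    circuit ID to deliver the reply on one port instead of flooding the VLAN."""
    return decode_circuit_id(parse_suboptions(option)[SUB_CIRCUIT_ID])


if __name__ == "__main__":
    opt = build_option82(10, 0, 5, "aa:bb:cc:dd:ee:ff")   # constructed values
    print(opt.hex(), client_port_from_reply(opt))
```

The parser is the part worth keeping around: a relay agent that trusts the length bytes without checking them against the option length is exactly the kind of code that misreads a malformed packet.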

Slide 7: DHCP Snooping
Switch(config)# ip dhcp snooping
  Enables DHCP snooping globally
Switch(config)# ip dhcp snooping vlan number [number]
  Enables DHCP snooping on your VLANs
Switch(config)# ip dhcp snooping information option
  Enables DHCP Option 82 data insertion
Switch(config-if)# ip dhcp snooping trust
  Configures a trusted interface
Switch(config-if)# ip dhcp snooping limit rate [rate]
  Number of packets per second accepted on a port
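To make the trusted/untrusted behaviour of slides 5 and 7 concrete, here is an added example (not Cisco code or course material) that models the snooping decision for each DHCP packet: server-type messages from an untrusted port are dropped and the port is shut down as the slide states, untrusted ports are rate-limited, and a DHCPACK seen on the trusted uplink populates the binding table (client MAC, IP, VLAN, port) that IP Source Guard and DAI later rely on. The switch, its port names, the client MAC and the addresses are all constructed.

```python
"""Toy model of the DHCP snooping decisions the slides describe.

Added example, not Cisco code or the course's own material. The switch, its
port names (Gi0/1 uplink, Fa0/x access ports), the client MAC and the lease
addresses are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# DHCP message types carried in Option 53. The server-originated types are the
# ones an untrusted port must never source.
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_TYPES = {OFFER, ACK, NAK}


@dataclass(frozen=True)
class Dhcp:
    msg_type: int
    client_mac: str
    yiaddr: str = "0.0.0.0"   # address the server offers/assigns to the client


@dataclass
class Snooper:
    """DHCP snooping state for one VLAN of a switch."""
    vlan: int
    trusted: frozenset                       # ports with 'ip dhcp snooping trust'
    rate_limit: int = 15                     # 'ip dhcp snooping limit rate' on untrusted ports
    bindings: dict = field(default_factory=dict)     # client MAC -> (ip, vlan, port)
    errdisabled: set = field(default_factory=set)
    _pending: dict = field(default_factory=dict)     # client MAC -> untrusted port of its request
    _counts: dict = field(default_factory=lambda: defaultdict(int))  # (port, second) -> packets

    def receive(self, port, pkt, second=0):
        """Return 'forward' or 'drop' for one DHCP packet arriving on `port`."""
        if port in self.errdisabled:
            return "drop"
        if port in self.trusted:
            # A trusted port may source any DHCP message. A DHCPACK completes a
            # lease, so record what the client on the untrusted port received.
            if pkt.msg_type == ACK and pkt.client_mac in self._pending:
                client_port = self._pending.pop(pkt.client_mac)
                self.bindings[pkt.client_mac] = (pkt.yiaddr, self.vlan, client_port)
            return "forward"
        # Untrusted port: enforce the per-second rate limit first.
        self._counts[(port, second)] += 1
        if self._counts[(port, second)] > self.rate_limit:
            self.errdisabled.add(port)
            return "drop"
        # Untrusted ports may source client messages only; a server response
        # here means a rogue server, and the slide has the port shut down.
        if pkt.msg_type in SERVER_TYPES:
            self.errdisabled.add(port)
            return "drop"
        if pkt.msg_type in (DISCOVER, REQUEST):
            self._pending[pkt.client_mac] = port
        return "forward"


def spoof_demo():
    """Legitimate exchange with a rogue server racing it from an access port."""
    sw = Snooper(vlan=10, trusted=frozenset({"Gi0/1"}))
    client = "00:11:22:33:44:55"                                      # constructed client MAC
    verdicts = [
        sw.receive("Fa0/5", Dhcp(DISCOVER, client)),                  # client asks
        sw.receive("Fa0/7", Dhcp(OFFER, client, "10.0.0.99")),        # rogue answers first
        sw.receive("Gi0/1", Dhcp(OFFER, client, "10.0.0.20")),        # real server via uplink
        sw.receive("Fa0/5", Dhcp(REQUEST, client, "10.0.0.20")),
        sw.receive("Gi0/1", Dhcp(ACK, client, "10.0.0.20")),
    ]
    return verdicts, sw


def rate_limit_demo(packets=20):
    """Flood an untrusted port with DISCOVERs within one second."""
    sw = Snooper(vlan=10, trusted=frozenset({"Gi0/1"}))
    verdicts = [sw.receive("Fa0/9", Dhcp(DISCOVER, f"00:00:00:00:00:{i:02x}"))
                for i in range(packets)]
    return verdicts.count("forward"), sw.errdisabled


if __name__ == "__main__":
    print(spoof_demo()[0], rate_limit_demo())
```

The binding is keyed on what the trusted server actually acknowledged, not on what the client asked for, which is why the rogue OFFER on Fa0/7 never influences the table even if it had not been dropped.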

Slide 8: Verifying DHCP Snooping

Slide 9: IP Source Guard
- Supports only Layer 2 ports, including both access and trunk.
- Provides IP traffic security filtering for each untrusted Layer 2 port.
- Source IP address filter: only IP traffic with a source IP address that matches the IP source binding entry is permitted.
  Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface interface-id
- Source IP and MAC address filter: only IP traffic with source IP and MAC addresses matching the IP source binding entry is permitted.

Slide 10: ARP Spoofing
The ARP reply from the attacker causes the sender to store the MAC address of the attacking system in its ARP cache. All packets destined for the spoofed IP addresses will be forwarded through the attacker's system.

Slide 11: Dynamic ARP Inspection (DAI)
- To prevent ARP spoofing:
  - DAI prevents these attacks by intercepting and validating all ARP requests and responses.
  - Each intercepted ARP reply is verified for valid MAC-address-to-IP-address bindings before it is forwarded to a PC to update its ARP cache.
  - ARP replies coming from invalid devices are dropped.
- DAI determines the validity of an ARP packet based on the valid MAC-address-to-IP-address binding database built by DHCP snooping.

Slide 12: Dynamic ARP Inspection
Switch(config)# ip arp inspection vlan vlan_id[,vlan_id]
  Enables DAI on a VLAN or range of VLANs
Switch(config-if)# ip arp inspection trust
  Sets the interface as a trusted interface; ARP packets arriving on it are not inspected
Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
  Configures DAI to drop ARP packets whose source MAC, destination MAC, or IP addresses (as selected) are invalid

Slide 13: Protecting Against ARP Spoofing Attacks
To mitigate the chances of ARP spoofing:
- Step 1: Implement protection against DHCP spoofing.
- Step 2: Enable dynamic ARP inspection.
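Slides 9 and 11 to 13 describe the same idea from two sides: once DHCP snooping has a binding table, IP Source Guard filters IP traffic and DAI filters ARP traffic against it. The following added example (not Cisco code or course material) runs both checks over constructed sample traffic: a binding table as snooping would have learned it, a legitimate ARP reply, a reply that claims the gateway's address from the wrong host, and packets that fail the optional src-mac, dst-mac and ip validations named on slide 12. The "ip" and "ip-mac" modes of the IP Source Guard check correspond to the two filters on slide 9; the port names, MAC and IP addresses are constructed.

```python
"""Toy Dynamic ARP Inspection and IP Source Guard checks against a DHCP
snooping binding table.

Added example, not Cisco code or course material. The binding table, port
names, MAC and IP addresses are constructed; the validate keywords follow
'ip arp inspection validate {[src-mac] [dst-mac] [ip]}' from the slide.
"""
from dataclasses import dataclass

# Constructed binding table as DHCP snooping would have learned it:
# (client MAC, IP address, VLAN, port).
BINDINGS = [
    ("00:11:22:33:44:55", "10.0.0.20", 10, "Fa0/5"),
    ("00:11:22:33:44:66", "10.0.0.21", 10, "Fa0/6"),
]
TRUSTED = {"Gi0/1"}       # uplink with 'ip arp inspection trust'; not inspected


@dataclass(frozen=True)
class Arp:
    op: int               # 1 = request, 2 = reply
    src_mac: str          # Ethernet header source
    dst_mac: str          # Ethernet header destination
    sender_mac: str       # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


def has_binding(mac, ip):
    """True if DHCP snooping learned this MAC/IP pair on any port."""
    return any(m == mac and i == ip for m, i, _vlan, _port in BINDINGS)


def plausible_ip(addr):
    """'validate ip': reject unspecified, limited-broadcast and multicast addresses."""
    first = int(addr.split(".")[0])
    return addr not in ("0.0.0.0", "255.255.255.255") and not 224 <= first <= 239


def dai_check(port, pkt, validate=frozenset()):
    """Return (verdict, reason) for one ARP packet under DAI."""
    if port in TRUSTED:
        return "forward", "trusted port"
    if "src-mac" in validate and pkt.src_mac != pkt.sender_mac:
        return "drop", "ethernet source != ARP sender MAC"
    if "dst-mac" in validate and pkt.op == 2 and pkt.dst_mac != pkt.target_mac:
        return "drop", "ethernet destination != ARP target MAC"
    if "ip" in validate:
        # Sender IP is checked on requests and replies, target IP only on replies.
        if not plausible_ip(pkt.sender_ip) or (pkt.op == 2 and not plausible_ip(pkt.target_ip)):
            return "drop", "invalid IP address in ARP body"
    if not has_binding(pkt.sender_mac, pkt.sender_ip):
        return "drop", "sender MAC/IP not in DHCP snooping bindings"
    return "forward", "binding matched"


def ipsg_check(port, src_ip, src_mac, mode="ip"):
    """IP Source Guard on an untrusted port: mode 'ip' matches the source IP
    bound to this port; mode 'ip-mac' also requires the bound MAC."""
    for mac, ip, _vlan, p in BINDINGS:
        if p == port and ip == src_ip and (mode == "ip" or mac == src_mac):
            return "forward"
    return "drop"


# Constructed sample traffic.
GOOD = Arp(2, "00:11:22:33:44:55", "00:11:22:33:44:66",
           "00:11:22:33:44:55", "10.0.0.20", "00:11:22:33:44:66", "10.0.0.21")
# Host on Fa0/6 answering for the gateway address 10.0.0.1 with its own MAC.
SPOOF = Arp(2, "00:11:22:33:44:66", "00:11:22:33:44:55",
            "00:11:22:33:44:66", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.20")
# Correct ARP body, but the Ethernet source does not match the ARP sender MAC.
MISMATCH = Arp(2, "de:ad:be:ef:00:01", "00:11:22:33:44:66",
               "00:11:22:33:44:55", "10.0.0.20", "00:11:22:33:44:66", "10.0.0.21")

if __name__ == "__main__":
    for name, port, pkt in (("good", "Fa0/5", GOOD), ("spoof", "Fa0/6", SPOOF)):
        print(name, dai_check(port, pkt))
    print("ipsg", ipsg_check("Fa0/6", "10.0.0.20", "00:11:22:33:44:66"))
```

Note that DAI's core check is the sender MAC/IP pair, so the spoofed reply is dropped with or without the optional validations; `validate src-mac` only adds value for packets whose ARP body is consistent but whose Ethernet header is not.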

Slide 14: Configuring Dynamic ARP Inspection