© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against Spoofing Attacks.

Slides:



Advertisements
Similar presentations
Mitigating Layer 2 Attacks
Advertisements

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Implement VTP LAN Switching and Wireless – Chapter 4.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Implement Inter- VLAN Routing LAN Switching and Wireless – Chapter 6.
Implementing Inter-VLAN Routing
Chapter 6: Securing the Campus Infrastructure
Switching Topic 4 Inter-VLAN routing. Agenda Routing process Routing VLANs – Traditional model – Router-on-a-stick – Multilayer switches EtherChannel.
CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.
Cisco 3 - Switch Perrine. J Page 15/8/2015 Chapter 8 What happens to the member ports of a VLAN when the VLAN is deleted? 1.They become inactive. 2.They.
Neutering Ettercap in Cisco Switched Networks For fun and Profit.
DHCP Dynamic Host Configuration Part 7 NVCC Professional Development TCP/IP.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 10: DHCP Routing & Switching.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Implement VTP LAN Switching and Wireless – Chapter 4.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 10: DHCP Routing and Switching Essentials.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—6-1 Implementing Layer 3 High Availability Configuring Layer 3 Redundancy with HSRP.
Network Security Network Attacks and Mitigation 張晃崚 CCIE #13673, CCSI #31340 區域銷售事業處 副處長 麟瑞科技.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Understanding Switch Security Issues.
Securing the Local Area Network
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Securing Network Services.
Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—2-1 Implementing VLANs in Campus Networks Configuring PVLANs.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—2-1 Implementing VLANs in Campus Networks Applying Best Practices for VLAN Topologies.
Secure LAN Switching Layer 2 security Introduction Port-level controls
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management.
Switch Concepts and Configuration and Configuration Part II Advanced Computer Networks.
© 2006 Cisco Systems, Inc. All rights reserved.1 Microsoft Network Load Balancing Support Vivek V
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 10: DHCP Routing & Switching.
DHCP Security DHCP Snooping and Security David Mitchell 03/19/2008.
Network Infrastructure Configuration for MAB Port Configuration Interface fastethernet 0/1 description Trustsec:802.1X+MAB+MultiAuth switchport access.
Lecture2 Secured Network Design W.Lilakiatsakun.  ARP  Problems with ARP / Countermeasures  VLAN  Attacking on VLAN / Countermeasures Topics.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicBSCI Module 6 1 Basic Switch Concept Prepared by: Akhyari Nasir Resources form Internet.
CCNA 3 Week 9 VLAN Trunking. Copyright © 2005 University of Bolton Origins Dates back to radio and telephone Trunk carries multiple channels over a single.
© 2015 Mohamed Samir YouTube channel All rights reserved. Samir Part V: Monitoring Campus Networks.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
FIRST TC 2002 John Kristoff - DePaul University 1 Local Network Attacks John Kristoff DePaul University Chicago, IL
Enabling Port Security
CHAPTER 10 Voice Security. VoIP Security Requirements: Integrity: The recipient should receive the packets that the originator sends without and change.
Secure Wired Local Area Network( LAN ) By Sentuya Francis Derrick ID Module code:CT3P50N BSc Computer Networking London Metropolitan University.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 8 Virtual LANs Cisco Networking Academy.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Defense-in-Depth using Network Virtualization and Network Admission.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Basic Switch Configurations.
W&L Page 1 CCNA CCNA Training 2.7 Configure and verify trunking on Cisco switches Jose Luis Flores / Amel Walkinshaw Aug, 2015.
Chapter 6: Securing the Local Area Network
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against VLAN Attacks.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 9 VLAN Trunking Protocol Cisco Networking Academy.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Implement VTP LAN Switching and Wireless – Chapter 4.
Cisco 3 - Switch Perrine. J Page 12/4/2016 Chapter 9 Which protocol is Cisco proprietary and designed to carry traffic from multiple VLANs? A Q.
انجمن سیسکو به پارسی آشنایی با برخی حملات در لایه 2 آشنایی با برخی حملات در لایه 2 علیرضا.
CHAPTER 10: DHCP Routing & Switching. Objectives 10.0 Introduction 10.1 Dynamic Host Configuration Protocol v Dynamic Host Configuration Protocol.
Cisco Exam Questions IMPLEMENTING CISCO IOS NETWORK SECURITY (IINS V2.0) VERSION: Presents: 1.
CCNP Routing and Switching Exam Pass4sure.
© 2003, Cisco Systems, Inc. All rights reserved. 2-1 Understanding Switch Security.
© 2003, Cisco Systems, Inc. All rights reserved. 2-1 Understanding Switch Security.
1 © 2003, Cisco Systems, Inc. All rights reserved. VLAN Maps.
Cisco Implementing Cisco IP Switched Networks (SWITCH )
InterVLAN Routing 1. InterVLAN Routing 2. Multilayer Switching.
Instructor Materials Chapter 5: Network Security and Monitoring
Layer 2 Attacks and Security
Campus Network Security
حملات به شبکه های محلی و راه های مقابله
Chapter 2: Basic Switching Concepts and Configuration
Pass4itsure Cisco Dumps
Chapter 5: Network Security and Monitoring
2018 Huawei H Real Questions Killtest
Net 412 (Practical Part) LAB 5-port security
Sécurisation au niveau 2 pour certains matériels Cisco
Presentation transcript:

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against Spoofing Attacks

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-2 Cisco Catalyst Integrated Security Features

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-3 DHCP Spoofing Attacks  An attacker activates a DHCP server on the VLAN.  An attacker replies to a valid client DHCP request.  An attacker assigns IP configuration information that establishes a rogue device as client default gateway.  An attacker floods the DHCP server with requests.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-4 DHCP Messages

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-5 DHCP Snooping Protects Against Rogue and Malicious DHCP Servers  DHCP requests (discover) and responses (offer) are tracked.  Rate-limiting requests on untrusted interfaces limit DoS attacks on DHCP servers.  Deny responses (offers) on untrusted interfaces to stop malicious or errant DHCP servers.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-6 DHCP Snooping  DHCP snooping allows the configuration of ports as trusted or untrusted.  Untrusted ports cannot forward DHCP replies.  Configure DHCP trust on the uplinks to a DHCP server.  Do not configure DHCP trust on client ports.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-7 Configuring DHCP Snooping  Enable DHCP snooping globally.  Enable DHCP snooping on selected VLANs.  Configure trusted interfaces (untrusted is default).  Configure DHCP rate limit on untrusted interfaces. switch(config)# ip dhcp snooping switch(config)# ip dhcp snooping information option switch(config)# ip dhcp snooping vlan 10,20 switch(config)# interface fastethernet 0/1 switch(config-if)# description Access Port switch(config-if)# ip dhcp limit rate 50 switch(config)# interface fastethernet 0/24 switch(config-if)# description Uplink switch(config-if)# switchport mode trunk switch(config-if)# switchport trunk allowed vlan 10,20 switch(config-if)# ip dhcp snooping trust

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-8 Verifying DHCP Snooping switch# show ip dhcp snooping Switch DHCP snooping is enabled DHCP snooping is configured on following VLANs: 10,20 DHCP snooping is operational on following VLANs: 10,20 DHCP snooping is configured on the following L3 Interfaces: Insertion of option 82 is enabled circuit-id default format: vlan-mod-port remote-id: 001a.e372.ab00 (MAC) Option 82 on untrusted port is not allowed Verification of hwaddr field is enabled Verification of giaddr field is enabled DHCP snooping trust/rate is configured on the following Interfaces: Interface Trusted Allow option Rate limit (pps) FastEthernet0/1 no no 50 FastEthernet0/24 yes yes unlimited

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-9 ARP Poisoning

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-10 DAI Protection Against ARP Poisoning  Protects against ARP poisoning (ettercap, dsniff, or arpspoof)  Uses the DHCP snooping binding table  Tracks IP-to-MAC bindings from DHCP transactions  Drops gratuitous ARPs  Stops ARP poisoning and man-in-the-middle attacks  Rate-limits ARP requests from client ports; stops port scanning

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-11 About DAI  DAI associates each interface with a trusted state or an untrusted state.  Trusted interfaces bypass DAI.  Untrusted interfaces undergo DAI validation.  DHCP snooping is required to build a table with MAC-to-IP bindings for DAI validation.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-12 Configuring DAI  Enable DHCP snooping globally.  Enable DHCP snooping on selected VLANs.  Enable ARP inspection on selected VLANs.  Configure trusted interfaces (untrusted is default). switch(config)# ip dhcp snooping switch(config)# ip dhcp snooping vlan 10,20 switch(config)# ip arp inspection vlan 10,20 switch(config)# interface fastethernet 0/1 switch(config-if)# ip dhcp limit rate 50 switch(config)# interface fastethernet 0/24 switch(config-if)# description Uplink switch(config-if)# switchport mode trunk switch(config-if)# switchport trunk allowed vlan 10,20 switch(config-if)# ip dhcp snooping trust switch(config-if)# ip arp inspection trust

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-13 IP Source Guard Protection Against Spoofed IP Addresses  Protects against spoofed IP addresses  Uses the DHCP snooping binding table  Tracks IP addresses to port associations  Dynamically programs port ACLs to drop traffic not originating from an IP address assigned via DHCP

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-14 IP Source Guard  DHCP snooping must be configured to verify source IP addresses.  Port security with DHCP snooping allows verification of source IP and MAC addresses.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-15 Catalyst Integrated Security Configuration sw(config)# ip dhcp snooping sw(config)# ip dhcp snooping vlan 10,20 sw(config)# ip arp inspection vlan 10,20 sw(config)# interface fastethernet 0/1 sw(config-if)# description Access Port sw(config-if)# switchport mode access sw(config-if)# switchport access vlan 10 sw(config-if)# switchport port-security maximum 2 sw(config-if)# switchport port-security violation restrict sw(config-if)# switchport port-security sw(config-if)# ip dhcp limit rate 50 sw(config-if)# ip verify source port-security sw(config)# interface fastethernet 0/24 sw(config-if)# description Uplink sw(config-if)# switchport mode trunk sw(config-if)# switchport trunk allowed vlan 10,20 sw(config-if)# ip dhcp snooping trust sw(config-if)# ip arp inspection trust

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-16 Summary  DHCP spoofing attacks send unauthorized replies to DHCP queries.  DHCP snooping is used to counter a DHCP spoofing attack.  DHCP snooping is easily implemented on a Cisco Catalyst switch.  ARP spoofing can be used to redirect traffic to an unauthorized device on the network.  DAI in conjunction with DHCP snooping can be used to counter ARP spoofing attacks.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-17

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.