DHCP Security DHCP Snooping and Security David Mitchell 03/19/2008.

DHCP Snooping
- What is the danger
- How do we mitigate it
- How it works
- What NETS will need
- Futures

What is the danger
- The DHCP server on a subnet performs some tasks that matter from a security point of view.
- It defines the default route. A malicious server could intercept all traffic leaving the subnet by handing out the wrong default route.
- It defines the DNS server. A malicious server could redirect traffic to incorrect web sites.

How do we mitigate it
- Prevent every port on a subnet from being a valid source for DHCP server packets.
- Can be done with a simple VLAN Access List (VACL).
- Can also be done intelligently via DHCP Snooping.
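As an added example (not from the talk), the VACL approach on a Cisco IOS switch; VLAN 10 and the server address 10.10.0.5 are assumed. A VACL sees only the packet, not the port it arrived on, so it has to trust the legitimate server's source address, which is the weakness that per-port DHCP snooping removes.

```cisco
! Added example, not from the talk. Assumed: VLAN 10, legitimate DHCP server 10.10.0.5.
! Server-to-client DHCP traffic is UDP from port 67 (bootps) to port 68 (bootpc).
ip access-list extended LEGIT-DHCP-SERVER
 permit udp host 10.10.0.5 eq bootps any eq bootpc
ip access-list extended ANY-DHCP-SERVER
 permit udp any eq bootps any eq bootpc
!
! Entry 10: replies from the known server are forwarded.
vlan access-map BLOCK-ROGUE-DHCP 10
 match ip address LEGIT-DHCP-SERVER
 action forward
! Entry 20: server-style replies from anyone else in the VLAN are dropped.
vlan access-map BLOCK-ROGUE-DHCP 20
 match ip address ANY-DHCP-SERVER
 action drop
! Entry 30 has no match clause, so all other traffic in the VLAN is forwarded.
vlan access-map BLOCK-ROGUE-DHCP 30
 action forward
!
vlan filter BLOCK-ROGUE-DHCP vlan-list 10
```

If the server is reached through a DHCP relay on the gateway, replies arrive from the relay's address, so that address is the one to permit in LEGIT-DHCP-SERVER.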

Futures
- Once DHCP snooping is working and binding tables are up to date, the screws can be tightened.
- The switch can inspect all ARP responses to ensure that their contents match the DHCP lease for that port.
- (Some) switches can inspect all packets to ensure the source MAC and IP match the DHCP lease.

More Info
/dm-cisco-networkers notes/wednesday.html
Includes notes on layer 2 attacks and their mitigations.

How It Works
- The switch installs a VACL to intercept all DHCP packets and send them to the processor for interpretation.
- Snooping is enabled per-VLAN on each switch.
- Ports in a VLAN are defined as trusted or untrusted depending on whether or not they are allowed to act as a DHCP server.

How It Works Continued
- The switch tracks all DHCP requests and responses.
- It builds a table which defines which IP address and MAC binding is valid on each port.
- Optionally, it adds the switch name and port to DHCP requests so the DHCP server will have that information.

What NETS Will Need
- Primarily a list of which subnets are doing DHCP and which ports have DHCP servers connected to them.
- A list of which hosts are using static IP addresses.
  - NETS may be able to autogenerate this to some extent.
  - Increased usage of DHCP will reduce the need for this.
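An added configuration example (not from the talk or from NETS) that puts the two How It Works slides, the Futures slide and the static-host list above into a Cisco IOS access-switch configuration. VLAN 10, the interface names, the rate limit and the static host's MAC and IP are assumed values.

```cisco
! Added example, not from the talk. Assumed values: VLAN 10, uplink Gi1/0/48,
! access ports Gi1/0/1-47, a static host 10.10.0.50 / 0011.2233.4455 on Gi1/0/10.
!
! --- How It Works: intercept DHCP per VLAN, trust only the server-facing port ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Insert switch name and port (option 82) into requests relayed to the server.
ip dhcp snooping information option
! Keep the binding table across reloads so existing leases are not forgotten.
ip dhcp snooping database flash:dhcp-snooping.db
!
interface GigabitEthernet1/0/48
 description uplink toward the DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ! Untrusted by default: server replies (OFFER/ACK/NAK) arriving here are dropped.
 ! Cap client DHCP packets so one host cannot flood the switch CPU with requests.
 ip dhcp snooping limit rate 15
 ! --- Futures: source IP of every packet must match the lease recorded for this port ---
 ip verify source
!
! A port that exceeds the rate limit is err-disabled; recover it automatically.
errdisable recovery cause dhcp-rate-limit
!
! --- Futures: ARP replies must match the DHCP binding for the port (uses the snooping table) ---
ip arp inspection vlan 10
!
! --- What NETS will need: hosts with static addresses get a manual binding,
! otherwise ARP inspection and source verification block them ---
ip source binding 0011.2233.4455 vlan 10 10.10.0.50 interface GigabitEthernet1/0/10
!
! Verification: trusted ports, the binding table, and what inspection is dropping.
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip verify source
```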