Published by Bathsheba Fox. Modified over 9 years ago.
CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network

Slide 1: Minimizing Service Loss and Data Theft in a Switched Network (BCMSN Module 8 – Sec 2)
Slide 2: Module Outline
- Understanding Switch Security Issues
- Protecting against Attacks
- Protecting against Spoof Attacks
- Describing STP Security Mechanisms
- Preventing STP Forwarding Loops
- Securing Network Switches
Slide 3: Describing a DHCP Spoof Attack
The DHCP spoofing device replies to client DHCP requests. The legitimate server may reply as well, but if the spoofing device is on the same segment as the client, its reply may arrive at the client first. The intruder's DHCP reply offers an IP address and supporting information that designates the intruder as the default gateway or Domain Name System (DNS) server. In the case of a gateway, the clients forward packets to the attacking device, which in turn sends them on to the desired destination.
Slide 4: DHCP Spoof Attacks (message exchange shown on the slide)
- Client: "I need an IP address/mask, default gateway, and DNS server."
- Rogue server: "Here you go, I might be first!"
- Legitimate server: "Here you go."
- Client (to the rogue): "Got it, thanks!"
- Client (to the legitimate server): "Already got the info."
- All default gateway frames and DNS requests are now sent to the rogue.
- Rogue server: "I can now forward these on to my leader."
Slide 5: Describing DHCP Snooping
DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Trusted ports can source all DHCP messages, while untrusted ports can source requests only: an untrusted port should never send DHCP server responses such as DHCPOFFER, DHCPACK, or DHCPNAK. If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down.
Slide 6: DHCP Option 82
- Port-to-port DHCP broadcast isolation is achieved when the client ports are within a single VLAN.
- Figure: Client – Relay Agent (port #) – DHCP Server (port #)
- The relay agent uses this information to identify which port connects to the requesting client and avoids forwarding the reply to the entire VLAN.
Slide 7: DHCP Snooping Configuration
Switch(config)# ip dhcp snooping
    Enables DHCP snooping globally.
Switch(config)# ip dhcp snooping vlan number [number]
    Enables DHCP snooping on your VLANs.
Switch(config-if)# ip dhcp snooping trust
    Configures a trusted interface.
Switch(config-if)# ip dhcp snooping limit rate [rate]
    Limits the number of DHCP packets per second accepted on a port.
Switch(config)# ip dhcp snooping information option
    Enables DHCP Option 82 data insertion.
Slide 8: Verifying DHCP Snooping
Slide 9: IP Source Guard
- Supported only on Layer 2 ports, including both access and trunk ports.
- Provides IP traffic security filtering on each untrusted Layer 2 port.
- Source IP address filter: only IP traffic with a source IP address that matches the IP source binding entry is permitted.
- Source IP and MAC address filter: only IP traffic with source IP and MAC addresses matching the IP source binding entry is permitted.
Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface interface-id
    Adds a static IP source binding entry for a host on an interface.
Slide 10: ARP Spoofing
The ARP reply from the attacker causes the sender to store the MAC address of the attacking system in its ARP cache. All packets destined for those IP addresses are then forwarded through the attacker's system.
Slide 11: Dynamic ARP Inspection (DAI)
To prevent ARP spoofing:
- DAI prevents these attacks by intercepting and validating all ARP requests and responses.
- Each intercepted ARP reply is verified for valid MAC-address-to-IP-address bindings before it is forwarded to a PC to update the ARP cache.
- ARP replies coming from invalid devices are dropped.
DAI determines the validity of an ARP packet based on the valid MAC-address-to-IP-address bindings database built by DHCP snooping.
Slide 12: Dynamic ARP Inspection Configuration
Switch(config)# ip arp inspection vlan vlan_id[,vlan_id]
    Enables DAI on a VLAN or range of VLANs.
Switch(config-if)# ip arp inspection trust
    Sets the interface as a trusted interface, exempting it from DAI validation.
Switch(config-if)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
    Configures DAI to perform additional checks on the source MAC, destination MAC, or IP addresses and drop ARP packets whose addresses are invalid.
Slide 13: Protecting Against ARP Spoofing Attacks
To mitigate the chances of ARP spoofing:
Step 1: Implement protection against DHCP spoofing.
Step 2: Enable dynamic ARP inspection.
Slide 14: Configuring Dynamic ARP Inspection
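The DHCP snooping, IP Source Guard and DAI slides above describe one chain of checks built on the snooping binding table; the Python below is an added example (not code from the course or from Cisco) that models that chain on a single switch. Port names, MAC and IP addresses are constructed sample values, and a simplified per-port binding table stands in for the real DHCP snooping database.

```python
# Added example (not from the CCNP slides): a minimal model of how the DHCP snooping
# binding table feeds IP Source Guard and Dynamic ARP Inspection on one switch.
# Port names, MAC addresses and IP addresses are constructed sample values.
from dataclasses import dataclass, field
from ipaddress import ip_address

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}  # only trusted ports may source these

@dataclass
class Switch:
    trusted: set = field(default_factory=set)      # uplink / DHCP-server-facing ports
    bindings: dict = field(default_factory=dict)   # untrusted port -> (client MAC, leased IP)
    errdisabled: set = field(default_factory=set)  # ports shut down for sourcing a rogue reply

    def dhcp_message(self, ingress, msg, client_port=None, client_mac=None, leased_ip=None):
        """DHCP snooping: server replies are accepted only from trusted ports."""
        if msg in SERVER_MSGS and ingress not in self.trusted:
            self.errdisabled.add(ingress)          # rogue DHCP server on an untrusted port
            return "drop"
        if msg == "DHCPACK":                       # lease confirmed: learn the client's binding
            self.bindings[client_port] = (client_mac, leased_ip)
        return "forward"

    def ip_packet(self, ingress, src_mac, src_ip):
        """IP Source Guard: an untrusted port may only source traffic matching its binding."""
        if ingress in self.trusted or self.bindings.get(ingress) == (src_mac, src_ip):
            return "forward"
        return "drop"

    def arp_reply(self, ingress, eth_src, eth_dst, sender_mac, sender_ip,
                  target_mac, target_ip, validate=()):
        """DAI: sender MAC/IP must be a snooping binding; validate adds src-mac/dst-mac/ip checks."""
        if ingress in self.trusted:
            return "forward"
        if (sender_mac, sender_ip) not in self.bindings.values():
            return "drop"                          # spoofed reply: binding unknown
        if "src-mac" in validate and eth_src != sender_mac:
            return "drop"                          # Ethernet source disagrees with ARP sender MAC
        if "dst-mac" in validate and eth_dst != target_mac:
            return "drop"                          # Ethernet destination disagrees with ARP target MAC
        if "ip" in validate:
            for addr in (sender_ip, target_ip):
                a = ip_address(addr)
                if a.is_unspecified or a.is_multicast or addr == "255.255.255.255":
                    return "drop"                  # invalid/unexpected address in an ARP body
        return "forward"
```

Note that a rogue DHCPOFFER on an untrusted port both gets dropped and err-disables the port, which is why Step 1 of the mitigation (DHCP snooping) must be in place before DAI has a trustworthy binding table to consult.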