Title: Minimizing Service Loss and Data Theft in a Switched
2. Understanding Switch Security Issues
- Protecting against Attacks
- Protecting against Spoof Attacks
- Describing STP Security Mechanism
- Preventing STP Forwarding Loops
- Securing Network Switches
3. Describing a DHCP Spoof Attack
- DHCP spoofing ??? client? DHCP requests? ??.
- ???? ??? ??? ????, ?? spoofing ??? ?????? ?? ????? ???, ? ???? ??? ?? ?????? ??? ???.
- ???? DHCP ??? ???? ??? ????? ?? DNS ??? ???? IP ??? ????? ????.
- ?? ???? ?????? ??? ??, ?????? ??? ??????? ???? ??? ???? ??? ????.
4. DHCP Spoof Attacks
Diagram speech bubbles (client, rogue DHCP server, legitimate DHCP server):
- Client: I need an IP address/mask, default gateway, and DNS server.
- Rogue: Here you go, I might be first!
- Client: Got it, thanks!
- Rogue: I can now forward these on to my leader.
- Legitimate: Here you go.
- Client: Already got the info.
Result: all default gateway frames and DNS requests are sent to the rogue server.
5. Describing DHCP Snooping
- ??? Catalyst ???? ?? ??? ??? DHCP ??? ??? ? ???? ???? ??? ????.
- Trusted ??? ?? DHCP ???? ?? ? ??.
- Untrusted ??? ?? ??? ? ?? ? ??. ??? DHCPOFFER, DHCPACK, ?? DHCPNAK ?? DHCP ?? ?? ???? ???? ???.
- ?? untrusted ??? ?? ???? ??? DHCP ?? ??? ???, ? ??? ???(shut down).
6. DHCP Option 82
- ????? ??? DHCP ??? ??? ?? VLAN ?? ?? ? Port-to-port DHCP ??? ??? ??? ??? ??.
- ????? ?? ????
- Client Agent (port ) ?? DHCP Server (port )
- ?? ???(relay agent)? ?? ??? ???? ?????? ???? ?? ?? ???? ?? ? ??(????)? ????. ??? VLAN ??? ??? ??? ?? ?? ? ??.
7. DHCP Snooping
Switch(config)# ip dhcp snooping
- Enables DHCP snooping globally
Switch(config)# ip dhcp snooping information option
- Enables DHCP Option 82 data insertion
Switch(config-if)# ip dhcp snooping trust
- Configures a trusted interface
Switch(config-if)# ip dhcp snooping limit rate <rate>
- Number of DHCP packets per second accepted on the port (interface configuration mode)
Switch(config)# ip dhcp snooping vlan <number> [number]
- Enables DHCP snooping on your VLANs
8. Verifying DHCP Snooping
9. IP Source Guard
- ??? ??? ??? ??? ????, ?? 2 ?? ? ????.
- ? untrusted ?? 2 ??? ??, IP ??? ??? ?? ??.
- Source IP address filter ?? IP ??? ??(IP source binding) ??? ???? ??? IP ??? ?? IP ??? ? ????.
- Switch(config)# ip source binding <mac-address> vlan <vlan-id> <ip-address> interface <interface-id>
- Source IP and MAC address filter ?? IP ??? ??(IP source binding) ??? ???? ??? IP ??? MAC ??? ?? IP ??? ? ????.
10. ARP Spoofing
- ???? ??? ARP ??? ?? ???? MAC ??? ???(ARP ?? ??? ???)? ??? ARP ??? ????? ??.
- ?? ??(ARP ??? IP ??)? ??? ?? ??? ?? ???? ??? ??? ???.
11. Dynamic ARP Inspection (DAI)
- ARP spoofing ??? ???? ???
- DAI? ?? ARP ?? ? ?? ??? ???? ?????? ?? ??? ?? ? ??.
- ? ??? ARP ??? ARP ??? ????? PC? ?? ?? ?? ?? MAC ??-IP ?? ??? ????.
- ???? ?? ????? ?? ARP ??? ????.
- DAI? DHCP snooping? ??? ??? ??? MAC ??-IP ?? ?? ??? ???? ???? ARP ??? ???? ????.
12. Dynamic ARP Inspection
Switch(config)# ip arp inspection vlan <vlan-id>,<vlan-id>
- Enables DAI on a VLAN or range of VLANs
Switch(config-if)# ip arp inspection trust
- Enables DAI on an interface and sets the interface as a trusted interface
Switch(config)# ip arp inspection validate src-mac dst-mac ip
- Configures DAI to drop ARP packets whose source MAC, destination MAC, or IP addresses are invalid
13. Protecting Against ARP Spoofing Attacks
- ARP spoofing? ??? ???? ???
- STEP 1: DHCP Spoofing? ??? ??? ????.
- STEP 2: Dynamic ARP Inspection? ?????.
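The slides on DHCP snooping (5 and 7), IP Source Guard (9) and Dynamic ARP Inspection (11 and 12) all revolve around one data structure: the DHCP snooping binding table, which DAI and IP Source Guard consult to decide whether a frame from an untrusted port may be forwarded. The following Python model is an added example, not code from the slide deck or from Cisco, that shows how the three features work together in the two-step order of slide 13. Port names, MAC addresses, IP addresses and the rate limit are constructed values; the model checks the `src-mac` and `ip` DAI validations and the per-port DHCP rate limit, but not Option 82 or the `dst-mac` check.

```python
"""Model of DHCP snooping, IP Source Guard and Dynamic ARP Inspection on one switch.
Added example with constructed data; it is not the switch's real implementation."""
from collections import defaultdict
from dataclasses import dataclass

# DHCP messages that only a server sends; from an untrusted port they mean a rogue server.
DHCP_SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping binding table (MAC, IP, VLAN, port)."""
    mac: str
    ip: str
    vlan: int
    port: str


class Switch:
    def __init__(self, trusted_ports, dhcp_rate_limit=None):
        self.trusted = set(trusted_ports)          # uplink/server-facing ports
        self.dhcp_rate_limit = dhcp_rate_limit     # DHCP packets/second per untrusted port
        self.bindings = {}                         # (vlan, mac) -> Binding
        self.pending = {}                          # (vlan, mac) -> client port awaiting DHCPACK
        self.err_disabled = set()
        self.dhcp_counter = defaultdict(int)       # (port, second) -> DHCP packets seen

    # --- Step 1: DHCP snooping (builds the binding table) --------------------
    def dhcp(self, port, vlan, msg, client_mac, yiaddr=None, second=0):
        """Apply DHCP snooping; return 'forward', 'drop' or 'err-disable'."""
        if port in self.err_disabled:
            return "drop"
        if port in self.trusted:
            # Server replies are believed only from trusted ports. A DHCPACK answering a
            # request seen earlier on an untrusted port creates the binding for that port.
            if msg == "DHCPACK" and (vlan, client_mac) in self.pending:
                client_port = self.pending.pop((vlan, client_mac))
                self.bindings[(vlan, client_mac)] = Binding(client_mac, yiaddr, vlan, client_port)
            return "forward"
        # Untrusted port: enforce the per-port rate limit (ip dhcp snooping limit rate)
        self.dhcp_counter[(port, second)] += 1
        if self.dhcp_rate_limit is not None and self.dhcp_counter[(port, second)] > self.dhcp_rate_limit:
            self.err_disabled.add(port)            # port is shut down (err-disabled)
            return "err-disable"
        if msg in DHCP_SERVER_MESSAGES:
            return "drop"                          # rogue DHCP server on an access port
        self.pending[(vlan, client_mac)] = port    # DHCPDISCOVER / DHCPREQUEST from a client
        return "forward"

    # --- Step 2: Dynamic ARP Inspection (consults the binding table) ---------
    def arp(self, port, vlan, eth_src_mac, sender_mac, sender_ip):
        """Apply DAI with 'validate src-mac ip'; return 'forward' or 'drop'."""
        if port in self.trusted:
            return "forward"
        if eth_src_mac != sender_mac:              # src-mac: Ethernet source must match ARP sender
            return "drop"
        b = self.bindings.get((vlan, sender_mac))
        if b is None or b.ip != sender_ip or b.port != port:
            return "drop"                          # MAC-IP pair was not learned on this port
        return "forward"

    # --- IP Source Guard (also consults the binding table) -------------------
    def ip(self, port, vlan, src_mac, src_ip, filter_mac=True):
        """Apply IP Source Guard on an untrusted port; filter_mac selects the IP+MAC filter."""
        if port in self.trusted:
            return "forward"
        for b in self.bindings.values():
            if b.vlan == vlan and b.port == port and b.ip == src_ip and (not filter_mac or b.mac == src_mac):
                return "forward"
        return "drop"


def demo():
    """Constructed scenario: client on Gi0/1, rogue host on Gi0/2, trusted uplink Gi0/24."""
    sw = Switch(trusted_ports={"Gi0/24"}, dhcp_rate_limit=2)
    client, rogue = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    out = {}
    out["discover"] = sw.dhcp("Gi0/1", 10, "DHCPDISCOVER", client)
    out["rogue_offer"] = sw.dhcp("Gi0/2", 10, "DHCPOFFER", client)              # dropped
    out["real_ack"] = sw.dhcp("Gi0/24", 10, "DHCPACK", client, yiaddr="10.0.0.11")
    out["arp_ok"] = sw.arp("Gi0/1", 10, client, client, "10.0.0.11")
    out["arp_spoof_gw"] = sw.arp("Gi0/2", 10, rogue, rogue, "10.0.0.1")          # no binding
    out["ip_ok"] = sw.ip("Gi0/1", 10, client, "10.0.0.11")
    out["ip_forged"] = sw.ip("Gi0/1", 10, client, "10.0.0.99")                  # forged source
    sw.dhcp("Gi0/2", 10, "DHCPDISCOVER", rogue, second=5)
    sw.dhcp("Gi0/2", 10, "DHCPDISCOVER", rogue, second=5)
    out["flood"] = sw.dhcp("Gi0/2", 10, "DHCPDISCOVER", rogue, second=5)         # third in one second
    out["bindings"] = sorted((b.ip, b.mac, b.port) for b in sw.bindings.values())
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The order matters: if DAI were enabled before the binding table had been populated by DHCP snooping, every ARP packet from an untrusted port would be dropped, which is why slide 13 puts DHCP snooping first.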