Minimizing Service Loss and Data Theft in a Switched - PowerPoint PPT Presentation

1 / 14

About This Presentation

Title:

Minimizing Service Loss and Data Theft in a Switched

Description:

Title: PowerPoint Presentation Created Date: 7/27/2003 5:48:43 PM Document presentation format: (4:3) Company: Cabrillo College – PowerPoint PPT presentation

Number of Views:59

Avg rating:3.0/5.0

Slides: 15

Provided by: kowonDon2

Category:

more less

Transcript and Presenter's Notes

Title: Minimizing Service Loss and Data Theft in a Switched

1
Minimizing Service Loss and Data Theft in a
Switched

BCMSN Module 8 Sec 2

2
Understanding Switch Security IssuesProtecting
against AttacksProtecting against Spoof
AttacksDescribing STP Security
MechanismPreventing STP Forwarding
LoopsSecuring Network Switches
3
Describing a DHCP Spoof Attack

The DHCP spoofing device replies to client DHCP
requests.
The legitimate server may reply as well, but if
the spoofing device is on the same segment as the
client, its reply to the client may arrive first.
The intruders DHCP reply offers an IP address
and supporting information that designates the
intruder as the default gateway or Domain Name
System (DNS) server.
In the case of a gateway, the clients forward
packets to the attacking device, which in turn
sends them to the desired destination

4
DHCP Spoof Attacks
Here you go, I might be first! (Rouge)
I need an IP address/mask, default gateway, and
DNS server.
I can now forward these on to my leader. (Rouge)
Got it, thanks!
Already got the info.
Here you go. (Legitimate)
All default gateway frames and DNS requests sent
to Rogue.
5
Describing DHCP Snooping

Cisco Catalyst feature that determines which
switch ports can respond to DHCP requests.
Trusted ports can source all DHCP messages,
while untrusted ports can source requests only.
should not send any DHCP server responses, such
as DHCPOFFER, DHCPACK, or DHCPNAK
If a rogue device on an untrusted port attempts
to send a DHCP response packet into the network,
the port is shut down.

6
DHCP Option 82

DHCP Option 82
port-to-port DHCP broadcast isolation is achieved
when the client ports are within a single VLAN.
Client Agent (port ) ?? DHCP Server (port )
The relay agent uses this information to identify
which port connects to the requesting client and
avoids forwarding the reply to the entire VLAN.

7
DHCP Snooping
Switch(config) ip dhcp snooping

Enables DHCP snooping globally

Switch(config) ip dhcp snooping
information option

Enables DHCP Option 82 data insertion

Switch(config-if) ip dhcp snooping trust

Configures a trusted interface

Switch(config) ip dhcp snooping limit rate rate

Number of packets per second accepted on a port

Switch(config) ip dhcp snooping
vlan number number

Enables DHCP snooping on your VLANs

8
Verifying DHCP Snooping
9
IP Source Guard

Supports only the Layer 2 ports, including both
access and trunk.
For each untrusted Layer 2 port, IP traffic
security filtering.
Source IP address filter Only IP traffic with a
source IP address that matches the IP source
binding entry is permitted.
Switch(config)ip source binding ip-addr ip vlan
number interface interface
Source IP and MAC address filter Only IP traffic
with source IP and MAC addresses matching the IP
source binding entry are permitted.

10
ARP Spoofing

The ARP reply from the attacker causes the sender
to store the MAC address of the attacking system
in its ARP cache.
All packets destined for those IP addresses will
be forwarded through the attacker system.

11
Dynamic ARP Inspection (DAI)

To prevent ARP spoofing
DAI prevents these attacks by intercepting and
validating all ARP requests and responses.
Each intercepted ARP reply is verified for valid
MAC addresstoIP address bindings before it is
forwarded to a PC to update the ARP cache.
ARP replies coming from invalid devices are
dropped.
DAI determines the validity of an ARP packet
based on valid MAC address-to-IP-address bindings
database built by DHCP snooping.

12
Dynamic ARP Inspection
Switch(config)ip arp inspection vlan
vlan_id,vlan_id