SlideShare a Scribd company logo

Security Concerns in LANs.pptx

Download as PPTX, PDF
J
joko

Network Security

Technology
1 of 33
Security Concerns in LANs Enterprise Networking, Security, and Automation v7.0 (ENSA)
Switch Vulnerabilities  Switches are vulnerable to a variety of attacks including:  Password attacks  DoS attacks  CDP attacks  MAC address flooding  DHCP attacks  To mitigate against these attacks:  Disable unused ports  Disable CDP  Configure Port Security  Configure DHCP snooping 2
Disable Unused Ports and Assign to an Unused (Garbage) VLAN S1(config)#int range fa0/20 – 24 S1(config-if-range)# switchport access vlan 100 S1(config-if-range)# shutdown %LINK-5-CHANGED: Interface FastEthernet0/20, changed state to administratively down %LINK-5-CHANGED: Interface FastEthernet0/21, changed state to administratively down %LINK-5-CHANGED: Interface FastEthernet0/22, changed state to administratively down %LINK-5-CHANGED: Interface FastEthernet0/23, changed state to administratively down %LINK-5-CHANGED: Interface FastEthernet0/24, changed state to administratively down S1(config-if-range)# 4
Leveraging the Cisco Discovery Protocol  The Cisco Discovery Protocol is a Layer 2 Cisco proprietary protocol used to discover other directly connected Cisco devices.  It is designed to allow the devices to autoconfigure their connections.  If an attacker is listening to Cisco Discovery Protocol messages, it could learn important information, such as the device model or the running software version. 5
Leveraging the Cisco Discovery Protocol  Cisco recommends disabling CDP when it is not in use. Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE, RELEASE SOFTWARE (fc1)… 6
Disabling CDP S1(config)# no cdp run S1(config)# S1(config)# interface range fa0/1 – 24 S1(config-if-range)# no cdp enable S1(config-if-range)#exit S1(config)# 7
Layer 2 Switching Packet Tracer Topology In this scenario, the switch has just rebooted. Verify the content of the MAC address table. 192.168.1.0 /24 .10 .11 .12 .13 000a.f38e.74b3 00d0.ba07.8499 0090.0c23.ceca 0001.9717.22e0 F0/1 F0/3 F0/2 F0/4 Sw1# show mac-address-table Mac Address Table ------------------------------------------- Vlan Mac Address Type Ports ---- ----------- -------- ----- Sw1# 8
Layer 2 Switching PC-A pings PC-B. 192.168.1.0 /24 .12 .13 0090.0c23.ceca 0001.9717.22e0 F0/1 F0/3 F0/2 F0/4 PC-A> ping 192.168.1.11 Pinging 192.168.1.11 with 32 bytes of data: Reply from 192.168.1.11: bytes=32 time=62ms TTL=128 Reply from 192.168.1.11: bytes=32 time=62ms TTL=128 Reply from 192.168.1.11: bytes=32 time=63ms TTL=128 Reply from 192.168.1.11: bytes=32 time=63ms TTL=128 Ping statistics for 192.168.1.11: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 62ms, Maximum = 63ms, Average = 62ms PC-A> 9 .10 .11 00d0.ba07.8499 000a.f38e.74b3
Layer 2 Switching Sw1# show mac-address-table Mac Address Table ------------------------------------------- Vlan Mac Address Type Ports ---- ----------- -------- ----- 1 000a.f38e.74b3 DYNAMIC Fa0/1 1 00d0.ba07.8499 DYNAMIC Fa0/2 Sw1# 10 192.168.1.0 /24 .12 .13 0090.0c23.ceca 0001.9717.22e0 F0/1 F0/3 F0/2 F0/4 .10 .11 00d0.ba07.8499 000a.f38e.74b3
Unicast Flooding 11 Unicast Mac Address Table Port MAC Address Mac Address Table 1.Learn – Examine Source MAC address In table: Reset 5 min timer Not in table: Add Source MAC address and port # to table 2.Forward – Examine Destination MAC address In table: Forward out that port. Not in table: Flood out all ports except incoming port. AAAA BBBB AAAA BBBB Not in table Unknown Unicast 1 2
12 MAC Flood Attack  If the attack is launched before the beginning of the day, the CAM table would be full as the majority of devices are powered on.  If the initial, malicious flood of invalid CAM table entries is a one-time event:  Can generate 155,000 MAC entries per minute  “Typical” switch can store 4,000 to 8,000 MAC entries  Eventually, the switch will age out older, invalid CAM table entries  New, legitimate devices will be able to create an entry in the CAM  Traffic flooding will cease  Intruder may never be detected (network seems normal).
Unicast Flooding 13 Unicast Mac Address Table Port MAC Address Mac Address Table 1.Learn – Examine Source MAC address In table: Reset 5 min timer Not in table: Add Source MAC address and port # to table 2.Forward – Examine Destination MAC address In table: Forward out that port. Not in table: Flood out all ports except incoming port. AAAA BBBB AAAA BBBB Not in table or table is full Unknown Unicast 1 2
Configure Port Security  Port security allows an administrator to limit the number of MAC addresses learned on a port.  If this is exceeded, a switch action can be configured.  Configure each access port to accept 1 MAC address only or a small group of MAC addresses.  Frames from any other MAC addresses are not forwarded.  By default, the port will shut down if the wrong device connects.  It has to be brought up again manually. 1 1 1 1 14
Configuring Port Security  Use the switchport port-security interface command to enable port security on a port.  It is used to:  Set a maximum number of MAC addresses.  Define violation actions.  MAC address(es) can be learned dynamically, entered manually, or learned and retained dynamically.  Set the aging time for dynamic and static secure address entries.  To verify port security status: show port-security switchport port-security [max value] [violation {protect | restrict | shutdown}] [mac-address mac-address [sticky]] [aging time value] Switch(config-if)# 15
Port Security: Secure MAC Addresses  The switch supports these types of secure MAC addresses:  Static  Configured using switchport port-security mac-address mac-address  Stored in the address table  Added to running configuration.  Dynamic  These are dynamically configured  Stored only in the address table  Removed when the switch restarts  Sticky  These are dynamically configured  Stored in the address table  Added to the running configuration.  If running-config saved to startup-config, when the switch restarts, the interface does not need to dynamically reconfigure them.  Note: When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. The interface adds all the sticky secure MAC addresses to the running configuration. 16
Port Security: Steps 17
Port Security Defaults  Secure MAC addresses can be configured as follows:  Dynamically (learned but not retained after a reboot)  Statically (prone to errors)  Sticky (learned dynamically and retained) Feature Default setting Port Security Disabled on a port Maximum # of Secure MAC Addresses 1 Violation Shutdown • The port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent. Sticky Address Learning Disabled 18
Dynamic Secure MAC address  Learned dynamically  S1(config-if)# switchport mode access  S1(config-if)# switchport port-security  By default, only 1 address is learned.  Put in MAC address table  Not shown in running configuration  It is not saved or in the configuration when switch restarts. 19
Static Secure MAC address  Static secure MAC address is manually configured in interface config mode S1(config-if)# switchport mode access S1(config-if)# switchport port-security mac-address 000c.7259.0a63  MAC address is stored in MAC address table  Shows in the running configuration  Can be saved with the configuration. 20
Sticky Secure MAC address  Dynamically learned and can be retained.  S1(config-if)# switchport mode access  S1(config-if)# switchport port-security mac-address sticky  You can choose how many can be learned (default 1).  Added to the running configuration  Saved only if you save running configuration.  Note:  When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.  The interface adds all the sticky secure MAC addresses to the running configuration. 21
22 interface FastEthernet0/2 switchport mode access  Sets the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port. switchport port-security  Enables port security on the interface switchport port-security maximum 6  (Optional) Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 132; the default is 1. switchport port-security aging time 5  Learned addresses are not aged out by default but can be with this command. Value from 1 to 1024 in minutes. switchport port-security mac-address 0000.0000.000b  (Optional) Enter a static secure MAC address for the interface, repeating the command as many times as necessary. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned. switchport port-security mac-address sticky  (Optional) Enable stick learning on the interface. switchport port-security violation shutdown  (Optional) Set the violation mode, the action to be taken when a security violation is detected. (Next) NOTE: switchport host command will disable channeling, and enable access/portfast Switch(config-if)# switchport host switchport mode will be set to access spanning-tree portfast will be enabled channel group will be disabled
Port Security: Steps 23
Port Security: Maximum of 1  The secure MAC addresses are stored in an address table.  Setting a maximum number of addresses to 1 and configuring the MAC address of an attached device ensures that the device has the full bandwidth of the port. Switch(config-if)# switchport port-security maximum 1 24
Port Security: Static Addresses  Restricts input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port.  The port does not forward packets with source addresses outside the group of defined addresses. Switch(config)# interface fa 0/1 Switch(config-if)# switchport mode access Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security maximum 3 Switch(config-if)# switchport port-security mac-address 0000.0000.000a Switch(config-if)# switchport port-security mac-address 0000.0000.000b Switch(config-if)# switchport port-security mac-address 0000.0000.000c X 25
26 Port Security: Violation  Station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.
Port Security: Violation  By default, if the maximum number of connections is achieved and a new MAC address attempts to access the port, the switch must take one of the following actions:  Protect: Frames from the nonallowed address are dropped, but there is no log of the violation.  Restrict: Frames from the nonallowed address are dropped, a log message is created and Simple Network Management Protocol (SNMP) trap sent.  Shut down: If any frames are seen from a nonallowed address, the interface is errdisabled, a log entry is made, SNMP trap sent and manual intervention (no shutdown) or errdisable recovery must be used to make the interface usable. Switch(config-if)#switchport port-security violation {protect | restrict | shutdown} 27
DHCP Attacks  DHCP is a network protocol used to automatically assign IP information.  Two types of DHCP attacks are:  DHCP spoofing: A fake DHCP server is placed in the network to issue DHCP addresses to clients.  DHCP starvation: DHCP starvation is often used before a DHCP spoofing attack to deny service to the legitimate DHCP server. 28
DHCP Review 29
DHCP Spoof Attacks “I need an IP address/mask, default gateway, and DNS server.” “Here you go, I might be first!” (Rouge) “Here you go.” (Legitimate) “Got it, thanks!” “Already got the info.” All default gateway frames and DNS requests sent to Rogue. “I can now forward these on to my leader.” (Rouge) 30
Solution: Configure DHCP Snooping  DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests.  Ports are identified as trusted and untrusted.  Trusted ports: Host a DHCP server or can be an uplink toward the DHCP server and can source all DHCP messages, including DHCP offer and DHCP acknowledgement packets  Untrusted ports: Can source requests only. 31
DHCP Snooping S1(config)# ip dhcp snooping S1(config)# ip dhcp snooping vlan 10,20 S1(config)# interface gig 0/1 S1(config-if)# ip dhcp snooping trust S1(config)# interface fa 0/0 S1(config-if)# ip dhcp snooping limit rate 100 Fa0/0 Gig0/1 By default all interfaces are untrusted. Fa0/0 S1 32
DHCP Snooping “I need an IP address/mask, default gateway, and DNS server.” “Here you go, I might be first!” (Rouge) “Here you go.” (Legitimate) Switch: This is an untrusted port, I will block this DHCP Offer” “Thanks, got it.” Switch: This is a trusted port, I will allow this DHCP Offer” 33
Security Concerns in LANs.pptx

Recommended

Cap2 configuring switch
Cap2 configuring switchCap2 configuring switch
Cap2 configuring switchHector Camba Lainez
 
Switch security
Switch securitySwitch security
Switch securitynullowaspmumbai
 
Cisco Switch How To - Secure a Switch Port
Cisco Switch How To - Secure a Switch PortCisco Switch How To - Secure a Switch Port
Cisco Switch How To - Secure a Switch PortIPMAX s.r.l.
 
SRWE_Module_11.pptx
SRWE_Module_11.pptxSRWE_Module_11.pptx
SRWE_Module_11.pptxJosimar Caitano
 
Ch6
Ch6Ch6
Ch6scary5800
 
How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...
How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...
How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...INFitunes
 
Network Security- port security.pptx
Network Security- port security.pptxNetwork Security- port security.pptx
Network Security- port security.pptxSulSya
 
Configuring dynamic switchport security
Configuring dynamic switchport securityConfiguring dynamic switchport security
Configuring dynamic switchport securityIT Tech
 

Recommended

Cap2 configuring switch
Cap2 configuring switchCap2 configuring switch
Cap2 configuring switchHector Camba Lainez
 
Switch security
Switch securitySwitch security
Switch securitynullowaspmumbai
 
Cisco Switch How To - Secure a Switch Port
Cisco Switch How To - Secure a Switch PortCisco Switch How To - Secure a Switch Port
Cisco Switch How To - Secure a Switch PortIPMAX s.r.l.
 
SRWE_Module_11.pptx
SRWE_Module_11.pptxSRWE_Module_11.pptx
SRWE_Module_11.pptxJosimar Caitano
 
Ch6
Ch6Ch6
Ch6scary5800
 
How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...
How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...
How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...INFitunes
 
Network Security- port security.pptx
Network Security- port security.pptxNetwork Security- port security.pptx
Network Security- port security.pptxSulSya
 
Configuring dynamic switchport security
Configuring dynamic switchport securityConfiguring dynamic switchport security
Configuring dynamic switchport securityIT Tech
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacksdkaya
 
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and ConfigurationLAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and ConfigurationAbdelkhalik Mosa
 
Switchport port security explained with examples
Switchport port security explained with examplesSwitchport port security explained with examples
Switchport port security explained with examplesteameassefa
 
1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) 1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) Mohmed Abou Elenein Attia
 
CCNA Lab 2-Configuring a Switch Part II
CCNA Lab 2-Configuring a Switch Part IICCNA Lab 2-Configuring a Switch Part II
CCNA Lab 2-Configuring a Switch Part IIAmir Jafari
 
2.2.4.9 packet tracer configuring switch port security instructions - ig
2.2.4.9 packet tracer configuring switch port security instructions - ig2.2.4.9 packet tracer configuring switch port security instructions - ig
2.2.4.9 packet tracer configuring switch port security instructions - igAlex Ramirez
 
Chapter 14 - Sw Conf
Chapter 14 - Sw ConfChapter 14 - Sw Conf
Chapter 14 - Sw Confphanleson
 
Ccna 3 chapter 2 v4.0 answers 2011
Ccna 3 chapter 2 v4.0 answers 2011Ccna 3 chapter 2 v4.0 answers 2011
Ccna 3 chapter 2 v4.0 answers 2011Dân Chơi
 
CCNA Security 07-Securing the local area network
CCNA Security 07-Securing the local area networkCCNA Security 07-Securing the local area network
CCNA Security 07-Securing the local area networkAhmed Habib
 
Attack.pptx
Attack.pptxAttack.pptx
Attack.pptxISMT College
 
LAYER2_
LAYER2_LAYER2_
LAYER2_Nishad Dadhaniya
 
VLAN
VLANVLAN
VLANAnuj Kumar
 
Cisco Switch Security
Cisco Switch SecurityCisco Switch Security
Cisco Switch Securitydkaya
 
Cisco CCNA Port Security
Cisco CCNA Port SecurityCisco CCNA Port Security
Cisco CCNA Port SecurityHamed Moghaddam
 
Day 13.1..1 catalyst switch
Day 13.1..1 catalyst switchDay 13.1..1 catalyst switch
Day 13.1..1 catalyst switchCYBERINTELLIGENTS
 
Webinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LANWebinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LANNetgear Italia
 
Cisco systems hacking layer 2 ethernet switches
Cisco systems hacking layer 2 ethernet switchesCisco systems hacking layer 2 ethernet switches
Cisco systems hacking layer 2 ethernet switchesKJ Savaliya
 
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.Sumutiu Marius
 
Hướng dẫn cài đặt switch planet layer 3
Hướng dẫn cài đặt switch planet layer 3Hướng dẫn cài đặt switch planet layer 3
Hướng dẫn cài đặt switch planet layer 33c telecom
 
Hacking L2 Switches
Hacking L2 SwitchesHacking L2 Switches
Hacking L2 SwitchesNavaneetha Sankar
 
manajemen-jaringan.ppt
manajemen-jaringan.pptmanajemen-jaringan.ppt
manajemen-jaringan.pptjoko
 
Latihan soal
Latihan soalLatihan soal
Latihan soaljoko
 

More Related Content

Similar to Security Concerns in LANs.pptx

Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacksdkaya
 
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and ConfigurationLAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and ConfigurationAbdelkhalik Mosa
 
Switchport port security explained with examples
Switchport port security explained with examplesSwitchport port security explained with examples
Switchport port security explained with examplesteameassefa
 
CCNA Lab 2-Configuring a Switch Part II
CCNA Lab 2-Configuring a Switch Part IICCNA Lab 2-Configuring a Switch Part II
CCNA Lab 2-Configuring a Switch Part IIAmir Jafari
 
2.2.4.9 packet tracer configuring switch port security instructions - ig
2.2.4.9 packet tracer configuring switch port security instructions - ig2.2.4.9 packet tracer configuring switch port security instructions - ig
2.2.4.9 packet tracer configuring switch port security instructions - igAlex Ramirez
 
Chapter 14 - Sw Conf
Chapter 14 - Sw ConfChapter 14 - Sw Conf
Chapter 14 - Sw Confphanleson
 
Ccna 3 chapter 2 v4.0 answers 2011
Ccna 3 chapter 2 v4.0 answers 2011Ccna 3 chapter 2 v4.0 answers 2011
Ccna 3 chapter 2 v4.0 answers 2011Dân Chơi
 
CCNA Security 07-Securing the local area network
CCNA Security 07-Securing the local area networkCCNA Security 07-Securing the local area network
CCNA Security 07-Securing the local area networkAhmed Habib
 
Cisco Switch Security
Cisco Switch SecurityCisco Switch Security
Cisco Switch Securitydkaya
 
Cisco CCNA Port Security
Cisco CCNA Port SecurityCisco CCNA Port Security
Cisco CCNA Port SecurityHamed Moghaddam
 
Webinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LANWebinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LANNetgear Italia
 
Cisco systems hacking layer 2 ethernet switches
Cisco systems hacking layer 2 ethernet switchesCisco systems hacking layer 2 ethernet switches
Cisco systems hacking layer 2 ethernet switchesKJ Savaliya
 
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.Sumutiu Marius
 
Hướng dẫn cài đặt switch planet layer 3
Hướng dẫn cài đặt switch planet layer 3Hướng dẫn cài đặt switch planet layer 3
Hướng dẫn cài đặt switch planet layer 33c telecom
 

Similar to Security Concerns in LANs.pptx (20)

Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacks
 
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and ConfigurationLAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
 
Switchport port security explained with examples
Switchport port security explained with examplesSwitchport port security explained with examples
Switchport port security explained with examples
 
1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) 1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618)
 
CCNA Lab 2-Configuring a Switch Part II
CCNA Lab 2-Configuring a Switch Part IICCNA Lab 2-Configuring a Switch Part II
CCNA Lab 2-Configuring a Switch Part II
 
2.2.4.9 packet tracer configuring switch port security instructions - ig
2.2.4.9 packet tracer configuring switch port security instructions - ig2.2.4.9 packet tracer configuring switch port security instructions - ig
2.2.4.9 packet tracer configuring switch port security instructions - ig
 
Chapter 14 - Sw Conf
Chapter 14 - Sw ConfChapter 14 - Sw Conf
Chapter 14 - Sw Conf
 
Ccna 3 chapter 2 v4.0 answers 2011
Ccna 3 chapter 2 v4.0 answers 2011Ccna 3 chapter 2 v4.0 answers 2011
Ccna 3 chapter 2 v4.0 answers 2011
 
CCNA Security 07-Securing the local area network
CCNA Security 07-Securing the local area networkCCNA Security 07-Securing the local area network
CCNA Security 07-Securing the local area network
 
Attack.pptx
Attack.pptxAttack.pptx
Attack.pptx
 
LAYER2_
LAYER2_LAYER2_
LAYER2_
 
VLAN
VLANVLAN
VLAN
 
Cisco Switch Security
Cisco Switch SecurityCisco Switch Security
Cisco Switch Security
 
Cisco CCNA Port Security
Cisco CCNA Port SecurityCisco CCNA Port Security
Cisco CCNA Port Security
 
Day 13.1..1 catalyst switch
Day 13.1..1 catalyst switchDay 13.1..1 catalyst switch
Day 13.1..1 catalyst switch
 
Webinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LANWebinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LAN
 
Cisco systems hacking layer 2 ethernet switches
Cisco systems hacking layer 2 ethernet switchesCisco systems hacking layer 2 ethernet switches
Cisco systems hacking layer 2 ethernet switches
 
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
 
Hướng dẫn cài đặt switch planet layer 3
Hướng dẫn cài đặt switch planet layer 3Hướng dẫn cài đặt switch planet layer 3
Hướng dẫn cài đặt switch planet layer 3
 
Hacking L2 Switches
Hacking L2 SwitchesHacking L2 Switches
Hacking L2 Switches
 

More from joko

manajemen-jaringan.ppt
manajemen-jaringan.pptmanajemen-jaringan.ppt
manajemen-jaringan.pptjoko
 
Latihan soal
Latihan soalLatihan soal
Latihan soaljoko
 
Uni fi controller_ug
Uni fi controller_ugUni fi controller_ug
Uni fi controller_ugjoko
 
Session#1 pengantar akuntansi dan bisnis
Session#1 pengantar akuntansi dan bisnisSession#1 pengantar akuntansi dan bisnis
Session#1 pengantar akuntansi dan bisnisjoko
 
15843 15841-1-pb
15843 15841-1-pb15843 15841-1-pb
15843 15841-1-pbjoko
 
Layer 3
Layer 3Layer 3
Layer 3joko
 
Networking media
Networking mediaNetworking media
Networking mediajoko
 
Network devices
Network devicesNetwork devices
Network devicesjoko
 
Networking media
Networking mediaNetworking media
Networking mediajoko
 
Ip address
Ip addressIp address
Ip addressjoko
 
Dfd
DfdDfd
Dfdjoko
 
Inventory
InventoryInventory
Inventoryjoko
 
Card file
Card fileCard file
Card filejoko
 
Accounts
AccountsAccounts
Accountsjoko
 
Session 6
Session 6Session 6
Session 6joko
 
Session 4
Session 4Session 4
Session 4joko
 
Session 3
Session 3Session 3
Session 3joko
 
Session 3
Session 3Session 3
Session 3joko
 
Session 5
Session 5Session 5
Session 5joko
 
Session 4
Session 4Session 4
Session 4joko
 

More from joko (20)

manajemen-jaringan.ppt
manajemen-jaringan.pptmanajemen-jaringan.ppt
manajemen-jaringan.ppt
 
Latihan soal
Latihan soalLatihan soal
Latihan soal
 
Uni fi controller_ug
Uni fi controller_ugUni fi controller_ug
Uni fi controller_ug
 
Session#1 pengantar akuntansi dan bisnis
Session#1 pengantar akuntansi dan bisnisSession#1 pengantar akuntansi dan bisnis
Session#1 pengantar akuntansi dan bisnis
 
15843 15841-1-pb
15843 15841-1-pb15843 15841-1-pb
15843 15841-1-pb
 
Layer 3
Layer 3Layer 3
Layer 3
 
Networking media
Networking mediaNetworking media
Networking media
 
Network devices
Network devicesNetwork devices
Network devices
 
Networking media
Networking mediaNetworking media
Networking media
 
Ip address
Ip addressIp address
Ip address
 
Dfd
DfdDfd
Dfd
 
Inventory
InventoryInventory
Inventory
 
Card file
Card fileCard file
Card file
 
Accounts
AccountsAccounts
Accounts
 
Session 6
Session 6Session 6
Session 6
 
Session 4
Session 4Session 4
Session 4
 
Session 3
Session 3Session 3
Session 3
 
Session 3
Session 3Session 3
Session 3
 
Session 5
Session 5Session 5
Session 5
 
Session 4
Session 4Session 4
Session 4
 

Recently uploaded

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

Security Concerns in LANs.pptx

  • 1. Security Concerns in LANs Enterprise Networking, Security, and Automation v7.0 (ENSA)
  • 2. Switch Vulnerabilities  Switches are vulnerable to a variety of attacks including:  Password attacks  DoS attacks  CDP attacks  MAC address flooding  DHCP attacks  To mitigate against these attacks:  Disable unused ports  Disable CDP  Configure Port Security  Configure DHCP snooping 2
  • 3. Disable Unused Ports and Assign to an Unused (Garbage) VLAN S1(config)#int range fa0/20 – 24 S1(config-if-range)# switchport access vlan 100 S1(config-if-range)# shutdown %LINK-5-CHANGED: Interface FastEthernet0/20, changed state to administratively down %LINK-5-CHANGED: Interface FastEthernet0/21, changed state to administratively down %LINK-5-CHANGED: Interface FastEthernet0/22, changed state to administratively down %LINK-5-CHANGED: Interface FastEthernet0/23, changed state to administratively down %LINK-5-CHANGED: Interface FastEthernet0/24, changed state to administratively down S1(config-if-range)# 4
  • 4. Leveraging the Cisco Discovery Protocol  The Cisco Discovery Protocol is a Layer 2 Cisco proprietary protocol used to discover other directly connected Cisco devices.  It is designed to allow the devices to autoconfigure their connections.  If an attacker is listening to Cisco Discovery Protocol messages, it could learn important information, such as the device model or the running software version. 5
  • 5. Leveraging the Cisco Discovery Protocol  Cisco recommends disabling CDP when it is not in use. Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE, RELEASE SOFTWARE (fc1)… 6
  • 6. Disabling CDP S1(config)# no cdp run S1(config)# S1(config)# interface range fa0/1 – 24 S1(config-if-range)# no cdp enable S1(config-if-range)#exit S1(config)# 7
  • 7. Layer 2 Switching Packet Tracer Topology In this scenario, the switch has just rebooted. Verify the content of the MAC address table. 192.168.1.0 /24 .10 .11 .12 .13 000a.f38e.74b3 00d0.ba07.8499 0090.0c23.ceca 0001.9717.22e0 F0/1 F0/3 F0/2 F0/4 Sw1# show mac-address-table Mac Address Table ------------------------------------------- Vlan Mac Address Type Ports ---- ----------- -------- ----- Sw1# 8
  • 8. Layer 2 Switching PC-A pings PC-B. 192.168.1.0 /24 .12 .13 0090.0c23.ceca 0001.9717.22e0 F0/1 F0/3 F0/2 F0/4 PC-A> ping 192.168.1.11 Pinging 192.168.1.11 with 32 bytes of data: Reply from 192.168.1.11: bytes=32 time=62ms TTL=128 Reply from 192.168.1.11: bytes=32 time=62ms TTL=128 Reply from 192.168.1.11: bytes=32 time=63ms TTL=128 Reply from 192.168.1.11: bytes=32 time=63ms TTL=128 Ping statistics for 192.168.1.11: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 62ms, Maximum = 63ms, Average = 62ms PC-A> 9 .10 .11 00d0.ba07.8499 000a.f38e.74b3
  • 9. Layer 2 Switching Sw1# show mac-address-table Mac Address Table ------------------------------------------- Vlan Mac Address Type Ports ---- ----------- -------- ----- 1 000a.f38e.74b3 DYNAMIC Fa0/1 1 00d0.ba07.8499 DYNAMIC Fa0/2 Sw1# 10 192.168.1.0 /24 .12 .13 0090.0c23.ceca 0001.9717.22e0 F0/1 F0/3 F0/2 F0/4 .10 .11 00d0.ba07.8499 000a.f38e.74b3
  • 10. Unicast Flooding 11 Unicast Mac Address Table Port MAC Address Mac Address Table 1.Learn – Examine Source MAC address In table: Reset 5 min timer Not in table: Add Source MAC address and port # to table 2.Forward – Examine Destination MAC address In table: Forward out that port. Not in table: Flood out all ports except incoming port. AAAA BBBB AAAA BBBB Not in table Unknown Unicast 1 2
  • 11. 12 MAC Flood Attack  If the attack is launched before the beginning of the day, the CAM table would be full as the majority of devices are powered on.  If the initial, malicious flood of invalid CAM table entries is a one-time event:  Can generate 155,000 MAC entries per minute  “Typical” switch can store 4,000 to 8,000 MAC entries  Eventually, the switch will age out older, invalid CAM table entries  New, legitimate devices will be able to create an entry in the CAM  Traffic flooding will cease  Intruder may never be detected (network seems normal).
  • 12. Unicast Flooding 13 Unicast Mac Address Table Port MAC Address Mac Address Table 1.Learn – Examine Source MAC address In table: Reset 5 min timer Not in table: Add Source MAC address and port # to table 2.Forward – Examine Destination MAC address In table: Forward out that port. Not in table: Flood out all ports except incoming port. AAAA BBBB AAAA BBBB Not in table or table is full Unknown Unicast 1 2
  • 13. Configure Port Security  Port security allows an administrator to limit the number of MAC addresses learned on a port.  If this is exceeded, a switch action can be configured.  Configure each access port to accept 1 MAC address only or a small group of MAC addresses.  Frames from any other MAC addresses are not forwarded.  By default, the port will shut down if the wrong device connects.  It has to be brought up again manually. 1 1 1 1 14
  • 14. Configuring Port Security  Use the switchport port-security interface command to enable port security on a port.  It is used to:  Set a maximum number of MAC addresses.  Define violation actions.  MAC address(es) can be learned dynamically, entered manually, or learned and retained dynamically.  Set the aging time for dynamic and static secure address entries.  To verify port security status: show port-security switchport port-security [max value] [violation {protect | restrict | shutdown}] [mac-address mac-address [sticky]] [aging time value] Switch(config-if)# 15
  • 15. Port Security: Secure MAC Addresses  The switch supports these types of secure MAC addresses:  Static  Configured using switchport port-security mac-address mac-address  Stored in the address table  Added to running configuration.  Dynamic  These are dynamically configured  Stored only in the address table  Removed when the switch restarts  Sticky  These are dynamically configured  Stored in the address table  Added to the running configuration.  If running-config saved to startup-config, when the switch restarts, the interface does not need to dynamically reconfigure them.  Note: When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. The interface adds all the sticky secure MAC addresses to the running configuration. 16
  • 17. Port Security Defaults  Secure MAC addresses can be configured as follows:  Dynamically (learned but not retained after a reboot)  Statically (prone to errors)  Sticky (learned dynamically and retained) Feature Default setting Port Security Disabled on a port Maximum # of Secure MAC Addresses 1 Violation Shutdown • The port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent. Sticky Address Learning Disabled 18
  • 18. Dynamic Secure MAC address  Learned dynamically  S1(config-if)# switchport mode access  S1(config-if)# switchport port-security  By default, only 1 address is learned.  Put in MAC address table  Not shown in running configuration  It is not saved or in the configuration when switch restarts. 19
  • 19. Static Secure MAC address  Static secure MAC address is manually configured in interface config mode S1(config-if)# switchport mode access S1(config-if)# switchport port-security mac-address 000c.7259.0a63  MAC address is stored in MAC address table  Shows in the running configuration  Can be saved with the configuration. 20
  • 20. Sticky Secure MAC address  Dynamically learned and can be retained.  S1(config-if)# switchport mode access  S1(config-if)# switchport port-security mac-address sticky  You can choose how many can be learned (default 1).  Added to the running configuration  Saved only if you save running configuration.  Note:  When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.  The interface adds all the sticky secure MAC addresses to the running configuration. 21
  • 21. 22 interface FastEthernet0/2 switchport mode access  Sets the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port. switchport port-security  Enables port security on the interface switchport port-security maximum 6  (Optional) Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 132; the default is 1. switchport port-security aging time 5  Learned addresses are not aged out by default but can be with this command. Value from 1 to 1024 in minutes. switchport port-security mac-address 0000.0000.000b  (Optional) Enter a static secure MAC address for the interface, repeating the command as many times as necessary. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned. switchport port-security mac-address sticky  (Optional) Enable stick learning on the interface. switchport port-security violation shutdown  (Optional) Set the violation mode, the action to be taken when a security violation is detected. (Next) NOTE: switchport host command will disable channeling, and enable access/portfast Switch(config-if)# switchport host switchport mode will be set to access spanning-tree portfast will be enabled channel group will be disabled
  • 23. Port Security: Maximum of 1  The secure MAC addresses are stored in an address table.  Setting a maximum number of addresses to 1 and configuring the MAC address of an attached device ensures that the device has the full bandwidth of the port. Switch(config-if)# switchport port-security maximum 1 24
  • 24. Port Security: Static Addresses  Restricts input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port.  The port does not forward packets with source addresses outside the group of defined addresses. Switch(config)# interface fa 0/1 Switch(config-if)# switchport mode access Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security maximum 3 Switch(config-if)# switchport port-security mac-address 0000.0000.000a Switch(config-if)# switchport port-security mac-address 0000.0000.000b Switch(config-if)# switchport port-security mac-address 0000.0000.000c X 25
  • 25. 26 Port Security: Violation  Station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.
  • 26. Port Security: Violation  By default, if the maximum number of connections is achieved and a new MAC address attempts to access the port, the switch must take one of the following actions:  Protect: Frames from the nonallowed address are dropped, but there is no log of the violation.  Restrict: Frames from the nonallowed address are dropped, a log message is created and Simple Network Management Protocol (SNMP) trap sent.  Shut down: If any frames are seen from a nonallowed address, the interface is errdisabled, a log entry is made, SNMP trap sent and manual intervention (no shutdown) or errdisable recovery must be used to make the interface usable. Switch(config-if)#switchport port-security violation {protect | restrict | shutdown} 27
  • 27. DHCP Attacks  DHCP is a network protocol used to automatically assign IP information.  Two types of DHCP attacks are:  DHCP spoofing: A fake DHCP server is placed in the network to issue DHCP addresses to clients.  DHCP starvation: DHCP starvation is often used before a DHCP spoofing attack to deny service to the legitimate DHCP server. 28
  • 29. DHCP Spoof Attacks “I need an IP address/mask, default gateway, and DNS server.” “Here you go, I might be first!” (Rouge) “Here you go.” (Legitimate) “Got it, thanks!” “Already got the info.” All default gateway frames and DNS requests sent to Rogue. “I can now forward these on to my leader.” (Rouge) 30
  • 30. Solution: Configure DHCP Snooping  DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests.  Ports are identified as trusted and untrusted.  Trusted ports: Host a DHCP server or can be an uplink toward the DHCP server and can source all DHCP messages, including DHCP offer and DHCP acknowledgement packets  Untrusted ports: Can source requests only. 31
  • 31. DHCP Snooping S1(config)# ip dhcp snooping S1(config)# ip dhcp snooping vlan 10,20 S1(config)# interface gig 0/1 S1(config-if)# ip dhcp snooping trust S1(config)# interface fa 0/0 S1(config-if)# ip dhcp snooping limit rate 100 Fa0/0 Gig0/1 By default all interfaces are untrusted. Fa0/0 S1 32
  • 32. DHCP Snooping “I need an IP address/mask, default gateway, and DNS server.” “Here you go, I might be first!” (Rouge) “Here you go.” (Legitimate) Switch: This is an untrusted port, I will block this DHCP Offer” “Thanks, got it.” Switch: This is a trusted port, I will allow this DHCP Offer” 33