Minimizing Service Loss and Data Theft in a Switched - PowerPoint PPT Presentation

About This Presentation
Title:

Minimizing Service Loss and Data Theft in a Switched

Description:

Title: PowerPoint Presentation Created Date: 7/27/2003 5:48:43 PM Document presentation format: (4:3) Company: Cabrillo College – PowerPoint PPT presentation

Number of Views:52
Avg rating:3.0/5.0
Slides: 15
Provided by: kowonDon2
Transcript and Presenter's Notes

1
Minimizing Service Loss and Data Theft in a Switched
  • BCMSN Module 8 Sec 2

2
  • Understanding Switch Security Issues
  • Protecting against Attacks
  • Protecting against Spoof Attacks
  • Describing STP Security Mechanism
  • Preventing STP Forwarding Loops
  • Securing Network Switches
3
Describing a DHCP Spoof Attack
  • The DHCP spoofing device replies to client DHCP
    requests.
  • The legitimate server may reply as well, but if
    the spoofing device is on the same segment as the
    client, its reply to the client may arrive first.
  • The intruder's DHCP reply offers an IP address
    and supporting information that designates the
    intruder as the default gateway or Domain Name
    System (DNS) server.
  • In the case of a gateway, the clients forward
    packets to the attacking device, which in turn
    sends them on to the desired destination.

4
DHCP Spoof Attacks
  • Client: I need an IP address/mask, default gateway, and
    DNS server.
  • Rogue: Here you go, I might be first!
  • Client: Got it, thanks!
  • Legitimate server: Here you go.
  • Client: Already got the info.
  • Rogue: I can now forward these on to my leader.
  • Result: all default gateway frames and DNS requests are sent
    to the rogue.
5
Describing DHCP Snooping
  • Cisco Catalyst feature that determines which
    switch ports can respond to DHCP requests.
  • Trusted ports can source all DHCP messages,
    while untrusted ports can source requests only;
    an untrusted port should never send DHCP server
    responses such as DHCPOFFER, DHCPACK, or DHCPNAK.
  • If a rogue device on an untrusted port attempts
    to send a DHCP response packet into the network,
    the port is shut down.

6
DHCP Option 82
  • Port-to-port DHCP broadcast isolation is achieved
    when the client ports are within a single VLAN.
  • Client -> Agent (port) -> DHCP Server (port)
  • The relay agent uses this information to identify
    which port connects to the requesting client and
    avoids forwarding the reply to the entire VLAN.

7
DHCP Snooping
Switch(config)# ip dhcp snooping
  • Enables DHCP snooping globally

Switch(config)# ip dhcp snooping information option
  • Enables DHCP Option 82 data insertion

Switch(config-if)# ip dhcp snooping trust
  • Configures a trusted interface

Switch(config-if)# ip dhcp snooping limit rate <rate>
  • Number of DHCP packets per second accepted on a port

Switch(config)# ip dhcp snooping vlan <number> [<number>]
  • Enables DHCP snooping on your VLANs (a single VLAN or a range)

8
Verifying DHCP Snooping
9
IP Source Guard
  • Supports only Layer 2 ports, including both
    access and trunk ports.
  • For each untrusted Layer 2 port, one of two IP
    traffic security filters is applied.
  • Source IP address filter: only IP traffic with a
    source IP address that matches the IP source
    binding entry is permitted.
  • Source IP and MAC address filter: only IP traffic
    with source IP and MAC addresses matching the IP
    source binding entry is permitted.
  • A static binding entry is added with:
    Switch(config)# ip source binding <mac-address> vlan <vlan-id> <ip-address> interface <interface-id>

10
ARP Spoofing
  • The ARP reply from the attacker causes the sender
    to store the MAC address of the attacking system
    in its ARP cache.
  • All packets destined for the spoofed IP addresses
    will then be forwarded through the attacker's system.

11
Dynamic ARP Inspection (DAI)
  • Used to prevent ARP spoofing.
  • DAI prevents these attacks by intercepting and
    validating all ARP requests and responses.
  • Each intercepted ARP reply is verified for a valid
    MAC-address-to-IP-address binding before it is
    forwarded to a PC to update the ARP cache.
  • ARP replies coming from invalid devices are
    dropped.
  • DAI determines the validity of an ARP packet
    based on the database of valid MAC-address-to-IP-address
    bindings built by DHCP snooping.

12
Dynamic ARP Inspection
Switch(config)# ip arp inspection vlan <vlan_id>[,<vlan_id>]
  • Enables DAI on a VLAN or range of VLANs

Switch(config-if)# ip arp inspection trust
  • Enables DAI on an interface and sets the
    interface as a trusted interface

Switch(config)# ip arp inspection validate src-mac dst-mac ip
  • Configures DAI to drop ARP packets whose source MAC,
    destination MAC, or IP addresses are invalid

13
Protecting Against ARP Spoofing Attacks
  • To mitigate the chances of ARP spoofing:
  • Step 1: Implement protection against DHCP
    spoofing.
  • Step 2: Enable dynamic ARP inspection.

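The two-step mitigation above, simulated end to end (an added illustration written for this transcript, not Cisco code): a hypothetical SnoopingSwitch builds the binding table from a constructed DHCP exchange, shuts down the untrusted port that sources an offer, and then applies the DAI and IP Source Guard checks from the earlier slides to constructed ARP and IP packets. Port names, MAC addresses and IP addresses are made up.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}  # only trusted ports may source these
@dataclass
class SnoopingSwitch:
    """Toy model (hypothetical, not Cisco code) of the three checks on the slides."""
    trusted: set                                  # ports facing the real DHCP server
    pending: dict = field(default_factory=dict)   # client MAC -> ingress port
    bindings: dict = field(default_factory=dict)  # IP -> (MAC, port), built by snooping
    shutdown: set = field(default_factory=set)    # ports err-disabled for sourcing replies

    def dhcp(self, port, msg, chaddr, yiaddr=None):
        # DHCP snooping: a server reply from an untrusted port is the rogue case.
        if msg in SERVER_MSGS and port not in self.trusted:
            self.shutdown.add(port)
            return "port-shutdown"
        if msg in ("DHCPDISCOVER", "DHCPREQUEST"):
            self.pending[chaddr] = port           # remember where the client is
        elif msg == "DHCPACK" and chaddr in self.pending:
            self.bindings[yiaddr] = (chaddr, self.pending.pop(chaddr))
        return "forwarded"

    def arp(self, port, sender_mac, sender_ip):
        # DAI: sender MAC/IP on an untrusted port must match a binding on that port.
        if port in self.trusted or self.bindings.get(sender_ip) == (sender_mac, port):
            return "forwarded"
        return "dropped"

    def ip(self, port, src_mac, src_ip, check_mac=False):
        # IP Source Guard: source IP (optionally MAC too) must match the port's binding.
        if port in self.trusted:
            return "forwarded"
        mac, bport = self.bindings.get(src_ip, (None, None))
        return "dropped" if bport != port or (check_mac and mac != src_mac) else "forwarded"

def demo():
    # Constructed scenario: client on Gi0/5, real server behind trusted Gi0/1,
    # rogue DHCP server on Gi0/7, ARP/IP spoofer on Gi0/8.
    sw = SnoopingSwitch(trusted={"Gi0/1"})
    sw.dhcp("Gi0/5", "DHCPDISCOVER", "aa:aa")
    rogue = sw.dhcp("Gi0/7", "DHCPOFFER", "aa:aa", "10.0.0.99")  # "I might be first!"
    sw.dhcp("Gi0/1", "DHCPACK", "aa:aa", "10.0.0.5")             # legitimate lease
    return {
        "rogue_offer": rogue,
        "binding": sw.bindings["10.0.0.5"],
        "client_arp": sw.arp("Gi0/5", "aa:aa", "10.0.0.5"),
        "spoofed_arp": sw.arp("Gi0/8", "cc:cc", "10.0.0.5"),  # claims the client's IP
        "gateway_arp": sw.arp("Gi0/8", "cc:cc", "10.0.0.1"),  # claims the gateway
        "spoofed_ip": sw.ip("Gi0/8", "cc:cc", "10.0.0.5", check_mac=True),
    }
```

Without the binding learned in step 1, DAI in step 2 would have nothing to validate against, which is why the slide orders the steps as it does.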
14
Configuring Dynamic ARP Inspection