© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.01-1
Layer 2 Security: Configuring DHCP Snooping

Transcript:


DHCP Attacks
(Diagram: a DHCP server on the network and an attacker connected on an untrusted port.)
- Attacker attempting to starve the DHCP server: DHCP requests with spoofed MAC addresses are sent toward the DHCP server.
- Attacker attempting to set up a rogue DHCP server.

DHCP Snooping
(Diagram: rogue DHCP attacker, client, and legitimate DHCP server attached to the switch.)
- DHCP snooping allows the configuration of ports as trusted or untrusted.
- Untrusted ports cannot process DHCP replies.
- Configure DHCP snooping trust on uplinks to a DHCP server.
- Do not configure trust on client ports.

Mitigating DHCP Attacks
Here are two ways to mitigate DHCP spoofing and starvation attacks:
- Port security
- DHCP snooping

Configuration Guidelines
- Globally enable DHCP snooping first.
- Snooping is not active until it is enabled on a VLAN.
- Configure the DHCP server and relay agent first.
- Configure DHCP addresses and options first.
- DHCP option 82 is not supported if the relay agent is enabled but snooping is disabled.

Commands to Mitigate DHCP Starvation Attacks
(Diagram: Fa0/5 connects to the DHCP server; the other ports in VLAN 90 are configured for unauthenticated access.)

    switch(config)# ip dhcp snooping
    switch(config)# ip dhcp snooping vlan 90
    switch(config)# interface FastEthernet 0/5
    switch(config-if)# ip dhcp snooping trust
    switch(config-if)# ip dhcp snooping limit rate 300
    switch(config-if)# end

The first two commands enable DHCP snooping globally and then on VLAN 90; the interface commands mark the uplink toward the DHCP server as trusted and limit that interface to 300 DHCP packets per second.
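The behaviour the two preceding slides describe (trusted versus untrusted ports, replies dropped on untrusted ports, the per-interface rate limit) can be modelled in a few dozen lines. The following Python is an added example, not Cisco IOS code and not part of the original deck: it replays constructed DHCP traffic through a toy switch and reports the snooping verdict for each frame. Fa0/5, VLAN 90 and the 300 pps limit come from the slides; the client ports Fa0/1 and Fa0/2, their 15 pps limit, and all MAC and IP addresses are constructed sample values. The chaddr-versus-source-MAC check is the MAC address verification IOS performs by default with DHCP snooping; the slides do not mention it, it is included here as an assumption about the platform.

```python
"""Toy model of the DHCP snooping behaviour described in the slides.

Added example, not Cisco IOS code. It models trusted vs. untrusted ports, the
drop of DHCP server messages (OFFER/ACK/NAK) arriving on untrusted ports, the
per-interface DHCP packet rate limit that err-disables a port, and the binding
table learned from ACKs. Fa0/5, VLAN 90 and 300 pps come from the slides; the
client ports, MACs and IPs are constructed sample values.
"""
from collections import defaultdict
from dataclasses import dataclass

# DHCP message types (RFC 2132, option 53)
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}  # only a DHCP server should send these


@dataclass
class DhcpPacket:
    msg_type: int
    src_mac: str              # Ethernet source address of the frame
    chaddr: str               # client hardware address in the DHCP header
    yiaddr: str = "0.0.0.0"   # address assigned by the server (OFFER/ACK)
    lease: int = 0            # lease time in seconds (ACK)
    ts: float = 0.0           # arrival time in seconds


class SnoopingSwitch:
    """One access switch with DHCP snooping enabled on a single VLAN."""

    def __init__(self, vlan, trusted, rate_limits):
        self.vlan = vlan
        self.trusted = set(trusted)           # ports with 'ip dhcp snooping trust'
        self.rate_limits = dict(rate_limits)  # port -> pps ('ip dhcp snooping limit rate')
        self.bindings = {}                    # chaddr -> (ip, lease, vlan, client port)
        self.err_disabled = set()
        self._pending = {}                    # chaddr -> port its REQUEST arrived on
        self._counts = defaultdict(int)       # (port, second) -> DHCP packets seen

    def process(self, iface, pkt):
        """Return the snooping verdict for one DHCP packet arriving on iface."""
        if iface in self.err_disabled:
            return "drop: interface err-disabled"
        # The rate limit counts every DHCP packet on the interface, trusted or not.
        limit = self.rate_limits.get(iface)
        if limit is not None:
            key = (iface, int(pkt.ts))
            self._counts[key] += 1
            if self._counts[key] > limit:
                self.err_disabled.add(iface)  # IOS puts the port in err-disabled state
                return "drop: rate limit exceeded, interface err-disabled"
        if iface in self.trusted:
            if pkt.msg_type == ACK:
                # Learn the binding from the server's ACK; the client port is the
                # one on which that client's REQUEST was seen.
                client_port = self._pending.pop(pkt.chaddr, None)
                self.bindings[pkt.chaddr] = (pkt.yiaddr, pkt.lease, self.vlan, client_port)
            return "forward"
        # Untrusted (client) port from here on.
        if pkt.msg_type in SERVER_MESSAGES:
            return "drop: server message on untrusted port"
        if pkt.src_mac.lower() != pkt.chaddr.lower():
            # MAC address verification (assumed platform default): the DHCP
            # chaddr must match the frame's source MAC.
            return "drop: chaddr does not match source MAC"
        if pkt.msg_type == REQUEST:
            self._pending[pkt.chaddr] = iface
        return "forward"

    def show_binding(self):
        """Rows laid out like 'show ip dhcp snooping binding'."""
        return [f"{mac}  {ip}  {lease}  dhcp-snooping  {vlan}  {port}"
                for mac, (ip, lease, vlan, port) in self.bindings.items()]


def run_demo():
    """Replay constructed traffic and collect the verdict for each scenario."""
    sw = SnoopingSwitch(vlan=90, trusted={"Fa0/5"},
                        rate_limits={"Fa0/5": 300, "Fa0/1": 15, "Fa0/2": 15})
    client, server, rogue = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "00:de:ad:be:ef:01"
    r = {}
    # 1. Legitimate exchange: client on Fa0/1, server behind the trusted uplink Fa0/5.
    r["client_discover"] = sw.process("Fa0/1", DhcpPacket(DISCOVER, client, client, ts=1))
    r["server_offer"] = sw.process("Fa0/5", DhcpPacket(OFFER, server, client, "10.90.0.50", ts=1))
    r["client_request"] = sw.process("Fa0/1", DhcpPacket(REQUEST, client, client, ts=1))
    r["server_ack"] = sw.process("Fa0/5", DhcpPacket(ACK, server, client, "10.90.0.50", 86400, ts=1))
    # 2. Rogue DHCP server on client port Fa0/2 answers the DISCOVER.
    r["rogue_offer"] = sw.process("Fa0/2", DhcpPacket(OFFER, rogue, client, "192.168.1.9", ts=2))
    # 3. Starvation attempt with a spoofed chaddr but the attacker's real source MAC.
    r["spoofed_chaddr"] = sw.process("Fa0/2", DhcpPacket(DISCOVER, rogue, "02:00:00:00:00:01", ts=3))
    # 4. Starvation with fully spoofed frames: 20 DISCOVERs in one second on a 15 pps port.
    verdicts = [sw.process("Fa0/2", DhcpPacket(DISCOVER, f"02:00:00:00:00:{i:02x}",
                                               f"02:00:00:00:00:{i:02x}", ts=4))
                for i in range(20)]
    r["starvation_forwarded"] = verdicts.count("forward")
    r["fa0_2_err_disabled"] = "Fa0/2" in sw.err_disabled
    r["bindings"] = sw.show_binding()
    return r


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Running the module prints one verdict per scenario: the legitimate exchange is forwarded and produces a binding for Fa0/1, the rogue OFFER on Fa0/2 is dropped because server messages are not accepted on an untrusted port, the request with a mismatched chaddr is dropped, and the burst of spoofed DISCOVERs is cut off after the fifteenth packet when Fa0/2 goes err-disabled. The rate limit is what protects the server's lease pool from starvation; the trusted/untrusted distinction is what blocks the rogue server.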

Verifying DHCP Snooping
(Diagram: Fa0/5 connects to the DHCP server.)

    switch# show ip dhcp snooping
    switch# show ip dhcp snooping binding

Examples

    switch# show ip dhcp snooping
    Switch DHCP snooping is enabled
    DHCP snooping is configured on following VLANs:
    90
    Insertion of option 82 is enabled
    Interface                Trusted    Rate limit (pps)
    FastEthernet0/5          yes        300

Examples (Cont.)
Three forms of the DHCP server binding display, each produced with the same command:

    switch# show ip dhcp binding

- By IP address: columns IP address, Hardware address, Lease expiration, Type; the sample row is an Automatic binding with a lease expiration date.
- By subnet: the same columns; the sample row is a Manual binding with an Infinite lease.
- Bindings from all pools not associated with VRF: columns IP address, Client-ID/Hardware address/User name, Lease expiration, Type; the sample row is an Automatic binding.

The IP address, hardware address and client-ID values in the slide's sample rows are not preserved in this transcript.
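The `show ip dhcp snooping` output on the Examples slide is what an operator checks to confirm that only the uplink toward the DHCP server is trusted. The following Python is an added example, not Cisco IOS code and not part of the original deck: it parses that output and audits it against the intended trust policy. The sample output is the one quoted on the slide, and the expected VLAN (90) and uplink (FastEthernet0/5) come from the configuration slide; the `unlimited` rate-limit value is assumed from IOS output and does not appear on the page. Column layout differs between IOS releases, so the row pattern is written for the layout shown here.

```python
"""Parse 'show ip dhcp snooping' output and audit it against a trust policy.

Added example, not Cisco IOS code. SAMPLE_OUTPUT reproduces the slide's
output; VLAN 90 and FastEthernet0/5 come from the configuration slide. The
'unlimited' rate value is assumed from IOS output, not taken from the page.
"""
import re

SAMPLE_OUTPUT = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
90
Insertion of option 82 is enabled
Interface                Trusted    Rate limit (pps)
FastEthernet0/5          yes        300
"""

# One interface row: name, yes/no, pps or "unlimited" (layout as shown on the slide)
ROW = re.compile(r"^(\S+)\s+(yes|no)\s+(\d+|unlimited)$")


def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '90' or '10,20-22' into a set of ints."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_show_dhcp_snooping(output):
    """Return the global state, snooped VLANs and per-interface trust/rate settings."""
    state = {"enabled": False, "vlans": set(), "option82": False, "interfaces": {}}
    lines = output.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line == "Switch DHCP snooping is enabled":
            state["enabled"] = True
        elif line.startswith("DHCP snooping is configured on following VLANs:"):
            # The VLAN list is printed on the line that follows.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            state["vlans"] = parse_vlan_list(nxt)
        elif line == "Insertion of option 82 is enabled":
            state["option82"] = True
        elif (m := ROW.match(line)):
            rate = None if m.group(3) == "unlimited" else int(m.group(3))
            state["interfaces"][m.group(1)] = {"trusted": m.group(2) == "yes", "rate": rate}
    return state


def audit(state, vlan, uplinks):
    """Return findings; an empty list means the switch matches the intended policy."""
    findings = []
    if not state["enabled"]:
        findings.append("DHCP snooping is not globally enabled")
    if vlan not in state["vlans"]:
        findings.append(f"DHCP snooping is not enabled on VLAN {vlan}")
    trusted = {name for name, v in state["interfaces"].items() if v["trusted"]}
    # A trusted port that is not an uplink would let a rogue server's replies through.
    for extra in sorted(trusted - set(uplinks)):
        findings.append(f"{extra} is trusted but is not an uplink to the DHCP server")
    # An untrusted uplink would drop the legitimate server's replies.
    for missing in sorted(set(uplinks) - trusted):
        findings.append(f"uplink {missing} is not trusted")
    return findings


if __name__ == "__main__":
    st = parse_show_dhcp_snooping(SAMPLE_OUTPUT)
    print(audit(st, 90, ["FastEthernet0/5"]) or "policy OK")
```

Against the slide's output and the policy "VLAN 90, uplink FastEthernet0/5" the audit returns no findings. Feeding it a different expected uplink shows both failure directions: the real uplink is reported as trusted-but-not-an-uplink, and the expected uplink as not trusted.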

Summary
- DHCP attacks are another type of Layer 2 (switch) attack.
- DHCP snooping is a DHCP security feature that provides network security.
- Two ways to mitigate DHCP attacks are port security and DHCP snooping.
- There are several guidelines for configuring DHCP snooping. You must first globally enable DHCP snooping.
- There are two commands given to verify DHCP snooping configuration and operation.
