© 2006 Cisco Systems, Inc. All rights reserved. BCMSN v3.08-1 Minimizing Service Loss and Data Theft in a Campus Network Protecting Against Spoof Attacks.


DHCP Spoof Attacks
- Attacker activates a DHCP server on the VLAN.
- Attacker replies to valid client DHCP requests.
- Attacker assigns IP configuration information that establishes the rogue device as the client default gateway.
- Attacker establishes a man-in-the-middle attack.

DHCP Snooping
- DHCP snooping allows the configuration of ports as trusted or untrusted.
- Untrusted ports cannot process DHCP replies.
- Configure DHCP snooping trust on uplinks toward a DHCP server.
- Do not configure trust on client ports.

Securing Against DHCP Spoof Attacks
Switch(config)# ip dhcp snooping
    Enables DHCP snooping globally
Switch(config)# ip dhcp snooping information option
    Enables DHCP Option 82 data insertion
Switch(config)# ip dhcp snooping vlan number [number]
    Enables DHCP snooping on your VLANs
Switch(config-if)# ip dhcp snooping trust
    Configures a trusted interface
Switch(config-if)# ip dhcp snooping limit rate [rate]
    Limits the number of DHCP packets per second accepted on a port

Verifying DHCP Snooping
Switch# show ip dhcp snooping
    Verifies the DHCP snooping configuration

Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP Snooping is configured on the following VLANs:
Insertion of option 82 information is enabled.
Interface           Trusted   Rate limit (pps)
FastEthernet2/1     yes       none
FastEthernet2/2     yes       none
FastEthernet3/1     no        20
Switch#
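A small audit of the `show ip dhcp snooping` output above, added here as an example (not Cisco's code): it parses the interface table and flags any trusted port that is not a designated uplink and any untrusted port with no rate limit. The capture, the VLAN list and the interface names are constructed, modelled on the slide.

```python
import re

# Constructed capture, modelled on the `show ip dhcp snooping` output on the slide.
SAMPLE_OUTPUT = """\
Switch DHCP snooping is enabled
DHCP Snooping is configured on the following VLANs:
10,20
Insertion of option 82 information is enabled.
Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
FastEthernet2/1            yes        none
FastEthernet2/2            yes        none
FastEthernet3/1            no         20
FastEthernet3/2            no         none
"""

# One interface row: name, trusted yes/no, rate limit in pps or "none".
ROW = re.compile(r"^(\S+)\s+(yes|no)\s+(\d+|none)$")


def parse_snooping(text):
    """Return (snooping_enabled, option82_enabled, {iface: (trusted, rate)})."""
    enabled = "snooping is enabled" in text
    option82 = "option 82 information is enabled" in text
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            iface, trusted, rate = m.groups()
            ports[iface] = (trusted == "yes", None if rate == "none" else int(rate))
    return enabled, option82, ports


def audit(text, expected_uplinks):
    """Compare the capture with the design: only uplinks trusted, client ports rate-limited."""
    enabled, option82, ports = parse_snooping(text)
    findings = []
    if not enabled:
        findings.append("DHCP snooping is disabled")
    if not option82:
        findings.append("option 82 insertion is disabled")
    for iface, (trusted, rate) in sorted(ports.items()):
        if trusted and iface not in expected_uplinks:
            findings.append(f"{iface}: trusted but not a designated uplink")
        if not trusted and rate is None:
            findings.append(f"{iface}: untrusted port without a rate limit")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_OUTPUT, {"FastEthernet2/1"})) or "no findings")
```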

IP Source Guard
- IP Source Guard is configured on untrusted Layer 2 interfaces.

Configuring IP Source Guard on a Switch
Switch(config)# ip dhcp snooping
    Enables DHCP snooping globally
Switch(config)# ip dhcp snooping vlan number [number]
    Enables DHCP snooping on a specific VLAN
Switch(config-if)# ip verify source vlan dhcp-snooping port-security
    Enables IP Source Guard with source IP and source MAC address filtering on a port

ARP Spoofing

Dynamic ARP Inspection
- DAI associates each interface with a trusted state or an untrusted state.
- Trusted interfaces bypass all DAI.
- Untrusted interfaces undergo DAI validation.

Configuring DAI
Switch(config)# ip arp inspection vlan vlan_id[,vlan_id]
    Enables DAI on a VLAN or range of VLANs
Switch(config-if)# ip arp inspection trust
    Sets the interface as a trusted interface, so ARP packets received on it bypass DAI
Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
    Configures additional DAI checks (source MAC, destination MAC, IP addresses); ARP packets that fail a selected check are dropped
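To make the trusted/untrusted rule and the `validate` options concrete, here is a model of the DAI decision for one ARP frame, added as an example (not Cisco's code): the binding table rows, the VLAN, ports and MAC/IP addresses are constructed. It shows why a DHCP-learned binding table is needed and why the uplink toward the gateway and DHCP server must be trusted.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Arp:              # the fields DAI looks at in one ARP frame
    vlan: int
    in_port: str
    eth_src: str        # Ethernet header source and destination MAC
    eth_dst: str
    sender_mac: str     # ARP body: sender and target pairs
    sender_ip: str
    target_mac: str
    target_ip: str
    is_reply: bool

def invalid_ip(ip):
    """Addresses the `ip` validation option rejects: unspecified, broadcast, multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast

def dai_verdict(pkt, bindings, trusted_ports, validate=()):
    """Return 'permit' or 'drop: <reason>' for one ARP frame received on one port."""
    if pkt.in_port in trusted_ports:
        return "permit"                        # trusted interfaces bypass DAI
    if "src-mac" in validate and pkt.eth_src != pkt.sender_mac:
        return "drop: src-mac mismatch"
    if "dst-mac" in validate and pkt.is_reply and pkt.eth_dst != pkt.target_mac:
        return "drop: dst-mac mismatch"
    if "ip" in validate and (invalid_ip(pkt.sender_ip)
                             or (pkt.is_reply and invalid_ip(pkt.target_ip))):
        return "drop: invalid ip"
    # Core check: the sender MAC/IP pair must match a DHCP lease on this VLAN.
    if (pkt.vlan, pkt.sender_mac, pkt.sender_ip) in bindings:
        return "permit"
    return "drop: no binding"

# Constructed scenario: binding table rows are (vlan, mac, ip); one client leased
# 10.1.1.10 on Fa3/1, and Fa2/1 is the trusted uplink toward the DHCP server.
BINDINGS = {(10, "00:11:22:33:44:55", "10.1.1.10")}
TRUSTED = {"FastEthernet2/1"}
GW = "00:aa:bb:cc:dd:ee"                       # gateway MAC, address 10.1.1.1
CLIENT_REPLY = Arp(10, "FastEthernet3/1", "00:11:22:33:44:55", GW,
                   "00:11:22:33:44:55", "10.1.1.10", GW, "10.1.1.1", True)
# The same client answering for the gateway address it was never leased: the
# man-in-the-middle case DAI exists to drop.
GATEWAY_CLAIM = Arp(10, "FastEthernet3/1", "00:11:22:33:44:55", GW,
                    "00:11:22:33:44:55", "10.1.1.1", GW, "10.1.1.10", True)
```

Without the DHCP snooping binding table the last check has nothing to compare against, which is why DAI is always deployed on top of DHCP snooping.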

Protection from ARP Spoofing
- Configure DHCP snooping to protect against rogue DHCP servers.
- Configure dynamic ARP inspection.

Summary
- DHCP spoof attacks send unauthorized replies to DHCP queries.
- DHCP snooping is used to counter a DHCP spoof attack.
- DHCP snooping is easily implemented on a Cisco Catalyst switch.
- ARP spoofing can be used to redirect traffic to an unauthorized device on the network.
- Dynamic ARP inspection in conjunction with DHCP snooping can be used to counter ARP spoofing attacks.
- Configuration commands for dynamic ARP inspection are simple to understand.
- Dynamic ARP inspection and DHCP snooping can protect against ARP spoofing attacks.
