L2 security
(after paul browning, switch simplified)
note: how he ever came up with that title, i'll never know; this book is loaded...
port security – secures switch ports and protects the CAM table by limiting the number of MAC addresses a port may learn
two essential attacks
CAM overflow – targets the fixed-size CAM table by flooding the switch with frames carrying randomly generated source MACs; once the table is full, frames for destinations the switch can no longer learn are flooded out every port in the VLAN, so the attacker can sniff them
MAC spoofing – spoofs the source MAC of a legitimate host, making the switch believe the same host is reachable on two ports; the switch rewrites the MAC table entry to the attacker's port, resulting in a DoS on (and interception of traffic for) the legitimate host
port security implementation
static secure MACs – configured manually, stored in the MAC table and the switch config
dynamic secure MACs – learned by the switch and stored in the MAC table only (lost on reload)
sticky secure MACs – a mix of static and dynamic: learned dynamically, then written to the MAC table and the running config as static entries
violation results (what happens when a frame arrives from a MAC beyond the configured limit)
protect – drops the offending frames; no syslog message and no violation counter increment, so it is silent
restrict – drops the offending frames, sends a syslog message and SNMP trap, and increments the violation counter; the port stays up
shutdown – puts the port into err-disabled state, sends a syslog message and increments the violation counter; this is the default mode, and the port needs a shut/no shut (or errdisable recovery) to come back
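Port security with all three secure-MAC types and two violation modes, as an added example written for these notes (not configuration from the book); the interface numbers, VLAN and MAC address are assumed for illustration:

```cisco
! Added example: port security (interfaces, VLAN 10 and the MAC are assumed)
! Gi0/1: one static secure MAC plus sticky learning, restrict on violation
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! at most 2 MACs on this port (default would be 1)
 switchport port-security maximum 2
 ! static secure MAC: kept in the MAC table and the config
 switchport port-security mac-address 0000.1111.2222
 ! anything else learned is written to the running-config as sticky
 switchport port-security mac-address sticky
 ! restrict: drop, syslog, SNMP trap, counter; port stays up
 switchport port-security violation restrict
!
! Gi0/2: dynamic secure MACs only, default (shutdown) violation mode,
! inactive entries aged out so a swapped host does not trigger a violation
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
! recover err-disabled ports after 5 minutes instead of a manual shut/no shut
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! verification:
! show port-security interface GigabitEthernet0/1
! show port-security address
! show errdisable recovery
```

Note that the sticky addresses only survive a reload if the running config is saved; until then they are "secure sticky" in show port-security address but not in startup-config.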
DAI (dynamic ARP inspection)
validates ARP packets against IP-to-MAC bindings (the DHCP snooping binding database, or static ARP ACLs) and drops packets that fail inspection
ARP spoofing abuses the ARP request/reply exchange between hosts: the attacker answers (or sends gratuitous ARP) with its own MAC for a victim's IP, poisoning the ARP caches of its neighbours
can be used in DHCP environments (bindings learned by DHCP snooping) and non-DHCP environments (static ARP ACLs)
associates a trust state with each switchport
trusted interfaces (typically uplinks and ports towards other switches) bypass inspection
all untrusted interfaces are subject to DAI inspection and to ARP rate limiting (15 packets per second by default; exceeding it err-disables the port)
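DAI for one VLAN, covering both the DHCP-backed case and the static ARP ACL case for a non-DHCP host, as an added example (not from the book); the VLAN, interfaces, host address and MAC are assumed:

```cisco
! Added example: DAI on VLAN 10 (VLAN, interfaces, addresses assumed)
! DHCP environment: DAI consults the DHCP snooping binding table
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
! extra sanity checks on top of the IP/MAC binding lookup
ip arp inspection validate src-mac dst-mac ip
!
! non-DHCP host with a fixed address: static ARP ACL checked first.
! append "static" to the filter command to deny hosts absent from the
! ACL without falling through to the binding table
arp access-list DAI-STATIC-HOSTS
 permit ip host 10.0.10.50 mac host 0000.1111.2222
ip arp inspection filter DAI-STATIC-HOSTS vlan 10
!
! uplink: trusted, bypasses inspection (the upstream switch inspects its own edge)
interface GigabitEthernet0/24
 ip dhcp snooping trust
 ip arp inspection trust
!
! access ports stay untrusted (default); explicit rate limit so an ARP
! flood err-disables the port rather than starving the CPU
interface range GigabitEthernet0/1 - 23
 ip arp inspection limit rate 15
!
errdisable recovery cause arp-inspection
!
! verification:
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
! show ip arp inspection interfaces
```

The statistics counters (dropped, DHCP permits, ACL permits) are the quickest way to tell whether a host is being dropped because it simply has no binding (e.g. a static-IP host missing from the ARP ACL) or because it is actually spoofing.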
DHCP snooping and IP source guard
attacks – DHCP spoofing (a rogue server answering clients with a bogus gateway or DNS server) and DHCP starvation (flooding DISCOVERs with random client MACs to exhaust the address pool, often as the prelude to spoofing)
snooping uses trusted and untrusted interfaces; DHCP server messages (OFFER, ACK, NAK) received on untrusted ports are dropped, as are client messages whose source MAC does not match the chaddr field
successful leases populate the DHCP snooping binding database (MAC, IP, lease time, VLAN, interface), which DAI and IP source guard consume
IP source guard is typically deployed together with DHCP snooping
IP source guard restricts IP traffic on untrusted ports, filtering on the binding database (dynamic bindings from snooping, or static ip source bindings)
for untrusted ports, the filtering modes are source IP only, or source IP and MAC address (the latter requires port security on the port)
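DHCP snooping with both IP source guard filtering modes and a static binding for a fixed-address host, as an added example (not from the book); interface numbers, VLAN, database location and addresses are assumed:

```cisco
! Added example: DHCP snooping + IPSG on VLAN 10 (names and addresses assumed)
ip dhcp snooping
ip dhcp snooping vlan 10
! do not insert option 82 unless the DHCP server expects it, otherwise
! the server may drop the relayed requests
no ip dhcp snooping information option
! persist bindings across a reload so IPSG/DAI do not block hosts at boot
ip dhcp snooping database flash:/dhcp-snoop.db
!
! only the uplink towards the real DHCP server may send OFFER/ACK/NAK
interface GigabitEthernet0/24
 description uplink towards DHCP server
 ip dhcp snooping trust
!
! access port: untrusted (default), rate-limited against starvation,
! IPSG filtering on source IP only
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 ip verify source
!
! stricter port: filter on source IP and source MAC (needs port security)
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip dhcp snooping limit rate 10
 ip verify source port-security
!
! static binding for a host on Gi0/2 with a fixed address (no DHCP lease)
ip source binding 0000.3333.4444 vlan 10 10.0.10.60 interface GigabitEthernet0/2
!
! verification:
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip verify source
```

Until a host on an IPSG port obtains a lease (or has a static binding), all of its IP traffic except DHCP is dropped; show ip verify source shows the port as "deny-all" in that state.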
VLAN hopping
attempts to reach another VLAN directly at L2, bypassing the L3 device (and the ACLs on it) that normally mediates communication between VLANs
switch spoofing – the attacker impersonates a switch by negotiating a trunk (DTP) with the access port; once trunked, it can send frames tagged for any allowed VLAN and also exploits the untagged native VLAN
mitigation – disable DTP (switchport nonegotiate), hard-code non-trunk ports as access ports, and prevent user data from traversing the native VLAN
double tagging – the attacker, sitting on the native VLAN, sends frames with two 802.1Q tags; the first switch strips the outer (native) tag and forwards the frame over the trunk, the next switch reads the inner tag and delivers the frame into the victim VLAN (one-way only, no reply path)
mitigation – ensure the trunk native VLAN is different from any user access VLAN (use an otherwise unused VLAN)
configure the native VLAN to tag all traffic (vlan dot1q tag native), so the outer tag is never stripped
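The mitigations for both attacks applied to one switch, as an added example (not from the book); interface ranges, VLAN numbers and the choice of 999 as the unused native VLAN are assumed:

```cisco
! Added example: VLAN hopping mitigation (interfaces and VLAN numbers assumed)
! user access ports: no DTP, never a trunk
interface range GigabitEthernet0/1 - 20
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! unused ports: disabled and parked in an unused VLAN
interface range GigabitEthernet0/21 - 23
 switchport mode access
 switchport access vlan 999
 shutdown
!
! trunk: DTP off, native VLAN moved to an unused VLAN that carries no
! user data and is deliberately absent from the allowed list
interface GigabitEthernet0/24
 ! encapsulation command needed only on platforms that still support ISL
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! tag the native VLAN too, so a double-tagged frame's outer tag is not
! stripped on the way out of the trunk
vlan dot1q tag native
!
! verification:
! show interfaces trunk
! show dtp interface GigabitEthernet0/24
```

The native VLAN must match on both ends of the trunk (CDP will report a mismatch otherwise), so the 999 change and vlan dot1q tag native have to be applied to the neighbour switch as well.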
IBNS (Identity Based Networking Services)
access control and policy enforcement based on the identity of the user or device rather than the physical port
uses 802.1X (port-based authentication: supplicant on the host, authenticator on the switch, authentication server), EAP (the authentication exchange, carried in EAPOL on the wire and inside RADIUS to the server) and RADIUS (the AAA server, which can also push a VLAN or ACL to the port on success)
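A minimal 802.1X deployment showing where EAP and RADIUS fit, as an added example (not from the book); the RADIUS server address, shared secret, interface and VLAN numbers are assumed placeholders:

```cisco
! Added example: 802.1X / EAP / RADIUS (server address, key, interface assumed)
aaa new-model
! RADIUS server: receives the EAP exchange relayed by the switch
radius server ISE-1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key CHANGE-ME
aaa authentication dot1x default group radius
! allow RADIUS to push a VLAN / downloadable ACL on success
aaa authorization network default group radius
! globally enable 802.1X on the switch
dot1x system-auth-control
!
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 10
 ! switch side of EAPOL is the authenticator; EAP is relayed to RADIUS
 dot1x pae authenticator
 authentication port-control auto
 ! hosts without a supplicant (printers, phones) fall back to MAC auth bypass
 mab
 authentication order dot1x mab
 ! failed hosts are parked in a restricted VLAN instead of dropped silently
 authentication event fail action authorize vlan 666
!
! verification:
! show dot1x all
! show authentication sessions interface GigabitEthernet0/5
```

Before 802.1X succeeds, the only traffic the port accepts is EAPOL (plus CDP/STP); the RADIUS shared secret and server reachability are the usual first things to check when show authentication sessions shows no session at all.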
PVLANs
segregate traffic at L2 within a single VLAN, turning a broadcast segment into an NBMA-style segment (hosts share one subnet but cannot all talk to each other directly)
3 types of ports – community, isolated and promiscuous
3 types of VLANs – primary VLAN, isolated VLAN and community VLAN
3 elements – the primary VLAN, the secondary VLANs (community and isolated) and the promiscuous port
isolated ports reach only promiscuous ports; community ports reach other ports in the same community and promiscuous ports; promiscuous ports (usually the gateway or firewall) reach everything
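A complete private VLAN with one isolated and one community secondary VLAN, as an added example (not from the book); VLAN IDs, interfaces and the SVI address are assumed:

```cisco
! Added example: private VLANs (VLAN IDs, interfaces and SVI address assumed)
! PVLANs require VTP transparent mode (or VTP version 3)
vtp mode transparent
!
! secondary VLANs first, then the primary that associates them
vlan 201
 private-vlan isolated
vlan 202
 private-vlan community
vlan 200
 private-vlan primary
 private-vlan association 201,202
!
! isolated host ports: can reach only the promiscuous port
interface range GigabitEthernet0/1 - 10
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! community host ports: reach each other and the promiscuous port
interface range GigabitEthernet0/11 - 20
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
! promiscuous port towards the gateway / firewall
interface GigabitEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
!
! if this switch routes for the primary VLAN, map the secondaries on the SVI
interface Vlan200
 ip address 10.0.20.1 255.255.255.0
 private-vlan mapping 201,202
!
! verification:
! show vlan private-vlan
! show interfaces GigabitEthernet0/1 switchport
```

Hosts in the isolated VLAN still share the 10.0.20.0/24 subnet and can ping each other's address if the gateway is allowed to route back into the same VLAN, so the promiscuous device (or its ACLs) must not bounce traffic back between hosts of the same primary VLAN.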
Port ACLs and VLAN ACLs
PACLs are supported on physical and EtherChannel interfaces, perform access control for ingress traffic only, and are processed in hardware only (not punted to software); each PACL consumes ACL TCAM entries
VACLs control both bridged and routed packets, and apply to all traffic entering a VLAN regardless of direction (there is no in/out keyword); they are built as VLAN access-maps with match and action clauses, and apply to the whole VLAN rather than to one port
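A PACL restricting one access port beside a VACL dropping one protocol across a whole VLAN, as an added example (not from the book); ACL names, addresses, the interface and the VLAN are assumed:

```cisco
! Added example: PACL vs VACL (names, addresses, interface and VLAN assumed)
! PACL: ingress only, on a physical (or EtherChannel) L2 port, hardware TCAM.
! This port hosts a static-IP printer that may only talk to the print server.
ip access-list extended PACL-PRINTER-IN
 permit ip host 10.0.10.77 host 10.0.10.5
 deny ip any any
interface GigabitEthernet0/7
 switchport mode access
 switchport access vlan 10
 ip access-group PACL-PRINTER-IN in
! (a "mac access-group <mac-acl> in" could sit alongside it for non-IP frames;
! ARP is not IP, so the IP PACL above does not affect ARP)
!
! VACL: applies to all traffic bridged within or routed into/out of VLAN 10,
! no direction keyword. Drop telnet, forward everything else.
ip access-list extended VACL-MATCH-TELNET
 permit tcp any any eq telnet
vlan access-map VLAN10-POLICY 10
 match ip address VACL-MATCH-TELNET
 action drop
vlan access-map VLAN10-POLICY 20
 action forward
vlan filter VLAN10-POLICY vlan-list 10
!
! verification:
! show ip access-lists PACL-PRINTER-IN
! show vlan access-map
! show vlan filter
```

Access-map sequences are evaluated in order and an access-map ends in an implicit drop, which is why the trailing sequence 20 with action forward is needed; a VACL with only the drop clause blocks the whole VLAN.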
OTHER
storm control protects the network from broadcast, multicast and unicast storms and floods by capping each traffic type at a per-port threshold (percentage of bandwidth or packets per second); the port can drop the excess, trap, or be err-disabled
protected ports are similar to PVLAN isolated ports: protected ports on the same switch cannot exchange L2 traffic directly, only via a non-protected port (typically the uplink); unlike PVLANs, protection does not extend across switches
port blocking stops the flooding of unknown unicast and multicast frames out of a port
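All three features on a block of access ports, as an added example (not from the book); the interface range and threshold values are assumed:

```cisco
! Added example: storm control, protected ports, port blocking
! (interface range and threshold values assumed)
interface range GigabitEthernet0/1 - 20
 switchport mode access
 ! storm control: broadcast capped at 1% of link bandwidth, multicast 5%,
 ! unicast 10%; err-disable the port when exceeded (default only drops)
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control unicast level 10.00
 storm-control action shutdown
 ! protected port: no direct L2 forwarding to other protected ports on
 ! this switch; traffic between them must go via a non-protected port
 switchport protected
 ! port blocking: do not flood unknown unicast / multicast out this port
 switchport block unicast
 switchport block multicast
!
errdisable recovery cause storm-control
!
! verification:
! show storm-control GigabitEthernet0/1
! show interfaces GigabitEthernet0/1 switchport
```

Storm-control thresholds are measured per port over a one-second interval, so a level that looks generous on a 1 Gb/s link can still be hit by a single misbehaving host; start with the dropping action and switch to shutdown only once the baseline is known.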