Dot1x Authentication Configuration

Configuration Example:
! Management SVI: the switch sources its RADIUS requests from this address
interface Vlan1
 ip address 192.168.1.10 255.255.255.0
!
! AAA must be enabled before any dot1x or RADIUS method can be defined
aaa new-model
!
! Enable 802.1X globally; without this, the per-port dot1x settings below are inert
dot1x system-auth-control
!
! Authenticate 802.1X supplicants against the RADIUS server group
aaa authentication dot1x default group radius
!
! Legacy server syntax (UDP 1645/1646). Newer IOS releases use a
! "radius server <name>" block with "address ipv4 <ip> auth-port 1812
! acct-port 1813" and "key <secret>"; use a strong shared secret, not cisco123
radius-server host 192.168.1.100 auth-port 1645 key cisco123
!
! Supplicant-facing access ports: the switch is the authenticator PAE and
! "port-control auto" keeps each port unauthorized until 802.1X succeeds
interface FastEthernet0/2
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface FastEthernet0/3
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface FastEthernet0/4
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator

AAA server configuration

DHCP Spoofing Attack Review

The goal of a DHCP starvation attack is to use an attack tool such as Gobbler to exhaust the DHCP address pool and create a Denial of Service (DoS) for connecting clients.

Recall that DHCP starvation attacks can be effectively mitigated by using port security, because Gobbler uses a unique source MAC address for each DHCP request it sends, so the port quickly exceeds its MAC address limit. Mitigating DHCP spoofing attacks, however, requires more protection.

Gobbler could be configured to use the actual interface MAC address as the source Ethernet address but specify a different client hardware address (chaddr) in the DHCP payload. This would render port security ineffective because the source MAC address would be legitimate and the port would never see more than one MAC address.

DHCP snooping closes both gaps. On untrusted ports it drops DHCP client packets whose chaddr does not match the frame's source MAC address (the ip dhcp snooping verify mac-address check, enabled by default), and it drops DHCP server messages (OFFER, ACK, NAK) that arrive on any port not explicitly configured as trusted, which is what defeats a rogue DHCP server.

DHCP Snooping

DHCP snooping inspects DHCP messages as they cross the switch: it drops DHCP server messages (OFFER, ACK, NAK) that arrive on untrusted ports and can rate-limit all DHCP traffic received on them.

  • Devices under administrative control (e.g., switches, routers, and servers) are trusted sources.
  • Trusted interfaces (e.g., trunk links, server ports) must be explicitly configured as trusted.
  • Devices outside the network and all access ports are generally treated as untrusted sources.

A table is built that records, for each device on an untrusted port, its source MAC address, the IP address the DHCP server assigned to it, the lease time, the VLAN and the interface on which it was learned.

  • The MAC address and IP address are bound together.
  • Therefore, this table is called the DHCP snooping binding table.

Steps to Implement DHCP Snooping

Use the following steps to enable DHCP snooping:

Step 1. Enable DHCP snooping globally by using the ip dhcp snooping global configuration command.

Step 2. On trusted ports (uplinks to other switches and ports facing the DHCP server), use the ip dhcp snooping trust interface configuration command. All other ports remain untrusted by default.

Step 3. On untrusted interfaces, limit the number of DHCP packets of any type that can be received per second using the ip dhcp snooping limit rate packets-per-second interface configuration command. A port that exceeds the limit is placed in the err-disabled state, so pair this with errdisable recovery or be prepared to shutdown / no shutdown the port.

Step 4. Enable DHCP snooping by VLAN, or by a range of VLANs, by using the ip dhcp snooping vlan global configuration command. Snooping is not active on a VLAN until this step is done.

DHCP Snooping Configuration Example
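The four steps put together, as an added configuration example that is not part of the original notes. The interface names, the client VLANs (10 and 20) and the rate limit of 6 packets per second are assumptions; the option 82, binding database and errdisable recovery lines are practitioner additions beyond the steps listed above:

```ios
! Step 1: enable DHCP snooping globally (nothing is snooped until step 4)
ip dhcp snooping
!
! Step 4: activate snooping on the client VLANs (assumed: VLAN 10 and 20)
ip dhcp snooping vlan 10,20
!
! By default the switch inserts DHCP option 82 into client packets while leaving
! giaddr at 0.0.0.0; a relay or server not configured to trust that combination
! drops the DISCOVER. Disable insertion unless the relay is set up to accept it.
no ip dhcp snooping information option
!
! Persist the binding table across reloads; otherwise DAI (which uses it) drops
! ARP from hosts holding existing leases until they renew
ip dhcp snooping database flash:dhcp-snooping.db
!
! Step 2: trusted ports = uplinks toward the DHCP server / distribution layer
interface GigabitEthernet0/1
 description Uplink to distribution (path to the DHCP server)
 switchport mode trunk
 ip dhcp snooping trust
!
! Step 3: access ports stay untrusted (the default) and are rate-limited;
! 6 pps is plenty for a single host, and server OFFER/ACK frames arriving here are dropped
interface range FastEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 6
!
! A port that exceeds the rate limit is err-disabled; recover it automatically
! after 5 minutes instead of requiring a manual shutdown / no shutdown
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
```

After applying this, a rogue DHCP server on any FastEthernet port has its OFFER and ACK messages dropped and a client flooding DISCOVERs at more than 6 pps has its port err-disabled; the legitimate server behind GigabitEthernet0/1 is unaffected.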

Verify the configuration with the following show commands. The first displays whether snooping is enabled globally and on which VLANs, which interfaces are trusted and their rate limits; the second displays the binding table of MAC/IP pairs learned from untrusted ports:

Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding

 

Dynamic ARP Inspection

In a typical ARP attack, a threat actor sends unsolicited (gratuitous) ARP replies to other hosts on the subnet containing the threat actor's MAC address and the IP address of the default gateway, so the victims send gateway-bound traffic to the attacker. To prevent ARP spoofing and the resulting ARP poisoning, a switch must ensure that only valid ARP Requests and Replies are relayed.

Dynamic ARP inspection (DAI) requires DHCP snooping, because it validates ARP packets against the DHCP snooping binding table, and helps prevent ARP attacks by:

  • Not relaying invalid or gratuitous ARP Replies out to other ports in the same VLAN.
  • Intercepting all ARP Requests and Replies on untrusted ports.
  • Verifying each intercepted packet for a valid IP-to-MAC binding.
  • Dropping and logging ARP Replies coming from invalid sources to prevent ARP poisoning.
  • Error-disabling the interface if the configured DAI rate of ARP packets is exceeded (default 15 packets per second on untrusted ports).

DAI Implementation Guidelines

To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI implementation guidelines:

  • Enable DHCP snooping globally.
  • Enable DHCP snooping on selected VLANs.
  • Enable DAI on selected VLANs.
  • Configure trusted interfaces for DHCP snooping and ARP inspection.

It is generally advisable to configure all access switch ports as untrusted and to configure all uplink ports that are connected to other switches as trusted.
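The guidelines above as a configuration, added here as an example that is not from the original notes. Assumptions: VLAN 10 carries the clients, GigabitEthernet0/1 is the uplink and FastEthernet0/2 - 24 are access ports; the static host 10.1.10.250 / 0011.2233.4455 is constructed to show how a host without a DHCP lease is handled, and the validate and errdisable recovery lines go beyond the listed guidelines:

```ios
! DAI depends on the DHCP snooping binding table; snooping must be on first
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Enable DAI on the same VLAN
ip arp inspection vlan 10
!
! Beyond the binding check: also compare the ARP body with the Ethernet header
! (sender MAC vs source MAC, target MAC vs destination MAC on replies) and drop
! bogus sender IPs (0.0.0.0, 255.255.255.255, multicast)
ip arp inspection validate src-mac dst-mac ip
!
! Uplink toward other switches: trusted for both features, so no inspection
interface GigabitEthernet0/1
 description Uplink to distribution switch
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports: untrusted by default, every ARP packet is checked;
! exceeding 15 pps (the untrusted default) err-disables the port
interface range FastEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
!
! A statically addressed host has no snooping binding and its ARP would be
! dropped. Whitelist it with an ARP ACL; without the "static" keyword, packets
! that do not match the ACL still fall through to the DHCP binding check
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.250 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Recover ports err-disabled by DAI automatically
errdisable recovery cause arp-inspection
```

Check the result with show ip arp inspection vlan 10 (enabled state, validation options, ACL applied) and show ip arp inspection statistics (forwarded, dropped and ACL-permitted counters per VLAN); a gratuitous reply claiming the gateway's IP from an access port shows up as a DHCP-permit drop and is logged.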

Mitigate STP Attacks

Recall that network attackers can manipulate the Spanning Tree Protocol (STP) to conduct an attack by spoofing the root bridge and changing the topology of a network.

To mitigate STP attacks, use PortFast and Bridge Protocol Data Unit (BPDU) Guard:

PortFast

  • PortFast immediately brings a port to the forwarding state from a blocking state, bypassing the listening and learning states, so a connected host gets link without waiting for STP convergence.
  • Apply it only to access ports attached to end devices, never to links toward other switches, because a PortFast port skips the states in which STP would detect a loop. Combine it with BPDU guard so the port is shut down if a switch is plugged in anyway.

BPDU Guard

  • BPDU guard immediately error-disables a port that receives a BPDU; a rogue switch or attack tool sending superior BPDUs from an access port is cut off before it can influence the topology. The port stays err-disabled until an administrator issues shutdown / no shutdown or errdisable recovery is configured.
  • Like PortFast, BPDU guard should only be configured on interfaces attached to end devices.
Configure PortFast
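PortFast and BPDU guard as a configuration, added here as an example that is not from the original notes. Interface names are assumed, and the root guard on the downlink is an addition beyond the two features the notes list:

```ios
! Global form: PortFast on every non-trunk (access) port, and BPDU guard on
! every PortFast port, so a BPDU arriving on an access port err-disables it
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Explicit per-interface form on the end-user ports (assumed Fa0/2 - 24).
! Newer IOS releases accept "spanning-tree portfast edge" for the same thing.
interface range FastEthernet0/2 - 24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Links toward other switches: never PortFast or BPDU guard, they must exchange
! BPDUs. Root guard (addition beyond the notes) puts the port into
! root-inconsistent state if a superior BPDU arrives, so a switch on the far
! side cannot take over as root bridge; it recovers when the BPDUs stop
interface GigabitEthernet0/2
 description Downlink to access switch
 switchport mode trunk
 spanning-tree guard root
!
! Bring BPDU-guard err-disabled ports back after 5 minutes instead of leaving
! them down until an administrator intervenes
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

show spanning-tree summary confirms "Portfast Default is enabled" and "PortFast BPDU Guard Default is enabled"; show interfaces status err-disabled lists any access port that has since received a BPDU.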

Switch Security Quiz

1. Which two features on a Cisco Catalyst switch can be used to mitigate DHCP starvation and DHCP spoofing attacks? (Choose two.)

2. An administrator who is troubleshooting connectivity issues on a switch notices that a switch port configured for port security is in the err-disabled state. After verifying the cause of the violation, how should the administrator re-enable the port without disrupting network operation?

3. What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?

4. Which two commands can be used to enable PortFast on a switch? (Choose two.)

5. A network administrator is configuring DAI on a switch. Which command should be used on the uplink interface that connects to a router?

6. Which procedure is recommended to mitigate the chances of ARP spoofing?

7. Which security feature should be enabled in order to prevent an attacker from overflowing the MAC address table of a switch?

8. A network administrator is configuring DHCP snooping on a switch. Which configuration command should be used first?

9. Where are dynamically learned MAC addresses stored when sticky learning is enabled with the switchport port-security mac-address sticky command?

10. What are two types of switch ports that are used on Cisco switches as part of the defense against DHCP spoofing attacks? (Choose two.)
