Saturday, 29 September 2012

Implementing Basic Cisco Switch Security Part 2

DHCP Snooping

Rogue DHCP servers are most often used to give users fake gateway information that points to the attacker's device or to a compromised host.

DHCP Snooping has two port modes:
  • Trusted: a port that has a DHCP server connected, thus DHCP replies are allowed.
  • Untrusted (default): a port that has no DHCP server attached.

DHCP Snooping is very easy to configure: all you have to do is enable it in global configuration mode and define which ports are trusted (ports that have a legitimate DHCP server connected). By default all ports are untrusted.

switch(config)# ip dhcp snooping  // enables DHCP snooping
switch(config-if)# ip dhcp snooping trust  // sets the port to trusted mode

Dynamic ARP Inspection (DAI)

DAI mitigates ARP poisoning attacks, in which the attacker sends unsolicited ARP messages stating that the default gateway's MAC address is the attacker's layer 2 address, forcing the users of the network to send packets intended for the gateway (packets for another subnet) through the attacker.

Before you can enable DAI, the DHCP Snooping feature should be enabled first.
DAI also uses trusted and untrusted ports; ports to other switches should be trusted.

switch(config)# ip arp inspection vlan 10  // enables DAI for VLAN 10
// for the interfaces that are connected to other switches
switch(config-if)# ip arp inspection trust  // sets the interface as trusted (DAI does not inspect traffic)


Spanning tree is used in our networks to thwart layer 2 loops, but an attacker can leverage this protocol for eavesdropping, MiTM attacks and more.

The attacker can connect a rogue switch that is configured with a low bridge ID to force a spanning tree election; the attacker's switch becomes the root bridge of your network and the traffic flows through the rogue machine, allowing attacks to be executed. The attacker can also perform this kind of attack from a computer running a penetration testing tool, e.g. Yersinia.



For better security, unused ports should:
  • Operate in access mode, assigned to a bogus VLAN (blackhole VLAN)
  • Be shut down
  • Have the negotiation feature turned off using the nonegotiate command under interface configuration
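
A configuration audit for the guidance in this article, as an added example that is not part of the original post: it flags DAI enabled without DHCP snooping, and shut-down ports that lack access mode, the blackhole VLAN or nonegotiate. The sample config, VLAN 999 as the blackhole VLAN, the function names, and treating shut-down ports as the unused ones are assumptions.

```python
# Constructed running-config excerpt, not from a real device. VLAN 999 as the
# blackhole VLAN and the interface names are assumptions for this example.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip arp inspection vlan 10
!
interface GigabitEthernet0/1
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
interface GigabitEthernet0/3
 switchport access vlan 999
 shutdown
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # a global line or "!" ends the interface block
    return interfaces

def audit(config, blackhole_vlan=999):
    """Return findings where the config departs from the guidance above."""
    findings = []
    top = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]
    if any(l.startswith("ip arp inspection vlan ") for l in top) and "ip dhcp snooping" not in top:
        findings.append("DAI enabled without DHCP snooping")
    required = ("switchport mode access",
                f"switchport access vlan {blackhole_vlan}",
                "switchport nonegotiate")
    for name, cmds in parse_interfaces(config).items():
        if "shutdown" in cmds:  # shut-down ports are treated as unused
            findings += [f"{name}: missing '{c}'" for c in required if c not in cmds]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```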

Note: there are more features concerning the topics covered; this article presents the basic functions only.
