CCSP--SECURE-2 LAN security

Netyourlife.net

DHCP snooping

DHCP workflow:

1. The host sends a broadcast packet to the network to confirm whether a DHCP server exists and to confirm the IP address of the DHCP server.

2. Each DHCP server responds to the host and the corresponding packet contains the allocated information.

3. The host sends a request packet to the desired DHCP server.

4. The requesting DHCP server receives the request packet and replies to the ACK or Nak packet. the undesirable DHCP server deletes the Information allocated in step 2.

 

DHCP Spoofing Attack Process:

1. eliminate the server, send a large number of request packets to the real DHCP server, and exhaust its address pool-DHCP hunger attack (because when there are multiple DHCP servers in a network, the client recognizes the first response, and the hunger attack ensures the attack is successful)

2. spoof the client, direct its gateway to itself, run a soft route, and conduct man-in-the-middle attacks

3. implement data listening, tampering, and session hijacking

 

Solution:

DHCP snooping

1. After DHCP snooping is enabled, all ports are untrusted by default, and the port connecting to the DHCP server is set as a trusted port. The untrusted port cannot receive DHCP response packets.

2. Control the number of DHCP requests per unit time to prevent hunger attacks

Configuration:

Ip dhcp snooping limit rate 2 3750 interface with the maximum rate of DHCP Application reception

Show ip dhcp snooping

Show ip dhcp snooping binding

 

After DHCP snooping is configured, an 82 option is forcibly inserted into all DHCP requests sent through this switch (relay proxy option-relay Proxy: Cross-vlan dhcp request address ).

The DHCP server does not respond to this request packet because the request packet contains the 82 option. (Must be disabled)

For solutions, seeRssec.doc

All DHCP Application records that pass the vswitch are recorded in the binding table.

 

 

ARP Control

Solution:

ARP Inspection

1. Enable ARP audit to discard ARP packets sent by devices connected to the untrusted port by setting trust or untrusted mode (default non-Trust ).

2. Limit the number of ARP packets sent by each port within or outside the unit time

 

ARP inspection (ARP Review Technology): prevents ARP spoofing. Divided into Dai (Dynamic ARP review, DHCP environment is required, and DHCP snooping function is enabled, because DHCP binding table is required), Sai (static ARP review, available in all environments ).

 

Show ip arp Inspection

 

ARP review only examines ARP Processes

ErrdisableInterface logic down

Shutdown and no shutdown are required for recovery.

You can set Automatic Recovery (in global mode ):

Errdisable recovery cause... interval...

 

Sai deployment:

1. Manually write the ARP review table

2. Bind The prepared ARP review table to the specified VLAN.

Dai uses the DHCP binding table, so you do not need to manually create an ARP review table. Therefore, you only need ip arp inspection VLAN 10.

Next, you can set the number of ARP packets sent by the trusted port and each port/s.

 

You can manually write the DHCP binding table for the following purposes:

A port has multiple hosts, which require some hosts to transmit data through ARP review or other technologies. If all hosts are configured with DHCP, all hosts are used. If both hosts are configured with static hosts, none of them are used.

 

 

IPSource Address Control

IP source GUARD: If the source IP address and source MAC address of the current traffic access port packet are the same as those in the DHCP snooping binding table, the packet is forwarded. If the source IP address is different from the source MAC address, the packet is discarded.

DHCP snooping examines DHCP packets, ARP inspection reviews ARP packets, and IP source address control reviews true packets.User data packets.

 

Source IP address filtering: filters IP traffic based on IP addresses. IP traffic is permitted only when the source IP address matches the IP source binding entry.

 

Show IP verify source

This table is generated based on the DHCP snooping binding table.

 

Under the Protection of DHCP snooping, the DHCP server can communicate with all devices, and devices that successfully request through the DHCP address can also communicate with other devices, however, devices that do not use the IP Address requested by the DHCP server cannot communicate with other devices.

 

It not only inherits the DHCP snooping binding table, but also inherits the trust relationship of DHCP snooping. Devices under a trusted port can communicate with other devices.

 

A port can be bound to multiple hosts, so you do not have to deploy this policy on the access port.

 

The principle is that when DHCP assigns a table item to a user, the dynamic binding function adds a table item to allow the user to access the network. In this way, the user's own IP address traffic will not be able to pass through this switch.

 

When the PC does not send a DHCP request, the switch port connected to the PC rejects packets other than the DHCP request by default.

 

In IP + mac mode, the port security violation handling function will be disabled. Illegal layer-2 packets are basically discarded. Dai must be used to prevent ARP attacks.

 

For configuration, seeRssec.doc

In addition to configuring the above three technologiesPort-security.Port-Security provides access control to prevent Mac flood.

 

 

STP Protection

Setting portfast for a port is to stop the port from using the STP algorithm.

Portfast configuration (interface mode ):

Spanning-tree portfast

 

The BPDU guard function is to set the port to error-disabled immediately when it receives any BPDU. It is used by network designers to strengthen STP domain boundaries.

BPDU guard Configuration:

Spanning-tree portfast bpduguard default is configured in global mode. bpduguard is enabled on ports with portfast enabled.

Spanning-tree bpduguard enable mode configuration, enable bpduguard without enabling the portfast feature

 

Root GUARD: prevents the newly added vswitch (with a lower root bridge ID) from affecting a stable (with a root bridge already exists) Switching Network, and prevents unauthorized vswitches from becoming the root bridge.

Working principle: When a port starts this feature and receives a BPDU packet with a higher priority than the root bridge, it immediately blocks the port, make it impossible to form a loop. This port feature is dynamic. If you do not receive a better package, the port will change to the forwarding status.

Root guard is performed on the specified port of the DP (designated port), and the port will not change. It will only be DP, which can prevent the newly added switch from becoming root, the port becomes a permanent DP. If the newly added vswitch wants to become root, its port cannot work until the new vswitch requests complete Rp. Show spanning-tree inconsistentport

Root guard configuration (interface mode ):

Spanning-tree root guard (3750: spanning-tree guard root)

This feature must be configured on all interfaces that never become the root switch.

 

The BPDU guard is deployed on the ports of each sub-host connected to the switch. The root guard is deployed on the next connection and will never become the port of the root switch.

CCSP--SECURE-2 LAN security