LAN Network Security

Source: Internet
Author: User

Common threats at the data link layer include MAC address flooding, DHCP server spoofing and address depletion, IP address spoofing, and ARP attacks and spoofing.

Next, let's look at the principle behind each threat and the corresponding defense measures.

I. MAC address flooding (MAC address diffusion)

1. Principle: MAC address flooding exploits the switch's forwarding behaviour. The attacking host keeps sending frames with forged source MAC addresses until the switch's MAC address table overflows. When the switch then receives a legitimate frame whose destination address can no longer be found in the MAC address table, it floods the frame out of all ports, and the attacker receives normal traffic.

During a MAC address flooding attack the switch CPU usage is high; the show processes cpu command displays the CPU usage.

2. Defense measures: port security (supported only on switches of the Cisco 2960 series and above)

Port security is a form of network access control: only devices that comply with the configured rules can access the LAN, which prevents unauthorized clients from joining the network. By default, only the first MAC address learned on a port can communicate normally on the network.

1) Enable port security on the switch port

Switch(config-if)# switchport port-security

A port must be in access or trunk mode before port security can be enabled on it.

2) Configure the violation policy for MAC addresses beyond the limit

Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}

protect: drops frames from MAC addresses beyond the limit and does not record the violation.

restrict: drops frames from MAC addresses beyond the limit and records the violation.

shutdown (default): puts the port into the err-disabled state, which is equivalent to shutting the port down.

3) Configure the maximum number of secure MAC addresses allowed on the interface

Switch(config-if)# switchport port-security maximum <max-addr>

4) Configure a statically bound MAC address

Switch(config-if)# switchport port-security mac-address <mac-addr>

5) Configure the aging time and aging type

Switch(config-if)# switchport port-security aging time <time>

Switch(config-if)# switchport port-security aging type {absolute | inactivity}

absolute: when the aging time expires, all secure MAC addresses on the port are deleted and relearned.

inactivity: if no traffic from a client connected to the port passes during the aging period, its MAC address is deleted from the MAC address table.

6) Configure sticky MAC address learning for port security

Switch(config-if)# switchport port-security mac-address sticky

7) View the port security status

Switch# show port-security interface f0/0

8) Clear the dynamically learned secure MAC addresses of one interface or of all ports

Switch# clear port-security dynamic {address <mac-addr> | interface f0/0}

9) Apply aging to statically bound MAC addresses so that they are removed when the aging time expires

Switch(config-if)# switchport port-security aging static
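As an added illustration that is not part of the original article, the following toy simulation models the switch behaviour described above: a bounded MAC address table that floods frames to unknown destinations, and per-port port security with the maximum and violation settings from steps 2 and 3. Port names, table size and MAC addresses are constructed for the example.

```python
from collections import OrderedDict

class Switch:
    """Toy learning switch with a bounded MAC table and per-port port security.
    Constructed example: port names and MAC addresses are made up."""

    def __init__(self, table_size, ports):
        self.table_size = table_size
        self.mac_table = OrderedDict()          # mac -> port, oldest entry first
        self.ports = {p: {"max": None, "violation": "shutdown", "secure": set(),
                          "err_disabled": False, "violations": 0} for p in ports}

    def port_security(self, port, maximum, violation="shutdown"):
        """Models 'switchport port-security maximum <max>' and '... violation <mode>'."""
        self.ports[port].update(max=maximum, violation=violation)

    def learn(self, mac, port):
        if mac in self.mac_table:
            self.mac_table.move_to_end(mac)
        elif len(self.mac_table) >= self.table_size:
            self.mac_table.popitem(last=False)  # table full: the oldest entry is evicted
        self.mac_table[mac] = port

    def receive(self, port, src, dst):
        """Process one frame; return 'forward:<port>', 'flood' or 'drop'."""
        p = self.ports[port]
        if p["err_disabled"]:
            return "drop"
        if p["max"] is not None and src not in p["secure"]:
            if len(p["secure"]) >= p["max"]:     # a new source beyond the limit is a violation
                if p["violation"] != "protect":  # protect drops silently; restrict records it
                    p["violations"] += 1
                if p["violation"] == "shutdown":
                    p["err_disabled"] = True     # shutdown: the port goes err-disabled
                return "drop"
            p["secure"].add(src)
        self.learn(src, port)
        out = self.mac_table.get(dst)
        return f"forward:{out}" if out else "flood"   # unknown destination is flooded

def demo(with_port_security):
    """Hosts A (Fa0/1) and B (Fa0/2) exchange frames while an attacker on Fa0/3 sends
    frames from 12 forged source MACs; returns how the switch then handles B -> A."""
    sw = Switch(table_size=8, ports=["Fa0/1", "Fa0/2", "Fa0/3"])
    if with_port_security:
        sw.port_security("Fa0/3", maximum=1, violation="restrict")
    sw.receive("Fa0/1", "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02")   # switch learns A
    sw.receive("Fa0/2", "bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01")   # switch learns B
    for i in range(12):
        sw.receive("Fa0/3", f"02:00:00:00:00:{i:02x}", "bb:bb:bb:bb:bb:02")
    return sw.receive("Fa0/2", "bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01")
```

Without port security the forged sources evict A's entry and the B -> A frame is flooded to every port; with a maximum of one address on Fa0/3 the table keeps A and the frame is forwarded to Fa0/1 only.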

II. DHCP server spoofing and address depletion

1. Principle:

DHCP server spoofing: a client sets itself up as a DHCP server and assigns fake IP addresses and related configuration, or directly answers DHCP requests from other clients.

DHCP address depletion: a client repeatedly impersonates new clients and sends DHCP requests asking the server to assign it an IP address. The DHCP address pool is quickly exhausted, so legitimate users cannot obtain an IP address.

2. Defense measures: DHCP snooping

DHCP snooping divides switch ports into two types:

Untrusted port: a port connected to end devices. Clients on it may only send DHCP request packets; all other DHCP packets arriving on the port are discarded.

Trusted port: a port connected to a legitimate DHCP server, or an aggregation (uplink) port.

DHCP snooping builds a DHCP binding table containing the IP address, MAC address, port number, VLAN, binding type and lease time of each client on an untrusted port. The DHCP binding table is the basis for deploying IP Source Guard and dynamic ARP inspection later.

1) Enable DHCP snooping

Switch(config)# ip dhcp snooping

Switch(config)# ip dhcp snooping vlan <number>

2) Configure a trusted port

Switch(config-if)# ip dhcp snooping trust

3) Insert option 82 into DHCP messages (enabled by default)

Switch(config)# ip dhcp snooping information option

4) Configuration to prevent DHCP address depletion attacks

Switch(config-if)# ip dhcp snooping limit rate <rate>   (in packets per second)

Enable MAC address verification to prevent DHCP depletion attacks:

Switch(config)# ip dhcp snooping verify mac-address

After MAC address verification is enabled, the switch checks whether the source MAC address of a DHCP request received on an untrusted port matches the client hardware address carried inside the DHCP request. This prevents requests with forged MAC addresses from obtaining IP addresses in a DHCP depletion attack.

5) Configure automatic recovery of err-disabled ports

Switch(config)# errdisable recovery cause dhcp-rate-limit

Switch(config)# errdisable recovery interval <time>

6) Query the DHCP snooping status

Switch# show ip dhcp snooping

Switch# show ip dhcp snooping binding

7) Option 82 of a DHCP packet is normally inserted by a DHCP relay agent; DHCP snooping uses option 82 to add client information. To allow DHCP packets that carry option 82 but contain no relay information to pass:

Switch(config-if)# ip dhcp relay information trusted

or Switch(config)# ip dhcp relay information trust-all
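The untrusted-port rules from this section, as an added example that is not part of the original article: it parses a DHCP frame, drops server messages arriving on an untrusted port, applies the MAC address verification of step 4 (frame source MAC versus the DHCP client hardware address), and err-disables a port that exceeds its rate limit. All MAC addresses and the frame contents are constructed.

```python
import struct

# Constructed sample addresses (not real hosts).
CLIENT_MAC = bytes.fromhex("020000000a64")
FORGED_MAC = bytes.fromhex("02deadbeef01")
SERVER_MAC = bytes.fromhex("020000000a01")
MAGIC = b"\x63\x82\x53\x63"        # DHCP magic cookie that follows the BOOTP header

def build_dhcp_frame(src_mac, chaddr, op):
    """Ethernet/IPv4/UDP/BOOTP frame; op 1 = client request, op 2 = server reply."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s4s", op, 1, 6, 0, 0x3903F326, 0,
                        0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128, MAGIC)
    sport, dport = (68, 67) if op == 1 else (67, 68)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0" * 4, b"\xff" * 4) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip

class SnoopedPort:
    """DHCP snooping state for one switch port: trust flag, pps limit, err-disable."""

    def __init__(self, trusted=False, rate_limit=None):
        self.trusted, self.rate_limit = trusted, rate_limit
        self.err_disabled = False
        self._arrivals = []                   # arrival times of DHCP packets in the last second

    def inspect(self, frame, now=0.0):
        """Return 'forward' or a drop reason for a DHCP frame arriving at time `now`."""
        if self.err_disabled:
            return "drop: port err-disabled"
        if self.rate_limit is not None:       # 'ip dhcp snooping limit rate <rate>'
            self._arrivals = [t for t in self._arrivals if now - t < 1.0] + [now]
            if len(self._arrivals) > self.rate_limit:
                self.err_disabled = True      # cleared by errdisable recovery cause dhcp-rate-limit
                return "drop: rate limit exceeded, port err-disabled"
        if self.trusted:
            return "forward"                  # trusted ports pass all DHCP traffic
        ihl = (frame[14] & 0x0F) * 4
        bootp = frame[14 + ihl + 8:]          # skip the Ethernet, IPv4 and UDP headers
        op, hlen = bootp[0], bootp[2]
        if op != 1:
            return "drop: server message on untrusted port"
        if bootp[28:28 + hlen] != frame[6:12]:   # 'ip dhcp snooping verify mac-address'
            return "drop: frame source MAC does not match DHCP client hardware address"
        return "forward"
```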

III. IP address spoofing

1. Principle: in IP address spoofing, a client uses a forged IP address to impersonate another client or the network administrator and carries out unauthorized operations against other users, devices and servers.

2. Preventive measures: IP Source Guard (IP source protection)

IP Source Guard is a port-level traffic filtering technology based on IP/MAC addresses, built on top of DHCP snooping. An IP source binding table is generated from the DHCP snooping binding table; based on it, IP Source Guard automatically applies a policy to the port that checks incoming traffic and discards packets that do not match a binding. After IP Source Guard is enabled, the port allows DHCP packets by default. Only switches of the Cisco 3560 series and above support IP Source Guard.

1) Enable IP Source Guard (DHCP snooping must first be enabled in the VLAN)

Enable source IP address filtering:

Switch(config-if)# ip verify source   // Cisco 3560 series switches

Switch(config-if)# ip verify source vlan dhcp-snooping   // Cisco 4500/6500 series switches

Enable source IP address and source MAC address filtering (port security must be enabled first):

Switch(config-if)# ip verify source port-security   // Cisco 3560 series switches

Switch(config-if)# ip verify source vlan dhcp-snooping port-security   // Cisco 4500/6500 series switches

2) Configure a static IP source binding

Switch(config)# ip source binding <mac-address> vlan <vlan-number> <ip-address> interface f0/0

3) View the IP Source Guard status and the binding table

Switch# show ip source binding

Switch# show ip verify source

IV. ARP attacks and spoofing

1. Principle

Principle of an ARP attack: the attacking host generates a forged ARP reply and sends it to every host in the LAN except the victim. The reply contains the victim's IP address paired with a fake MAC address.

Alternatively, the attacking host generates a forged ARP reply and sends it to the victim itself. The reply contains the IP addresses of all other hosts in the LAN paired with fake MAC addresses.

Principle of ARP spoofing: by impersonating the gateway or another host, the attacker causes traffic destined for the gateway or that host to be forwarded through the attacking host, which lets it control the traffic or obtain confidential information.

2. Preventive measures: Dynamic ARP Inspection (DAI)

DAI inspects ARP packets against the DHCP snooping binding table and the static IP source bindings configured for IP Source Guard. (Supported only on Layer 3 switches.)

1) Enable DAI on the specified VLAN

Switch(config)# ip arp inspection vlan <number>

2) Configure a trusted port

Switch(config-if)# ip arp inspection trust

3) Limit the inbound ARP packet rate

Switch(config-if)# ip arp inspection limit rate <rate>

4) View the DAI configuration and status

View the DAI-enabled ports and their trust status:

Switch# show ip arp inspection interface

View information about the VLANs with DAI enabled:

Switch# show ip arp inspection vlan 10

View ARP packet statistics for a VLAN with DAI enabled:

Switch# show ip arp inspection statistics vlan 10

Switch# show ip arp inspection
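The DAI check described above, as an added example that is not part of the original article: an ARP frame received in a VLAN on an untrusted port is parsed and its sender IP/MAC pair is compared with the binding table, which here combines DHCP-snooping-learned entries with a static IP source binding for the gateway; trusted ports bypass the check. The binding table, addresses and frames are constructed.

```python
import struct

# Constructed binding table keyed by (vlan, ip) -> (mac, source). Two entries were
# learned by DHCP snooping, one is a static 'ip source binding' for the gateway.
BINDINGS = {
    (10, "192.168.10.100"): ("02:00:00:00:0a:64", "dhcp-snooping"),
    (10, "192.168.10.101"): ("02:00:00:00:0a:65", "dhcp-snooping"),
    (10, "192.168.10.1"):   ("02:00:00:00:0a:01", "static"),
}
ARP_FMT = "!HHBBH6s4s6s4s"        # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(o) for o in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp_frame(src_mac, oper, sha, spa, tha, tpa):
    """Ethernet + ARP frame (RFC 826); oper 1 = request, 2 = reply."""
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac_bytes(sha), ip_bytes(spa),
                      mac_bytes(tha), ip_bytes(tpa))
    return mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac) + b"\x08\x06" + arp

def dai_inspect(frame, vlan, trusted=False):
    """Return 'forward' or a drop reason for an ARP frame received in `vlan`."""
    if trusted:
        return "forward"                      # 'ip arp inspection trust': no checks
    if frame[12:14] != b"\x08\x06":
        return "forward"                      # DAI only inspects ARP frames
    _, _, _, _, oper, sha, spa, _, _ = struct.unpack(ARP_FMT, frame[14:42])
    sender_ip, sender_mac = ip_str(spa), mac_str(sha)
    binding = BINDINGS.get((vlan, sender_ip))
    if binding is None:                       # sender IP never learned or bound in this VLAN
        return f"drop: no binding for {sender_ip} in vlan {vlan}"
    bound_mac, source = binding
    if bound_mac != sender_mac:               # IP-to-MAC pair contradicts the binding table
        kind = "reply" if oper == 2 else "request"
        return (f"drop: ARP {kind} claims {sender_ip} is at {sender_mac}, "
                f"binding ({source}) says {bound_mac}")
    return "forward"
```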
