Security2006 Eric Vyncke 2

Layer 2 Security
Eric Vyncke
Distinguished Consulting Engineer
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 1
Caveats
All attacks and mitigation techniques assume a switched Ethernet

network running IPv4
All testing was done on Cisco Ethernet Switches
Ethernet switching attack resilience varies widely from vendor to vendor
This is not a comprehensive talk on configuring Ethernet switches

for security or NAC or IEEE 802.1x:
the focus is mostly access L2 attacks and their mitigation
SEC-206 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 2
Agenda
Layer 2 Attack Landscape

Attacks and Counter Measures
MAC Attacks
DHCP Attacks
ARP Attacks
Spoofing Attacks
General Attacks
Summary
Why Worry About Layer 2 Security?
OSI Was Built to Allow Different Layers to Work
Without the Knowledge of Each Other
Host A Host B
Application Stream
Application Application
Presentation Presentation
Session Session
Transport Protocols/Ports Transport
Network IP Addresses Network
Data Link MAC Addresses Data Link
Physical Links
Physical Physical
Lower Levels Affect Higher Levels
Unfortunately this means if one layer is hacked, communications are compromised
without the other layers being aware of the problem
Security is only as strong as the weakest link
When it comes to networking, layer 2 can be a very weak link
Application Stream
Application Compromised Application
POP3, IMAP, IM,
Presentation SSL, SSH Presentation
Session Session
Transport Protocols/Ports Transport
Network IP Addresses Network

Initial
MACCompromise
Addresses
Data Link Data Link
Physical Links
Physical Physical
NetOPS/SecOPS, Whose Problem Is It?
Questions: Most NetOPS Most SecOPS
What is your stance • There are L2 security • I handle security

on L2 security issues? issues at L3 and
issues? above
Do you use VLANs • I use VLANs all • I have no idea if we are
often? the time using VLANs
Do you ever put • Routing in and out of • Why would I care what
different security the same switch is OK the network
levels on the same by me! That’s what guy does with
switch using VLANs? VLANs are for the switch?
What is the process • The security guy asks • I ask NetOPs for a
for allocating me for a new segment, segment, they give me
addresses for I create a VLAN and ports and addresses
segments? assign him an address
space
Agenda

MAC Attacks
DHCP Attacks
ARP Attacks
Spoofing Attacks
General Attacks
Summary
CAM Table Review
CAM table stands for Content Addressable Memory

The CAM table stores information such as MAC
addresses available on physical ports with their
associated VLAN parameters
CAM tables have a fixed size
Normal CAM Behavior 1/3
MAC Port
A 1
rB
C 3 Port 2
fo
MAC B
P
R
A
ARP for B
Port 1
MAC A Port 3
A
R
P
fo
B Is Unknown—
rB
Flood the Frame
MAC C
MAC Port
A 1
B 2
B
C
A
Port 2
M
C 3
MAC B
m
IA
I Am MAC B
Port 1
MAC A Port 3
A Is on Port 1
Learn:
B Is on Port 2
MAC C
MAC Port
A 1
B 2
B
Port 2
Æ
C 3
A
MAC B
fic
af
Tr
Traffic A Æ B
Port 1
MAC A Port 3
B Is on Port 2
Does Not See MAC C

Traffic to B
CAM Overflow 1/2
Macof tool since 1999

About 100 lines of perl
Included in “dsniff”
Attack successful by exploiting the size limit on CAM

tables
Yersinia—Flavor of the month attack tool
CAM Overflow 2/2
MAC Port
A 1
Assume CAM Table Now Full
Y 3
Z
B 3
2
B
Æ
C 3 Port 2
A
Y Is on Port 3 MAC B
fic
af
Tr
Traffic A ÆB
Port 1
MAC A Port 3
IA
Im
TAr
Z Is on Port 3
am
Mf
fAiMc
CAA
YCÆ
Z
B
MAC C
I See Traffic to B!
CAM Table Full
Once the CAM table is full, traffic without a CAM entry

is flooded out every port on that VLAN
but NOT traffic with an existing CAM entry
This will turn a VLAN on a switch basically
into a hub
This attack will also fill the CAM tables of adjacent
switches
BTW Cisco switches never overwrites an existing entry
Idle entries are removed
10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.1, 10.1.1.1 ?
10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.19, 10.1.1.19 ?
10.1.1.26 -> 10.1.1.25 ICMP Echo request (ID: 256 Sequence number: 7424) Å OOPS
10.1.1.25 -> 10.1.1.26 ICMP Echo reply (ID: 256 Sequence number: 7424) Å OOPS
Countermeasures for MAC Attacks
Port Security Limits the Amount of MAC’s
on an Interface
00:0e:00:aa:aa:aa Only One MAC
00:0e:00:bb:bb:bb Addresses
Allowed on the
Port: Shutdown
132,000
Bogus MACs
Solution:
Port security limits MAC flooding
attack and locks down port and
sends an SNMP trap
Building the Layers
Port Security prevents

CAM attacks and DHCP
starvation attacks
Port Security
Agenda

MAC Attacks
DHCP Attacks
ARP Attacks
Spoofing Attacks
General Attacks
Summary
DHCP: quick overview
DHCP Server
Client
DHCP Discover (Broadcast)
IP Address: 10.10.10.101
DHCP Offer (Unicast) Default Routers: 10.10.10.1
DNS Servers: 192.168.10.4,
192.168.10.5
DHCP Request (Broadcast)
DHCP Ack (Unicast)
DHCP Defined by RFC 2131

DHCP Attack Types
DHCP Starvation Attack e
v ic
Client e r
Sf
o
ial
en
Gobbler D DHCP
Server
DHCP Discovery) x (Size of Scope)
DHCP Offer x (Size of DHCPScope)
DHCP Request x (Size of Scope)
DHCP Ack x (Size of Scope)
Gobbler/DHCPx looks at the entire DHCP scope and tries to lease all of
the DHCP addresses available in the DHCP scope
This is a Denial of Service DoS attack using DHCP leases
Countermeasures for DHCP Attacks
DHCP Starvation Attack = Port Security
Client
Gobbler DHCP
Server
Gobbler uses a new MAC address to request a new DHCP
lease
Restrict the number of MAC addresses on an port with port
security
Else use option 82 of DHCP
DHCP server can track which port has already got one IP
address
DHCP Attack Types
Rogue DHCP Server Attack
Client
Vlan 5 Vlan 165
Vlan 5
DHCP
Rogue Server Server
DHCP Discovery (Broadcast)
2 DHCP Offers (Unicast) (1 from Rogue, 1 genuine)
DHCP Request (Broadcast) to 1st offer
DHCP Ack (Unicast) from Rogue Sever
DHCP Attack Types
Rogue DHCP Server Attack
What can the attacker do if he is the DHCP server?

IP Address: 10.10.10.101
Subnet Mask: 255.255.255.0
Default Routers: 10.10.10.1
DNS Servers: 192.168.10.4, 192.168.10.5
Lease Time: 10 days
Here is Your Configuration
What do you see as a potential problem with incorrect

information?
Wrong Default Gateway—Attacker is the gateway
Wrong DNS server—Attacker is DNS server
Wrong IP Address—Attacker does DOS with incorrect IP
Rogue DHCP Server = DHCP Snooping
Client DHCP Snooping Enabled
Untrusted Trusted
Untrusted
OK DHCP DHCP
Rogue Server Responses:
offer, ack, nak
Server
BAD DHCP IOS

Responses: Global Commands
offer, ack, nak ip dhcp snooping vlan 4,104
no ip dhcp snooping information option
ip dhcp snooping
DHCP Snooping Untrusted Client DHCP Snooping Trusted Server

or Uplink
Interface Commands
no ip dhcp snooping trust (Default) Interface Commands
ip dhcp snooping limit rate 10 (pps) ip dhcp snooping trust
By default all ports in the VLAN are untrusted

Rogue DHCP Server = DHCP Snooping
Client DHCP Snooping Enabled
Untrusted Trusted
Untrusted
OK DHCP DHCP
Rogue Server Responses:
offer, ack, nak
Server
BAD DHCP
Responses:
offer, ack, nak
DHCP Snooping Binding Table

sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:03:47:B5:9F:AD 10.120.4.10 193185 dhcp-snooping 4 FastEthernet3/18
Table is built by “Snooping” the DHCP reply to the client

Entries stay in table until DHCP lease time expires
Building the Layers
Port security prevents

DHCP
starvation attacks Snooping
DHCP snooping prevents

rogue DHCP server attacks Port Security
Agenda

MAC Attacks
DHCP Attacks
ARP Attacks
Spoofing Attacks
General Attacks
Summary
ARP Function Review
Before a station can talk to another station it must do an

ARP request to map the IP address to the MAC
address
All computers on the subnet will receive and process
the ARP request; the station that matches the IP
address in the request will send an ARP reply
I Am
10.1.1.4
MAC A
Who Is
10.1.1.4?
ARP Function Review
According to the ARP RFC, a client is allowed to send

an unsolicited ARP reply; this is called a gratuitous
ARP;
ARP other hosts on the same subnet can store this
information in their ARP tables
Anyone can claim to be the owner of any IP/MAC
address they like
ARP attacks use this to redirect traffic
You Are I Am You Are You Are

10.1.1.1 10.1.1.1 10.1.1.1 10.1.1.1
MAC A MAC A MAC A MAC A
ARP Attack in Action
10.1.1.2 Is Now
Attacker “poisons” 10.1.1.1 MAC C
the ARP tables MAC A
ARP 10.1.1.1
Saying ARP 10.1.1.2
10.1.1.2 is MAC C Saying
10.1.1.1 is MAC C
10.1.1.3
MAC C 10.1.1.2
MAC B
10.1.1.1 Is Now
MAC C
ARP Attack in Action
10.1.1.2 Is Now
All traffic flows 10.1.1.1 MAC C
through the attacker MAC A
Transmit/Receive
Traffic to Transmit/Receive
10.1.1.2 is MAC C Traffic to
10.1.1.1 is MAC C
10.1.1.3
MAC C 10.1.1.2
MAC B
10.1.1.1 Is Now
MAC C
Countermeasures to ARP Attacks:
Dynamic ARP Inspection
Uses the DHCP Snooping
10.1.1.1 Binding table information
MAC A Dynamic ARP Inspection
IsNone
This Is My All ARP packets must match
ARP 10.1.1.1 NO!
Binding the IP/MAC Binding table
Matching DHCP Snooping
Saying Table? entries
ARP’s in the Enabled Dynamic If the entries do not match,
10.1.1.2 is MAC C
Bit Bucket ARP Inspection throw them in the bit bucket
Enabled
10.1.1.3
MAC C 10.1.1.2
ARP 10.1.1.2 MAC B
Saying
10.1.1.1 is MAC C
Countermeasures to ARP Attacks:
Dynamic ARP Inspection
Uses the information from the DHCP snooping binding

table
------------------ --------------- ---------- ------------- ---- --------------------
00:03:47:c4:6f:83 10.120.4.11 213454 dhcp-snooping 4 FastEthermet3/21
Looks at the MacAddress and IpAddress fields to see if

the ARP from the interface is in the binding, it not, traffic
is blocked
Building the Layers
Port security prevents CAM Dynamic ARP

Inspection
attacks and DHCP
DHCP

Dynamic ARP inspection

prevents current ARP attacks
Agenda

MAC Attacks
DHCP Attacks
ARP Attacks
Spoofing Attacks
General Attacks
Summary
Spoofing Attacks
MAC spoofing
If MACs are used for network access an attacker can gain
access to the network
Also can be used to take over someone’s identity already on the
network
IP spoofing
Ping of death
ICMP unreachable storm
SYN flood
Trusted IP addresses can be spoofed
Countermeasures to Spoofing Attacks:
IP Source Guard
Uses the DHCP
10.1.1.1 snooping binding
MAC A table information
Traffic Sent with NonIsMatching

This Is My IP source guard
DHCP Snooping
IP 10.1.1.3 NO!
Traffic
Binding
Enabled Dynamic Operates just like
Mac B Dropped
Table? dynamic ARP
ARP Inspection
Enabled IP Source inspection, but looks at
Guard Enabled every packet, not just
ARP packet
10.1.1.3
MAC C 10.1.1.2
Traffic Sent with MAC B
IP 10.1.1.2
Mac C
Received Traffic
Source IP
10.1.1.2
Mac B
Countermeasures to Spoofing Attacks:
IP Source Guard
Uses the information from the DHCP Snooping Binding

table
------------------ --------------- ---------- ------------- ---- --------------------
00:03:47:c4:6f:83 10.120.4.11 213454 dhcp-snooping 4 FastEthermet3/21
Looks at the MacAddress and IpAddress fields to see if

the traffic from the interface is in the binding table, it
not, traffic is blocked
Building the Layers
IP Source
Guard
Port security prevents Dynamic ARP
Inspection
DHCP

Dynamic ARP
inspection prevents
current ARP attacks
IP source guard prevents
IP/MAC spoofing
Agenda

MAC Attacks
DHCP Attacks
ARP Attacks
Spoofing Attacks
General Attacks
Summary
Spanning Tree Basics
STP Purpose: To maintain loop-free topologies in a redundant Layer 2

infrastructure A Switch Is
Elected as Root
Root Root Selection Is

Based on the Lowest
Configured Priority of
A ‘Tree-Like’
Any Switch 0–65535
Loop-Free Topology Is
Established from the
Perspective of the
Root Bridge X
STP is very simple; messages are sent using Bridge Protocol Data Units
(BPDUs); basic messages include: configuration, topology change
notification/acknowledgment (TCN/TCA); most have
no “payload”
Avoiding loops ensures broadcast traffic does not become storms
Spanning Tree Attack Example
Access Switches
Root
Root
Send BPDU messages
to become root bridge
STP
X Blocked
ST
Spanning Tree Attack Example
Access Switches
Root
Root
Send BPDU messages to Blocked
become root bridge X
The attacker then sees frames he
shouldn’t
MITM, DoS, etc. all possible
Although STP takes link speed into
consideration, it is always done from
the perspective of the root bridge.
Taking a Gb backbone to half-duplex
10 Mb was verified
Requires attacker is dual homed to
two different switches
Root
STP Attack Mitigation
Try to design loop-free topologies where ever possible, so you do

not need STP
Don’t disable STP, introducing a loop would become another
attack
Except in loop-free topologies (like layer 3 at access switch)
BPDU guard
Should be run on all user facing ports and infrastructure facing
ports
Disables ports using portfast upon detection of a BPDU message on the port
Cisco Discovery Protocol
Useful protocol but could lead to

information leakage
Enabled: in the core
Disabled: on host facing interface (except
phones)
There was a DoS attack against CDP

but it has been fixed for years
Basic Trunk Port Defined
Trunk with:
VLAN Native VLAN VLAN
10 VLAN 10 20
VLAN 20
VLAN
VLAN 10
20
Trunk ports have access to all VLANS by default

Used to route traffic for multiple VLANS across the same physical
link (generally between switches or phones)
Encapsulation can be 802.1q or ISL
Dynamic Trunk Protocol (DTP)
What is DTP?
Automates 802.1x/ISL trunk
configuration
Operates between switches (Cisco
IP phone is a switch)
Does not operate on routers Dynamic
Support varies, check Trunk
your device Protocol
DTP synchronizes the trunking

mode on end links
DTP state on 802.1q/ISL
trunking port can be set to
“Auto”, “On”, “Off”, “Desirable”,
or “Non-Negotiate”
Basic VLAN Hopping Attack
Trunk with:
VLAN Native VLAN VLAN
10 VLAN 10 20
VLAN 20
Trunk With: VLAN

Native VLAN 10
VLAN 10
VLAN 20
An end station can spoof as a switch with ISL or 802.1q

The station is then a member of all VLANs
Double 802.1q Encapsulation
VLAN Hopping Attack
Strip Off First,
and Send
80
Back Out
2.1
q,8
02
.1 q
802.1q Frame
Fr
am
e
Note: Only Works if Trunk Has the
Same VLAN as the Attacker
Send 802.1q double encapsulated frames

Switch performs only one level of decapsulation
Unidirectional traffic only
Works even if trunk ports are set to off
Security Best Practices for VLANs
and Trunking
Always use a dedicated VLAN ID for all trunk ports

Disable unused ports and put them in an
unused VLAN
Be paranoid: Do not use VLAN 1 for anything
Disable auto-trunking on user facing ports (DTP off)
Explicitly configure trunking on infrastructure ports
Use all tagged mode for the native VLAN on trunks
Use PC voice VLAN Access on phones that
support it
VLAN Hopping
Attacker sends frames to another VLAN

But is unable to receive back traffic
Counter Measures
Disable trunking on all host ports (except
phones)
Never use VLAN 1 anywhere
Specific VLAN for trunk native VLAN
Disable VLAN tag on access ports
Enforce VLAN tag on trunk ports
Control Plane Protection
Even on HW switches, some frames always go to main CPU

ARP
Packets addressed to the switch: OSPF, ICMP,
BPDU
DoS happens when too many packets go to the CPU
100% of CPU => loss of adjacencies, no more ARP, ...
Use control plane policing
Rate limit those packets, done in HW and transparently in most
switches
Switch Management
Management can be your weakest link

All the great mitigation techniques we talked about aren’t worth much if the attacker telnets
into your switch and disables them
Most of the network management protocols we know and love are
insecure (syslog, SNMP, TFTP, Telnet, FTP, etc.)
Consider secure variants of these protocols as they become available
(SSH, SCP, SSL, OTP etc.), where impossible, consider Out- of-Band
(OOB) management
Put the management VLAN into a dedicated non-standard VLAN where nothing but
management traffic resides
Consider physically back-hauling this interface to your management network
When OOB management is not possible, at least limit access to the
management protocols using the “set ip permit” lists on the management
protocols
SSH is available on Catalyst 6K with Catalyst OS 6.1 and Catalyst 4K/29XXG with Catalyst OS
6.3; 3550 in 12.1(11)EA1; 2950 in 12.1(12c)EA1; Cisco IOS 6K 12.1(5c)E12; IOS 4K in
12.1(13)EW
Summary
For your
reference
Matrix for Security Features 1 of 3
Feature/ 6500/ 4500/

6500/Cisco IOS 4500/Cisco IOS
Platform Catalyst OS Catalyst OS
Dynamic Port
Security
7.6(1) 12.1(13)E 5.1(1) 12.1(13)EW
DHCP 12.1(12c)EW
Snooping
8.3(1) 12.2(18)SXE* N/A
**
12.1(19)EW
DAI 8.3(1) 12.2(18)SXE* N/A
**
IP Source 12.1(19)EW
Guard
8.3(1)* 12.2(18)SXD2 N/A
**
* Requires Sup720—Support for Sup32 DHCP Snooping and DAI Q3CY05

** For the Catalyst 4500/IOS-Based Platforms, This Requires Sup2+, Sup3, Sup4, Sup 5.
These Sups Are Supported on the Catalyst 4006, 4503, 4506, and 4507R Chassis
NOTE: There Are No Plans to Support These Features for any Catalyst 4000/4500 Platform
Running Catos, or Any 2900 Platform
For your
reference
Feature/ 3750/3560
3550 EMI 2970 EI 2950 EI 2950 SI
Platform EMI
Dynamic Port 12.0(5.2)WC 12.0(5.2)WC

Security
12.1(25)SE 12.2(25)SEA 12.1(11)AX
1 1
DHCP
Snooping
12.1(25)SE 12.2(25)SEA 12.1(19)EA1 12.1(19)EA1 N/A
DAI 12.2(25)SE 12.2(25)SEA N/A N/A N/A
IP Source
Guard
12.2(25)SE 12.2(25)SEA N/A N/A N/A
Note: Old Names of the Cisco IOS for the 3000 Series Switches Cisco
IOS Feature Finder— http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
For your
reference

Feature/ 3750/3560 3550 3750/3560 3550
Platform Advance IP Advanced IP IP Base IP Base
Dynamic Port
Security
12.1(25)SE 12.2(25)SEA 12.1(25)SE 12.2(25)SEA
DHCP
Snooping
12.1(25)SE 12.2(25)SEA 12.1(25)SE 12.2(25)SEA
DAI 12.2(25)SE 12.2(25)SEA 12.1(25)SE 12.2(25)SEA
IP Source
Guard
12.2(25)SE 12.2(25)SEA 12.1(25)SE 12.2(25)SEA
Note: Old Names of the Cisco IOS for the 3000 Series Switches Cisco
IOS Feature Finder— http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
Conclusion
Layer 2 is not only dumb pipes

You need to secure those pipes
Easy and free IP Source
Guard
Port security Dynamic

ARP
Inspection
DHCP
DHCP snooping Snooping
Port Security
ARP inspection
Source Guard
BPDU Guard
Q&A

Security2006 Eric Vyncke 2

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Security2006 Eric Vyncke 2

Hochgeladen von

Copyright:

Verfügbare Formate

Layer 2 Security

Distinguished Consulting Engineer

 All attacks and mitigation techniques assume a switched Ethernet

 This is not a comprehensive talk on configuring Ethernet switches

 Layer 2 Attack Landscape

Transport Protocols/Ports Transport

Network IP Addresses Network

Data Link MAC Addresses Data Link

Transport Protocols/Ports Transport

Network IP Addresses Network

 What is your stance • There are L2 security • I handle security

 Layer 2 Attack Landscape

 CAM table stands for Content Addressable Memory

Does Not See MAC C

 Macof tool since 1999

 Attack successful by exploiting the size limit on CAM

 Once the CAM table is full, traffic without a CAM entry

 Port Security prevents

 Layer 2 Attack Landscape

DHCP Ack (Unicast)

 DHCP Defined by RFC 2131

DHCP Offer x (Size of DHCPScope)

DHCP Request x (Size of Scope)

DHCP Ack x (Size of Scope)

2 DHCP Offers (Unicast) (1 from Rogue, 1 genuine)

DHCP Request (Broadcast) to 1st offer

DHCP Ack (Unicast) from Rogue Sever

 What can the attacker do if he is the DHCP server?

Here is Your Configuration

 What do you see as a potential problem with incorrect

BAD DHCP IOS

DHCP Snooping Untrusted Client DHCP Snooping Trusted Server

 By default all ports in the VLAN are untrusted

DHCP Snooping Binding Table

 Table is built by “Snooping” the DHCP reply to the client

 Port security prevents

 DHCP snooping prevents

 Layer 2 Attack Landscape

 Before a station can talk to another station it must do an

 According to the ARP RFC, a client is allowed to send

You Are I Am You Are You Are

 Uses the information from the DHCP snooping binding

 Looks at the MacAddress and IpAddress fields to see if

 Port security prevents CAM Dynamic ARP

 DHCP snooping prevents

 Dynamic ARP inspection

 Layer 2 Attack Landscape

Traffic Sent with NonIsMatching

 Uses the information from the DHCP Snooping Binding

 Looks at the MacAddress and IpAddress fields to see if

 DHCP snooping prevents

 Layer 2 Attack Landscape

 STP Purpose: To maintain loop-free topologies in a redundant Layer 2

Root Root Selection Is

 Try to design loop-free topologies where ever possible, so you do

 Useful protocol but could lead to

 There was a DoS attack against CDP

 Trunk ports have access to all VLANS by default

 DTP synchronizes the trunking

Trunk With: VLAN

 An end station can spoof as a switch with ISL or 802.1q

 Send 802.1q double encapsulated frames

 Always use a dedicated VLAN ID for all trunk ports

 Attacker sends frames to another VLAN

All attacks and mitigation techniques assume a switched Ethernet

This is not a comprehensive talk on configuring Ethernet switches

Layer 2 Attack Landscape

What is your stance • There are L2 security • I handle security

Layer 2 Attack Landscape

CAM table stands for Content Addressable Memory

Macof tool since 1999

Attack successful by exploiting the size limit on CAM

Once the CAM table is full, traffic without a CAM entry

Port Security prevents

Layer 2 Attack Landscape

DHCP Defined by RFC 2131

What can the attacker do if he is the DHCP server?

What do you see as a potential problem with incorrect

By default all ports in the VLAN are untrusted

Table is built by “Snooping” the DHCP reply to the client

Port security prevents

DHCP snooping prevents

Layer 2 Attack Landscape

Before a station can talk to another station it must do an

According to the ARP RFC, a client is allowed to send

Uses the information from the DHCP snooping binding

Looks at the MacAddress and IpAddress fields to see if

Port security prevents CAM Dynamic ARP

DHCP snooping prevents

Dynamic ARP inspection

Layer 2 Attack Landscape

Uses the information from the DHCP Snooping Binding

Looks at the MacAddress and IpAddress fields to see if

DHCP snooping prevents

Layer 2 Attack Landscape

STP Purpose: To maintain loop-free topologies in a redundant Layer 2

Try to design loop-free topologies where ever possible, so you do

Useful protocol but could lead to

There was a DoS attack against CDP

Trunk ports have access to all VLANS by default

DTP synchronizes the trunking

An end station can spoof as a switch with ISL or 802.1q

Send 802.1q double encapsulated frames

Always use a dedicated VLAN ID for all trunk ports

Attacker sends frames to another VLAN

Even on HW switches, some frames always go to main CPU

Management can be your weakest link

Layer 2 is not only dumb pipes