13856_10_2001_c1_X © 2001, Cisco Systems, Inc. All rights reserved.
Cisco Network Admission Control & the Self Defending Network Initiative
802.1x & Identity Based Networking
Tim Ryan – Cisco SE
Cisco’s Embedded Intelligent Security Evolving with Today’s Threats
Adjunct Based Security (2000: FW, IDS and VPN as separate appliances)
• Adjunct Security Appliances plugged into the Network
• Enhanced Device Security
• Separate Mgt Software
Integrated Security (2002: FW, IDS, VPN)
• Security Service Modules Integrated into the Infrastructure
• FW + Intrusion Detection + VPN
• Integrated Mgt Software
Embedded Intelligent Security (Today: FW, IDS, VPN, Identity, L2/3 Hardening, HIPS)
• Network Wide Security Fully Embedded into Network Infrastructure
• Self Defending, Protecting, Preventing, Healing
• Control of “Who” has Network Access and “What” they can do
Cisco End-to-End Security Productization
Figure: Network-Based Security (VPN, FW, IDS, FW + VPN, AppFW, SSL VPN, In-Line IPS, ID/Trust) and Host-Based Security (AV, HIDS, Pers. FW, VPN, Behavior/Anomaly IPS/FW). Captions: Comprehensive Desktop Solution; Integration of Capabilities into Converged Appliance/Switch; Intelligent Linkage of Endpoint with Network.
Intelligent Embedded Campus Security: “Tighten Down the Hatches”
Figure: campus built on Cisco Catalyst Integrated Security and Cisco Identity Based Networking Services (IBNS). Callouts: Authorized User Quarantine VLAN; Authorized User Access to HR Records; Protects Against Today’s Emerging Attacks: “Man-in-the-middle”, “DHCP Server Spoofing”, “IP Address Spoofing”; Detects And Isolates Infected Users with Host IPS (CSA) and Cisco Identity (IBNS); “Controlling Who/What gets access to the Network and What they can do”; Unauthorized users Denied Access; Rogue AP’s Prevented; Record “Data”; Man in the Middle Attack.
What if you could… “Control Who’s/What is on your Network?”
Figure: Corporate Resources reached by an Authorized User, by Unauthorized users With Physical Access (Visitors, “Door Tailgaters” etc) and by Unauthorized External Wireless Users.
• 99% of accessible Network ports are “open”
Cisco Embedded Security with IBNS: Determining “who” gets access and “what” they can do
Figure: User Identity Based Network Access to the Campus Network; User Based Policies Applied (BW, QoS etc); Authorized Users/Devices are admitted, Unauthorized Users/Devices are not.
• Equivalent to placing a Security Guard at each Switch Port
• Only Authorized users can get Network Access
• Unauthorized users can be placed into “Guest” VLANs
• Prevents unauthorized APs
Internet Worm Infection
Figure: a Worm Attack from the Internet reaching the Data Center, Branch, Remote User, LAN and Wireless LAN.
• Self propagating worms continue to disrupt business, causing downtime and continual patching
• Non-compliant servers and desktops are common, and they are difficult to detect and contain
• Locating and isolating infected systems is time and resource intensive
Diverse Endpoint and User Community
Figure: Branch, Internet, Data Center, Remote User, Wireless LAN and LAN.
• The virus/worm problem is compounded by today’s networked environment
• Multiple types of end users – employees, vendors, contractors, etc.
• Multiple types of endpoints – company desktop, home, server, etc.
• Multiple types of access – wired, wireless, VPN, dial, etc.
Attack vectors can come from anywhere
Ideal Solution: An Integrated System
Figure: Policy Servers, Branch, Internet and Remote User. Callouts: Compliant Endpoint: Admit!; Non-Compliant Endpoint: Quarantine!; Internet: Deny!
• Multiple components are required for a complete solution
• Endpoint Security solutions know the security condition: type/compliance/etc
• Policy Servers know compliance/access rules
• Network access devices (routers, switches) enforce admission policy
• Virus/worm prevention and containment requires industry collaboration
Cisco Network Admission Control (NAC) Summary
• Cisco Network Admission Control (NAC) is a Cisco-led, industry-leading program focused on limiting damage from emerging security threats such as viruses and worms
• In NAC, customers can allow network access only to compliant and trusted endpoint devices (e.g. PCs, servers, PDAs) and can restrict the access of non-compliant devices
• Initial NAC co-sponsors include Network Associates, Symantec, and Trend Micro
• NAC is the first phase of the Cisco Self-Defending Network Initiative, an effort designed to dramatically improve the ability of networks to identify, prevent, and adapt to threats
• These efforts extend Cisco’s ability to provide secure, intelligent networks for customers
Cisco Network Admission Control (NAC)
Figure: Hosts Attempting Network Access run the Anti-Virus client, Cisco Security Agent and Cisco Trust Agent (Security Credential Checking); the Cisco Network Access Device performs Security Policy Enforcement; the Cisco Policy Server performs Security Policy Creation; the AV Vendor Policy Server performs AV Policy Evaluation.
• Based on endpoint security posture, appropriate admission policy will be enforced in the network
• Cisco & NAC co-sponsors to deliver this collaborative solution
NAC Program Overview
• Cisco is driving the architectures, specifications and guidelines of NAC
• Initial NAC co-sponsors include the major Anti-Virus vendors: Network Associates, Symantec, and Trend Micro
• Cisco Security Agent and NAC co-sponsor AV solutions will leverage Cisco Trust Agent for intelligent admission control
• Initial NAC capability to be delivered in Q2 CY04 in Cisco routers
• Future NAC extensions:
More Cisco network devices
More endpoint security software and endpoint platforms (OSs)
More industry co-sponsors
Solution “opened”, timing and extent TBD
Figure: Cisco Trust Agent architecture: the AV Client and CSA sit on a Broker and Security layer that exposes an EAP/TLV API; the Comms: L2/3 Service layer carries EAP/UDP or EAP/802.1X.
NAC Deployment Scenarios: Comprehensive Compliance Validation
Figure: Main Office (Campus FW, Edge Router, AV Server, AAA Svr), Branch Office (Branch Router), Internet and Remote Access (Dial-in NAS, RA IPsec VPN). Labelled links: RADIUS (posture), SSL, EAP/UDP.
1: Branch office compliance – Enforce on L3 router and firewall (EAP/UDP)
2: Remote access compliance – Extension of “Are You There” (EAP/UDP after IPsec)
3: Dial-in access compliance – TBD
4: Wireless campus protection – Quarantine with ACLs/VLANS; Extension of 802.1x (EAP 802.1x wireless)
5: Campus access and data center protection – Quarantine with ACLs/VLANS; Extension of wired 802.1x (EAP 802.1x wired)
• Ubiquitous solution for all connection methods
• Validates all hosts
NAC Customer Benefits
• Dramatically improved security for non-compliant hosts
• Increased network resilience
• Extended value from Cisco network infrastructure investment
• Increased value of existing investment in AV
NAC Customer Validation
General Interest (over 80%)*
Strategic Interest
• 50+ Cisco Enterprise customers pre-briefed on NAC and Self-Defending Network
• Consistently positive feedback
• Interest spans all vertical markets
• Strong desire for acceleration of future phases
• Must include key AV partners
*Cisco survey, Feb 3-5 2003, 250+ NIDS customers; similar results in a blind survey
Self-Defending Network Futures: Infection Containment
Figure: Campus and Gateway; Infected Host, Local L2/L3 Device, Policy System (Policy Svr) and Virus Detectors: AV Systems (Server, Desktop, AV Mgmt), IDS Systems (NIDS, HIDS) and Other Virus Detectors (includes network proxy devices).
1. Infected host sends virus data through local L2/L3 device to network
2. Virus detector notices virus data from sender, notifies policy system
3. Policy server determines containment action
4. Policy determines closest local L2/L3 device to infected host & communicates containment action
5. Local L2/L3 device enforces containment action
Isolate!
In addition to securing network access… What else can we do?
• If you know “who” and “what” are now on the network, what could you do with this info?
• Now:
Cisco 802.1x Extensions
VLAN Assignments
Apply Security Profiles
Specify IP Assignment
Secure IP Telephony
• Future:
Posture & Virus scanning/Quarantine VLAN ?
Dynamic FW control/access/auth ?
IDS + Identity + Mgmt ?
Cisco Identity – Current and future capabilities…
Figure: Faculty, Dorm Student and Off-Campus Student users reaching Employee Servers, with CiscoSecure ACS RADIUS making the policy decision.
• Dynamic VLAN Assignment
• Dynamic Security Policy Assignment using ACLs
• Dynamic QoS Assignment using ACLs including dynamic per-user/per-port policing
• IBNS-based User/Port Accounting
Campus Identity – Policy Enforcement. Future Capability: Beyond User Credentials…
• Problem:
How can we leverage Identity to create finer granulations in policy based on more attributes from the user
• Cisco Solution in development:
Attributes such as antivirus and host intrusion detection software and .dat file levels can be passed in addition to userid/pw credentials in the authentication process to segment “unhealthy” users away from “healthy” ones
• First Phase: Symantec, Network Associates, Trend Micro, Cisco Security Agent
Figure: an Employee reaches the Employee Servers; a Student is placed in the Quarantined VLAN by the CiscoSecure ACS RADIUS/Policy Server. Client: “Access please, my AV software is version X”. Server: “Sorry, your AV Software is backlevel”.
802.1x – Ratified by the IEEE - June 2001
• Open-standards-based protocol for authenticating network clients (or ports) on a user-ID basis, aka “port-level authentication”
• It takes the RADIUS methodology and separates it into three distinct groups: the Supplicant, Authenticator, and Authentication Server.
• IEEE 802.1X provides automated user identification, centralized authentication, key management, and provisioning of LAN connectivity. It even provides support for roaming access in public areas.
802.1x + EAP (Extensible Authentication Protocol)
• 802.1x builds on an existing protocol called Extensible Authentication Protocol (EAP [RFC 2284])
• Tied into the bigger picture, so to speak, EAP conducts the authentication process. It ties Point-to-Point Protocol (PPP) to the physical layer, OSI Layer 1.
• EAP over LAN (EAPOL) is EAP encapsulated into 802 frames. This is how the Authenticator and Supplicant actually communicate during the authentication process.
• EAP is compatible with Ethernet, Token Ring, 802.11, and other popular network protocols.
• EAP supports many authentication methods such as Kerberos, public key, one-time passwords, etc., and it can utilize Transport Layer Security (TLS) and Secure Remote Password (SRP).
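The EAPOL encapsulation and the Supplicant/Authenticator exchange described on this slide, as an added example that is not part of the original deck: it builds EAPOL-Start and EAP Response/Identity frames from the IEEE 802.1X and RFC 2284 header layouts, decodes them, and keeps the authenticator's controlled port blocked until RADIUS returns EAP-Success. The supplicant MAC and the identity "alice" are made-up values.

```python
"""Decode IEEE 802.1X EAPOL frames and drive a minimal authenticator port.
Added example, not code from the original slides: layouts follow IEEE 802.1X
(EAPOL) and RFC 2284 (EAP); all frames are constructed inline, and the
supplicant MAC and the identity "alice" are made-up values."""
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X group destination MAC
SUPPLICANT_MAC = bytes.fromhex("000e00aaaaaa")  # constructed
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC", 13: "TLS",
             17: "LEAP", 21: "TTLS", 25: "PEAP"}


def build_eap(code, ident, eap_type=None, data=b""):
    """EAP header (code, id, length) plus optional Type byte and type data."""
    payload = bytes([eap_type]) + data if eap_type is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def build_eapol(src, ptype, body=b""):
    """Wrap an EAPOL body in an 802.3 frame: this is EAP over LAN (EAPOL)."""
    hdr = struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(body))
    return PAE_GROUP_ADDR + src + hdr + body


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    info = {"code": EAP_CODES.get(code, "unknown"), "id": ident}
    if code in (1, 2) and length > 4:  # only Request/Response carry a Type
        info["eap_type"] = EAP_TYPES.get(pkt[4], "unknown")
        info["data"] = pkt[5:length]
    return info


def parse_eapol(frame):
    """Return EAPOL fields and, for an EAP-Packet, the decoded EAP header."""
    src, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not EAPOL: EtherType 0x%04x" % ethertype)
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    info = {"src": src.hex(":"), "version": version,
            "type": EAPOL_TYPES.get(ptype, "unknown")}
    if ptype == 0:
        info.update(parse_eap(frame[18:18 + body_len]))
    return info


class AuthenticatorPort:
    """Controlled port: all traffic blocked until RADIUS returns EAP-Success."""
    def __init__(self):
        self.authorized, self.identity = False, None

    def from_supplicant(self, frame):
        info = parse_eapol(frame)
        if info["type"] in ("EAPOL-Start", "EAPOL-Logoff"):
            self.authorized = False  # Start restarts the exchange, Logoff ends it
            return "send EAP-Request/Identity" if info["type"] == "EAPOL-Start" else "port unauthorized"
        if info["type"] == "EAP-Packet" and info["code"] == "Response":
            if info.get("eap_type") == "Identity":
                self.identity = info["data"].decode()
            return "relay to RADIUS"  # the authenticator never interprets the method
        return "ignored"

    def from_radius(self, eap):
        self.authorized = parse_eap(eap)["code"] == "Success"
        return "relay to supplicant"


def demo():
    """Start -> Response/Identity -> Success: authenticate, then authorize."""
    port = AuthenticatorPort()
    steps = [port.from_supplicant(build_eapol(SUPPLICANT_MAC, 1)),
             port.from_supplicant(build_eapol(SUPPLICANT_MAC, 0,
                                              build_eap(2, 1, 1, b"alice"))),
             port.from_radius(build_eap(3, 2))]
    return port.authorized, port.identity, steps
```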
802.1x provides an architecture for many authentication types and link layers
Today EAP-TLS requires the use of Digital Certificates and a Certificate Authority. WinXP, Win 2k, Win 9x and 3rd party clients support this. Future versions will allow for other authentication options.
802.1x Open Benefits
• 802.1x was designed to be inexpensive to implement on existing network hardware, utilizing existing network-access infrastructure (RADIUS, LDAP, Active Directory, etc.).
• EAP-compatible RADIUS servers include, among others, Microsoft Windows 2000 Server (IAS), Cisco ACS, Funk RADIUS and Interlink Networks RADIUS Server. Other vendors that support 802.1x are AirWave, Compaq, Dell, IBM, Intel, Symbol, Toshiba, Telison and Wayport.
• 802.1x protocol requires two distinct steps. First, the Supplicant is authenticated, and then it is authorized access privileges.
• Privileges are distributed in the form of tokens, which can be defined to include anything that may interest a security professional, such as VLAN IDs, rate limits, filters, tunnels, etc.
Extensible Authentication Protocol: Some Common EAP Types
• EAP Cisco Wireless EAP (LEAP)—802.1X EAP authentication type developed by Cisco to provide dynamic per-user, per-session WEP encryption keys.
• PEAP—802.1X EAP authentication type that takes advantage of server-side EAP-TLS and supports a variety of different authentication methods, including logon passwords and one-time passwords (OTPs).
• EAP-TLS (Transport Layer Security) – 802.1X EAP authentication algorithm based on the TLS protocol (RFC 2246). Uses mutual authentication based on X.509 certificates.
• EAP-Message Digest 5 (MD5)—User name-and-password method that incorporates MD5 hashing for more secure authentication.
• EAP-Generic Token Card (GTC)—One of the defined EAP types in RFC 2284, allows OTP authentication.
• EAP-TTLS (Tunneled TLS) – authentication from Funk SW.
802.1x EAP Authentication Choices
• LEAP
802.1x framework, password-based authentication, uses MS-CHAP v1
Only advanced authentication solution supported on all major OS’s (Windows, Mac, Linux, etc.)
Cisco in the process of licensing LEAP to other key clients to move it from being “proprietary” to “widely-supported”
• PEAP with One-Time Passwords (“OTP”)
Protected EAP (Creates a PKI based Secure/Encrypted tunnel from AP to Radius Server – allowing for other types of client side authentication)
802.1x framework, certificate-based authentication
PEAP supported by Cisco, Microsoft, & RSA; draft standard proposed to IETF
Creates encrypted tunnel between client and Radius server, similar to VPN
PEAP supported in Cisco ACS Server software ver. 3.1
One-Time Password (“OTP”) is a Cisco enhancement to PEAP, similar to Softoken or OTP cards
PEAP with OTP available from Cisco as a software upgrade on 802.1x-supported client OS’s
Cisco EAP aka Cisco LEAP + 802.1x Authentication Process
Figure: message sequence between the Client (supplicant), the Access Point (AP) / Switch (authenticator) and the RADIUS authentication server. The AP blocks all requests until Cisco LEAP completes.
Client to AP: Start
AP to client: Request identity
Client to AP, AP to RADIUS server: username
RADIUS server to AP, AP to client: challenge
Client to AP, AP to RADIUS server: response (RADIUS server authenticates client)
RADIUS server to AP, AP to client: success
Client to AP, AP to RADIUS server: challenge
RADIUS server to AP: response, key; AP to client: response (Client authenticates RADIUS server); client derives key
AP to client: key length
AP to client: broadcast key (AP sends client broadcast key, encrypted with session key)
EAP-PEAP – Walk Through Example
Figure: message sequence between the client, AP, RADIUS server and Certificate Authority. The Authenticator blocks all requests until authentication completes.
Client to AP: Start
AP to client: Request identity
Client to AP, AP to RADIUS server: identity
Server Side Authentication: RADIUS server sends its Server certificate (issued by the Certificate Authority) to the client
Encrypted Tunnel Established
Client Side Authentication: EAP in EAP Authentication (pass Generic Token Card in TLS application data), checked by the RADIUS server against LDAP / NDS / OTP
AP to client: key length
AP to client: broadcast key (AP sends client broadcast key, encrypted with session key)
Identity Based Networking: What can we do Today!
• Enhanced Port Based Access Control
• Greater flexibility and mobility for a stratified user community
• Enhanced User Productivity
• Added support for converged VoIP networks
• Centralized Management with AAA server
• Wireless Mobility with 802.1X and EAP Authentication Types
• Catalyst Switch Portfolio
• Basic 802.1X Support
• 802.1X with VLANs
• 802.1X with Port Security
• 802.1X with VVID
• 802.1X Guest VLANs
• 802.1X with ACLs
Identity Based Networking Service
Identity Based Network Services (IBNS) End-to-End Architecture
Figure: product bar – Cisco Aironet, Catalyst 6500, Catalyst 4000/4500, Catalyst 3550/2950/3750, Cisco ACS Server
• CatOS
7.5.1
802.1x w/ VLAN Assignment
802.1x w/ VVID
802.1x w/ Guest VLAN
802.1x w/ Port Security
7.6.1
802.1x w/ DHCP
7.7.1 (Target)
802.1x w/ Guest VLAN/port
7.8/8.1 (Target) – Q4CY03
802.1x with ACL/QoS
• IOS
12.1(13)E
802.1x w/ VLAN Assignment
1HCY04:
802.1x w/ VVID
802.1x Guest VLAN
802.1x w/ Port Security
802.1x with ACL/QoS
Identity Based Networking Service
Identity Based Network Services (IBNS) End-to-End Architecture
• CatOS
7.5.1
802.1x w/ VLAN Assignment
8.1 – Q4CY03
802.1x w/ VVID
802.1x w/ Guest VLAN
802.1x w/ Port Security
• IOS
12.1(19)EW – June ‘03
802.1x w/ VLAN Assignment
802.1x Guest VLAN
Roadmapped
802.1x w/ VVID
802.1x w/ Port Security
802.1x with ACL/QoS
802.1x Accounting
Identity Based Networking Service
Identity Based Network Services (IBNS) End-to-End Architecture
• 2950/2955 – 12.1(12c)EA1
802.1x w/ VLAN Assignment
802.1x w/ VVID
802.1x w/ Port Sec
12.1(14)EA1
802.1x Guest VLAN
• 3550 (EMI/SMI) – 12.1(12c)EA1
802.1x w/ VLAN Assignment
802.1x w/ VVID
802.1x w/ Port Sec
12.1(14)EA1
802.1x Guest VLAN
• 3750 – Aug ‘03
802.1x w/ VLAN Assignment
802.1x w/ VVID
802.1x Guest VLAN
802.1x w/ DHCP
802.1x w/ ACL/QoS
Identity Based Networking Service
Identity Based Network Services (IBNS) End-to-End Architecture
Cisco ACS Server
• Commercial RADIUS & TACACS+
• Scalable to 100K users/8K devices
• 3.2 Avail Now
Appliance
Microsoft PEAP
PEAP Proxy
Machine Auth
EAP Type Negotiation
LDAP Multithreading
EAP Performance
Windows password
• 3.3 Avail Q2 ‘04
802.1X/IBNS complementary features with Catalyst/Wireless
802.1X Catalyst/IBNS enhancements (guest VLAN, accounting, CRL)
EAP enhancements (LEAP, PEAP v2)
User Quarantine
Identity Based Networking Service
Identity Based Network Services (IBNS) End-to-End Architecture
Cisco Aironet
• AP 350: 802.1x for AP LAN Access – Not Committed
• AP 1100: 802.1x for AP LAN Access – Q1CY04
• AP 1200: 802.1x for AP LAN Access – Q1CY04
• For Wireless Clients Across These Products:
• Multiple VLANs for employees, guests and application specific devices
• Expanded 802.1X Authentication Support for: Cisco LEAP, EAP-TLS, EAP-TTLS, PEAP, EAP-SIM
• Expanded Encryption Support for 802.11i TKIP
Latest LAN Security Threats Targeted by the Catalyst Integrated Security Features
• MAC Address Flooding Attack – Hacking Tool: macof (part of dsniff package)
• SYN floods with random src and dst MAC, random src and dst IP
• After CAM Table Fills, Traffic Flooding Occurs (32K entries)
• Random IP addresses include multicast address space and will eventually cause distribution layer to fail due to excessive processing of multicast routes
• DHCP Rogue Server Attack – Hacking Tool: gobbler or actual rogue DHCP server
• Man in the middle attacks via DNS or IP default GW forging
• DHCP Starvation – Hacking Tool: gobbler
• Depletion of DHCP address space
• ARP Spoofing or ARP Poisoning Attack – Hacking Tool: ettercap, dsniff, arpspoof
• Menu driven discovery of MAC level topology with ARPs and DNS Reverse Name Lookup
• Man in the middle attacks with integrated packet capture and password sniffing
Raising the Bar on Surveillance Attacks: MAC-Based Attacks
Problem: “Script Kiddie” Hacking Tools Enable Attackers to Flood Switch CAM Tables with Bogus MACs (132,000 Bogus MACs), Turning the VLAN into a “Hub” and Eliminating Privacy. The Switch CAM Table Limit is a Finite Number of MAC Addresses.
Solution: Port Security Limits the MAC Flooding Attack, Locks down the Port and Sends an SNMP Trap. Only 3 MAC Addresses Allowed on the Port: Shutdown.
Figure: two hosts, 00:0e:00:aa:aa:aa and 00:0e:00:bb:bb:bb, on the same switch in both the problem and the solution panel.
Port Security: Cutting off MAC-Based Attacks
CatOS:
set port security 5/1 enable
set port security 5/1 port max 3
set port security 5/1 violation restrict
set port security 5/1 age 2
set port security 5/1 timer-type inactivity
IOS:
switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
Solution: Port Security (port/interface commands)
• 3 MAC addresses to encompass the phone, the phone switch, the PC
• “Restrict” rather than “error disable” to allow only 3, and log more than 3
• Aging time 2 and aging type inactivity to allow for phone CDP of 1 min
If violation error-disable, the following log message will be produced:
4w6d: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi3/2, putting Gi3/2 in err-disable state
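How the configuration on this slide behaves against a CAM-flooding burst, as an added model that is not Cisco code: a port with a maximum of 3 secure MACs, violation mode restrict (compared with shutdown) and a 2-minute inactivity aging timer, fed constructed MAC addresses and timings for the phone, phone switch and PC.

```python
"""Model of Catalyst port security as configured above: at most 3 secure MACs,
violation mode "restrict" (offending frames dropped and counted, port stays up)
versus "shutdown" (port err-disabled), and inactivity aging of 2 minutes.
Added example, not Cisco code; MAC addresses and timings are constructed."""
import random


class SecurePort:
    def __init__(self, maximum=3, violation="restrict", aging_minutes=2):
        self.maximum, self.violation = maximum, violation
        self.aging = aging_minutes * 60   # "aging type inactivity", in seconds
        self.secure = {}                  # secure MAC -> last time seen (seconds)
        self.err_disabled, self.violations = False, 0

    def _age(self, now):
        # Inactivity aging frees the slot of any MAC silent longer than the timer;
        # a phone's CDP every minute keeps its entry alive.
        for mac in [m for m, seen in self.secure.items() if now - seen > self.aging]:
            del self.secure[mac]

    def ingress(self, src_mac, now):
        """Return 'forward' or 'drop' for a frame from src_mac at time now (s)."""
        if self.err_disabled:
            return "drop"
        self._age(now)
        if src_mac in self.secure or len(self.secure) < self.maximum:
            self.secure[src_mac] = now    # known MAC, or a free secure slot
            return "forward"
        self.violations += 1              # a 4th MAC is a violation: dropped and logged
        if self.violation == "shutdown":
            self.err_disabled = True      # IOS: %PM-4-ERR_DISABLE psecure-violation
        return "drop"


def bogus_macs(count, seed=1):
    """Constructed source MACs standing in for a CAM-table flooding burst."""
    rng = random.Random(seed)
    return ["00:0e:01:%02x:%02x:%02x" % tuple(rng.randrange(256) for _ in range(3))
            for _ in range(count)]


def demo(violation="restrict"):
    """Phone, phone switch and PC are learned; a flood of bogus MACs is not."""
    port = SecurePort(violation=violation)
    phone, phone_switch, pc = ("00:0e:00:aa:aa:aa", "00:0e:00:bb:bb:bb",
                               "00:0e:00:cc:cc:cc")
    learned = [port.ingress(m, now=1) for m in (phone, phone_switch, pc)]
    flood = [port.ingress(m, now=60) for m in bogus_macs(1000)]
    pc_after = port.ingress(pc, now=61)   # in restrict mode the PC keeps working
    for m in (phone, phone_switch):       # CDP at t=200 keeps the phone entries alive
        port.ingress(m, now=200)
    # By t=300 the PC has been silent for more than 2 min, so its slot has aged
    # out and a replacement PC is learned without a violation.
    new_pc = port.ingress("00:0e:00:dd:dd:dd", now=300)
    return {"learned": learned, "dropped": flood.count("drop"),
            "violations": port.violations, "pc_after_flood": pc_after,
            "err_disabled": port.err_disabled, "new_pc_after_aging": new_pc,
            "secure_macs": sorted(port.secure)}
```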
DHCP Attack Types – Starvation Attack: Get whole scope’s addresses
Figure: DHCP Client to DHCP Server exchange, repeated once per address in the scope:
DHCP Discover (Broadcast) x (Size of DHCP scope)
DHCP Offer (Unicast) x (Size of DHCP scope)
DHCP Request (Broadcast) x (Size of DHCP scope)
DHCP Ack (Unicast) x (Size of DHCP scope)
Gobbler: Denial of Service
DHCP Attack Types – Rogue Server: MiM or Non Malicious
Figure: DHCP Client, the legitimate DHCP Server and a Rogue Server on the same switched segment:
DHCP Discover (Broadcast)
DHCP Offer (Unicast) from the Rogue
DHCP Request (Broadcast)
DHCP Ack (Unicast) from Rogue possibly with false DNS or Def GW
DHCP Snooping: Prevents Rogue Server and Limits DHCP DoS
Figure: with DHCP Snooping Enabled, the port toward the DHCP Server is Trusted and the ports toward the DHCP Client and the Rogue Server are Untrusted. OK DHCP Responses (e.g. offer, ack, nak) arrive on the trusted port; BAD DHCP Responses (e.g. offer, ack, nak) from the untrusted Rogue Server port are dropped.
• Prevents MiM and limits denial of service (DoS) attacks based on the DHCP protocol
Malicious—user pretends to be the Network DHCP Server to reply with DNS or GW info to redirect traffic OR user pretends to be multiple DHCP clients to starve the DHCP address pool
Misconfiguration—user configures router (DHCP server) incorrectly
• How it works: For DHCP packets originating from untrusted ports (client ports), DHCP Snooping drops all DHCP OFFER, ACK, NACK, or nonzero giaddr packets (server oriented packets). DHCP Snooping forwards DHCP client requests from untrusted ports and builds a DHCP binding table.
If the DHCP server is not local to the Catalyst Switch, trust the uplink port
• DHCP snooping is not equivalent to Option 82 (DHCP Interface tracker)
Dynamic ARP Inspection
• A binding table containing IP-address and MAC-address associations is dynamically populated using DHCP Snooping
• Can also use ARP ACLs to deny (and optionally log) all invalid IP/MAC binding attempts for non-DHCP assigned IP Addresses
• Private VLAN and routed port support coming.
• Prevents attacks that use ARP with an IP not in the binding table in the switch
Figure: hosts 10.1.1.1 and 10.1.1.2 each believe “My GW is 10.1.1.1”; an attacker sends a Gratuitous ARP (“I’m your GW: 10.1.1.1”) to change the end devices’ ARP tables; the switch answers “Not by my binding table” and drops it.
IP Source Guard: Protection Against IP Spoofing
• Automatically loads Port ACLs and optionally port security tables with information learned from DHCP requests
• Just like Dynamic ARP inspection, but for IP source address (works without the attack PC using ARP for source address)
• Switch learns IP address and MAC address via DHCP
• Automatically configures a Port ACL for IP address and adds MAC address to port security list for the port. (DHCP server must run Option 82 for this to work if checking IP/MAC)
• Removes ACL and MAC entry when lease expires.
Figure: the legitimate host 10.1.1.2 sits next to 10.1.1.1; another host, manually changing its IP Address or using programs to create IP spoofed traffic, announces “I’m Sourcing 10.1.1.2”; the switch answers “Not by my Port ACL” and drops it.
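The three Catalyst features on the DHCP Snooping, Dynamic ARP Inspection and IP Source Guard slides share one binding table, so here is one added model covering all three (not Cisco code): DHCP server-role messages from untrusted ports are dropped, the binding table is built from REQUEST/ACK pairs seen on the switch, and ARP sender pairs and IP source addresses on untrusted ports are checked against it. Port names, MACs and the 10.1.1.0/24 addresses are made-up values, and packets are plain dicts constructed inline.

```python
"""DHCP Snooping binding table with Dynamic ARP Inspection and IP Source Guard
checks, modelled on the three slides above. Added example, not Cisco code:
packets are plain dicts constructed inline, and port names, MACs and the
10.1.1.0/24 addresses are made-up values."""

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only legitimate from trusted (server) ports


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplink toward the real DHCP server
        self.pending = {}                  # xid -> (port, mac) from client REQUESTs
        self.bindings = {}                 # (port, mac) -> ip, built from ACKs
        self.log = []

    def _deny(self, feature, port, why):
        self.log.append("%s: drop on %s (%s)" % (feature, port, why))
        return "drop"

    def dhcp(self, port, pkt):
        """DHCP Snooping: filter server-role messages from untrusted ports."""
        if port not in self.trusted:
            if pkt["msg"] in SERVER_MSGS:
                return self._deny("DHCP-SNOOP", port, "rogue %s" % pkt["msg"])
            if pkt.get("giaddr", "0.0.0.0") != "0.0.0.0":
                return self._deny("DHCP-SNOOP", port, "nonzero giaddr")
        if pkt["msg"] == "REQUEST":
            self.pending[pkt["xid"]] = (port, pkt["chaddr"])
        elif pkt["msg"] == "ACK" and pkt["xid"] in self.pending:
            cport, mac = self.pending.pop(pkt["xid"])
            self.bindings[(cport, mac)] = pkt["yiaddr"]   # lease -> binding entry
        elif pkt["msg"] == "RELEASE":      # lease expiry removes the entry the same way
            self.bindings.pop((port, pkt["chaddr"]), None)
        return "forward"

    def arp(self, port, sender_mac, sender_ip):
        """Dynamic ARP Inspection: the sender IP/MAC pair must be in the binding table."""
        if port in self.trusted or self.bindings.get((port, sender_mac)) == sender_ip:
            return "forward"
        return self._deny("DAI", port, "%s claims %s" % (sender_mac, sender_ip))

    def ip(self, port, src_mac, src_ip):
        """IP Source Guard: the per-port ACL only permits the bound source IP/MAC."""
        if port in self.trusted or self.bindings.get((port, src_mac)) == src_ip:
            return "forward"
        return self._deny("IPSG", port, "spoofed source %s" % src_ip)


def demo():
    sw = SnoopingSwitch(trusted_ports=["Gi0/1"])
    host, rogue = "00:0e:00:aa:aa:aa", "00:0e:00:bb:bb:bb"
    r = {}
    # A rogue server on an access port answers with an OFFER: dropped before it
    # can hand out a false default gateway or DNS server.
    r["rogue_offer"] = sw.dhcp("Fa0/2", {"msg": "OFFER", "xid": 7, "chaddr": host,
                                         "yiaddr": "10.1.1.50"})
    # Legitimate lease: client REQUEST on Fa0/1, ACK from the server via the uplink.
    sw.dhcp("Fa0/1", {"msg": "REQUEST", "xid": 7, "chaddr": host})
    r["real_ack"] = sw.dhcp("Gi0/1", {"msg": "ACK", "xid": 7, "chaddr": host,
                                      "yiaddr": "10.1.1.2"})
    # ARP: the bound host passes; the rogue's gratuitous "I'm your GW 10.1.1.1" does not.
    r["host_arp"] = sw.arp("Fa0/1", host, "10.1.1.2")
    r["rogue_arp"] = sw.arp("Fa0/2", rogue, "10.1.1.1")
    # IP Source Guard: the rogue sources the host's address without any ARP at all.
    r["rogue_ip"] = sw.ip("Fa0/2", rogue, "10.1.1.2")
    r["host_ip"] = sw.ip("Fa0/1", host, "10.1.1.2")
    r["bindings"] = dict(sw.bindings)
    return r, sw.log
```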