Ethernet Switch Security Features -IELALB

LAN switches are the most common devices at the network access layer, and they face significant security threats. Some of these threats target weaknesses in switch management, where the attacker tries to take control of the switch; others target the switch's forwarding functions, where the attacker tries to disrupt normal operation in order to damage the network or even steal data.
Attacks against switches fall into the following categories:

  1. Switch Configuration / Administrative attacks
  2. MAC flooding attacks
  3. DHCP spoofing attack
  4. MAC and IP spoofing attacks
  5. ARP spoofing
  6. VLAN hopping attack
  7. STP attack
  8. VTP attack
    One, switch access security
    To prevent an attacker from probing or taking control of the switch, the following basic hardening should be applied:
  1. Use strong passwords
  2. Use ACLs to restrict management access
  3. Configure a system warning banner
  4. Disable unnecessary services
  5. Disable CDP
  6. Enable system logging
  7. Use SSH instead of Telnet
  8. Disable SNMP, or use SNMP v3
    Two, switch port security
    A switch forwards data frames by looking up the destination MAC address in its MAC address table. If the address is not in the table, the switch forwards the frame out of every port (flooding). The size of the MAC address table is limited, and a MAC flooding attack exploits this limit: the attacker bombards the switch with frames carrying bogus source MAC addresses until the table is full. The switch then enters "fail-open" mode and starts working like a hub, sending every frame to all machines on the network, so the attacker can see frames destined for other hosts whose entries no longer fit in the table. To protect against MAC flooding, the port security feature can be configured on a port to limit the number of MAC addresses allowed on it and to define the action taken when the limit is exceeded: shutdown (close the port), protect, or restrict.
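A simulation of the MAC-table behaviour and the port security limit just described, added here as an example (it is not switch code and not from the original post); the port names, table size, MAC addresses and the three violation actions are constructed to mirror the text:

```python
from collections import defaultdict

PORTS = ["Gi0/1", "Gi0/2", "Gi0/3"]             # constructed three-port switch


class PortSecuritySwitch:
    """MAC learning with port security, as a simulation (added example).
    `maximum`: MACs a port may learn (None = off); `violation`: shutdown/protect/restrict."""

    def __init__(self, table_size=8, maximum=None, violation="restrict"):
        self.table_size = table_size                # CAM capacity (tiny, for the demo)
        self.maximum, self.violation = maximum, violation
        self.cam = {}                               # mac -> port
        self.learned = defaultdict(set)             # port -> MACs learned on it
        self.violations = defaultdict(int)          # port -> restrict-mode counter
        self.errdisabled = set()

    def ingress(self, port, src_mac):
        """Learn one frame's source MAC; return what happened to the frame."""
        if port in self.errdisabled:
            return "shutdown"
        if src_mac in self.learned[port]:
            return "ok"
        if self.maximum is not None and len(self.learned[port]) >= self.maximum:
            if self.violation == "shutdown":
                self.errdisabled.add(port)          # port goes err-disabled
                return "shutdown"
            if self.violation == "restrict":
                self.violations[port] += 1          # counted and logged, frame dropped
            return "dropped"                        # protect: silent drop
        self.learned[port].add(src_mac)
        if len(self.cam) < self.table_size:         # a full CAM simply stops learning
            self.cam[src_mac] = port
        return "learned"

    def egress_ports(self, dst_mac, in_port):
        """Unknown destinations are flooded out every other port (hub behaviour)."""
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]
        return [p for p in PORTS if p != in_port]


def mac_flood(switch, port, count):
    """Inject `count` frames with distinct bogus source MACs into one port; tally results."""
    tally = defaultdict(int)
    for i in range(count):
        tally[switch.ingress(port, f"02:00:00:00:{i >> 8:02x}:{i & 0xFF:02x}")] += 1
    return dict(tally)
```

Without port security the bogus addresses fill the table and a later legitimate host is flooded to every port; with `maximum=2` the port learns two addresses and the rest are dropped or the port is shut down.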
    Three, DHCP Snooping: anti DHCP spoofing
    Once DHCP Snooping is enabled, the switch listens to DHCP packets, extracts the IP address and MAC address from the DHCP Request and DHCP Ack messages it receives, and records them. DHCP Snooping also lets each physical port be designated as a trusted or an untrusted port. A trusted port receives and forwards DHCP Offer packets normally; an untrusted port discards any DHCP Offer it receives. In this way the switch shields clients from rogue DHCP servers and ensures that clients obtain IP addresses only from the legitimate DHCP server.
    1. The main role of DHCP Snooping is to isolate rogue DHCP servers by configuring untrusted ports.
    2. Together with DAI on the switch, it prevents the spread of ARP viruses.
    3. It builds and maintains the DHCP Snooping binding table. Entries are created in two ways: automatically, from the IP and MAC addresses seen in DHCP Ack packets, or manually by static configuration. This table is the basis for DAI (Dynamic ARP Inspection) and IP Source Guard. Both technologies are similar: they use the table to decide whether an IP or MAC address is legitimate, and so restrict which users can connect to the network.
    4. Rogue DHCP servers are isolated by the distinction between trusted and untrusted ports: a trusted port forwards DHCP packets normally, while DHCP Offer and DHCP Ack server responses received on an untrusted port are dropped and not forwarded.
    Four, DAI: preventing ARP spoofing
    Dynamic ARP Inspection (DAI) prevents ARP spoofing by helping to ensure that the access switch passes only "legitimate" ARP requests and replies. DAI works on top of DHCP Snooping: it monitors the DHCP Snooping binding table, which holds IP address to MAC address bindings associated with a particular switch port, and uses it to check all ARP requests and responses (both active and non-active ARP) received on untrusted ports, ensuring that each reply comes from the true owner of the MAC address. The switch decides who the true owner is from the IP/MAC binding information recorded through DHCP on that port; ARP packets that do not match the binding are rejected rather than forwarded.
    DAI is configured per VLAN and applies to the interfaces in that VLAN; it can also be turned off on individual interfaces. If an ARP packet is received on a trusted interface, no check is performed; if it is received on an untrusted interface, the packet is forwarded only when the binding information proves it legitimate. This makes DHCP Snooping essential for DAI. DAI works dynamically, so hosts connected to the switch do not require any changes to their settings. For servers that do not use DHCP, individual machines can be added statically to the DHCP binding table, or handled with an ARP access-list.
    In addition, DAI can limit the rate of ARP request packets on a port. Once the ARP request rate exceeds a predefined threshold, the port is shut down immediately. This prevents the use of network scanning tools and can also block viruses or attacks that generate large numbers of ARP packets.
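The DHCP Snooping and DAI behaviour described in sections Three and Four, as one added Python simulation (not switch code and not from the original post): a binding table is filled from DHCP Ack on a trusted port, server messages on untrusted ports are dropped, and ARP on untrusted ports is checked against the table and rate-limited. Port names, MAC and IP addresses and the ARP limit of 15 per window are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    """DHCP Snooping binding table plus DAI for one VLAN (simulation only)."""
    trusted: set                                   # ports facing the real DHCP server / uplink
    arp_limit: int = 15                            # ARP packets per untrusted port per window (assumed)
    bindings: dict = field(default_factory=dict)   # (client_mac, ip) -> access port
    pending: dict = field(default_factory=dict)    # client_mac -> port that sent DISCOVER/REQUEST
    arp_count: dict = field(default_factory=dict)  # port -> ARP packets seen this window
    errdisabled: set = field(default_factory=set)

    def dhcp(self, port, msg_type, client_mac, yiaddr=None):
        """DHCP Snooping: return 'forward' or 'drop' for one DHCP message."""
        if msg_type in ("OFFER", "ACK") and port not in self.trusted:
            return "drop"                          # server message on an access port: rogue server
        if msg_type in ("DISCOVER", "REQUEST"):
            self.pending[client_mac] = port        # remember which port the client sits on
        elif msg_type == "ACK" and client_mac in self.pending:
            # lease confirmed: bind the client's MAC and assigned IP to the client's own port
            self.bindings[(client_mac, yiaddr)] = self.pending.pop(client_mac)
        return "forward"

    def add_static_binding(self, port, mac, ip):
        """Manual entry for hosts that do not use DHCP (servers, printers)."""
        self.bindings[(mac, ip)] = port

    def arp(self, port, sender_mac, sender_ip):
        """DAI: 'forward', 'drop' (no matching binding) or 'errdisable' (rate exceeded)."""
        if port in self.errdisabled:
            return "errdisable"
        if port in self.trusted:
            return "forward"                       # trusted ports are not inspected
        self.arp_count[port] = self.arp_count.get(port, 0) + 1
        if self.arp_count[port] > self.arp_limit:
            self.errdisabled.add(port)             # scanner or ARP storm: shut the port
            return "errdisable"
        return "forward" if (sender_mac, sender_ip) in self.bindings else "drop"


if __name__ == "__main__":                         # constructed walk-through
    sw = SnoopingSwitch(trusted={"Gi0/24"})
    print(sw.dhcp("Gi0/3", "OFFER", "00:11:22:33:44:55", "10.0.10.99"))  # drop
    sw.dhcp("Gi0/3", "DISCOVER", "00:11:22:33:44:55")
    sw.dhcp("Gi0/24", "ACK", "00:11:22:33:44:55", "10.0.10.5")
    print(sw.bindings)                             # {('00:11:22:33:44:55', '10.0.10.5'): 'Gi0/3'}
    print(sw.arp("Gi0/3", "00:11:22:33:44:55", "10.0.10.1"))             # drop
```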
Origin blog.csdn.net/spccie/article/details/104329580