38 Cards in this Set
What types of Layer 2 attacks are there?
|
CAM Overflow; VLAN hopping; MAC spoofing; Private VLAN Attacks; DHCP Attacks; STP Manipulation
|
|
What is the CAM Table?
|
Content-Addressable Memory (CAM) table, the switch's MAC address table. Cisco Catalyst switches hash the 63-bit source key (48-bit source MAC plus VLAN and other fields) into a table index and store the MAC-to-port mapping at that slot; dynamically learned entries age out after 300 seconds (5 minutes) by default.
|
|
How does a CAM overflow attack work?
|
The attacker connects to an access port and sends frames from thousands of random source MAC addresses until the table is full. Once no free slots remain the switch can no longer learn new addresses and floods unknown-unicast traffic out every port in the VLAN, so the attacker can sniff traffic between other hosts (the switch behaves like a hub). The common tool is macof (from the dsniff package), which generates roughly 155,000 entries per minute.
|
|
What technology mitigates CAM Overflow attacks?
|
Port security, which controls how many and which MAC addresses a switch port may learn. By default a secure port allows one MAC address and, on a violation, is placed in error-disabled state (shutdown mode).
|
|
What port types does Cisco recommend using port security on?
|
Static access ports (switchport mode access). Port security cannot be enabled on a port that is still in dynamic (DTP) mode; the command is rejected.
|
|
What does it mean when a switch learns MACs "sticky"?
|
Dynamically learned addresses are converted to secure static entries and written into the running configuration (as switchport port-security mac-address sticky <mac> lines under the interface). They survive a reboot only if the configuration is saved; otherwise they must be relearned.
|
|
How do you configure port security?
|
interface FastEthernet1/1
 switchport mode access                                  ! required first: port security is rejected on a dynamic (DTP) port
 switchport port-security                                ! enable port security on the port
 switchport port-security maximum 3                      ! allow up to three secure addresses
 switchport port-security mac-address sticky             ! learn addresses and keep them in the configuration
 switchport port-security mac-address 0016.1234.4565     ! one statically configured secure address
 switchport port-security violation protect              ! drop frames from unknown MACs silently
|
|
How can you re-enable a port that is in error-disabled state?
|
Either bounce the interface manually (shutdown, then no shutdown) or let the switch recover it automatically with the global commands errdisable recovery cause psecure-violation and errdisable recovery interval <seconds> (default 300).
|
|
What 3 types of actions can a switch take on a port in violation of security restrictions?
|
Protect - frames from unknown MACs are silently dropped; no notification, no counter. Restrict - frames from unknown MACs are dropped, an SNMP trap and a syslog message are generated, and the violation counter increments; the port stays up. Shutdown (the default) - the port goes to error-disabled state, the port LED turns off, an SNMP trap and a syslog message are generated, and the violation counter increments; the port stays down until recovered.
|
|
Can you configure port security on trunks?
|
Some platforms allow it, but Cisco does not recommend it because the address limit and violation behaviour then apply to traffic from every VLAN carried on the trunk, with hard-to-predict results.
|
|
What is VLAN hopping?
|
When an attacker gets traffic into a VLAN that is not assigned to their switch port, bypassing the Layer 2 segmentation (and any Layer 3 filtering that sits between the VLANs).
|
|
What two techniques are used in VLAN hopping attacks?
|
Switch spoofing - the attacker negotiates a trunk with the switch (for example with DTP frames) and can then tag frames for any VLAN; and double tagging - the attacker on the native VLAN sends a frame with two 802.1Q tags, the first switch strips the outer (native) tag and the next switch forwards the frame into the VLAN of the inner tag (one-way only, since replies do not come back).
|
|
How do you prevent VLAN hopping attacks?
|
Explicitly configure user-facing ports as access ports (switchport mode access) and turn DTP off (switchport nonegotiate); shut down unused ports and park them in an unused VLAN; make access mode the default for every port instead of relying on dynamic auto/desirable. Against double tagging, use an otherwise unused VLAN (not VLAN 1) as the native VLAN on trunks and never assign that VLAN to an access port.
|
|
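The three measures on the previous card written out as one access-switch configuration. This is an added example, not from the original card set: the interface ranges, VLAN numbers (user VLAN 10, parking VLAN 998, native VLAN 999) and the uplink port are assumed.

```cisco
! Added example (not from the card set). Assumes user ports Gi1/0/1-20 in VLAN 10,
! unused ports Gi1/0/21-23, uplink trunk Gi1/0/24, unused VLANs 998 (parking) and 999 (native).
conf t
 vlan 998
  name UNUSED-PARKING
 vlan 999
  name NATIVE-UNUSED
 ! user ports: fixed access mode with DTP off, so an attacker cannot negotiate a trunk (switch spoofing)
 interface range GigabitEthernet1/0/1 - 20
  switchport mode access
  switchport access vlan 10
  switchport nonegotiate
 ! ports not in use: parked in a dead VLAN and shut down
 interface range GigabitEthernet1/0/21 - 23
  switchport mode access
  switchport access vlan 998
  shutdown
 ! the real uplink: explicit trunk, DTP off, only the VLANs that must cross it, and a native
 ! VLAN no access port uses, so a double-tagged frame's outer tag never matches a user VLAN
 interface GigabitEthernet1/0/24
  switchport trunk encapsulation dot1q     ! only accepted on platforms that also support ISL
  switchport mode trunk
  switchport nonegotiate
  switchport trunk native vlan 999
  switchport trunk allowed vlan 10,20      ! 999 deliberately not carried
 ! optional, not on every platform: tag the native VLAN too, removing the untagged path double tagging relies on
 vlan dot1q tag native
end
```

Double tagging only works when the attacker's access VLAN equals the trunk's native VLAN; with user ports on VLAN 10 and the native VLAN set to 999, which no access port carries, the outer tag is never the native VLAN and the frame is not forwarded untagged. Check with show interfaces trunk that every trunk shows the intended native VLAN and that no user port appears in "trunking" mode.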
Describe the MAC spoofing attack.
|
The attacker forges their Layer 2 identity to become a man-in-the-middle: they send gratuitous ARP (GARP) messages claiming the default gateway's IP address, so hosts on the segment update their ARP caches and send gateway-bound traffic to the attacker, who then forwards it to the real gateway so the victim notices nothing.
|
|
How can you prevent a MAC Spoofing attack?
|
Port security with a single allowed MAC address per port, although supporting that configuration operationally is often more trouble than the risk justifies. Other techniques: hold-down timers on the ARP cache, private VLANs, Dynamic ARP Inspection (DAI), and DHCP snooping (which DAI relies on for its binding table).
|
|
What are private VLANs used for?
|
Further isolating hosts within one VLAN when they do not need to talk to each other. Ports are isolated (can talk only to promiscuous ports), community (can talk to other ports in the same community and to promiscuous ports), or promiscuous (can talk to every port; typically the router or firewall port). Common in DMZs.
|
|
How are Private VLAN attacks accomplished?
|
The attacker on an isolated or community port sends a packet with their own source IP and MAC, the destination MAC of the router (on the promiscuous port), but the destination IP of a victim on the same private VLAN. The switch forwards it because the Layer 2 destination is the promiscuous port; the router then rewrites the Ethernet header and routes the packet back into the VLAN to the victim, bypassing the Layer 2 isolation.
|
|
How do you defend against Private VLAN attacks?
|
An inbound ACL on the router interface facing the private VLAN that denies traffic whose source and destination are both in that subnet (legitimate hosts inside the subnet never need the router to reach each other), while still permitting traffic addressed to the router's own interface.
|
|
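The router-side defence from the previous card as a worked configuration. This is an added example, not from the original card set: the subnet 10.1.1.0/24, the router subinterface GigabitEthernet0/0.10 and its address 10.1.1.1 are assumed.

```cisco
! Added example (not from the card set). Assumes the private VLAN is VLAN 10 with subnet
! 10.1.1.0/24 and the router reaches it via subinterface Gi0/0.10 at 10.1.1.1.
conf t
 ip access-list extended PVLAN-NO-HAIRPIN
  remark hosts may still reach the gateway itself (ping, DHCP relay, management)
  permit ip 10.1.1.0 0.0.0.255 host 10.1.1.1
  remark anything else from the subnet aimed back at the same subnet is the proxy attack: drop and log
  deny   ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255 log
  remark traffic leaving the subnet is unaffected
  permit ip any any
 interface GigabitEthernet0/0.10
  encapsulation dot1Q 10
  ip address 10.1.1.1 255.255.255.0
  ip access-group PVLAN-NO-HAIRPIN in       ! must be inbound on the interface facing the private VLAN
end
```

The explicit permit for the gateway address matters: an inbound ACL also filters packets destined to the router itself, so a bare deny of subnet-to-subnet would break pings to the gateway and DHCP relay from clients with a leased address. DHCP DISCOVER messages (source 0.0.0.0, destination 255.255.255.255) fall through to permit ip any any. On a Catalyst switch the same ACL goes on interface Vlan10. Verify with show ip access-lists PVLAN-NO-HAIRPIN after sending a test packet from one host to another host's IP via the gateway's MAC; the deny line's hit counter should increment.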
What are the two types of DHCP attacks?
|
DHCP spoofing and DHCP starvation attacks
|
|
Describe DHCP spoofing.
|
The attacker runs a rogue DHCP server on the segment and answers client requests with leases whose options point to attacker-controlled DNS, WINS and default gateway addresses, enabling man-in-the-middle or redirection. Clients accept the first offer they receive, so the rogue server wins whenever it answers faster than the legitimate one.
|
|
Describe DHCP starvation.
|
The attacker floods the DHCP server with DISCOVER/REQUEST messages carrying many spoofed client hardware addresses until the scope is exhausted, so legitimate clients cannot obtain a lease (a denial of service). It is often the first step of DHCP spoofing, because afterwards only the rogue server has addresses to hand out.
|
|
How do you prevent DHCP attacks?
|
DHCP snooping, with a DHCP rate limit on untrusted ports to counter starvation. Port security only helps against starvation when the attack tool also varies the Ethernet source MAC; a tool that only varies the DHCP client hardware (chaddr) field is not caught by it.
|
|
How does DHCP Snooping work?
|
Ports are either trusted or untrusted. DHCP server messages (OFFER, ACK, NAK) are accepted only on trusted ports and dropped on untrusted ones; client messages from untrusted ports are checked (by default the frame's source MAC must match the DHCP client hardware address). From the snooped leases the switch builds the DHCP snooping binding table (MAC, IP, lease time, VLAN, interface), which DAI and IP Source Guard then use.
|
|
How do you configure DHCP snooping?
|
conf t
 ip dhcp snooping                          ! global enable
 ip dhcp snooping vlan 10                  ! which VLAN(s) to snoop on
 ip dhcp snooping information option       ! insert option 82 relay info (on by default; use "no" if the upstream server or relay drops packets carrying option 82 with giaddr 0)
 interface GigabitEthernet0/1              ! uplink toward the DHCP server
  ip dhcp snooping trust                   ! server replies are accepted only here
 interface GigabitEthernet0/2              ! untrusted client port (the default)
  ip dhcp snooping limit rate 70           ! more than 70 DHCP packets per second err-disables the port
|
|
Describe STP attacks.
|
The attacker sends BPDUs pretending to be a switch with a lower bridge ID (lower priority) in order to become the root bridge or otherwise change the topology. As root the attacker can sit in the path of traffic between switches and see those frames; repeatedly forcing topology changes is also a denial of service, since each 802.1D recalculation takes 30 to 50 seconds (max age 20 s plus listening and learning at 15 s each).
|
|
How do you prevent STP Attacks?
|
BPDU guard on PortFast/access ports (err-disable any port that receives a BPDU) and root guard on ports that should never lead toward the root bridge (block the port if a superior BPDU arrives).
|
|
How do you configure STP mitigation techniques?
|
conf t
 spanning-tree portfast bpduguard default  ! global: err-disable every PortFast port that receives a BPDU (per port: spanning-tree bpduguard enable)
 interface FastEthernet0/10                ! a port that must never lead toward the root
  spanning-tree guard root                 ! put the port in root-inconsistent state if a superior BPDU arrives, instead of accepting a new root
|
|
What is DAI?
|
Dynamic ARP Inspection: a switch feature that intercepts ARP packets on untrusted ports and drops those whose sender IP-to-MAC binding is invalid, defeating ARP spoofing and cache poisoning.
|
|
How does DAI determine whether an ARP packet is valid?
|
It checks the sender IP/MAC pair in each ARP packet against the DHCP snooping binding table (for DHCP clients) and against ARP ACLs (for statically addressed hosts); ARP ACLs are consulted first. ARP packets arriving on trusted interfaces are not inspected.
|
|
Where are trusted DAI interfaces typically connected to?
|
Other switches (uplinks and inter-switch links), which are assumed to have inspected their own clients; host-facing ports stay untrusted.
|
|
How do you configure DAI for an interface?
|
conf t
 ip arp inspection vlan 34                          ! enable DAI on VLAN 34 (DHCP snooping must be enabled on that VLAN)
 ip arp inspection log-buffer entries 64            ! keep the last 64 dropped-ARP log entries
 interface FastEthernet0/0                          ! uplink to another switch
  ip arp inspection trust                           ! no inspection on this port
 interface FastEthernet0/2                          ! untrusted host port (the default)
  ip arp inspection limit rate 20 burst interval 2  ! err-disable if more than 20 ARP packets/s over a 2 s window (default 15 pps)
|
|
How do you configure ARP ACLs?
|
Define the ACL with arp access-list NAME and permit ip host IP mac host MAC entries, then apply it to the VLAN with the global command ip arp inspection filter NAME vlan VLAN-ID [static]. With the static keyword, ARP packets not matching the ACL are dropped without consulting the DHCP snooping binding table.
|
|
What is IP Source Guard?
|
On an untrusted port the switch drops all IP traffic except DHCP until the host obtains a lease (or a static ip source binding exists for it); it then installs a per-port ACL that permits only the source IP address (and, with the port-security keyword, also the source MAC) recorded in the DHCP snooping binding table. Enabled per interface with ip verify source [port-security].
|
|
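DHCP snooping, DAI and IP Source Guard are meant to be layered: snooping builds the binding table, DAI and IP Source Guard enforce it. The following access-switch configuration shows the three together, including a static binding for a host that never uses DHCP. This is an added example, not from the original card set: the port numbers, VLAN 10, the printer's address 10.10.10.50 / 0011.2233.4455 and the database file name are assumed.

```cisco
! Added example (not from the card set). Assumes client ports Gi1/0/1-21 in VLAN 10,
! uplink Gi1/0/24 toward the DHCP server, and a printer with static address
! 10.10.10.50 / MAC 0011.2233.4455 on Gi1/0/21.
conf t
 ! 1. DHCP snooping builds the binding table everything else depends on
 ip dhcp snooping
 ip dhcp snooping vlan 10
 no ip dhcp snooping information option     ! this switch is not a relay: do not insert option 82 (avoids drops upstream)
 ip dhcp snooping database flash:snoop.db   ! persist bindings across a reload so existing clients are not cut off
 ! 2. DAI validates ARP against those bindings and also sanity-checks the MAC/IP fields
 ip arp inspection vlan 10
 ip arp inspection validate src-mac dst-mac ip
 ! 3. static binding for the host that never asks DHCP, so DAI and IP Source Guard accept it
 ip source binding 0011.2233.4455 vlan 10 10.10.10.50 interface GigabitEthernet1/0/21
 ! uplink: the only place DHCP server replies and un-inspected ARP may come from
 interface GigabitEthernet1/0/24
  ip dhcp snooping trust
  ip arp inspection trust
 ! client ports: untrusted (the default), rate-limited, and locked to their lease
 interface range GigabitEthernet1/0/1 - 21
  switchport mode access
  switchport access vlan 10
  ip dhcp snooping limit rate 15             ! more than 15 DHCP pps err-disables the port (starvation)
  ip arp inspection limit rate 15 burst interval 1
  ip verify source port-security             ! filter on both IP and MAC from the binding table (keyword varies by platform)
  switchport port-security                   ! required for the MAC check above
  switchport port-security maximum 2
 ! let err-disabled ports recover on their own after the default 300 s
 errdisable recovery cause dhcp-rate-limit
 errdisable recovery cause arp-inspection
end
```

Order matters when deploying on a live network: enable DHCP snooping first and wait for clients to renew (or load a saved database), because the moment ip verify source is applied, any host without a binding loses all IP connectivity until it re-DHCPs. Verify with show ip dhcp snooping binding, show ip arp inspection vlan 10 and show ip verify source; the last one lists each port's active filter and should show the printer's static entry on Gi1/0/21.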
What type of EAP attacks are there?
|
Man in the middle and session-hijacking
|
|
How can you remove dynamic and sticky MAC addresses from the port security tables?
|
clear port-security sticky address 0016.1234.4565     ! one sticky address
clear port-security sticky interface FastEthernet1/1  ! all sticky addresses on a port
clear port-security dynamic address 0016.1234.4565    ! one dynamically learned address
(General form: clear port-security {all | configured | dynamic | sticky} [address MAC | interface INTERFACE].)
|
|
How can you configure aging on port-security ports?
|
switchport port-security aging {static | time MINUTES | type {absolute | inactivity}}
time sets the aging time in minutes (1-1440); type absolute ages an entry a fixed time after it was learned, type inactivity ages it after that long without traffic; static also applies aging to statically configured secure addresses. Sticky addresses are not aged.
|
|
What commands can you use to verify port-security?
|
show port-security show port-security interface INTERFACE show port-security interface INTERFACE address
|
|
What commands can you use to verify DHCP snooping?
|
show ip dhcp snooping (global state, snooped VLANs, trusted ports and rate limits); show ip dhcp snooping binding [IP-ADDRESS] [MAC-ADDRESS] [interface INTERFACE] [vlan VLAN-ID] (the binding table, optionally filtered)
|