Transcript
Cisco Network Admission Control & the Self-Defending Network Initiative: 802.1x & Identity Based Networking
Tim Ryan, Cisco SE
3856_10_2001_c1_X © 2001, Cisco Systems, Inc. All rights reserved.

[Slide 2] Cisco's Embedded Intelligent Security: Evolving with Today's Threats
• 2000, adjunct-based security: IDS, firewall and VPN appliances plugged into the network; enhanced device security; separate management software
• 2002, integrated security: IDS, firewall and VPN service modules integrated into the infrastructure; identity, L2/L3 hardening, HIPS
• Today, embedded intelligent security: network-wide security fully embedded into the network infrastructure (firewall + intrusion detection + VPN); self-defending, protecting, preventing, healing; integrated management software; control of "who" has network access and "what" they can do

[Slide 3] Cisco End-to-End Security Productization: Intelligent Linkage of Endpoint with Network
• Host-based security: behaviour/anomaly IPS and firewall, HIDS, personal firewall and VPN client, combined into a comprehensive desktop solution
• Network-based security: SSL VPN, VPN, firewall + VPN, firewall, application firewall, IDS, in-line IPS, identity/trust
• Integration of these capabilities into a converged appliance/switch

[Slide 4] Intelligent Embedded Campus Security: "Tighten Down the Hatches"
• Cisco Identity Based Networking Services (IBNS): controlling who/what gets access to the network and what they can do. Unauthorized users and rogue APs are denied access; an authorized user is granted access to HR records.
• Cisco Catalyst integrated security protects against today's emerging attacks: man-in-the-middle, DHCP server spoofing, IP address spoofing.
• Host IPS (Cisco Security Agent) with Cisco Identity (IBNS) detects infected users and isolates them in a quarantine VLAN.

[Slide 5] What if you could control who/what is on your network?
• Unauthorized users with physical access (visitors, "door tailgaters", etc.) and unauthorized external wireless users can reach corporate resources alongside authorized users
• 99% of accessible network ports are "open"

[Slide 6] Cisco Embedded Security with IBNS: determining "who" gets access and "what" they can do
• User-identity-based network access on the campus network, with user-based policies (bandwidth, QoS, etc.) applied per user
• Equivalent to placing a security guard at each switch port
• Only authorized users/devices can get network access
• Unauthorized users can be placed into "Guest" VLANs
• Prevents unauthorized APs

[Slide 7] Internet Worm Infection
• A worm attack can enter via a remote user, the wireless LAN, the Internet, the LAN, the data center or a branch
• Self-propagating worms continue to disrupt business, causing downtime and continual patching
• Non-compliant servers and desktops are common, and they are difficult to detect and contain
• Locating and isolating infected systems is time- and resource-intensive

[Slide 8] Diverse Endpoint and User Community: attack vectors can come from anywhere
• The virus/worm problem is compounded by today's networked environment (remote users, wireless LAN, Internet, LAN, data center, branch)
• Multiple types of end users: employees, vendors, contractors, etc.
• Multiple types of endpoints: company desktop, home, server, etc.
• Multiple types of access: wired, wireless, VPN, dial, etc.

[Slide 9] Ideal Solution: An Integrated System
• Policy servers decide for every entry point (remote user, Internet, branch): compliant endpoint, admit! Non-compliant endpoint, deny or quarantine!
• Multiple components are required for a complete solution
• Endpoint security solutions know the endpoint's security condition: type, compliance, etc.
• Policy servers know the compliance/access rules
• Network access devices (routers, switches) enforce the admission policy
• Virus/worm prevention and containment requires industry collaboration

[Slide 10] Cisco Network Admission Control (NAC) Summary
• Cisco Network Admission Control (NAC) is a Cisco-led, industry-leading program focused on limiting damage from emerging security threats such as viruses and worms
• With NAC, customers can allow network access only to compliant and trusted endpoint devices (e.g. PCs, servers, PDAs) and can restrict the access of non-compliant devices
• Initial NAC co-sponsors include Network Associates, Symantec and Trend Micro
• NAC is the first phase of the Cisco Self-Defending Network Initiative, an effort designed to dramatically improve the ability of networks to identify, prevent and adapt to threats
• These efforts extend Cisco's ability to provide secure, intelligent networks for customers

[Slide 11] Cisco Network Admission Control (NAC): components
• Hosts attempting network access run an antivirus client and/or Cisco Security Agent; the Cisco Trust Agent on the host gathers their security credentials and answers the network's credential check
• The Cisco network access device performs security credential checking and security policy enforcement
• The Cisco policy server handles security policy creation; the AV vendor policy server handles AV policy evaluation
• Based on the endpoint's security posture, the appropriate admission policy is enforced in the network
• Cisco and the NAC co-sponsors deliver this as a collaborative solution
[Slide 12] NAC Program Overview
• Cisco is driving the architecture, specifications and guidelines of NAC
• Initial NAC co-sponsors include the major anti-virus vendors: Network Associates, Symantec and Trend Micro
• Cisco Security Agent and the NAC co-sponsors' AV solutions will leverage the Cisco Trust Agent for intelligent admission control
• Initial NAC capability to be delivered in Q2 CY04 in Cisco routers
• Future NAC extensions: more Cisco network devices; more endpoint security software and endpoint platforms (OSs); more industry co-sponsors; solution "opened", timing and extent TBD
• Cisco Trust Agent architecture: the AV client and CSA talk to the Trust Agent through an EAP/TLV API; a broker and security communications layer (L2/L3 service) carries EAP over UDP or EAP over 802.1X to the network

[Slide 13] NAC Deployment Scenarios: comprehensive compliance validation
1. Branch office compliance: enforce on the L3 branch router and firewall; EAP/UDP to the AAA server and AV server in the main office
2. Remote access compliance: remote-access IPsec VPN or SSL; EAP/UDP after IPsec; RADIUS carries the posture; quarantine with ACLs/VLANs
3. Dial-in access compliance: dial-in NAS, an extension of "Are You There"; TBD
4. Wireless campus protection: an extension of 802.1x, EAP over 802.1x (wireless); quarantine with ACLs/VLANs
5. Campus access and data center protection: an extension of wired 802.1x, EAP over 802.1x (wired)
• Ubiquitous solution for all connection methods
• Validates all hosts

[Slide 14] NAC Customer Benefits
• Dramatically improved security for non-compliant hosts
• Increased network resilience
• Extended value from Cisco network infrastructure investment
• Increased value of existing investment in AV

[Slide 15] NAC Customer Validation
• General interest (over 80%)*; strategic interest
• 50+ Cisco enterprise customers pre-briefed on NAC and the Self-Defending Network
• Consistently positive feedback; interest spans all vertical markets
• Strong desire for acceleration of future phases; must include key AV partners
*Cisco survey, Feb 3-5 2003, 250+ NIDS customers; similar results in a blind survey

[Slide 16] Self-Defending Network Futures: Infection Containment
Components: infected host, local L2/L3 device, virus detectors (desktop and server AV systems, AV management, HIDS, NIDS, other virus detectors), policy system (policy server), campus gateway.
1. The infected host sends virus data through the local L2/L3 device to the network
2. A virus detector notices virus data from the sender and notifies the policy system
3. The policy server determines the containment action
4. Policy determines the local L2/L3 device closest to the infected host and communicates the containment action
5. The local L2/L3 device enforces the containment action (includes network proxy devices)

[Slide 17] In addition to securing network access, what else can we do?
• If you know "who" and "what" are now on the network, what could you do with this information?
• Now, Cisco 802.1x extensions: VLAN assignments, apply security profiles, specify IP assignment, secure IP telephony
• Future: posture and virus scanning with a quarantine VLAN? Dynamic firewall control/access/authentication? IDS + identity + management?

[Slide 18] Cisco Identity: current and future capabilities
Example: employees, faculty, dorm students and off-campus students are authenticated by CiscoSecure ACS over RADIUS before reaching the servers.
• Dynamic VLAN assignment
• Dynamic security policy assignment using ACLs
• Dynamic QoS assignment using ACLs, including dynamic per-user/per-port policing
• IBNS-based user/port accounting

[Slide 19] Campus Identity, Policy Enforcement: beyond user credentials (future capability)
• Problem: how can we leverage identity to create finer granulations in policy based on more attributes from the user?
• Cisco solution in development: attributes such as antivirus and host intrusion detection software and .dat file levels can be passed in addition to userid/password credentials in the authentication process to segment "unhealthy" users away from "healthy" ones. An employee asking "Access please, my AV software is version X" may be told "Sorry, your AV software is back-level" by the CiscoSecure ACS RADIUS/policy server and placed in a quarantined VLAN, while a compliant student reaches the servers.
• First phase: Symantec, Network Associates, Trend Micro, Cisco Security Agent

[Slide 20] 802.1x: ratified by the IEEE in June 2001
• Open-standards-based protocol for authenticating network clients (or ports) on a user-ID basis, also known as "port-level authentication"
• It takes the familiar RADIUS-style authentication and separates it into three distinct roles: the Supplicant (client), the Authenticator (switch port or AP) and the Authentication Server (RADIUS)
• IEEE 802.1X provides automated user identification, centralized authentication, key management and provisioning of LAN connectivity. It even provides support for roaming access in public areas.

[Slide 21] 802.1x + EAP (Extensible Authentication Protocol)
• 802.1x builds on an existing protocol, the Extensible Authentication Protocol (EAP, RFC 2284)
• EAP conducts the authentication process. It was originally defined as the authentication framework for Point-to-Point Protocol (PPP) links; 802.1x reuses it on LAN links.
• EAP over LAN (EAPOL) is EAP encapsulated in 802 frames. This is how the Authenticator and Supplicant actually communicate during the authentication process.
• EAP is compatible with Ethernet, Token Ring, 802.11 and other popular network protocols.
• EAP supports many authentication methods such as Kerberos, public key, one-time passwords, etc., and it can utilize Transport Layer Security (TLS) and Secure Remote Password (SRP).

[Slide 22] 802.1x provides an architecture for many authentication types and link layers
• Today EAP-TLS requires the use of digital certificates and a Certificate Authority. Windows XP, Windows 2000, Windows 9x and third-party clients support this.
• Future versions will allow for other authentication options.

[Slide 23] 802.1x Open Benefits
• 802.1x was designed to be inexpensive to implement on existing network hardware, utilizing the existing network-access infrastructure (RADIUS, LDAP, Active Directory, etc.)
• EAP-compatible RADIUS servers include, among others, Microsoft Windows 2000 Server (IAS), Cisco ACS, Funk RADIUS and Interlink Networks RADIUS Server. Other vendors that support 802.1x are AirWave, Compaq, Dell, IBM, Intel, Symbol, Toshiba, Telison and Wayport.
• The 802.1x protocol requires two distinct steps: first the Supplicant is authenticated, then it is authorized with access privileges.
• Privileges are distributed in the form of tokens (in practice, RADIUS attributes returned with the Access-Accept), which can be defined to include anything that may interest a security professional, such as VLAN IDs, rate limits, filters, tunnels, etc.

[Slide 24] Extensible Authentication Protocol: some common EAP types
• EAP Cisco Wireless (LEAP): 802.1X EAP authentication type developed by Cisco to provide dynamic per-user, per-session WEP encryption keys.
• PEAP: 802.1X EAP authentication type that takes advantage of server-side EAP-TLS and supports a variety of different authentication methods, including logon passwords and one-time passwords (OTPs).
• EAP-TLS (Transport Layer Security): 802.1X EAP authentication algorithm based on the TLS protocol (RFC 2246). Uses mutual authentication based on X.509 certificates.
• EAP-Message Digest 5 (MD5): username-and-password method in which the client proves knowledge of the password by returning an MD5 hash of a server challenge. Caveat: the server is not authenticated, no keying material is derived (so it cannot protect a wireless link), and a captured challenge/response pair can be attacked offline with a dictionary; treat it as a wired-only, low-assurance option.
• EAP-Generic Token Card (GTC): one of the defined EAP types in RFC 2284, allows OTP authentication.
• EAP-TTLS (Tunneled TLS): authentication from Funk Software.

[Slide 25] 802.1x EAP Authentication Choices
• LEAP: 802.1x framework, password-based authentication, uses MS-CHAP v1. The only advanced authentication solution supported on all major OSs (Windows, Mac, Linux, etc.). Cisco is in the process of licensing LEAP to other key clients to move it from being "proprietary" to "widely supported". Caveat: the MS-CHAP exchange is not wrapped in a TLS tunnel, so captured challenge/responses are exposed to offline dictionary attack; LEAP is only as strong as the password policy behind it.
• PEAP with One-Time Passwords ("OTP"): Protected EAP creates a PKI-based secure/encrypted tunnel from the client to the RADIUS server, allowing other types of client-side authentication to run inside it. 802.1x framework, certificate-based (server-side) authentication. PEAP is supported by Cisco, Microsoft and RSA; a draft standard has been proposed to the IETF. The encrypted tunnel between client and RADIUS server is similar to a VPN. PEAP is supported in Cisco ACS Server software version 3.1. One-Time Password ("OTP") is a Cisco enhancement to PEAP, similar to SofToken or OTP cards. PEAP with OTP is available from Cisco as a software upgrade on 802.1x-supported client OSs.

[Slide 26] Cisco EAP (Cisco LEAP) + 802.1x authentication process
Roles: client (supplicant), access point or switch (authenticator), RADIUS authentication server. The AP blocks all requests until Cisco LEAP completes.
1. Client → AP: Start; AP → client: Request identity
2. Client → AP → RADIUS server: username
3. RADIUS server → client: challenge; client → RADIUS server: response; the RADIUS server authenticates the client and returns success
4. Client → RADIUS server: challenge; RADIUS server → client: response; the client authenticates the RADIUS server
5. RADIUS server → AP: success plus the session key; both sides derive the key
6. AP → client: broadcast key and key length, encrypted with the session key
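The exchange sketched on slides 20 to 26 (EAPOL-Start, Request/Identity, a challenge/response relayed to the authentication server, and the port opening only on EAP-Success), as an added example that is not part of the original deck: a Python model of supplicant, authenticator and authentication server. The inner method is EAP-MD5-Challenge (EAP type 4 per RFC 2284, reusing the CHAP response of RFC 1994) because it is the one method on the page simple enough to implement completely; LEAP and PEAP follow the same outer EAPOL/EAP framing. The username, password, fixed challenge and word list are constructed for the example. The last function shows the caveat from slide 24: with no tunnel and no server authentication, a captured EAP-MD5 exchange is cracked offline.

```python
import hashlib
import os
import struct

# Constants from IEEE 802.1X (EAPOL), RFC 2284 (EAP) and RFC 1994 (CHAP, reused by EAP-MD5).
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # destination of EAPOL frames on a LAN (context only)
EAPOL_ETHERTYPE = 0x888E                        # Ethernet type of EAPOL frames (context only)
EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def eapol(ptype, body=b""):
    """EAPOL header: version(1) type(1) body length(2), followed by the body."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body


def eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code(1) identifier(1) length(2) [type(1) type-data]."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident & 0xFF, 4 + len(payload)) + payload


def parse_eapol(frame):
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    return ptype, body


def parse_eap(body):
    """Return (code, identifier, type or None, type-data); Success/Failure carry no type."""
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length != len(body) or length < 4:
        raise ValueError("bad EAP length")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, ident, None, b""
    return code, ident, body[4], body[5:]


def md5_response(ident, password, challenge):
    """CHAP/EAP-MD5 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class Supplicant:
    def __init__(self, username, password):
        self.username, self.password = username.encode(), password.encode()

    def handle(self, body):
        """Answer one EAP-Request. MD5 type-data is Value-Size(1), Value, then the Name."""
        code, ident, etype, data = parse_eap(body)
        if code != EAP_REQUEST:
            raise ValueError("supplicant only answers requests")
        if etype == EAP_TYPE_IDENTITY:
            return eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.username)
        if etype == EAP_TYPE_MD5:
            challenge = data[1:1 + data[0]]
            digest = md5_response(ident, self.password, challenge)
            return eap(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([16]) + digest + self.username)
        raise ValueError("unsupported EAP type %r" % etype)


class AuthServer:
    """Stand-in for the RADIUS server: owns the user database and issues the challenge."""
    def __init__(self, users, rng=os.urandom):
        self.users, self.rng = users, rng           # users: {username bytes: password bytes}
        self.identity = self.challenge = None

    def handle(self, body):
        code, ident, etype, data = parse_eap(body)
        if code != EAP_RESPONSE:
            raise ValueError("server only consumes responses")
        if etype == EAP_TYPE_IDENTITY:
            self.identity, self.challenge = data, self.rng(16)
            return eap(EAP_REQUEST, ident + 1, EAP_TYPE_MD5, bytes([16]) + self.challenge)
        if etype == EAP_TYPE_MD5:
            received = data[1:1 + data[0]]
            password = self.users.get(self.identity)
            ok = password is not None and received == md5_response(ident, password, self.challenge)
            return eap(EAP_SUCCESS if ok else EAP_FAILURE, ident + 1)
        raise ValueError("unsupported EAP type %r" % etype)


def run_8021x(supplicant, server):
    """Authenticator role: relay EAP between supplicant and server; open the port only on EAP-Success.
    Returns (port_authorized, list of EAP packets seen on the wire)."""
    port_authorized, wire = False, []
    ptype, _ = parse_eapol(eapol(EAPOL_START))    # the supplicant kicks off with EAPOL-Start
    if ptype != EAPOL_START:
        raise ValueError("expected EAPOL-Start")
    frame = eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    while True:
        _, body = parse_eapol(frame)
        wire.append(body)
        code = parse_eap(body)[0]
        if code == EAP_SUCCESS:
            port_authorized = True                  # only now does the port pass user traffic
            break
        if code == EAP_FAILURE:
            break
        # Requests go to the supplicant over EAPOL; responses go to the server (RADIUS in practice).
        nxt = supplicant.handle(body) if code == EAP_REQUEST else server.handle(body)
        frame = eapol(EAPOL_EAP_PACKET, nxt)
    return port_authorized, wire


def crack_md5_exchange(wire, wordlist):
    """Offline dictionary attack on a captured EAP-MD5 exchange (no tunnel, no server auth)."""
    challenge = response = ident = None
    for body in wire:
        code, pid, etype, data = parse_eap(body)
        if etype == EAP_TYPE_MD5 and code == EAP_REQUEST:
            challenge = data[1:1 + data[0]]
        elif etype == EAP_TYPE_MD5 and code == EAP_RESPONSE:
            ident, response = pid, data[1:1 + data[0]]
    if challenge is None or response is None:
        return None
    for word in wordlist:
        if md5_response(ident, word.encode(), challenge) == response:
            return word
    return None


if __name__ == "__main__":
    users = {b"alice": b"winter2003"}             # constructed user database
    ok, wire = run_8021x(Supplicant("alice", "winter2003"), AuthServer(users))
    print("port authorized:", ok, "EAP packets on the wire:", len(wire))
    print("dictionary attack recovers:", crack_md5_exchange(wire, ["summer", "winter2003"]))
```

Five EAP packets cross the wire for a good login (Request/Identity, Response/Identity, MD5 challenge, MD5 response, Success), and the authenticator never inspects the credentials itself; it only forwards and watches for Success or Failure, exactly the "security guard at each switch port" role. Everything on that wire is visible to anyone on the segment, which is why the tunnelled methods (PEAP, EAP-TTLS) and certificate-based EAP-TLS are the ones to deploy on wireless.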
[Slide 27] EAP-PEAP walk-through example
Roles: client, AP (authenticator), RADIUS server backed by LDAP/NDS/OTP and a Certificate Authority. The authenticator blocks all requests until authentication completes.
1. Client → AP: Start; AP → client: Request identity; client → AP → RADIUS server: identity
2. Server-side authentication: the RADIUS server presents its server certificate (issued by the CA) to the client; an encrypted TLS tunnel is established
3. Client-side authentication: EAP in EAP, i.e. a Generic Token Card exchange carried as TLS application data inside the tunnel
4. AP → client: broadcast key and key length, encrypted with the session key

[Slide 28] Identity Based Networking: what can we do today
• Centralized management with an AAA server
• Wireless mobility with 802.1X and EAP authentication types
• Catalyst switch portfolio: basic 802.1X support; 802.1X with VLANs; 802.1X with port security; 802.1X with VVID (voice VLAN); 802.1X guest VLANs; 802.1X with ACLs
• Enhanced port-based access control
• Greater flexibility and mobility for a stratified user community
• Enhanced user productivity
• Added support for converged VoIP networks

[Slide 29] Identity Based Networking Service, end-to-end architecture: Catalyst 6500
(The build-up on slides 29 to 33 covers Catalyst 6500, Catalyst 4000/4500, Catalyst 3550/2950/3750, Cisco ACS Server and Cisco Aironet in turn.)
• CatOS: 7.5.1, 802.1x with VLAN assignment; 7.6.1, 802.1x with VVID, guest VLAN and port security; 7.7.1 (target), 802.1x with DHCP; 7.8/8.1 (target, Q4CY03), 802.1x with guest VLAN per port and with ACL/QoS
• IOS: 12.1(13)E, 802.1x with VLAN assignment; 1HCY04, 802.1x with VVID, guest VLAN, port security and ACL/QoS
[Slide 30] Identity Based Networking Service, end-to-end architecture: Catalyst 4000/4500
• CatOS: 7.5.1, 802.1x with VLAN assignment; 8.1 (Q4CY03), 802.1x guest VLAN, VVID and port security
• IOS: 12.1(19)EW (June '03), 802.1x with VLAN assignment; roadmapped, 802.1x with guest VLAN, VVID, port security, ACL/QoS and 802.1x accounting

[Slide 31] Identity Based Networking Service, end-to-end architecture: Catalyst 3550/2950/3750
• Catalyst 2950/2955: 12.1(12c)EA1, 802.1x with VLAN assignment and VVID; 12.1(14)EA1, 802.1x with port security and guest VLAN
• Catalyst 3550 (EMI/SMI): 12.1(12c)EA1, 802.1x with VLAN assignment and port security; 12.1(14)EA1, 802.1x with guest VLAN, ACL/QoS and VVID
• Catalyst 3750 (Aug '03): 802.1x with VLAN assignment, VVID, guest VLAN and DHCP

[Slide 32] Identity Based Networking Service, end-to-end architecture: Cisco ACS Server
• Commercial RADIUS and TACACS+ server, scalable to 100K users / 8K devices
• 3.2, available now: appliance, Microsoft PEAP, 802.1X/IBNS complementary features with Catalyst/wireless, PEAP proxy, machine authentication
• 3.3, available Q2 '04: 802.1X Catalyst/IBNS enhancements (guest VLAN, accounting, CRL), EAP type negotiation, LDAP multithreading, EAP performance, Windows password, EAP enhancements (LEAP, PEAP v2), user quarantine

[Slide 33] Identity Based Networking Service, end-to-end architecture: Cisco Aironet
• AP 1100, AP 350 and AP 1200: 802.1x for AP LAN access (the AP authenticating as a supplicant on its own wired port), targeted Q1CY04 for two of the platforms and not committed for the third
• For wireless clients across these products: multiple VLANs for employees, guests and application-specific devices
• Expanded 802.1X authentication support for Cisco LEAP, EAP-TLS, EAP-TTLS, PEAP and EAP-SIM
• Expanded encryption support for 802.11i TKIP

[Slide 34] Latest LAN Security Threats Targeted by the Catalyst Integrated Security Features
• MAC address flooding attack. Hacking tool: macof (part of the dsniff package). It floods the switch with frames carrying random source and destination MACs and random source and destination IPs. After the CAM table fills (32K entries), traffic flooding occurs. The random IP addresses include multicast address space and will eventually cause the distribution layer to fail due to excessive processing of multicast routes.
• DHCP rogue server attack. Hacking tool: gobbler, or an actual rogue DHCP server. Man-in-the-middle attacks via a forged DNS server or IP default gateway.
• DHCP starvation. Hacking tool: gobbler. Depletion of the DHCP address space.
• ARP spoofing or ARP poisoning attack. Hacking tools: ettercap, dsniff, arpspoof. Menu-driven discovery of MAC-level topology with ARPs and DNS reverse name lookup; man-in-the-middle attacks with integrated packet capture and password sniffing.
[Slide 35] Raising the Bar on Surveillance Attacks: MAC-based attacks
• Problem: "script kiddie" hacking tools enable attackers to flood switch CAM tables with bogus MACs (132,000 of them in the example), turning the VLAN into a "hub" and eliminating privacy. A switch CAM table holds a finite number of MAC addresses.
• Solution: port security limits the MAC flooding attack. With only 3 MAC addresses allowed on the port (e.g. 00:0e:00:aa:aa:aa and 00:0e:00:bb:bb:bb plus one more), the port is locked down or shut down and an SNMP trap is sent.

[Slide 36] Port Security: cutting off MAC-based attacks (port/interface commands)
CatOS:
set port security 5/1 enable
set port security 5/1 port max 3
set port security 5/1 violation restrict
set port security 5/1 age 2
set port security 5/1 timer-type inactivity
IOS:
switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
• 3 MAC addresses to encompass the phone, the phone's internal switch and the PC
• "Restrict" rather than "error disable" (shutdown) to allow only 3 addresses and log anything beyond 3 without taking the port, and the phone on it, down
• Aging time 2 (minutes) and aging type inactivity to allow for the phone's CDP interval of 1 minute
• If the violation mode were error-disable (shutdown), the following log message would be produced: 4w6d: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi3/2, putting Gi3/2 in err-disable state

[Slide 37] DHCP Attack Types: starvation attack, get the whole scope's addresses
Gobbler, posing as many DHCP clients, repeats the exchange once per address in the scope: DHCP Discover (broadcast) → DHCP Offer (unicast) → DHCP Request (broadcast) → DHCP Ack (unicast), each × (size of DHCP scope), until the server has no leases left for legitimate clients.
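The CAM-overflow mechanism on slides 34 and 35 and the port-security fix on slide 36, as an added example that is not part of the original deck: a Python model of a switch CAM table and of a Cisco-style port-security check with the protect/restrict/shutdown violation modes. The port names, MAC addresses, 8192-entry capacity (the slide quotes 32K) and frame counts are constructed for the example, and the table evicts its oldest entry when full, which stands in for the aging that keeps a real switch from relearning a legitimate host once attack traffic has filled it.

```python
import random
from collections import OrderedDict


class CamTable:
    """Source-MAC learning with a finite CAM. When the table is full the oldest entry is
    evicted (a stand-in for aging on a real switch); a destination that is not in the
    table is flooded to every other port in the VLAN, which is what turns it into a hub."""

    def __init__(self, capacity=8192):
        self.capacity = capacity
        self.entries = OrderedDict()                       # mac -> port, oldest first

    def learn(self, mac, port):
        if mac in self.entries:
            self.entries.move_to_end(mac)
        elif len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)
        self.entries[mac] = port

    def egress_ports(self, dst_mac, in_port, all_ports):
        port = self.entries.get(dst_mac)
        if port is None:                                   # unknown unicast: flood
            return [p for p in all_ports if p != in_port]
        return [port]


class SecuredPort:
    """Cisco-style port security: at most `maximum` secure source MACs per port.
    Violation modes: protect (drop silently), restrict (drop, count, trap/syslog),
    shutdown (err-disable the whole port, phone included)."""

    def __init__(self, name, maximum=3, violation="restrict"):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(violation)
        self.name, self.maximum, self.violation = name, maximum, violation
        self.secure_macs = set()
        self.violations = 0
        self.errdisabled = False

    def admit(self, src_mac):
        """True if a frame with this source MAC may enter the switching path."""
        if self.errdisabled:
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)                  # dynamically learned secure address
            return True
        if self.violation != "protect":
            self.violations += 1                           # what the SNMP trap / syslog reports
        if self.violation == "shutdown":
            self.errdisabled = True                        # %PM-4-ERR_DISABLE psecure-violation
        return False


def random_mac(rng):
    return "00:" + ":".join("%02x" % rng.randrange(256) for _ in range(5))


def flood_attack(n_bogus, capacity=8192, secure=None, seed=1):
    """Constructed scenario: a server on Gi1/2 talks to a victim on Gi1/3 while an attacker
    on Gi1/1 runs macof. Returns (attacker_sees_victim_traffic, cam_entries, violations)."""
    rng = random.Random(seed)
    cam = CamTable(capacity)
    ports = ["Gi1/1", "Gi1/2", "Gi1/3"]
    victim, server = "00:0e:00:aa:aa:aa", "00:0e:00:bb:bb:bb"
    cam.learn(victim, "Gi1/3")
    cam.learn(server, "Gi1/2")
    for _ in range(n_bogus):
        bogus = random_mac(rng)
        if secure is not None and not secure.admit(bogus):
            continue                                       # dropped at the port, never learned
        cam.learn(bogus, "Gi1/1")
    out = cam.egress_ports(victim, "Gi1/2", ports)         # the server replies to the victim
    return "Gi1/1" in out, len(cam.entries), (secure.violations if secure else 0)


if __name__ == "__main__":
    print("no port security:", flood_attack(20000))
    print("restrict, max 3: ", flood_attack(20000, secure=SecuredPort("Gi1/1", 3, "restrict")))
    print("shutdown, max 3: ", flood_attack(20000, secure=SecuredPort("Gi1/1", 3, "shutdown")))
```

Without port security the attacker's 20,000 frames push the victim's entry out of the table, so the server's reply to the victim is flooded to Gi1/1 and the attacker captures it. With `maximum 3 violation restrict` the CAM never sees more than three attacker addresses, the victim's entry survives, and the violation counter carries the evidence; `shutdown` stops the attack just as well but err-disables the port after the first violation, which is why the slide prefers restrict on ports that also carry a phone.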
[Slide 38] DHCP Attack Types: rogue server, man-in-the-middle or non-malicious
DHCP Discover (broadcast) from the client → DHCP Offer (unicast) from the rogue → DHCP Request (broadcast) → DHCP Ack (unicast) from the rogue, possibly with a false DNS server or default gateway. Whichever server answers first wins the client.

[Slide 39] DHCP Snooping: prevents rogue servers and limits DHCP DoS
• Ports towards clients are untrusted; the port towards the DHCP server is trusted. DHCP server responses (offer, ack, nak) are accepted from the trusted port and dropped when they arrive on an untrusted port, so the rogue's responses never reach clients.
• Prevents man-in-the-middle and limits denial-of-service (DoS) attacks based on the DHCP protocol
• Malicious: a user pretends to be the network DHCP server and replies with DNS or gateway information that redirects traffic, or pretends to be multiple DHCP clients to starve the DHCP address pool
• Misconfiguration: a user configures a router (DHCP server) incorrectly
• How it works: for DHCP packets originating from untrusted ports (client ports), DHCP snooping drops all DHCP OFFER, ACK and NAK packets and any packet with a nonzero giaddr (server- or relay-originated packets). DHCP snooping forwards DHCP client requests from untrusted ports and builds a DHCP binding table (client MAC, leased IP, lease time, VLAN, port) from the leases it sees. If the DHCP server is not local to the Catalyst switch, trust the uplink port.
• DHCP snooping is not equivalent to Option 82 (DHCP interface tracker)

[Slide 40] Dynamic ARP Inspection
Scenario: host 10.1.1.2 knows its gateway is 10.1.1.1; an attacker sends a gratuitous ARP "I'm your GW: 10.1.1.1" to overwrite the IP-to-MAC mapping in end devices' ARP tables. The switch answers "Not by my binding table" and drops it.
• A binding table containing IP-address and MAC-address associations is dynamically populated using DHCP snooping
• Can also use ARP ACLs to deny (and optionally log) all invalid IP/MAC binding attempts for non-DHCP-assigned IP addresses
• Private VLAN and routed port support coming
• Prevents attacks that use ARP with an IP not in the binding table in the switch

[Slide 41] IP Source Guard: protection against IP spoofing
Scenario: the legitimate host owns 10.1.1.2; an attacker manually changing its IP address, or using a tool that crafts IP-spoofed traffic, sends "I'm sourcing 10.1.1.2". The switch answers "Not by my port ACL" and drops it.
• Automatically loads port ACLs, and optionally port security tables, with information learned from DHCP requests
• Just like Dynamic ARP Inspection, but for the IP source address (it works even when the attacking PC never uses ARP for the spoofed source address)
• The switch learns the IP address and MAC address via DHCP, automatically configures a port ACL for the IP address and adds the MAC address to the port security list for the port (the DHCP server must support Option 82 for this to work if checking IP/MAC)
• Removes the ACL and MAC entry when the lease expires
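The three features on slides 39 to 41 share one data structure, the DHCP snooping binding table, so this added example (not part of the original deck) models them together in Python: DHCP snooping filters server messages on untrusted ports and learns bindings from the real server's ACKs, Dynamic ARP Inspection checks ARP sender addresses against those bindings, and IP Source Guard checks the IP source address the same way. It also applies a per-port DHCP rate limit that err-disables the port, the switch-side answer to the gobbler starvation attack on slide 37 (Cisco exposes this as `ip dhcp snooping limit rate`). Port names, MAC and IP addresses, the lease time and the rate limit are constructed for the example; VLAN and Option 82 handling are left out.

```python
from dataclasses import dataclass, field

DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class Packet:
    """One frame arriving at the switch, reduced to the fields the three features inspect."""
    port: str                                   # ingress port
    src_mac: str                                # Ethernet source address
    proto: str                                  # "dhcp", "arp" or "ip"
    src_ip: str = ""                            # IP source, or ARP sender protocol address
    dhcp: dict = field(default_factory=dict)    # msg, chaddr, yiaddr, giaddr, lease


class AccessSwitch:
    """Minimal model of DHCP snooping, Dynamic ARP Inspection and IP Source Guard."""

    def __init__(self, trusted_ports=(), dhcp_rate_limit=5):
        self.trusted = set(trusted_ports)        # uplink / server-facing ports
        self.rate_limit = dhcp_rate_limit        # client DHCP packets per port per second
        self.bindings = {}                       # (port, mac) -> (ip, lease_expires_at)
        self.pending = {}                        # chaddr -> untrusted port that sent the request
        self.dhcp_seen = {}                      # port -> (second, count)
        self.errdisabled = set()
        self.log = []

    def _drop(self, pkt, reason):
        self.log.append("DROP %s on %s from %s: %s" % (pkt.proto.upper(), pkt.port, pkt.src_mac, reason))
        return "drop"

    def _bound(self, pkt, ip, now):
        entry = self.bindings.get((pkt.port, pkt.src_mac))
        return entry is not None and entry[0] == ip and entry[1] > now

    def ingress(self, pkt, now=0):
        """Return 'forward' or 'drop' for one packet arriving at time `now` (seconds)."""
        if pkt.port in self.errdisabled:
            return self._drop(pkt, "port err-disabled")
        untrusted = pkt.port not in self.trusted
        if pkt.proto == "dhcp":
            return self._dhcp(pkt, untrusted, now)
        if not untrusted:
            return "forward"                     # DAI and IPSG do not inspect trusted ports
        if pkt.proto == "arp" and not self._bound(pkt, pkt.src_ip, now):
            return self._drop(pkt, "DAI: sender %s/%s not in binding table" % (pkt.src_mac, pkt.src_ip))
        if pkt.proto == "ip" and not self._bound(pkt, pkt.src_ip, now):
            return self._drop(pkt, "IPSG: source %s not bound to this port" % pkt.src_ip)
        return "forward"

    def _dhcp(self, pkt, untrusted, now):
        d = pkt.dhcp
        if not untrusted:
            # The real server answered: learn the lease for the port that asked for it.
            if d["msg"] == "ACK" and d["chaddr"] in self.pending:
                port = self.pending.pop(d["chaddr"])
                self.bindings[(port, d["chaddr"])] = (d["yiaddr"], now + d["lease"])
            return "forward"
        # Server messages and relayed packets (giaddr != 0) never legitimately come from clients.
        if d["msg"] in DHCP_SERVER_MSGS or d.get("giaddr", "0.0.0.0") != "0.0.0.0":
            return self._drop(pkt, "DHCP snooping: %s from untrusted port" % d["msg"])
        if d["chaddr"] != pkt.src_mac:
            return self._drop(pkt, "DHCP snooping: chaddr does not match source MAC")
        sec, n = self.dhcp_seen.get(pkt.port, (int(now), 0))
        n = n + 1 if sec == int(now) else 1
        self.dhcp_seen[pkt.port] = (int(now), n)
        if n > self.rate_limit:                  # starvation: too many requests, err-disable the port
            self.errdisabled.add(pkt.port)
            return self._drop(pkt, "DHCP snooping: rate limit exceeded, port err-disabled")
        self.pending[d["chaddr"]] = pkt.port
        return "forward"


def demo():
    """Constructed traffic: legitimate host on Gi0/1, attacker on Gi0/2, DHCP server behind Gi0/24."""
    sw = AccessSwitch(trusted_ports={"Gi0/24"})
    host, rogue, server = "00:0e:00:aa:aa:aa", "00:0e:00:bb:bb:bb", "00:0e:00:dd:dd:dd"
    r = {}
    r["discover"] = sw.ingress(Packet("Gi0/1", host, "dhcp", dhcp={"msg": "DISCOVER", "chaddr": host}), now=0)
    r["ack"] = sw.ingress(Packet("Gi0/24", server, "dhcp", dhcp={"msg": "ACK", "chaddr": host,
                                                                 "yiaddr": "10.1.1.2", "lease": 3600}), now=1)
    r["rogue_offer"] = sw.ingress(Packet("Gi0/2", rogue, "dhcp", dhcp={"msg": "OFFER", "chaddr": host}), now=2)
    r["rogue_garp"] = sw.ingress(Packet("Gi0/2", rogue, "arp", src_ip="10.1.1.1"), now=3)   # "I'm your GW"
    r["host_arp"] = sw.ingress(Packet("Gi0/1", host, "arp", src_ip="10.1.1.2"), now=4)
    r["spoofed_ip"] = sw.ingress(Packet("Gi0/2", rogue, "ip", src_ip="10.1.1.2"), now=5)    # "I'm sourcing 10.1.1.2"
    r["host_ip"] = sw.ingress(Packet("Gi0/1", host, "ip", src_ip="10.1.1.2"), now=6)
    r["expired_ip"] = sw.ingress(Packet("Gi0/1", host, "ip", src_ip="10.1.1.2"), now=4000)  # lease is over
    for i in range(6):                           # gobbler-style starvation burst from Gi0/3
        mac = "00:0e:00:cc:cc:%02x" % i
        r["starve_%d" % i] = sw.ingress(Packet("Gi0/3", mac, "dhcp", dhcp={"msg": "DISCOVER", "chaddr": mac}), now=10)
    r["log"] = sw.log
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two details matter in practice and are visible in the model: the binding is keyed by port as well as MAC, so a spoofed address is rejected even when the attacker copies the victim's MAC onto a different port, and the binding is checked against the lease expiry, so a host that keeps an old address after its lease lapses is cut off until it renews, which is the behaviour the "removes the ACL and MAC entry when the lease expires" bullet describes.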