Cisco Network Admission Control
& the
Self Defending Network Initiative
802.1x & Identity Based Networking
Tim Ryan – Cisco SE
3856_10_2001_c1_X
© 2001, Cisco Systems, Inc. All rights reserved.
Cisco’s Embedded Intelligent Security
Evolving with Today’s Threats
(figure: timeline in three stages)
2000 – Adjunct Based Security (IDS, FW, VPN)
• Adjunct Security Appliances plugged into the Network
• Enhanced Device Security
• Separate Mgt Software
2002 – Integrated Security (IDS, FW, VPN)
• Security Service Modules Integrated into the Infrastructure
Today – Embedded Intelligent Security (Identity, L2,3 Hardening, HIPS, IDS, FW, VPN)
• Network Wide Security Fully Embedded into Network Infrastructure
• FW + Intrusion Detection + VPN
• Self Defending, Protecting, Preventing, Healing
• Integrated Mgt Software
• Control of “Who” has Network Access and “What” they can do
Cisco End-to-End Security
Productization
(figure: Intelligent Linkage of Endpoint with Network)
• Host-Based Security – Comprehensive Desktop Solution: Pers. FW, HIDS, Behavior/Anomaly, AV, VPN
• Network-Based Security – Integration of Capabilities into Converged Appliance/Switch: FW, VPN, FW + VPN, SSL VPN, App FW, IDS, In-Line IPS, IPS/FW, ID/Trust
Intelligent Embedded Campus Security
“Tighten Down the Hatches”
(figure: campus switch; unauthorized users and rogue APs are denied access, a man-in-the-middle attack is prevented, the authorized user reaches HR records, an infected user lands in a quarantine VLAN)
• Cisco Identity Based Networking Services (IBNS): “Controlling Who/What gets access to the Network and What they can do”
• Cisco Catalyst Integrated Security protects against today’s emerging attacks: “Man-in-the-middle”, “DHCP Server Spoofing”, “IP Address Spoofing”
• Host IPS (CSA) with Cisco Identity (IBNS) detects and isolates infected users
What if you could…
“Control Who’s/What is on your Network?”
(figure: unauthorized users with physical access (visitors, “door tailgaters” etc.) and unauthorized external wireless users reaching corporate resources alongside the authorized user)
• 99% of accessible Network ports are “open”
Cisco Embedded Security with IBNS
Determining “who” gets access and “what” they can do
(figure: campus network with user identity based network access; user based policies applied (BW, QoS etc); unauthorized users/devices kept out, authorized users/devices admitted)
• Equivalent to placing a Security Guard at each Switch Port
• Only Authorized users can get Network Access
• Unauthorized users can be placed into “Guest” VLANs
• Prevents unauthorized APs
Internet Worm Infection
(figure: worm attack spreading across remote user, wireless LAN, LAN, Internet, data center and branch)
• Self propagating worms continue to disrupt business, causing downtime and continual patching
• Non-compliant servers and desktops are common, and they are difficult to detect and contain
• Locating and isolating infected systems is time and resource intensive
Diverse Endpoint and User Community
(figure: attack vectors can come from anywhere – wireless LAN, remote user, Internet, LAN, data center, branch)
• The virus/worm problem is compounded by today’s networked environment
• Multiple types of end users – employees, vendors, contractors, etc.
• Multiple types of endpoints – company desktop, home, server, etc.
• Multiple types of access – wired, wireless, VPN, dial, etc.
Ideal Solution: An Integrated System
(figure: policy servers; compliant endpoint – Admit!; non-compliant endpoint – Deny! or Quarantine!; remote user, Internet, branch)
• Multiple components are required for a complete solution
• Endpoint Security solutions know the security condition: type/compliance/etc.
• Policy Servers know compliance/access rules
• Network access devices (routers, switches) enforce admission policy
• Virus/worm prevention and containment requires industry collaboration
Cisco Network Admission Control (NAC)
Summary
• Cisco Network Admission Control (NAC) is a Cisco-led, industry leading program focused on limiting damage from emerging security threats such as viruses and worms
• With NAC, customers can allow network access only to compliant and trusted endpoint devices (e.g. PCs, servers, PDAs) and can restrict the access of non-compliant devices
• Initial NAC co-sponsors include Network Associates, Symantec, and Trend Micro
• NAC is the first phase of the Cisco Self-Defending Network Initiative, an effort designed to dramatically improve the ability of networks to identify, prevent, and adapt to threats
• These efforts extend Cisco’s ability to provide secure, intelligent networks for customers
Cisco Network Admission Control (NAC)
(figure: hosts attempting network access run an AntiVirus client and Cisco Security Agent on top of the Cisco Trust Agent; the Cisco Network Access Device does security credential checking and security policy enforcement; the Cisco Policy Server does security policy creation; the AV Vendor Policy Server does AV policy evaluation)
• Based on endpoint security posture, appropriate admission policy will be enforced in the network
• Cisco & NAC co-sponsors to deliver this collaborative solution
NAC Program Overview
• Cisco is driving the architectures, specifications and guidelines of NAC
• Initial NAC co-sponsors include the major Anti-Virus vendors: Network Associates, Symantec, and Trend Micro
• Cisco Security Agent and NAC co-sponsor AV solutions will leverage Cisco Trust Agent for intelligent admission control
• Initial NAC capability to be delivered in Q2 CY04 in Cisco routers
• Future NAC extensions:
  • More Cisco network devices
  • More endpoint security software and endpoint platforms (OSs)
  • More industry co-sponsors
  • Solution “opened”, timing and extent TBD
(figure: Cisco Trust Agent stack – AV Client and CSA use an EAP/TLV API; a Broker and Security Comms L2/3 Service carries the exchange as EAP/UDP or EAP/802.1X)
NAC Deployment Scenarios
Comprehensive Compliance Validation
(figure: main office with AAA server and AV server; branch office, branch router, dial-in NAS, remote access, edge router, campus FW, Internet)
1: Branch office compliance – enforce on L3 router and firewall; EAP/UDP, extension of “Are You There”
2: Remote access compliance – RA IPsec VPN / SSL; EAP/UDP after IPsec; RADIUS (posture)
3: Dial-in access compliance – TBD
4: Wireless campus protection – EAP 802.1x (wireless); quarantine with ACLs/VLANs; extension of 802.1x
5: Campus access and data center protection – EAP 802.1x (wired); quarantine with ACLs/VLANs; extension of wired 802.1x
• Ubiquitous solution for all connection methods
• Validates all hosts
NAC Customer Benefits
• Dramatically improved security for non-compliant hosts
• Increased network resilience
• Extended value from Cisco network infrastructure investment
• Increased value of existing investment in AV
NAC Customer Validation
General Interest (over 80%)*
• 50+ Cisco Enterprise customers prebriefed on NAC and Self-Defending Network
• Consistently positive feedback
• Interest spans all vertical markets
Strategic Interest
• Strong desire for acceleration of future phases
• Must include key AV partners
*Cisco survey, Feb 3-5 2003, 250+ NIDS customers; similar results in a blind survey
Self-Defending Network Futures:
Infection Containment
(figure: infected host – local L2/L3 device – campus gateway – policy system (policy server, AV mgmt); virus detectors: AV systems (desktop, server), IDS systems (HIDS, NIDS), other virus detectors)
1. Infected host sends virus data through local L2/L3 device to network
2. Virus detector notices virus data from sender, notifies policy system
3. Policy server determines containment action
4. Policy determines closest local L2/L3 device to infected host & communicates containment action
5. Local L2/L3 device enforces containment action – Isolate! (includes network proxy devices)
In addition to securing network access…
What else can we do?
• If you know “who” and “what” are now on the network, what could you do w/ this info?
• Now: Cisco 802.1x Extensions
  VLAN Assignments
  Apply Security Profiles
  Specify IP Assignment
  Secure IP Telephony
• Future:
  Posture & Virus scanning/Quarantine VLAN?
  Dynamic FW control/access/auth?
  IDS + Identity + Mgmt?
Cisco Identity – Current and future capabilities…
(figure: employee, faculty, dorm student and off-campus student reaching servers through a CiscoSecure ACS RADIUS server)
• Dynamic VLAN Assignment
• Dynamic Security Policy Assignment using ACLs
• Dynamic QoS Assignment using ACLs including dynamic per-user/per-port policing
• IBNS-based User/Port Accounting
Campus Identity – Policy Enforcement
Future Capability: Beyond User Credentials…
(figure: employee and student authenticate to the CiscoSecure ACS RADIUS/Policy Server – “Access please, my AV software is version X” / “Sorry, your AV software is backlevel”; the student is placed in a Quarantined VLAN, the employee reaches the servers)
• Problem: How can we leverage Identity to create finer granulations in policy based on more attributes from the user
• Cisco Solution in development: Attributes such as antivirus, host intrusion detection software and .dat file levels can be passed in addition to userid/pw credentials in the authentication process to segment “unhealthy” users away from “healthy” ones
• First Phase: Symantec, Network Associates, Trend Micro, Cisco Security Agent
802.1x – Ratified by the IEEE – June 2001
• Open-standards-based protocol for authenticating network clients (or ports) on a user-ID basis, aka “port-level authentication”
• It defines three distinct roles: the Supplicant (the client), the Authenticator (the switch port or access point) and the Authentication Server. The Authenticator does not hold credentials itself; it normally relays the exchange to the Authentication Server over RADIUS.
• IEEE 802.1X provides automated user identification, centralized authentication, key management, and provisioning of LAN connectivity. It even provides support for roaming access in public areas.
802.1x + EAP extensible authentication protocol
• 802.1x builds on an existing protocol called Extensible Authentication Protocol (EAP [RFC 2284])
• EAP conducts the authentication process. It was originally defined as the authentication framework for the Point-to-Point Protocol (PPP); it carries whichever authentication method is negotiated and is itself independent of the link below it.
• EAP over LAN (EAPOL) is EAP encapsulated into 802 frames (EtherType 0x888E). This is how the Authenticator and Supplicant actually communicate during the authentication process.
• EAPOL is defined for Ethernet, Token Ring, 802.11, and other popular 802 media.
• EAP supports many authentication methods such as Kerberos, public key, one-time passwords, etc., and it can utilize Transport Layer Security (TLS) and Secure Remote Password (SRP).
802.1x
802.1x provides an architecture for many authentication types and link layers
Today EAP-TLS requires the use of Digital Certificates and a Certificate Authority.
WinXP, Win 2k, Win 9x and 3rd party clients support this.
Future versions will allow for other authentication options.
802.1x Open Benefits
• 802.1x was designed to be inexpensive to implement on existing network hardware, utilizing existing network-access infrastructure (RADIUS, LDAP, Active Directory, etc.).
• EAP-compatible RADIUS servers include, among others, Microsoft Windows 2000 Server (IAS), Cisco ACS, Funk RADIUS and Interlink Networks RADIUS Server. Other vendors that support 802.1x are AirWave, Compaq, Dell, IBM, Intel, Symbol, Toshiba, Telison and Wayport.
• The 802.1x protocol requires two distinct steps. First, the Supplicant is authenticated, and then it is authorized access privileges.
• Privileges are distributed as attributes in the RADIUS Access-Accept (the deck calls them “tokens”), which can be defined to include anything that may interest a security professional, such as VLAN IDs, rate limits, filters, tunnels, etc.
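The “privileges” above and the Dynamic VLAN Assignment of the earlier Identity slide travel as RFC 2868 tunnel attributes in the RADIUS Access-Accept. The following is an added example, not code from the deck or from Cisco: it encodes the three attributes a RADIUS server returns to place a port in a VLAN and applies the check a switch performs before acting on them. The VLAN numbers/names and the mismatched-tag case are constructed for the example; attribute numbers and values are the ones in RFC 2865/2868.

```python
"""Added example (not from the Cisco deck): the RFC 2868 tunnel attributes a RADIUS
server (ACS, IAS, ...) returns in Access-Accept to assign a VLAN after 802.1X succeeds,
and the check a switch applies before acting on them. VLAN values are constructed."""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 attribute numbers
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value "IEEE 802"


def attribute(attr_type, value):
    """RADIUS attribute TLV (RFC 2865): Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_integer(tag, value):
    """Tagged integer value: one tag byte followed by a 3-byte big-endian integer."""
    return bytes([tag]) + value.to_bytes(3, "big")


def vlan_assignment(vlan, tag=1):
    """The three attributes that together mean 'put this port in VLAN <vlan>'.
    <vlan> may be a VLAN number or a VLAN name; the tag ties the three together."""
    return (attribute(TUNNEL_TYPE, tagged_integer(tag, TUNNEL_TYPE_VLAN))
            + attribute(TUNNEL_MEDIUM_TYPE, tagged_integer(tag, TUNNEL_MEDIUM_IEEE_802))
            + attribute(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))


def parse_attributes(blob):
    """Split a RADIUS attribute list into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def vlan_from_access_accept(blob):
    """Return the VLAN to assign, or None. Only a tag group carrying Tunnel-Type=VLAN,
    Tunnel-Medium-Type=802 and a Tunnel-Private-Group-ID counts; an incomplete or
    mismatched set is ignored and the port stays in its configured VLAN."""
    groups = {}
    for attr_type, value in parse_attributes(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            groups.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # a leading byte in 0x00..0x1F is a tag; otherwise the whole string is the id (tag 0)
            tag, group = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[TUNNEL_PRIVATE_GROUP_ID] = group.decode()
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    print(vlan_assignment(120).hex())
    print(vlan_from_access_accept(vlan_assignment(120)))            # 120
    print(vlan_from_access_accept(vlan_assignment("quarantine")))   # quarantine
    mismatched = (attribute(TUNNEL_TYPE, tagged_integer(1, TUNNEL_TYPE_VLAN))
                  + attribute(TUNNEL_MEDIUM_TYPE, tagged_integer(2, TUNNEL_MEDIUM_IEEE_802))
                  + attribute(TUNNEL_PRIVATE_GROUP_ID, b"\x01120"))
    print(vlan_from_access_accept(mismatched))                      # None
```

The mismatched case is the one to keep in mind when a dynamic VLAN “silently” does not apply: the three attributes must carry the same tag, or the switch treats them as unrelated and leaves the port where it was.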
Extensible Authentication Protocol
Some Common EAP Types
• EAP Cisco Wireless EAP (LEAP)—802.1X EAP authentication type developed by Cisco to provide dynamic per-user, per-session WEP encryption keys.
• PEAP—802.1X EAP authentication type that takes advantage of server-side EAP-TLS and supports a variety of different authentication methods, including logon passwords and one-time passwords (OTPs).
• EAP-TLS—(Transport Layer Security) 802.1X EAP authentication algorithm based on the TLS protocol (RFC 2246). Uses mutual authentication based on X.509 certificates.
• EAP-Message Digest 5 (MD5)—User name-and-password method that uses an MD5 challenge/response so the password itself is not sent in the clear. It authenticates only the client (no mutual authentication), derives no session keys, and a captured challenge/response can be attacked offline with a dictionary, so it is not suitable for wireless.
• EAP-Generic Token Card (GTC)—One of the defined EAP types in RFC 2284, allows OTP authentication.
• EAP-TTLS—Tunneled TLS – authentication from Funk SW.
802.1x EAP Authentication Choices
• LEAP
  802.1x framework, password-based authentication, uses MS-CHAP v1 (a captured LEAP challenge/response is exposed to offline dictionary attacks, so password strength matters)
  Only advanced authentication solution supported on all major OS’s (Windows, Mac, Linux, etc.)
  Cisco in the process of licensing LEAP to other key clients to move it from being “proprietary” to “widely-supported”
• PEAP with One-Time Passwords (“OTP”)
  Protected EAP (creates a PKI-based secure/encrypted TLS tunnel between the client and the RADIUS server, authenticated by the server’s certificate; the AP only relays it – allowing for other types of client-side authentication inside the tunnel)
  802.1x framework, certificate-based server authentication; the client authenticates inside the tunnel with a password or OTP
  PEAP supported by Cisco, Microsoft, & RSA; draft standard proposed to IETF
  Creates encrypted tunnel between client and RADIUS server, similar to VPN
  PEAP supported in Cisco ACS Server software ver. 3.1
  One-Time Password (“OTP”) support is a Cisco enhancement to PEAP (EAP-GTC carried inside the tunnel), similar to SofToken or OTP cards
  PEAP with OTP available from Cisco as a software upgrade on 802.1x-supported client OS’s
Cisco EAP aka
Cisco LEAP + 802.1x Authentication Process
(sequence diagram: Client (supplicant) – Access Point (AP) / Switch (authenticator) – RADIUS authentication server)
Client → AP: Start
AP → Client: Request identity (AP blocks all requests until Cisco LEAP completes)
Client → AP → RADIUS: username
RADIUS → AP → Client: challenge
Client → AP → RADIUS: response (RADIUS server authenticates client)
RADIUS → AP → Client: success
Client → AP → RADIUS: challenge
RADIUS → AP: response, key; AP → Client: response (client authenticates RADIUS server; both sides derive the session key)
AP → Client: broadcast key, key length (AP sends client broadcast key, encrypted with session key)
EAP-PEAP – Walk Through Example
(sequence diagram: client – AP – RADIUS server, with a Certificate Authority and an LDAP / NDS / OTP back end)
Client → AP: Start
AP → Client: Request identity (Authenticator blocks all requests until authentication completes)
Client → AP → RADIUS: identity
Server Side Authentication – RADIUS → AP → Client: Server certificate
Encrypted Tunnel Established
Client Side Authentication – EAP in EAP Authentication (pass Generic Token Card in TLS application data)
AP → Client: broadcast key, key length (AP sends client broadcast key, encrypted with session key)
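The EAPOL encapsulation described under “802.1x + EAP” and the “blocks all requests until authentication completes” behaviour shown in the two walk-throughs above are what a switch port or AP actually implements. The following is an added example, not code from the deck or from Cisco: it builds and parses EAPOL frames (EtherType 0x888E) carrying EAP packets in the RFC 2284 layout, and models the controlled port, which passes nothing but EAPOL until an EAP-Success is issued. The LEAP/PEAP challenge-response and the RADIUS leg are replaced by a stand-in allow-list so the script runs offline; the MAC addresses and identities are constructed.

```python
"""Added example (not from the Cisco deck): EAPOL/EAP framing and the 802.1X controlled
port. The authentication server is a stand-in allow-list (no LEAP/PEAP, no RADIUS);
MAC addresses and identities are constructed."""
import struct

ETHERTYPE_EAPOL = 0x888E            # EAP over LAN
ETHERTYPE_IPV4 = 0x0800
EAPOL_VERSION = 1                   # 802.1X-2001
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")     # 802.1X PAE group address
SUPPLICANT_MAC = bytes.fromhex("000e00aaaaaa")     # constructed
AUTHENTICATOR_MAC = bytes.fromhex("000e00bbbbbb")  # constructed


def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP packet (RFC 2284): Code, Identifier, Length, then Type/Type-Data for Request/Response."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol_frame(dst, src, eapol_type, body=b""):
    """Ethernet header + EAPOL header (Version, Packet Type, Body Length) + body."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, EAPOL_VERSION, eapol_type, len(body)) + body


def parse_frame(frame):
    """Return the EtherType and, for EAPOL, the packet type and any EAP packet inside."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        return {"ethertype": ethertype}
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    out = {"ethertype": ethertype, "eapol_type": ptype}
    if ptype == EAPOL_EAP_PACKET and len(body) >= 4:
        code, ident, elen = struct.unpack("!BBH", body[:4])
        out["eap"] = {"code": code, "id": ident,
                      "type": body[4] if elen > 4 else None, "data": bytes(body[5:elen])}
    return out


class AuthenticatorPort:
    """Controlled port: until EAP-Success only EAPOL is processed; all other frames drop."""

    def __init__(self, auth_server):
        self.auth_server = auth_server   # callable(identity) -> bool; stands in for RADIUS
        self.authorized = False
        self.next_id = 1

    def handle(self, frame):
        """Returns (action, reply): action is 'forward', 'drop' or 'consumed' (EAPOL PDU)."""
        p = parse_frame(frame)
        if p["ethertype"] != ETHERTYPE_EAPOL:
            return ("forward" if self.authorized else "drop"), None
        src = frame[6:12]
        if p["eapol_type"] == EAPOL_START:                 # answer Start with Request/Identity
            req = eap_packet(EAP_REQUEST, self.next_id, EAP_TYPE_IDENTITY)
            return "consumed", eapol_frame(src, AUTHENTICATOR_MAC, EAPOL_EAP_PACKET, req)
        if p["eapol_type"] == EAPOL_LOGOFF:                # Logoff closes the port again
            self.authorized = False
            return "consumed", None
        eap = p.get("eap")
        if eap and eap["code"] == EAP_RESPONSE and eap["type"] == EAP_TYPE_IDENTITY \
                and eap["id"] == self.next_id:
            self.authorized = self.auth_server(eap["data"].decode())
            code = EAP_SUCCESS if self.authorized else EAP_FAILURE
            return "consumed", eapol_frame(src, AUTHENTICATOR_MAC, EAPOL_EAP_PACKET,
                                           eap_packet(code, self.next_id))
        return "consumed", None


def run_exchange(identity, allowed):
    """Start -> Request/Identity -> Response/Identity -> Success/Failure, with a data
    frame tried before and after to show the port state."""
    port = AuthenticatorPort(lambda who: who in allowed)
    ip_frame = AUTHENTICATOR_MAC + SUPPLICANT_MAC + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\0" * 19
    before = port.handle(ip_frame)[0]
    _, req = port.handle(eapol_frame(PAE_GROUP_ADDR, SUPPLICANT_MAC, EAPOL_START))
    resp = eap_packet(EAP_RESPONSE, parse_frame(req)["eap"]["id"], EAP_TYPE_IDENTITY, identity.encode())
    _, result = port.handle(eapol_frame(AUTHENTICATOR_MAC, SUPPLICANT_MAC, EAPOL_EAP_PACKET, resp))
    after = port.handle(ip_frame)[0]
    return {"before": before, "result_code": parse_frame(result)["eap"]["code"],
            "after": after, "authorized": port.authorized}


if __name__ == "__main__":
    print(run_exchange("alice", {"alice"}))     # before: drop, result_code: 3, after: forward
    print(run_exchange("mallory", {"alice"}))   # before: drop, result_code: 4, after: drop
```

Two things the model makes visible that the slides only state: the EAP Identifier in the Response must match the outstanding Request (a stale or forged Response is ignored), and the IPv4 frame is dropped on the unauthorized port regardless of its content because the controlled port looks only at the EtherType.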
Identity Based Networking:
What can we do Today!
• Centralized Management with AAA server
• Wireless Mobility with 802.1X and EAP Authentication Types
• Catalyst Switch Portfolio
  • Basic 802.1X Support
  • 802.1X with VLANs
  • 802.1X with Port Security
  • 802.1X with VVID
  • 802.1X Guest VLANs
  • 802.1X with ACLs
• Enhanced Port Based Access Control
• Greater flexibility and mobility for a stratified user community
• Enhanced User Productivity
• Added support for converged VoIP networks
Identity Based Networking Service – Catalyst 6500
(roadmap table; columns: Catalyst 6500, Catalyst 4000/4500, Catalyst 3550/2950/3750, Cisco ACS Server, Cisco Aironet; this slide fills in the Catalyst 6500 column, grouped below in the slide’s reading order)
• CatOS
  7.5.1: 802.1x w/ VLAN Assignment
  7.6.1: 802.1x w/ VVID, 802.1x w/ Guest VLAN, 802.1x w/ Port Security
  7.7.1 (Target): 802.1x w/ DHCP
  7.8/8.1 (Target) – Q4CY03: 802.1x with ACL/QoS, 802.1x w/ Guest VLAN/port
• IOS
  12.1(13)E: 802.1x w/ VLAN Assignment
  1HCY04: 802.1x w/VVID, 802.1x Guest VLAN, 802.1x w/Port Security, 802.1x with ACL/QoS
Identity Based Network Services (IBNS) End-to-End Architecture
Identity Based Networking Service – Catalyst 4000/4500
(same roadmap table; this slide fills in the Catalyst 4000/4500 column)
• CatOS 7.5.1: 802.1x w/ VLAN Assignment; 8.1 – Q4CY03: 802.1x Guest VLAN
• IOS 12.1(19)EW – June ‘03: 802.1x w/ VLAN Assignment
• Roadmapped: 802.1x w/ VVID, 802.1x w/ Guest VLAN, 802.1x w/ Port Security, 802.1x with ACL/QoS, 802.1x Accounting
Identity Based Networking Service – Catalyst 3550/2950/3750
(same roadmap table; this slide fills in the Catalyst 3550/2950/3750 column; the per-model grouping follows the slide’s column layout as extracted)
• 2950/2955
  12.1(12c)EA1: 802.1x w/ VLAN Assignment, 802.1x w/VVID
  12.1(14)EA1: 802.1x w/ Port Sec, 802.1x Guest VLAN
• 3550 (EMI/SMI)
  12.1(12c)EA1: 802.1x w/ VLAN Assignment, 802.1x w/ Port Sec
  12.1(14)EA1: 802.1x Guest VLAN, 802.1x w/ ACL/QoS, 802.1x w/VVID
• 3750 – Aug ‘03
  802.1x w/ VLAN Assignment, 802.1x w/VVID, 802.1x Guest VLAN, 802.1x w/ DHCP
Identity Based Networking Service – Cisco ACS Server
(same roadmap table; this slide fills in the Cisco ACS Server column; features are listed under the two releases in slide order)
• Commercial RADIUS & TACACS+
• Scalable to 100K users/8K devices
• 3.2 Avail Now: Appliance; Microsoft PEAP; 802.1X/IBNS complementary features with Catalyst/Wireless; PEAP Proxy; Machine Auth
• 3.3 Avail Q2 ‘04: 802.1X Catalyst/IBNS enhancements (guest VLAN, accounting, CRL); EAP Type Negotiation; LDAP Multithreading; EAP Performance; Windows password; EAP enhancements (LEAP, PEAP v2); User Quarantine
Identity Based Networking Service – Cisco Aironet
(same roadmap table; this slide fills in the Cisco Aironet column)
• AP 1100: 802.1x for AP LAN Access – Q1CY04
• AP 350: 802.1x for AP LAN Access – Not Committed
• AP 1200: 802.1x for AP LAN Access – Q1CY04
• For Wireless Clients Across These Products:
  • Multiple VLANs for employees, guests and application specific devices
  • Expanded 802.1X Authentication Support for: Cisco LEAP, EAP-TLS, EAP-TTLS, PEAP, EAP-SIM
  • Expanded Encryption Support for 802.11i TKIP
Latest LAN Security Threats
Targeted by the Catalyst Integrated Security Features
• MAC Address Flooding Attack
  – Hacking Tool: macof (part of dsniff package)
  • SYN floods with random src and dst MAC, random src and dst IP
  • After CAM Table Fills, Traffic Flooding Occurs (32K entries)
  • Random IP addresses include multicast address space and will eventually cause the distribution layer to fail due to excessive processing of multicast routes
• DHCP Rogue Server Attack
  – Hacking Tool: gobbler or actual rogue DHCP server
  • Man in the middle attacks via DNS or IP default GW forging
• DHCP Starvation
  – Hacking Tool: gobbler
  • Depletion of DHCP address space
• ARP Spoofing or ARP Poisoning Attack
  – Hacking Tool: ettercap, dsniff, arpspoof
  • Menu driven discovery of MAC level topology with ARPs and DNS Reverse Name Lookup
  • Man in the middle attacks with integrated packet capture and password sniffing
Raising the Bar on Surveillance Attacks
MAC-Based Attacks
(figure: attacker sends 132,000 bogus MACs; legitimate hosts 00:0e:00:aa:aa:aa and 00:0e:00:bb:bb:bb; with only 3 MAC addresses allowed on the port, the attacker’s port is shut down)
Problem: “Script Kiddie” Hacking Tools Enable Attackers to Flood Switch CAM Tables with Bogus MACs, Turning the VLAN into a “Hub” and Eliminating Privacy. The Switch CAM Table Limit is a Finite Number of MAC Addresses.
Solution: Port Security Limits the MAC Flooding Attack, Locks down the Port and Sends an SNMP Trap
Port Security
Cutting off MAC-Based Attacks
Solution: Port Security (port/interface commands)
CatOS
  set port security 5/1 enable
  set port security 5/1 maximum 3
  set port security 5/1 violation restrict
  set port security 5/1 age 2
  set port security 5/1 timer-type inactivity
IOS
  switchport port-security
  switchport port-security maximum 3
  switchport port-security violation restrict
  switchport port-security aging time 2
  switchport port-security aging type inactivity
• 3 MAC addresses to encompass the phone, the phone’s switch, and the PC
• “Restrict” rather than “error-disable” to allow only 3 and to drop and log anything beyond 3 while keeping the port up
• Aging time 2 and aging type inactivity to allow for the phone’s CDP of 1 min
If the violation mode is error-disable instead, the following log message is produced:
4w6d: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi3/2, putting Gi3/2 in err-disable state
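To see why “restrict” versus “shutdown” matters, and what the flood does to a switch that has no port security at all, here is an added example that is not code from the deck or from Cisco: a finite CAM table with MAC aging, driven by a macof-style flood from one port, once without port security and twice with the 3-address limit configured above (restrict, then shutdown). The table size, port numbers and MAC addresses are constructed; the attacker keeps flooding past the aging timer, which is what makes the legitimate hosts’ traffic flood out every port. Secure-MAC aging (the age/inactivity knobs) is not modelled.

```python
"""Added example (not from the Cisco deck): a finite CAM table under a macof-style
MAC flood, with and without port security. Table size, ports and MAC addresses are
constructed; secure-MAC aging (the 'age 2 / inactivity' knobs) is not modelled."""
import random

AGING_SECONDS = 300          # default CAM aging time on Catalyst switches
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, cam_size=32000, port_security=None):
        self.cam_size = cam_size
        self.cam = {}                        # mac -> (port, last_seen)
        self.psec = port_security or {}      # port -> {"max": n, "violation": "restrict"|"shutdown"}
        self.secure_macs = {p: set() for p in self.psec}
        self.violations = {p: 0 for p in self.psec}
        self.err_disabled = set()
        self.traps = []
        self._last_aged = None

    def _age(self, now):
        if now == self._last_aged:
            return
        self._last_aged = now
        for mac in [m for m, (_, seen) in self.cam.items() if now - seen > AGING_SECONDS]:
            del self.cam[mac]

    def ingress(self, now, port, src, dst):
        """One frame in. Returns the egress port, 'flooded' (broadcast or unknown unicast),
        'dropped' or 'err-disabled'."""
        self._age(now)
        if port in self.err_disabled:
            return "dropped"
        if port in self.psec and src not in self.secure_macs[port]:
            if len(self.secure_macs[port]) >= self.psec[port]["max"]:
                self.violations[port] += 1
                if self.violations[port] == 1:
                    self.traps.append(f"psecure-violation on port {port}")   # the SNMP trap
                if self.psec[port]["violation"] == "shutdown":
                    self.err_disabled.add(port)       # err-disable, as in the log line above
                    return "err-disabled"
                return "dropped"                      # restrict: drop the offender, port stays up
            self.secure_macs[port].add(src)
        if src in self.cam or len(self.cam) < self.cam_size:
            self.cam[src] = (port, now)               # learn or refresh; a full table learns nothing
        if dst == BROADCAST or dst not in self.cam:
            return "flooded"                          # out every port in the VLAN: the 'hub' state
        return self.cam[dst][0]


def flood_scenario(port_security=None, bogus_per_burst=40000, seed=1):
    """Hosts A (port 1) and B (port 2) talk; the attacker on port 3 floods bogus source
    MACs, keeps flooding past the aging timer, then A tries to reach B again."""
    rng = random.Random(seed)
    sw = Switch(port_security=port_security)
    a, b = "00:0e:00:aa:aa:aa", "00:0e:00:bb:bb:bb"
    sw.ingress(0, 1, a, b)
    sw.ingress(0, 2, b, a)

    def burst(t):
        for _ in range(bogus_per_burst):
            mac = "02:" + ":".join("%02x" % rng.randrange(256) for _ in range(5))
            sw.ingress(t, 3, mac, BROADCAST)

    burst(1)
    burst(AGING_SECONDS + 2)                          # attacker wins the race for aged-out slots
    sw.ingress(AGING_SECONDS + 3, 2, b, a)            # B speaks again: can the switch still learn it?
    a_to_b = sw.ingress(AGING_SECONDS + 4, 1, a, b)
    return {"cam_entries": len(sw.cam), "a_to_b": a_to_b,
            "violations": sum(sw.violations.values()), "traps": sw.traps,
            "err_disabled": sorted(sw.err_disabled)}


if __name__ == "__main__":
    print("no port security:", flood_scenario())
    print("max 3, restrict :", flood_scenario({3: {"max": 3, "violation": "restrict"}}))
    print("max 3, shutdown :", flood_scenario({3: {"max": 3, "violation": "shutdown"}}))
```

Without port security the table ends the run full of attacker entries and A’s unicast to B is flooded to every port, which is the “VLAN as a hub” state. With restrict, the attacker gets three entries and nothing more, the table holds only the two legitimate hosts at the end, and one trap is sent; with shutdown the same protection comes at the price of the port (and the phone and PC behind it) going err-disabled on the first violation.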
DHCP Attack Types
Starvation Attack: Get whole scope’s addresses
(sequence: Gobbler on the client side – DHCP Server)
DHCP Discover (Broadcast) × (Size of DHCP scope)
DHCP Offer (Unicast) × (Size of DHCP scope)
DHCP Request (Broadcast) × (Size of DHCP scope)
DHCP Ack (Unicast) × (Size of DHCP scope)
DHCP Attack Types
Rogue Server: MiM or Non Malicious
(sequence: DHCP Client and Rogue Server on the access side, legitimate DHCP Server behind the switch)
DHCP Discover (Broadcast)
DHCP Offer (Unicast) from the Rogue
DHCP Request (Broadcast)
DHCP Ack (Unicast) from Rogue possibly with false DNS or Def GW
DHCP Snooping
Prevents Rogue Server and Limits DHCP DoS
(figure: DHCP client and rogue server on untrusted ports, the real DHCP server behind the trusted uplink; with DHCP Snooping enabled, bad DHCP responses (e.g. offer, ack, nak) from untrusted ports are dropped while OK responses from the trusted port pass)
• Prevents MiM and limits denial of service (DoS) attacks based on the DHCP protocol
  Malicious—user pretends to be the Network DHCP Server to reply with DNS or GW info to redirect traffic OR user pretends to be multiple DHCP clients to starve the DHCP address pool
  Misconfiguration—user configures router (DHCP server) incorrectly
• How it works:
  For DHCP packets originating from untrusted ports (client ports), DHCP Snooping drops all DHCP OFFER, ACK, NAK, or nonzero giaddr packets (server-oriented packets). DHCP Snooping forwards DHCP client requests from untrusted ports and builds a DHCP binding table.
  If the DHCP server is not local to the Catalyst Switch, trust the uplink port
• DHCP snooping is not equivalent to Option 82 (DHCP Interface tracker)
Dynamic ARP Inspection
(figure: the attacker sends a gratuitous ARP “I’m your GW: 10.1.1.1” toward a host whose GW is 10.1.1.1; the switch answers “Not by my binding table” and drops it)
• A gratuitous ARP is used to overwrite the MAC that end devices hold for the gateway’s IP in their ARP tables
• A binding table containing IP-address and MAC-address associations is dynamically populated using DHCP Snooping
• Can also use ARP ACLs to deny (and optionally log) all invalid IP/MAC binding attempts for non-DHCP assigned IP Addresses
• Private VLAN and routed port support coming.
• Prevents attacks that use ARP with an IP not in the binding table in the switch
IP Source Guard
Protection Against IP Spoofing
(figure: legitimate host 10.1.1.2 on one port; an attacker on another port claims “I’m sourcing 10.1.1.2”; the switch answers “Not by my Port ACL”; gateway 10.1.1.1)
• Attack: manually changing the IP address or using programs to create IP spoofed traffic
• Automatically loads Port ACLs and optionally port security tables with information learned from DHCP requests
• Just like Dynamic ARP Inspection, but for the IP source address (works even when the attack PC does not use ARP for the spoofed source address)
• Switch learns IP address and MAC address via DHCP
• Automatically configures a Port ACL for the IP address and adds the MAC address to the port security list for the port. (DHCP server must run Option 82 for this to work if checking IP/MAC)
• Removes the ACL and MAC entry when the lease expires.
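The three features on the last slides share one data structure, the DHCP snooping binding table, so here they are together as one added example that is not code from the deck or from Cisco: a minimal BOOTP/DHCP encoder and parser (fixed header, magic cookie, option 53), the snooping rule that drops server-side messages and nonzero giaddr from untrusted ports while recording bindings from ACKs seen on the trusted port, and the Dynamic ARP Inspection and IP Source Guard checks that consult those bindings. Port numbers, MAC and IP addresses, and the rogue/spoofed packets are constructed; Option 82 and ARP ACLs for static hosts are not modelled.

```python
"""Added example (not from the Cisco deck): DHCP snooping, Dynamic ARP Inspection and
IP Source Guard applied to constructed packets. Ports, MACs, IPs and the minimal
DHCP encoding are constructed for the example."""
import struct
from ipaddress import IPv4Address

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6      # DHCP message types (option 53)
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"                   # op htype hlen hops xid secs flags ci yi si gi chaddr sname file


def build_dhcp(op, msg_type, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0", xid=0x1234):
    """Minimal BOOTP/DHCP message: fixed header, magic cookie, option 53, end option."""
    hdr = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0, b"\0" * 4, IPv4Address(yiaddr).packed,
                      b"\0" * 4, IPv4Address(giaddr).packed, chaddr.ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(pkt):
    f = struct.unpack(HEADER, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i, msg_type = pkt[240:], 0, None
    while i < len(opts) and opts[i] != 255:
        if opts[i] == 0:                       # pad
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53:
            msg_type = opts[i + 2]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": str(IPv4Address(f[8])),
            "giaddr": str(IPv4Address(f[10])), "chaddr": f[11][:f[2]], "type": msg_type}


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.client_port = {}      # chaddr -> port where the client's request arrived
        self.bindings = {}         # (ip, mac) -> port   (the DHCP snooping binding table)

    def dhcp_ingress(self, port, pkt):
        d = parse_dhcp(pkt)
        if port not in self.trusted:
            # server-side messages or a relay-agent giaddr from a client port: rogue or spoofed
            if d["type"] in (OFFER, ACK, NAK) or d["giaddr"] != "0.0.0.0":
                return "drop"
            self.client_port[d["chaddr"]] = port
            return "forward"
        if d["type"] == ACK and d["chaddr"] in self.client_port:
            self.bindings[(d["yiaddr"], d["chaddr"])] = self.client_port[d["chaddr"]]
        return "forward"

    def lease_expired(self, ip, mac):
        """IP Source Guard / DAI forget the host when the lease ends."""
        self.bindings.pop((ip, mac), None)

    def arp_ingress(self, port, sender_ip, sender_mac):
        """Dynamic ARP Inspection: ARP from an untrusted port must match a binding on that port."""
        if port in self.trusted:
            return "forward"
        return "forward" if self.bindings.get((sender_ip, sender_mac)) == port else "drop"

    def ip_ingress(self, port, src_ip, src_mac):
        """IP Source Guard: the port ACL only permits the IP/MAC bound to this port."""
        if port in self.trusted:
            return "forward"
        return "forward" if self.bindings.get((src_ip, src_mac)) == port else "drop"


def demo():
    sw = SnoopingSwitch(trusted_ports=[24])          # 24 = uplink toward the real DHCP server
    victim = bytes.fromhex("000e00aaaaaa")           # client on port 1 (constructed)
    rogue = bytes.fromhex("000e00bbbbbb")            # rogue server / spoofer on port 2 (constructed)
    out = {}
    out["discover"] = sw.dhcp_ingress(1, build_dhcp(BOOTREQUEST, DISCOVER, victim))
    out["rogue_offer"] = sw.dhcp_ingress(2, build_dhcp(BOOTREPLY, OFFER, victim, yiaddr="10.1.1.2"))
    out["relay_spoof"] = sw.dhcp_ingress(2, build_dhcp(BOOTREQUEST, REQUEST, rogue, giaddr="10.1.1.254"))
    out["real_ack"] = sw.dhcp_ingress(24, build_dhcp(BOOTREPLY, ACK, victim, yiaddr="10.1.1.2"))
    out["binding"] = sw.bindings.get(("10.1.1.2", victim))
    out["legit_arp"] = sw.arp_ingress(1, "10.1.1.2", victim)
    out["gw_spoof_arp"] = sw.arp_ingress(2, "10.1.1.1", rogue)   # "I'm your GW: 10.1.1.1"
    out["ip_spoof"] = sw.ip_ingress(2, "10.1.1.2", rogue)         # "I'm sourcing 10.1.1.2"
    out["legit_ip"] = sw.ip_ingress(1, "10.1.1.2", victim)
    sw.lease_expired("10.1.1.2", victim)
    out["after_expiry"] = sw.ip_ingress(1, "10.1.1.2", victim)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>13}: {v}")
```

Two consequences of the trust model are visible in the run: a legitimate DHCP server plugged into an untrusted access port is filtered exactly like the rogue one (hence “trust the uplink port”), and a host with a static address has no binding, so DAI and IP Source Guard drop it until an ARP ACL or static binding is added for it.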