What Cisco technology protects against Spanning-Tree Protocol manipulation?
A. Spanning tree protect.
B. MAC spoof guard.
C. Root Guard and BPDU Guard.
D. Port Security.
E. Unicast Reverse Path Forwarding.
Explanation:
Network Security at the Data Link Layer (Layer 2) of LAN
Every layer of communication has its own unique security challenges, and data link layer (layer 2) communication is a weak link in terms of security. Network security should be addressed at multiple layers to cover the different vulnerabilities of each. In this article, we focus on the security issues related to wired local area networks. Wireless LAN and the security issues of wide area networks (WAN) are discussed in separate articles. Switches are key components of layer 2 communication and are also used for layer 3 communication. They are susceptible to many of the same Layer 3 attacks as routers, as well as to many unique network attacks, which include:
Content-Addressable Memory (CAM) table overflow: The CAM table in a switch contains information such as the MAC addresses available on a given physical port of a switch, as well as the associated VLAN parameters. CAM tables are limited in size. Typically a network intruder floods the switch with a large number of invalid source MAC addresses until the CAM table fills up. When that occurs, the switch floods incoming traffic out all ports because it cannot find the port number for a particular MAC address in the CAM table. CAM table overflow only floods traffic within the local VLAN, so the intruder sees only traffic within the local VLAN to which he or she is connected.
VLAN hopping: VLAN hopping is a network attack whereby an end system sends out packets destined for a system on a different VLAN that cannot normally be reached by the end system. This traffic is tagged with a VLAN ID different from the one to which the end system belongs. Alternatively, the attacking system may try to behave like a switch and negotiate trunking so that the attacker can send and receive traffic between other VLANs.
Spanning-Tree Protocol manipulation: Spanning-Tree Protocol is used in switched networks to prevent the creation of bridging loops in an Ethernet network topology. By attacking the Spanning-Tree Protocol, the network attacker hopes to spoof his or her system as the root bridge in the topology. To do this, the network attacker broadcasts Spanning-Tree Protocol Configuration/Topology Change Bridge Protocol Data Units (BPDUs) in an attempt to force spanning-tree recalculations. The BPDUs sent out by the network attacker's system announce that the attacking system has a lower bridge priority. If successful, the network attacker can see a variety of frames.
Media Access Control (MAC) address spoofing: MAC spoofing attacks involve the use of a known MAC address of another host to attempt to make the target switch forward frames destined for the remote host to the network attacker. By sending a single frame with the other host's source Ethernet address, the network attacker overwrites the CAM table entry so that the switch forwards packets destined for the host to the network attacker. Until the legitimate host sends traffic, it will not receive any traffic. When the host sends out traffic, the CAM table entry is rewritten once more so that it moves back to the original port.
Address Resolution Protocol (ARP) attack: ARP is used to map IP addresses to MAC addresses in a local area network segment where hosts of the same subnet reside. An ARP attack occurs when someone attempts to change the MAC-to-IP address information in the ARP table without authorization. By doing so, the attacker can spoof his or her MAC or IP address to launch two types of attacks: Denial of Service and Man-in-the-Middle.
Private VLAN: Private VLANs work by limiting the ports within a VLAN that can communicate with other ports in the same VLAN. Isolated ports within a VLAN can communicate only with promiscuous ports. Community ports can communicate only with other members of the same community and with promiscuous ports. Promiscuous ports can communicate with any port. One network attack capable of bypassing the network security of private VLANs involves the use of a proxy to bypass access restrictions to a private VLAN.
DHCP starvation: A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. This is easily achieved with attack tools such as gobbler. If enough requests are sent, the network attacker can exhaust the address space available to the DHCP servers for a period of time. This is a simple resource starvation attack, just like a SYN flood. The network attacker can then set up a rogue DHCP server on his or her system and respond to new DHCP requests from clients on the network.
Mitigations of LAN Security Risks
The CAM table-overflow attack can be mitigated by configuring port security on the switch. This option provides for either the specification of the MAC addresses on a particular switch port or the specification of the number of MAC addresses that can be learned by a switch port. When an invalid MAC address is detected on the port, the switch can either block the offending MAC address or shut down the port.
Mitigating VLAN hopping attacks requires several modifications to the VLAN configuration. One of the more important elements is to use dedicated VLAN IDs for all trunk ports. Also, disable all unused switch ports and place them in an unused VLAN. Set all user ports to nontrunking mode by explicitly turning off DTP on those ports.
To mitigate Spanning-Tree Protocol manipulation, use the root guard and BPDU guard enhancement commands to enforce the placement of the root bridge in the network as well as to enforce the Spanning-Tree Protocol domain borders. The root guard feature is designed to provide a way to enforce root-bridge placement in the network. The Spanning-Tree Protocol BPDU guard is designed to allow network designers to keep the active network topology predictable. While BPDU guard may seem unnecessary given that the administrator can set the bridge priority to zero, there is still no guarantee that the intended bridge will be elected as the root bridge, because there might be another bridge with priority zero and a lower bridge ID. BPDU guard is best deployed on user-facing ports to prevent rogue switch network extensions by an attacker.
Use the port security commands to mitigate MAC-spoofing attacks. The port security command provides the capability to specify the MAC address of the system connected to a particular port. The command also provides the ability to specify an action to take if a port-security violation occurs. However, as with the CAM table-overflow attack mitigation, specifying a MAC address on every port is an unmanageable solution. Hold-down timers in the interface configuration menu can be used to mitigate ARP spoofing attacks by setting the length of time an entry will stay in the ARP cache.
Configure access control lists (ACLs) on the router port to mitigate private VLAN attacks. VLAN ACLs can also be used to help mitigate the effects of private VLAN attacks. The techniques that mitigate CAM table flooding also mitigate DHCP starvation by limiting the number of MAC addresses on a switch port. As RFC 3118, Authentication for DHCP Messages, is implemented, DHCP starvation attacks will become more difficult.
In addition, IEEE 802.1X, a standard for passing the Extensible Authentication Protocol (EAP) framework over a wired or wireless network, acts as a gatekeeper for basic network access at the data link layer. By denying access to the network before authentication is successful, 802.1X can prevent many attacks against network infrastructure that depend on having basic IP connectivity. Originally written to be used within the Point-to-Point Protocol (PPP) of dial-up and remote access networks, EAP is carried by 802.1X within the context of LANs, including wireless LANs.
The network security measures at the data link layer are complementary to the network layer (IPsec) measures and provide extra protection for the network and its users, especially in the case of wireless LAN. The following table gives a feature comparison of network security at the data link layer and at the network layer.
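The mitigations above combined into one Cisco IOS access-switch configuration, as an added example that is not part of the original article: root guard on the distribution uplinks, BPDU guard plus port security and DTP disabled on user ports, and unused ports parked in an unused VLAN. Interface ranges, VLAN numbers and the MAC limit are assumptions chosen for illustration.

```cisco
! Added example (not from the original article). Interface names,
! VLAN numbers and the MAC limit are assumed values for illustration.

! Uplinks toward the distribution layer. Root guard keeps the root
! bridge where the design places it: if a superior BPDU (lower priority
! or lower bridge ID) arrives on these ports, the port enters the
! root-inconsistent state instead of accepting a new root bridge.
! A dedicated native VLAN on the trunk addresses the VLAN-hopping advice.
interface range GigabitEthernet1/0/47 - 48
 description Uplink to distribution
 switchport mode trunk
 switchport trunk native vlan 998
 switchport nonegotiate
 spanning-tree guard root

! User-facing access ports. DTP is turned off so a host cannot negotiate
! a trunk, BPDU guard err-disables the port if any BPDU is received
! (rogue switch), and port security caps learned MAC addresses, which
! also limits CAM-table overflow, MAC spoofing and DHCP starvation.
interface range GigabitEthernet1/0/1 - 40
 description User access port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict

! Unused ports: shut down and placed in an unused VLAN.
interface range GigabitEthernet1/0/41 - 46
 description Unused - parked
 switchport mode access
 switchport access vlan 999
 shutdown
```

A port that BPDU guard has err-disabled stays down until an administrator re-enables it (or errdisable recovery is configured), which is the intended behaviour for a user-facing port that started receiving BPDUs.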