© 2006 Cisco Systems, Inc. All rights reserved. BCMSN v Minimizing Service Loss and Data Theft in a Campus Network Protecting Against Spoof Attacks

© 2006 Cisco Systems, Inc. All rights reserved. BCMSN v DHCP Spoof Attacks Attacker activates DHCP server on VLAN. Attacker replies to valid client DHCP requests. Attacker assigns IP configuration information that establishes rogue device as client default gateway. Attacker establishes man-in-the-middle attack.

© 2006 Cisco Systems, Inc. All rights reserved. BCMSN v DHCP Snooping DHCP snooping allows the configuration of ports as trusted or untrusted. Untrusted ports cannot process DHCP replies. Configure DHCP snooping on uplinks to a DHCP server. Do not configure DHCP snooping on client ports.

© 2006 Cisco Systems, Inc. All rights reserved. BCMSN v Securing Against DHCP Snooping Attacks Switch(config)# ip dhcp snooping limit rate [rate] Enables DHCP Option 82 data insertion Switch(config)# ip dhcp snooping information option Number of packets per second accepted on a port Enables DHCP snooping globally Switch(config)# ip dhcp snooping Switch(config-if)# ip dhcp snooping trust Configures a trusted interface Switch(config)# ip dhcp snooping vlan number [number] Enables DHCP snooping on your VLANs

© 2006 Cisco Systems, Inc. All rights reserved. BCMSN v Verifying DHCP Snooping Verifies the DHCP snooping configuration Switch# show ip dhcp snooping Switch DHCP snooping is enabled DHCP Snooping is configured on the following VLANs: Insertion of option 82 information is enabled. Interface Trusted Rate limit (pps) FastEthernet2/1 yes none FastEthernet2/2 yes none FastEthernet3/1 no 20 Switch#

© 2006 Cisco Systems, Inc. All rights reserved. BCMSN v IP source guard is configured on untrusted L2 interfaces IP Source Guard

© 2006 Cisco Systems, Inc. All rights reserved. BCMSN v Configuring IP Source Guard on a Switch Enables DHCP snooping on a specific VLAN Switch(config)# ip dhcp snooping vlan number [number] Enables DHCP snooping globally Switch(config)# ip dhcp snooping Switch(config-if)# ip verify source vlan dhcp-snooping port-security Enables IP Source Guard, source IP, and source MAC address filter on a port

© 2006 Cisco Systems, Inc. All rights reserved. BCMSN v ARP Spoofing

© 2006 Cisco Systems, Inc. All rights reserved. BCMSN v DAI associates each interface with a trusted state or an untrusted state. Trusted interfaces bypass all DAI. Untrusted interfaces undergo DAI validation. Dynamic ARP Inspection

© 2006 Cisco Systems, Inc. All rights reserved. BCMSN v Switch(config)#ip arp inspection vlan vlan_id[,vlan_id] Enables DAI on a VLAN or range of VLANs Switch(config-if)#ip arp inspection trust Enables DAI on an interface and sets the interface as a trusted interface Switch(config-if)#ip arp inspection validate {[src-mac] [dst-mac] [ip]} Configures DAI to drop ARP packets when the IP addresses are invalid Configuring DAI

© 2006 Cisco Systems, Inc. All rights reserved. BCMSN v Protection from ARP Spoofing Configure to protect against rogue DHCP servers. Configure for dynamic ARP inspection.

© 2006 Cisco Systems, Inc. All rights reserved. BCMSN v Summary DHCP spoof attacks send unauthorized replies to DHCP queries. DHCP snooping is used to counter a DHCP spoof attack. DHCP snooping is easily implemented on a Cisco Catalyst switch. ARP spoofing can be used to redirect traffic to an unauthorized device on the network. Dynamic ARP inspection in conjunction with DHCP snooping can be used to counter ARP spoofing attacks. Configuration commands for dynamic ARP inspection are simple to understand. Dynamic APR inspection and DHCP snooping can protect against ARP spoofing attacks.

© 2006 Cisco Systems, Inc. All rights reserved. BCMSN v