LAN Security Sabrina

Questions and Answers

What command is used to enable PortFast globally on a Cisco device?

  • spanning-tree bpduguard default
  • spanning-tree bpduguard enable
  • spanning-tree portfast default (correct)
  • spanning-tree portfast interface

Enabling PortFast on an inter-switch link can lead to which of the following issues?

  • Increased network traffic
  • Slower network convergence
  • Spanning-tree loop (correct)
  • Reduced network security

Which command is used to verify if PortFast is enabled on a specific interface?

  • show spanning-tree summary
  • show spanning-tree interface type/number detail (correct)
  • show running-config | begin spanning-tree
  • show running-config interface type/number (correct)

BPDU Guard is a feature that prevents which of the following?

  • (A) STP loops caused by misconfigured ports (correct)

If an access port receives an unexpected BPDU while BPDU Guard is enabled, what happens?

  • (B) The port is put into error-disabled state. (correct)

What is a primary reason for Layer 2 being considered a weak link in network security?

  • (B) It relies heavily on MAC address tables. (correct)

Which of the following accurately describes a MAC address flooding attack?

  • (D) Results in the switch acting as a hub. (correct)

Which attack technique aims to exploit the limitation of MAC address table size?

  • (D) MAC address flooding (correct)

What happens when a switch's MAC address table is full due to flooding?

  • (B) Traffic is flooded out on all ports in the same VLAN. (correct)

Which attack is categorized under VLAN attacks?

  • (B) VLAN hopping (correct)

Which type of attack can manipulate the Spanning Tree Protocol (STP)?

  • (C) STP manipulation (correct)

Address spoofing attacks can involve which type of addresses?

  • (B) Both MAC and IP addresses (correct)

What is one consequence of a successful DHCP starvation attack?

  • (B) The DHCP server becomes inaccessible. (correct)

What method can a threat actor use to keep a switch from returning to its correct port assignment?

  • (A) Sending constant frames to the switch (correct)

How can IP address and MAC address spoofing be mitigated?

  • (D) By implementing IP Source Guard (IPSG) (correct)

What is one way attackers manipulate the Spanning Tree Protocol (STP)?

  • (C) Sending BPDUs with lower bridge priority (correct)

What is the function of BPDU Guard in network security?

  • (C) To prevent incorrect STP configuration (correct)

Which command disables CDP globally on a Cisco device?

  • (C) no cdp run (correct)

What type of information does Cisco Discovery Protocol (CDP) include in its broadcasts?

  • (B) IP address, IOS version, platform, and native VLAN (correct)

What command is used to disable CDP on an individual interface?

  • (B) no cdp enable (correct)

Which protocol is also mentioned to be vulnerable to reconnaissance attacks?

  • (D) Link Layer Discovery Protocol (LLDP) (correct)

What is the effect of a rogue DNS server providing an incorrect address?

  • (B) It redirects users to a malicious website. (correct)

What is a characteristic of ARP attacks?

  • (D) They can involve sending unsolicited ARP Replies. (correct)

How can Dynamic ARP Inspection (DAI) help address ARP spoofing?

  • (A) By validating ARP Replies against a trusted database. (correct)

What happens during an IP address spoofing attack?

  • (A) A valid IP address is hijacked or randomly used. (correct)

What happens during a gratuitous ARP attack?

  • (C) A switch updates its MAC table with a spoofed MAC address. (correct)

What is a challenge with MAC address spoofing?

  • (D) It allows attackers to reroute traffic intended for another host. (correct)

What does IP address spoofing make difficult?

  • (B) Detecting unauthorized users in the network. (correct)

What does IPv6 use for Layer 2 address resolution instead of ARP?

  • (D) ICMPv6 Neighbor Discovery Protocol (correct)

Which command is used to set a static MAC address on a port?

  • (B) switchport port-security mac-address mac-address (correct)

What happens when a switch is rebooted after dynamically learning MAC addresses?

  • (A) The port will have to re-learn the device's MAC address. (correct)

Which command allows dynamically learned MAC addresses to be saved to NVRAM?

  • (D) switchport port-security mac-address sticky (correct)

What is the main purpose of port security aging?

  • (B) To remove secure MAC addresses on a port without manual deletion. (correct)

When an administrator wants to configure the aging type to 10 minutes of inactivity, which command would they use?

  • (B) switchport port-security aging type inactivity 10 (correct)

What is the correct command to view the current port security configuration on an interface?

  • (B) show port-security interface (correct)

What is the maximum number of secure MAC addresses that can be manually configured on a port in the example scenario?

  • (A) 1 (correct)

What happens when a port experiences a violation due to an unknown MAC address?

  • (D) The port enters the error-disabled state. (correct)

Which command is used to set the port security violation mode?

  • (B) Switch(config-if)# switchport port-security violation {shutdown | restrict | protect} (correct)

In restrict mode, what action does the switch take when a security violation occurs?

  • (C) It drops packets with unknown MAC addresses and increments the violation counter. (correct)

What does the command 'show port-security interface' reveal when there is a port in error-disabled state?

  • (B) The port status is displayed as secure-shutdown. (correct)

What must an administrator do to re-enable a port that is in the error-disabled state due to a violation?

  • (D) Enter the shutdown and no shutdown commands. (correct)

What is the default action of the switch when it encounters a security violation?

  • (B) Shutdown the port and send a syslog message. (correct)

Which mode is the least secure option for port security violation?

  • (A) Restrict (correct)

What happens to packets with unknown MAC source addresses in protect mode?

  • (B) They are dropped and no notifications are issued. (correct)

Flashcards

Manually Configured MAC Address

Static MAC addresses configured manually by an administrator on a port.

Dynamically Learned MAC Address

Automatically learned MAC addresses that are not saved after reboot.

Sticky MAC Address

Dynamically learned MAC addresses that are saved in running configuration.

Port Security Configuration

Sets a maximum number of secure MAC addresses and their types.

Port Security Aging

Removes secure MAC addresses based on inactivity or a set timer.

Absolute Aging

Secure addresses are deleted after a defined aging time, regardless of activity.

Inactivity Aging

Secure addresses are deleted if they are inactive for a specified time.

Port Security Commands

Commands used for configuring port security settings on a switch.

PortFast

A feature that minimizes STP convergence time on access ports by bypassing the listening and learning states.

Enable PortFast Globally

Use the command 'spanning-tree portfast default' to enable PortFast on all access ports in a network.

Verify PortFast Status

Use 'show spanning-tree summary' to check if PortFast is enabled globally on access ports.

BPDU Guard

A protection feature that disables ports upon receiving BPDUs, putting them into an error-disabled state to prevent loops.

Enable BPDU Guard Globally

Use 'spanning-tree portfast bpduguard default' to activate BPDU Guard on all access ports.

Wrong DNS Server

Rogue server providing an incorrect DNS address to mislead users.

DoS Attack via Wrong IP

Using invalid IP to disrupt DHCP clients, causing denial of service.

ARP Request

Hosts broadcast to find MAC address for a specific IP.

Gratuitous ARP

Client sends unsolicited ARP Reply, updating ARP tables with its own details.

ARP Spoofing Attack

Attacker sends fake ARP messages, altering MAC address mappings.

Dynamic ARP Inspection (DAI)

A method to mitigate ARP spoofing and ARP poisoning attacks.

IP Address Spoofing

Hijacking or randomly using IP addresses to impersonate another device.

MAC Address Spoofing

Altering a device's MAC address to match another, redirecting traffic.

Layer 2 Security Threats

Vulnerabilities in Layer 2 of the OSI model affecting networks.

MAC Table Attack

Attacks that exploit the MAC address table to intercept traffic.

MAC Address Flooding

Overloading a switch with fake MAC addresses to fill its table.

VLAN Attack

Attacks targeting Virtual Local Area Networks, including hopping or tagging issues.

DHCP Attack

Attacks on the DHCP server, such as starvation or spoofing.

ARP Spoofing

Manipulating ARP to redirect traffic to an attacker's device.

Address Spoofing

Creating false identities for MAC and IP addresses.

STP Attack

Exploiting the Spanning Tree Protocol to disrupt network topology.

IP Source Guard (IPSG)

A security feature that prevents IP and MAC address spoofing.

STP Manipulation Attack

An attack that involves spoofing the root bridge in STP.

BPDUs

Bridge Protocol Data Units used in STP for topology changes.

Cisco Discovery Protocol (CDP)

A Layer 2 link discovery protocol enabled by default on Cisco devices.

Limiting CDP Exposure

Mitigating risks by disabling CDP on edge ports connected to untrusted devices.

Link Layer Discovery Protocol (LLDP)

A protocol similar to CDP that also has vulnerabilities.

Port Security

A feature that prevents unauthorized access to a switch port by allowing only certain MAC addresses.

Port Security Violation

Occurs when a device's MAC address does not match the allowed list, resulting in the port being disabled.

Error-Disabled State

A state where a port is disabled due to a security violation, stopping all traffic.

Violation Modes

Modes that determine the switch's response when a port security violation occurs.

Shutdown Mode

The default response when a violation occurs; the port is immediately disabled.

Restrict Mode

The port drops packets from unknown sources and increments the violation counter but stays enabled.

Protect Mode

The port drops packets from unknown sources without generating any logs.

Error Messages

Notifications displayed when a port is in the error-disabled state, indicating a security issue.

Study Notes

LAN Security

  • LAN security is a critical component of protecting network resources.
  • Attacks on a network may result in loss of time and money due to damage or theft of information or assets.
  • Intruders gain network access through software vulnerabilities, hardware attacks, or by guessing usernames and passwords.
  • Threat actors gain access to modify software or exploit vulnerabilities.
  • After network access, four types of threats may arise:
    • Information Theft
    • Data loss and manipulation
    • Identity Theft
    • Disruption of service

Types of Vulnerabilities

  • Vulnerability is the degree of weakness in a network or device.
  • Routers, switches, desktops, servers, and security devices have inherent vulnerabilities.
  • Network devices under attack are typically endpoints such as servers and desktop computers.
  • Three primary vulnerabilities include:
    • Technological: TCP/IP issues, OS weaknesses, Network Equipment weaknesses
    • Configuration: unsecured accounts, easily guessed passwords, misconfigured services and network equipment, unsecure default settings.
    • Security Policy: Lack of written policy, inadequate authentication, missing logical access controls.
  • All three of these can leave a network or device open to various attacks, including malicious code and network attacks.

Physical Security

  • A threat actor with physical access can damage or disable network resources, denying their use to legitimate users.
  • Four classes of physical threats are:
    • Hardware: physical damage to servers, routers, switches, and workstations.
    • Environmental: temperature extremes (hot/cold) and humidity extremes.
    • Electrical: voltage spikes, inadequate power, brownouts, and power loss.
    • Maintenance: improper handling of electrical components, lack of critical spare parts, and inadequate labeling.

Network Attacks Today

  • Common network attacks include:
    • Distributed Denial of Service (DDoS): a coordinated attack from multiple devices (zombies) to halt public access to websites and resources.
    • Data Breach: an attack compromising organizational data servers or hosts to steal confidential information.
    • Malware: an attack infecting hosts with malicious software causing various problems, e.g., ransomware.

Endpoint Protection

  • Endpoints are laptops, desktops, servers, and IP phones, as well as employee-owned devices.
  • Endpoints are vulnerable to malware-related attacks that originate from email or web browsing.
  • Host-based security features include antivirus/antimalware, host-based firewalls, and host-based intrusion prevention systems (HIPS).
  • Endpoints are typically protected by a combination of NAC, AMP, an email security appliance (ESA), and a web security appliance (WSA).

Authentication with a Local Password

  • Authentication methods offer varying security levels.
  • Simplest method is using login and password combinations on console, vty lines, and aux ports.
  • SSH is a more secure form of remote access requiring a username and password that can be authenticated locally.
  • Local database method has limitations as it is not scalable and lacks fallback authentication.

AAA Components

  • AAA stands for Authentication, Authorization, and Accounting, providing a framework to control access on network devices.
  • Authentication verifies who can access a network.
  • Authorization defines what users can do while connected to the network.
  • Accounting audits actions performed while accessing the network.

Local and Server-Based AAA Authentication

  • Local AAA stores usernames and passwords locally on network devices, ideal for small networks.
  • Server-based AAA uses a central AAA server that stores the usernames and passwords for all users; network devices communicate with it using the RADIUS or TACACS+ protocols. This is more suitable for larger networks with multiple routers and switches.

Authorization

  • AAA authorization is automatic and requires no additional steps from the user after authentication.
  • Authorization governs users' actions on the network after authentication.
  • Authorization uses attributes describing the user's network access level, used by the AAA Server to determine privileges and restrictions.

Accounting

  • AAA accounting collects and reports usage details like connection times, commands, packet and byte counts.
  • Serves for auditing and billing purposes.
  • Combines with AAA authentication to create detailed logs of user actions, useful for troubleshooting and detecting malicious activity.

802.1X

  • A port-based access control and authentication protocol.
  • Restricts unauthorized workstation connections to a LAN through switch ports.
  • The authentication server authenticates each workstation before granting access to switch services or the LAN.
  • Device roles in 802.1X include Client (Supplicant), Switch (Authenticator), and Authentication Server.

Layer 2 Security Threats (Attacks)

  • Layer 2 is a weak link in security because LANs are often trusted for all persons/devices connected.
  • Common Layer 2 attacks include MAC table, VLAN, DHCP, ARP, address spoofing, and STP attacks.
  • If Layer 2 is compromised, the entire layered network is under attack and can cause significant damage.

ARP Attacks (Addressing Protocols)

  • Hosts broadcast ARP requests to find the MAC address of a host with a destination IP address in the subnet.
  • The host with a matching IP address responds with ARP replies.
  • A client can send an unsolicited ARP reply, called a "gratuitous ARP".
  • Attackers can send unsolicited ARP replies with a spoofed MAC address to a switch to compromise it.
  • Mitigation techniques include DHCP snooping and Dynamic ARP Inspection (DAI).

VLAN Hopping Attacks

  • Attackers potentially bypass the router and utilize a switch's automatic trunking port feature to access all VLANs.
  • Double-tagging attacks can encapsulate a frame within a frame enabling access to a different VLAN than expected.

DHCP Attacks

  • DHCP starvation attacks flood the network with bogus requests, exhausting resources (DoS).
  • DHCP spoofing attacks mislead clients with false IP and gateway/DNS information.
  • Mitigating measures involve DHCP snooping.

MAC Address Table Attacks

  • MAC address table flooding overwhelms the switch memory, leading to all frames being forwarded on all ports within the same VLAN.
  • Attackers can capture traffic meant for other hosts on the local network.
  • Port security mitigates this issue by limiting the number of allowed MAC addresses on a switch port, only allowing configured or dynamically learned MAC addresses.

Mitigation of LAN Attacks

  • Many mitigation techniques exist, including:
    • Port security
    • DHCP snooping
    • Dynamic ARP Inspection (DAI)
    • IP Source Guard (IPSG)

Port Security

  • Secures switch ports against unauthorized access.
  • Disables unused ports or limits allowed MAC addresses.
  • Static or dynamic learning is implemented for secure MAC addresses.
  • Port Security violation modes (shutdown, restrict, protect) manage potential unauthorized access when MAC addresses do not match.
  • A maximum number of secure (validated) MAC addresses is configured per port.

CDP Reconnaissance

  • Cisco Discovery Protocol (CDP) is a proprietary Layer 2 protocol that administrators use to discover neighboring network devices for configuration and troubleshooting.
  • CDP sends its information in unencrypted, unauthenticated broadcasts, which makes it useful to an attacker for network mapping and reconnaissance.
  • Disable CDP on edge ports connecting to untrusted devices.

STP Attacks

  • Attackers use STP to capture network traffic.
  • Attackers spoof root bridges and modify network topologies.
  • Mitigation involves employing BPDU Guard on all access ports.
  • PortFast enables immediate forwarding for access ports, bypassing listening and learning stages to speed up network convergence, but may create spanning-tree loops when used in non-access ports.

Summary of VLAN Hopping Attacks

  • Techniques for VLAN hopping include spoofing DTP, using rogue switches with trunk links, and using double-tagging.
  • Countermeasures include disabling DTP (auto-negotiation) on non-trunking ports, disabling unused ports or placing them in an unused VLAN, manually enabling trunking on trunk ports, and setting the native VLAN to a value other than VLAN 1.
