
Recalling the basics – L2/L3 security

Someone has just inspired me to refresh my memory of some basics of LAN security.

It actually turned out to be quite challenging to get from the L4-L7 issues I have been working with on a daily basis for the last couple of years down to the L2/L3 issues that were certainly part of my CCNP studies a while ago but have since given way to a risk-based approach. The latter, as you may know, means tackling security issues in order of decreasing business risk, from the highest down to the lower priorities. This makes perfect sense to any sensible person 🙂 including myself, but, although L2 challenges are nowhere near the top of my list of priorities at my current company, my bruised engineering ego demanded satisfaction after I struggled to recall on the spot some basics about the IOS features related to DHCP Snooping.

So here we go – my refresher on DHCP Snooping, Dynamic ARP Inspection and IP Source Guard.

DHCP Snooping

First things first: this feature is the foundation for both Dynamic ARP Inspection and IP Source Guard (IPSG), which rely on the binding table it builds. Neither of the other two works without it being enabled on the VLAN.

  • Main goal – keep rogue DHCP servers out of the LAN (an attacker answering DHCP requests can hand clients a malicious default gateway or DNS server and become a man-in-the-middle), and in doing so build a trusted record of which IP address was leased to which MAC address on which port.
  • Main idea – we have trusted switch ports (uplinks towards legitimate DHCP servers) and untrusted ports (everything else, including all client-facing access ports). The switch looks at DHCP messages passing through it and builds an internal table that maps each IP address to its MAC address, and also records the lease time, the interface to which the binding applies, and the VLAN to which that interface belongs.
  • What the feature does (on a per-VLAN basis):
    • Validates DHCP messages from untrusted sources and drops invalid ones: server messages (DHCPOFFER, DHCPACK, DHCPNAK) arriving on an untrusted port, client messages whose Ethernet source MAC does not match the DHCP client hardware address (when MAC verification is on, which is the default), and DHCPRELEASE/DHCPDECLINE messages for a binding that belongs to a different interface
    • Rate-limits DHCP messages on untrusted ports (a DHCP starvation defence); a port that exceeds its limit is err-disabled
    • Populates the DHCP Snooping binding table, which basically contains the MAC addresses seen on untrusted ports and the IPs leased to them by the DHCP server(s)
    • Uses the table to validate subsequent requests from the untrusted ports.

IP Source Guard

  • Main goal – prevent IP address spoofing by allowing IP traffic on an untrusted port only from hosts that obtained their IP address from a trusted DHCP server (or that were explicitly allowed by manually creating a static binding)
  • Main idea – we rely on the DHCP Snooping binding table; all IP traffic from an untrusted port is blocked until/unless the host goes through a proper DHCP lease process (DHCP itself is still let through, otherwise the host could never obtain a lease); in a non-DHCP environment we create a manual MAC-IP-VLAN-interface binding. By default IPSG filters on source IP only; filtering on source MAC as well requires the additional MAC-check option, which on older Catalyst platforms also needs port security enabled on the port.

Dynamic ARP Inspection

  • Main goal – validate ARP packets in the network and discard invalid ones, thus preventing ARP spoofing/poisoning: a host answering ARP requests (or sending gratuitous ARP) with its own MAC address for an IP it does not own, typically the default gateway, so that other hosts' traffic is redirected through it (man-in-the-middle) or black-holed (denial of service)
  • Main idea – we cross-reference all ARP packets against a trusted binding table (built by DHCP Snooping, or manually via static bindings and ARP ACLs for hosts with static addresses)
  • What the feature does:
    • Intercepts all ARP traffic on untrusted interfaces (ARP on trusted ports, i.e. uplinks to other switches that run DAI themselves, is not inspected)
    • Verifies that the sender IP-to-MAC pair in each ARP packet has a valid mapping in the DHCP Snooping database or matches a manual binding / ARP ACL entry; all invalid ARP packets get dropped and logged
    • Optionally also checks that the Ethernet source/destination MACs agree with the ARP body and that sender/target IPs are not 0.0.0.0, 255.255.255.255 or multicast
    • Rate-limits incoming ARP on untrusted ports (15 packets per second by default) and err-disables a port that exceeds the limit
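To tie the three sections together, here is a complete Catalyst IOS configuration that enables DHCP Snooping, Dynamic ARP Inspection and IP Source Guard on one access VLAN, added as an illustration and not taken from the original post. The VLAN number, interface names, database filename, and the 0011.2233.4455 / 192.0.2.50 static host are made-up values; every command is standard Catalyst IOS syntax.

```cisco
! ---------- DHCP Snooping: the foundation that DAI and IPSG consume ----------
ip dhcp snooping
ip dhcp snooping vlan 10
! The switch inserts DHCP option 82 by default; a relay/server that is not
! configured to accept it from an untrusted hop will drop those requests, so
! turn it off unless the upstream side expects it.
no ip dhcp snooping information option
! Persist the binding table so a reload does not leave DAI/IPSG with an empty
! table (which would cut every client off until its lease is renewed).
ip dhcp snooping database flash:dhcp-snooping.db
!
! ---------- Dynamic ARP Inspection on the same VLAN ----------
ip arp inspection vlan 10
! Beyond the binding-table lookup, also check that the Ethernet source/destination
! MACs agree with the ARP body and that sender/target IPs are not 0.0.0.0,
! 255.255.255.255 or multicast.
ip arp inspection validate src-mac dst-mac ip
!
! ---------- Hosts with static addresses (no lease to learn from) ----------
! Static entry in the binding table (consumed by IPSG)...
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet1/0/5
! ...and a matching ARP ACL, because DAI consults ARP ACLs before the snooping
! table. Without the "static" keyword on the filter, packets the ACL does not
! match still fall through to the DHCP Snooping bindings, so DHCP hosts keep working.
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! ---------- Trusted side: uplink towards the legitimate DHCP server ----------
interface GigabitEthernet1/0/1
 description Uplink to distribution / DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
! ---------- Untrusted side: client-facing access ports ----------
interface range GigabitEthernet1/0/2 - 24
 description Access ports (untrusted by default for both features)
 switchport mode access
 switchport access vlan 10
 ! Cap DHCP messages per second (DHCP starvation defence); the port is
 ! err-disabled when the limit is exceeded.
 ip dhcp snooping limit rate 15
 ! ARP rate limit on untrusted ports (15 pps is the default, shown explicitly);
 ! exceeding it also err-disables the port.
 ip arp inspection limit rate 15
 ! IPSG: forward IP packets only if the source IP matches a binding for this
 ! port. Add the platform's MAC-check keyword (port-security on older
 ! Catalysts, which also needs port security on the port) to filter on MAC too.
 ip verify source
!
! Let err-disabled ports recover automatically instead of needing a shut/no shut.
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! ---------- Verification ----------
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
show ip verify source
```

The order matters in practice: enable snooping and mark the uplink trusted before turning on DAI or IPSG on the access ports, otherwise every existing client is dropped until its next lease renewal populates the table. The `show ip dhcp snooping binding` output is the thing to check first whenever a host "suddenly" loses connectivity on a port with these features on.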
Categories: Cisco, LAN, Security