Other - Security Concepts Flashcards
(19 cards)
Why is Layer 2 considered to be the weakest link in a network?
Layer 2 assumes all devices on the Local Area Network (LAN) are trusted.
There is no built-in authentication at this layer for devices joining the network.
If Layer 2 is compromised, then all layers above it are also affected.
What are the different categories of switch attacks?
MAC Table Attacks
- Includes MAC address flooding attacks.
VLAN Attacks
- Includes VLAN hopping and VLAN double-tagging attacks.
DHCP Attacks
- Includes DHCP starvation and DHCP spoofing attacks.
STP Attacks
- Includes STP manipulation attacks.
What are the two switch attack mitigation techniques? What attacks do they mitigate?
Port Security
- Prevents MAC address flooding and DHCP starvation attacks.
DHCP Snooping
- Prevents DHCP starvation and DHCP spoofing attacks.
What are some recommended security techniques?
Always use secure variants of management protocols (e.g., SSH).
Use a dedicated management VLAN where nothing but management traffic resides.
Disable all unused ports on a switch.
Enable port security and BPDU guard on access ports.
Implement DHCP Snooping.
What is a MAC Address Table Attack?
All MAC tables have a fixed size and, consequently, a switch can run out of resources in which to store MAC addresses. MAC address flooding attacks take advantage of this limitation by bombarding the switch with fake source MAC addresses until the switch MAC address table is full.
Once the table is full, the switch can no longer learn new addresses and floods frames for unknown destinations out of every port in the VLAN. This allows a threat actor to capture frames sent from one host to another on the local VLAN, which means they can see traffic meant for other devices and enables packet sniffing or data theft.
How do you mitigate MAC Address Table Attacks?
Implement port security. Port security will only allow a specified number of source MAC addresses to be learned on the port.
What is a VLAN Hopping Attack?
VLAN hopping is a type of network attack in which an attacker tricks a switch into giving them access to multiple VLANs, even though they are only supposed to be on one.
In a basic VLAN hopping attack, the threat actor configures a host to act like a switch to take advantage of the automatic trunking port feature enabled by default on most switch ports.
The attacker can “hop” between VLANs, seeing or injecting traffic from other VLANs without needing a router.
What is a VLAN Double-Tagging Attack?
It’s a VLAN hopping technique where an attacker sneaks traffic into another VLAN by placing two VLAN tags inside one Ethernet frame.
The outer tag (matching the native VLAN of the trunk) is stripped by the first switch, and the inner tag then carries the frame into the target VLAN, allowing the attacker to bypass VLAN boundaries.
What is a DHCP Starvation Attack?
A DHCP starvation attack is a Denial-of-Service (DoS) attack that tries to use up all of the IP addresses in a network's DHCP server pool so that legitimate devices cannot obtain a lease.
The goal is to prevent real users from connecting to the network and to cause disruption or downtime.
What is DHCP Spoofing?
DHCP spoofing is when an attacker sets up a fake (rogue) DHCP server on a network. It pretends to be a real DHCP server and gives out false IP settings to users.
The goal of the attack is to steal information, redirect traffic, or block access for real users.
What is an STP Attack and how is it mitigated?
An STP attack is when an attacker pretends to be the main switch (root bridge) in a network.
The attacker sends fake STP messages (BPDUs) advertising a very low bridge priority. This tricks the network into electing the attacker's device as the new root bridge. Once that happens, network traffic may be forwarded through the attacker's device, allowing them to intercept or manipulate data.
Enabling BPDU Guard on access ports (ports connected to user devices) places the port into the err-disabled state as soon as any BPDU is received on it, so fake STP messages from end devices are blocked.
What are the three MAC Address port security configurations?
Manually Configured - The administrator manually configures a static MAC address.
Dynamically Learned - The MAC address for a device connected to the port is dynamically learned but is not added to the running configuration. If the switch is rebooted, the port will have to re-learn the device’s MAC address.
Dynamically Learned - Sticky: The administrator can enable the switch to dynamically learn the MAC address and "stick" it to the running configuration so it survives a reboot once the configuration is saved.
How do you enable port security?
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum 3
switchport port-security violation shutdown
What are the two port security aging configurations?
Absolute - The secure addresses on the port are deleted after the specified aging time.
Inactivity - The secure addresses on the port are deleted if they are inactive for a specified time.
What are the three port security violation modes?
Protect – Drops packets from unknown MACs; no notification.
Restrict – Drops packets and logs the violation, increments the violation counter.
Shutdown – Disables the port (err-disabled state) when a violation occurs. Most secure.
Why should unused ports be shut down?
To prevent unauthorized access or devices from connecting to the network, reducing the risk of security breaches or attacks like VLAN hopping or MAC flooding.
How do you mitigate VLAN Hopping Attacks?
Disable DTP (auto trunking) negotiations on non-trunking ports by using the “switchport mode access” interface configuration command.
Manually enable the trunk link on a trunking port by using the “switchport mode trunk” command.
Disable DTP (auto trunking) negotiations on trunking ports by using the “switchport nonegotiate” command.
What is DHCP Snooping?
DHCP snooping is a Layer 2 security feature that drops DHCP server messages (e.g., offers and acknowledgements) arriving on untrusted ports and rate-limits DHCP traffic from untrusted ports.
Trusted Ports: Connect to legitimate DHCP servers. Must be manually set as trusted.
Untrusted Ports: Connect to end devices (not servers). By default, all ports are untrusted.
How do you enable PortFast and BPDU Guard?
spanning-tree portfast
spanning-tree bpduguard enable