Practice Q's - L2 Security Flashcards

1
Q

What attack technique attempts to fill a switching table so the attackers can capture traffic passing through a switch?

A. VLAN hopping

B. MAC spoofing

C. Rogue device

D. MAC flooding

A

Answer: D

Explanation:

MAC flooding is an attack technique in which the attacker sends the switch frames carrying a large number of unique, bogus source MAC addresses. The switch learns each one, so the CAM (MAC address) table fills and legitimate addresses can no longer be learned, or relearned once their entries age out. Any frame destined for a MAC address not in the table is flooded to all other ports in the VLAN, so the attacker's port receives traffic that would normally be switched only to its destination port. The switch is essentially functioning as a hub in this case.

The standard mitigation is port security: limit the number of MAC addresses a port may learn (switchport port-security maximum) so that a flood from one port shuts the port down or drops the excess frames instead of filling the table. 802.1X port authentication additionally restricts which devices may connect and send frames in the first place.

VLAN hopping is an attack that allows an attacker to reach hosts on a different VLAN without passing through a router. In the double-tagging variant, the attacker crafts a frame with two 802.1Q headers: the outer tag carries the native VLAN of the trunk (which must also be the VLAN the attacker's own port belongs to), and the inner tag carries the target VLAN. The first switch strips the outer tag and, because that VLAN is the trunk's native VLAN, forwards the frame over the trunk untagged, with the inner tag now exposed. The next switch reads the inner tag as the frame's VLAN and delivers it into the target VLAN. The traffic is one-way (replies stay in the target VLAN), but that is enough for injection attacks.

VLAN hopping is a security concern because it bypasses the router and its access lists. For this reason, private VLANs and VACLs should be used to secure access between VLANs. Techniques to prevent these attacks are: executing switchport mode access (and switchport nonegotiate, so DTP cannot form a trunk) on all non-trunk ports; setting the native VLAN of every trunk to an unused VLAN ID that is assigned to no access port; and pruning that native VLAN from the trunk or tagging it (vlan dot1q tag native) so an outer tag is never silently removed.

MAC spoofing is an attack that allows an attacking device to receive frames intended for a different host by changing an assigned Media Access Control (MAC) address of a networked device to a different one. Changing the assigned MAC address may allow the device to bypass access control lists on servers or routers, either hiding a computer on a network or allowing it to impersonate another computer.

A rogue device is a device attached to the network that is not under the control of the organization. This term is normally used to mean a wireless device, perhaps an access point that is not operating as a part of the company’s infrastructure. Employees may bring their own access points and connect them to the network so they can use their computer wirelessly. This creates a security gap since the device is probably not secured to protect the traffic. An attacker could connect a rogue access point to a company’s network and capture traffic from outside the company’s premises.
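The flooding behaviour described above (this card and card 4), as an added example that is not part of the flashcard set: a toy Layer 2 switch with an 8-entry CAM table. An attacker on port 3 floods it with bogus source MACs, after which traffic between two legitimate hosts is flooded to the attacker's port; with a port security maximum of one MAC, the attacker's port is err-disabled on the second address and the table never fills. Port numbers, MAC addresses and the table size are constructed; aging timers and VLANs are not modelled.

```python
"""Added example, not from the flashcard set: a simplified switch showing why MAC
flooding turns a switch into a hub and how port security stops it. All ports,
MAC addresses and table sizes below are constructed for the demonstration."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    in_port: int


@dataclass
class Switch:
    ports: Set[int]
    cam_size: int                          # CAM capacity, tiny so the table fills quickly
    port_max_macs: Optional[int] = None    # port security maximum; None = disabled
    cam: Dict[str, int] = field(default_factory=dict)          # mac -> port
    errdisabled: Set[int] = field(default_factory=set)
    seen_per_port: Dict[int, Set[str]] = field(default_factory=dict)

    def learn(self, frame: Frame) -> bool:
        """Source-address learning. Returns False if port security shuts the port."""
        seen = self.seen_per_port.setdefault(frame.in_port, set())
        if (self.port_max_macs is not None and frame.src_mac not in seen
                and len(seen) >= self.port_max_macs):
            # violation mode "shutdown": the port goes err-disabled, frame dropped
            self.errdisabled.add(frame.in_port)
            return False
        seen.add(frame.src_mac)
        if frame.src_mac in self.cam or len(self.cam) < self.cam_size:
            self.cam[frame.src_mac] = frame.in_port
        # else: table is full, the address stays unlearned but the frame is still switched
        return True

    def forward(self, frame: Frame) -> Set[int]:
        """Return the egress ports for a frame (empty set means dropped)."""
        if frame.in_port in self.errdisabled or not self.learn(frame):
            return set()
        out = self.cam.get(frame.dst_mac)
        if out is None or out == frame.in_port:
            # unknown unicast or broadcast: flood to every other live port
            return (self.ports - {frame.in_port}) - self.errdisabled
        return {out}


def run_scenario(port_max_macs: Optional[int]) -> dict:
    """Hosts A (port 1) and B (port 2) talk after an attacker on port 3 floods."""
    sw = Switch(ports={1, 2, 3}, cam_size=8, port_max_macs=port_max_macs)
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    for i in range(20):  # 20 bogus source MACs, far more than the 8-entry table
        sw.forward(Frame(src_mac=f"02:00:00:00:00:{i:02x}",
                         dst_mac="ff:ff:ff:ff:ff:ff", in_port=3))
    a_to_b = sw.forward(Frame(a, b, 1))   # A's MAC cannot be learned if the table is full
    b_to_a = sw.forward(Frame(b, a, 2))   # ... so B's reply to A is flooded, reaching port 3
    return {"cam_entries": len(sw.cam), "a_to_b": a_to_b, "b_to_a": b_to_a,
            "attacker_errdisabled": 3 in sw.errdisabled}


if __name__ == "__main__":
    print("no port security:", run_scenario(None))
    print("port security max 1:", run_scenario(1))
```

Without port security the reply from B to A egresses on ports 1 and 3, so the attacker captures it; with a one-address limit on port 3 the reply goes to port 1 only.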

2
Q

drag and drop. see attached

A
3
Q

What Cisco Catalyst switch feature can be used to define ports as trusted for DHCP server connections?

A. DHCP snooping

B. port security

C. 802.1x

D. private VLANs

A

Answer: A

Explanation:

DHCP snooping is used to define ports as trusted for DHCP server connections. The purpose of DHCP snooping is to mitigate DHCP spoofing attacks. DHCP spoofing is an attack that can be used to force user traffic through an attacking device. This is accomplished by an attacker responding to DHCP queries from users. Eliminating the response from the correct DHCP server would make this more effective, but if the attacker’s response gets to the client first, the client will accept it.

The DHCP response from the attacker will include a different gateway or DNS server address. If they define a different gateway, the user traffic will be forced to travel through a device controlled by the attacker. This will allow the attacker to capture traffic and gain company information. If the attacker changes the DNS server in the response, they can use their own DNS server to force traffic to selected hosts to go to a device they control. Again, this would allow the attacker to capture traffic and gain information.

DHCP snooping can be used to determine what ports are able to send DHCP server packets, such as DHCPOFFER, DHCPACK, and DHCPNAK, from the company DHCP server. DHCP snooping can also cache the MAC address to IP address mapping for clients receiving DHCP addresses from a valid DHCP server.

The three required steps to implement DHCP snooping are:

Enable DHCP snooping globally with the ip dhcp snooping command.

  • switch(config)# ip dhcp snooping

Enable DHCP snooping for a VLAN with the vlan parameter:

  • switch(config)# ip dhcp snooping vlan vlan-range (for example, ip dhcp snooping vlan 10,12 enables snooping on VLANs 10 and 12, and ip dhcp snooping vlan 10-12 covers VLANs 10 through 12)

Define an interface as a trusted DHCP port with the trust parameter:

  • switch(config-if)# ip dhcp snooping trust

When specifying trusted ports, access ports on edge switches should be left untrusted (the default), with the exception of any ports that have company DHCP servers connected. Only ports where DHCP server traffic is expected, typically the uplink toward the DHCP server or relay, should be trusted. Ports in any area of the network where attacks have been detected should certainly be configured as untrusted.

Additional parameters of the ip dhcp snooping command include verify mac-address (drop DHCP packets received on untrusted ports whose Ethernet source MAC does not match the client hardware address in the DHCP payload), information option (insert the DHCP option 82 relay agent information), and, at interface level, limit rate (cap the number of DHCP packets per second an untrusted port may send).

When DHCP snooping is enabled, the separate relay agent information commands are no longer available. The disabled commands include:

  • ip dhcp relay information check global configuration command
  • ip dhcp relay information policy global configuration command
  • ip dhcp relay information trust-all global configuration command
  • ip dhcp relay information option global configuration command
  • ip dhcp relay information trusted interface configuration command

DHCP Authorized ARP can also be used to mitigate DHCP spoofing. When implemented, the server assigns an IP address to a client and then creates a static mapping. The DHCP server then sends periodic ARPs to clients to make sure that the clients are still active. Clients respond with an ARP reply. Unauthorized clients cannot respond to these periodic ARPs. The unauthorized ARP responses are blocked at the DHCP server.

Private VLANs are a method of isolating devices that share the same VLAN. A VLAN can be divided into private VLANs, where some devices (in community VLANs) can reach each other and others (in isolated VLANs) can reach only the promiscuous port, typically the router. This was designed so service providers could keep customers on the same switch isolated from each other even though they share the same Layer 3 subnet.

Port security is a method of only permitting specified MAC addresses access to a switch port. This can be used to define what computer or device can be connected to a port, but not to limit which ports can have DHCP servers connected to them.

802.1X authenticates a user or device before it is permitted access to a switch port. This is useful in restricting who can connect to the switch, but it does not control which ports are permitted to have a DHCP server attached.
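The trusted/untrusted filtering that the three configuration steps above set up, as an added example that is not part of the flashcard set: a small model of the DHCP snooping decision for each DHCP message. Server messages (OFFER, ACK, NAK) are dropped on untrusted ports, the verify mac-address check compares the frame's source MAC with the client hardware address, ACKs seen on the trusted port populate the binding table, and a RELEASE for a binding learned on a different port is dropped. The port numbers, MAC addresses, IP addresses and message sequence are constructed; option 82 and rate limiting are not modelled.

```python
"""Added example, not from the flashcard set: a simplified DHCP snooping filter.
Ports, addresses and the message sequence below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a real DHCP server should send these


@dataclass
class Dhcp:
    in_port: int
    src_mac: str      # Ethernet source address of the frame
    msg_type: str     # DISCOVER / OFFER / REQUEST / ACK / NAK / RELEASE
    chaddr: str       # client hardware address inside the DHCP payload
    yiaddr: str = ""  # address assigned, present in server messages only


@dataclass
class DhcpSnooping:
    trusted: Set[int]                      # ports configured with "ip dhcp snooping trust"
    verify_mac: bool = True                # "ip dhcp snooping verify mac-address"
    bindings: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # ip -> (mac, port)
    pending: Dict[str, int] = field(default_factory=dict)               # chaddr -> client port

    def process(self, m: Dhcp) -> str:
        if m.in_port in self.trusted:
            # trusted port: forwarded unchecked; ACKs feed the binding table
            if m.msg_type == "ACK" and m.chaddr in self.pending:
                self.bindings[m.yiaddr] = (m.chaddr, self.pending[m.chaddr])
            return "forward"
        if m.msg_type in SERVER_MSGS:
            return "drop: server message on untrusted port"
        if self.verify_mac and m.src_mac != m.chaddr:
            return "drop: source MAC does not match chaddr"
        if m.msg_type in ("DISCOVER", "REQUEST"):
            self.pending[m.chaddr] = m.in_port
        elif m.msg_type == "RELEASE":
            owned = [ip for ip, (mac, port) in self.bindings.items()
                     if mac == m.chaddr and port == m.in_port]
            if not owned:
                return "drop: release for a binding learned on another port"
            for ip in owned:
                del self.bindings[ip]
        return "forward"


def run_demo() -> Tuple[List[str], Dict[str, Tuple[str, int]]]:
    """Constructed exchange: a client on port 3, a rogue server on port 7,
    the real server behind trusted uplink port 24, and an attacker on port 9."""
    snoop = DhcpSnooping(trusted={24})
    client, server, rogue, attacker = ("00:11:22:33:44:55", "00:de:ad:be:ef:01",
                                       "66:77:88:99:aa:bb", "ca:fe:ca:fe:ca:fe")
    events = [
        Dhcp(3, client, "DISCOVER", client),
        Dhcp(7, rogue, "OFFER", client, "10.0.0.99"),    # rogue server answers first
        Dhcp(24, server, "OFFER", client, "10.0.0.50"),
        Dhcp(3, client, "REQUEST", client),
        Dhcp(24, server, "ACK", client, "10.0.0.50"),    # creates the binding
        Dhcp(9, attacker, "DISCOVER", client),           # spoofed chaddr, wrong source MAC
        Dhcp(9, client, "RELEASE", client),              # tries to release the victim's lease
    ]
    return [snoop.process(e) for e in events], snoop.bindings


if __name__ == "__main__":
    decisions, table = run_demo()
    for d in decisions:
        print(d)
    print(table)
```

The rogue OFFER never reaches the client, the binding for 10.0.0.50 is recorded against port 3, and the forged RELEASE from port 9 is dropped because the binding belongs to a different port.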

4
Q

What attack technique uses double VLAN tagging to access network devices that might not otherwise be accessible?

A. VLAN hopping

B. DHCP spoofing

C. Rogue devices

D. MAC flooding

A

Answer: A

Explanation:

Double VLAN tagging is used by a VLAN hopping attack. The attacker crafts a frame with two 802.1Q headers: the outer tag carries the native VLAN of the trunk (which must also be the VLAN of the attacker's own port) and the inner tag carries the target VLAN. The first switch strips the outer tag and, because that VLAN is the trunk's native VLAN, forwards the frame untagged over the trunk. The next switch then reads the exposed inner tag as the frame's VLAN and delivers it into a VLAN the attacker is not connected to. This is a security concern because the hop is accomplished without passing through a router and its access lists. For this reason, private VLANs and VACLs should be used to secure access between VLANs, and the native VLAN of every trunk should be set to an unused VLAN that no access port belongs to.

DHCP spoofing is an attack that can be used to force user traffic through an attacking device. This is accomplished by an attacker responding to DHCP queries from users. Eliminating the response from the correct DHCP server would make this more effective, but if the attacker’s response gets to the client first, the client will accept it. The DHCP response from the attacker will include a different gateway or DNS server address. If they define a different gateway, the user traffic will be forced to travel through a device controlled by the attacker. This will allow the attacker to capture traffic and gain company information. If the attacker changes the DNS server in the response, they can use their own DNS server to force traffic to selected hosts to go to a device they control. Again, this would allow the attacker to capture traffic and gain information.

MAC flooding is an attack technique that attempts to fill a switch’s MAC address table so the attacker can capture flooded traffic sent from the switch. The concept of this attack is to use the CAM table limit to the attacker’s advantage. The attacker would send packets addressed from a large number of MAC addresses to the switch. The switch adds the source MAC address to the MAC address table. Eventually no more MAC addresses can be added because the table is full. When this occurs, any packets destined for a MAC address not in the table will be flooded to all other ports. This would allow the attacker to see the flooded traffic and capture information. The switch would be essentially functioning as a hub in this case.

A rogue device is a device attached to the network that is not under the control of the organization. This term is normally used to mean a wireless device, perhaps an access point that is not operating as a part of the company’s infrastructure. Employees may bring their own access points and connect them to the network so they can use their computer wirelessly. This creates a security gap since the device is probably not secured to protect the traffic. An attacker could connect a rogue access point to a company’s network and capture traffic from outside the company’s premises.
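The double-tagged frame discussed in this card and in card 1, as an added example that is not part of the flashcard set: the frame is built byte by byte with two 802.1Q headers, then pushed through a minimal model of the two switches. With the trunk's native VLAN equal to the attacker's access VLAN the frame lands in VLAN 20; once the native VLAN is changed to an unused ID (999 here), or the attacker's port is in a VLAN other than the native one, the first switch re-tags the frame and the hop fails. MAC addresses, VLAN IDs and the filler payload are constructed, and the switch model ignores everything except tag handling.

```python
"""Added example, not from the flashcard set: constructs an 802.1Q double-tagged
frame and models how two switches handle it. Addresses and VLAN IDs are constructed."""
import struct
from typing import List, Optional, Tuple

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def tag(vid: int, pcp: int = 0) -> bytes:
    """One 802.1Q header: TPID 0x8100 followed by the TCI (PCP, DEI, 12-bit VID)."""
    return struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (vid & 0x0FFF))


def build_double_tagged(dst: str, src: str, outer_vid: int, inner_vid: int,
                        payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """dst | src | outer tag | inner tag | ethertype | payload (filler IPv4 header)."""
    return (mac(dst) + mac(src) + tag(outer_vid) + tag(inner_vid)
            + struct.pack("!H", ETH_P_IP) + payload)


def vlan_tags(frame: bytes) -> Tuple[List[int], int]:
    """Return the VLAN IDs in tag order and the ethertype that follows them."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, struct.unpack_from("!H", frame, off)[0]


def strip_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def push_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + tag(vid) + frame[12:]


def first_switch(frame: bytes, access_vlan: int, trunk_native_vlan: int) -> Optional[bytes]:
    """Attacker's access port: classify into the access VLAN, then egress on the trunk."""
    vids, _ = vlan_tags(frame)
    if vids and vids[0] == access_vlan:
        frame = strip_outer_tag(frame)   # a tag matching the access VLAN is accepted and removed
    elif vids:
        return None                      # tagged with a foreign VLAN: dropped on an access port
    if access_vlan == trunk_native_vlan:
        return frame                     # native VLAN leaves the trunk untagged: inner tag exposed
    return push_tag(frame, access_vlan)  # any other VLAN is tagged on egress


def second_switch(trunk_frame: bytes, trunk_native_vlan: int) -> int:
    """Trunk ingress: a tagged frame belongs to its outer tag, an untagged one to the native VLAN."""
    vids, _ = vlan_tags(trunk_frame)
    return vids[0] if vids else trunk_native_vlan


def hop(native_vlan: int, target_vlan: int = 20, attacker_vlan: int = 1) -> Optional[int]:
    """VLAN the second switch delivers the attacker's frame into, or None if dropped."""
    frame = build_double_tagged("ff:ff:ff:ff:ff:ff", "00:0c:29:aa:bb:cc",
                                attacker_vlan, target_vlan)
    on_trunk = first_switch(frame, access_vlan=attacker_vlan, trunk_native_vlan=native_vlan)
    return None if on_trunk is None else second_switch(on_trunk, native_vlan)


if __name__ == "__main__":
    print("native VLAN 1, attacker in VLAN 1 :", hop(1))        # lands in VLAN 20
    print("native VLAN 999 (unused)          :", hop(999))      # stays in VLAN 1
    print("native VLAN 1, attacker in VLAN 5 :", hop(1, attacker_vlan=5))  # stays in VLAN 5
```

The two mitigations the card lists are visible in the model: moving the native VLAN to an unused ID means the first switch re-tags the frame on egress, and putting attackers' ports in a VLAN other than the native one has the same effect, so the inner tag is never the outermost header when the frame reaches the second switch.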

5
Q

What Cisco switch features are designed to work together to mitigate ARP spoofing attacks? (Choose two.)

A. DHCP snooping

B. port security

C. 802.1x

D. DAI

A

Answer: A, D

Explanation:

Dynamic ARP inspection (DAI) and DHCP snooping are Cisco features designed to work together to mitigate ARP spoofing attacks. DAI validates ARP packets in a network. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP-address bindings stored in the DHCP snooping database. This capability protects the network from some man-in-the-middle attacks. The following global configuration command instructs the switch to intercept, log, and discard packets with invalid IP-to-MAC address bindings for the specified VLANs.

  • switch(config)# ip arp inspection vlan 10-12,15

When configuring DAI, ports are configured as either trusted or untrusted. DAI forwards all packets received on a trusted interface without checks but intercepts all packets on an untrusted port.

DHCP snooping builds the IP address to MAC address binding table that DAI uses to validate ARP packets. DAI compares the sender MAC and sender IP in each ARP packet received on an untrusted port with those bindings and permits the packet only if they match, so an attacker cannot claim another host's IP address with its own MAC. A related DHCP snooping option checks the DHCP packets themselves: with verify mac-address, a DHCP packet received on an untrusted port is dropped if its Ethernet source MAC does not match the client hardware address in the payload. The following command enables that check:

  • switch(config)# ip dhcp snooping verify mac-address

DHCP Authorized ARP can also be used to mitigate ARP spoofing. When implemented, the server assigns an IP address to a client and then creates a static mapping. The DHCP server then sends periodic ARPs to clients to make sure that the clients are still active. Clients respond with an ARP reply. Unauthorized clients cannot respond to these periodic ARPs. The unauthorized ARP responses are blocked at the DHCP server.

DHCP snooping also is used to define ports as trusted for DHCP server connections. The purpose of DHCP snooping is to mitigate DHCP spoofing attacks. DHCP snooping can be used to determine what ports are able to send DHCP server packets such as DHCPOFFER, DHCPACK, and DHCPNAK. DHCP snooping can also cache the MAC address to IP address mapping for clients receiving DHCP addresses from a valid DHCP server.

Port security is a method of only permitting specified MAC addresses access to a switch port. This can be used to define what computer or device can be connected to a port, but it does not inspect ARP packets, so it cannot eliminate ARP spoofing.

802.1X authenticates a user or device before it is permitted access to a switch port. This is useful in restricting who can connect to the switch; it does not inspect ARP packets.

6
Q

What command would be used to verify trusted DHCP ports?

A. show mls qos

B. show ip dhcp snooping

C. show ip trust

D. show ip arp trust

A

Answer: B

Explanation:

The command show ip dhcp snooping is used to verify trusted DHCP ports. Its output lists the VLANs on which snooping is enabled and, per interface, whether the port is trusted and its DHCP rate limit, so it confirms which ports are intended to have DHCP servers connected (show ip dhcp snooping binding lists the learned IP-to-MAC bindings). DHCP snooping creates the IP address to MAC address database that Dynamic ARP Inspection (DAI) uses to validate ARP packets. DAI compares the sender MAC and IP address in ARP packets against those bindings and only permits the traffic if they match, which blocks attackers claiming another host's IP address with a spoofed MAC.

DHCP snooping is used to define ports as trusted for DHCP server connections. The purpose of DHCP snooping is to mitigate DHCP spoofing attacks. DHCP snooping can be used to determine what ports are able to send DHCP server packets, such as DHCPOFFER, DHCPACK, and DHCPNAK. DHCP snooping can also cache the MAC address to IP address mapping for clients receiving DHCP addresses from a valid DHCP server.

MLS QoS (multilayer switching quality of service) has no bearing on DHCP services, so show mls qos is not correct. show ip trust and show ip arp trust are not valid IOS commands.

7
Q

What Cisco Catalyst switch feature is designed to inspect ARP packets and mitigate ARP spoofing attacks?

A. DHCP snooping

B. port security

C. 802.1x

D. DAI

A

Answer: D

Explanation:

ARP spoofing attacks are attempts to redirect traffic to an attacking host by sending an ARP message with a forged identity to a transmitting host. Dynamic ARP inspection (DAI) is a Cisco feature designed to inspect ARP packets and mitigate spoofing attacks. It works in combination with DHCP snooping. DHCP snooping creates an IP address to MAC address database that DAI uses to validate ARP packets. DAI compares the sender MAC address and IP address in ARP packets against those bindings and only permits the traffic if they match, which stops attackers from claiming another host's IP address with their own MAC. DAI is enabled per VLAN, treats every port as either trusted or untrusted, and by default rate-limits ARP on untrusted ports (15 packets per second), err-disabling a port that exceeds the limit.

An interface can be configured as trusted by using the ip arp inspection trust command. Consider the configuration shown below. If an ARP spoof attack arrives on interface Fa0/2, it will not be inspected because the port is set as trusted, and the spoof packets will be allowed.

  • ip arp inspection vlan 5
  • interface fastethernet 0/2
    • switchport trunk encapsulation dot1q
    • switchport mode trunk
    • ip arp inspection trust

(On platforms that also support ISL, the encapsulation must be set to dot1q before switchport mode trunk is accepted, so the encapsulation line comes first.)

DHCP snooping is used to define ports as trusted for DHCP server connections. The purpose of DHCP snooping is to mitigate DHCP spoofing attacks. DHCP snooping can be used to determine what ports are able to send DHCP server packets, such as DHCPOFFER, DHCPACK, and DHCPNAK. DHCP snooping can also cache the MAC address to IP address mapping for clients receiving DHCP addresses from a valid DHCP server.

Port security is a method of only permitting specified MAC addresses access to a switch port. This can be used to define what computer or device can be connected to a port, but it does not inspect ARP packets, so it cannot eliminate ARP spoofing.

802.1X authenticates a user or device before it is permitted access to a switch port. This is useful in restricting who can connect to the switch; it does not inspect ARP packets.
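The DAI decision described in this card and in card 5, as an added example that is not part of the flashcard set: ARP packets are checked against a constructed DHCP snooping binding table, trusted ports are forwarded without inspection (which is exactly why a spoof arriving on the trusted trunk in the configuration above gets through), the src-mac validation compares the Ethernet source with the ARP sender MAC, and a burst over the default 15 packets per second err-disables the untrusted port. Addresses, ports and timestamps are constructed; VLAN membership and ARP ACLs are not modelled.

```python
"""Added example, not from the flashcard set: a simplified Dynamic ARP Inspection
check driven by a constructed DHCP snooping binding table."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class Arp:
    in_port: int
    eth_src: str      # Ethernet source address of the frame
    sender_mac: str   # sender hardware address inside the ARP payload
    sender_ip: str    # sender protocol address inside the ARP payload
    ts: float = 0.0   # arrival time in seconds, used for rate limiting


@dataclass
class DynamicArpInspection:
    bindings: Dict[str, Tuple[str, int]]   # DHCP snooping table: ip -> (mac, port learned on)
    trusted: Set[int] = field(default_factory=set)   # "ip arp inspection trust"
    validate_src_mac: bool = True          # "ip arp inspection validate src-mac"
    rate_limit: int = 15                   # default untrusted-port limit, packets per second
    errdisabled: Set[int] = field(default_factory=set)
    window: Dict[int, Tuple[int, int]] = field(default_factory=dict)  # port -> (second, count)

    def inspect(self, p: Arp) -> str:
        if p.in_port in self.errdisabled:
            return "deny: port err-disabled"
        if p.in_port in self.trusted:
            return "permit (trusted, not inspected)"   # card 7: spoofs on trusted ports pass
        # per-port packets-per-second counter for untrusted ports
        sec, count = self.window.get(p.in_port, (int(p.ts), 0))
        if sec != int(p.ts):
            sec, count = int(p.ts), 0
        count += 1
        self.window[p.in_port] = (sec, count)
        if count > self.rate_limit:
            self.errdisabled.add(p.in_port)
            return "deny: rate limit exceeded, port err-disabled"
        if self.validate_src_mac and p.eth_src != p.sender_mac:
            return "deny: ethernet source differs from ARP sender MAC"
        binding = self.bindings.get(p.sender_ip)
        if binding is None:
            return "deny: no DHCP snooping binding for sender IP"
        bound_mac, _port = binding
        if bound_mac != p.sender_mac:
            return "deny: sender MAC does not match binding"
        return "permit"


def run_demo() -> dict:
    """Constructed bindings: client 10.0.0.50 on port 3, gateway 10.0.0.1 via uplink 24."""
    client, gateway, attacker = "00:11:22:33:44:55", "00:de:ad:be:ef:01", "ca:fe:ca:fe:ca:fe"
    dai = DynamicArpInspection(bindings={"10.0.0.50": (client, 3), "10.0.0.1": (gateway, 24)},
                               trusted={24})
    results = {
        "legit": dai.inspect(Arp(3, client, client, "10.0.0.50", ts=1.0)),
        # attacker on port 7 claims the gateway's IP (classic man-in-the-middle setup)
        "spoof_gateway": dai.inspect(Arp(7, attacker, attacker, "10.0.0.1", ts=1.0)),
        # frame whose Ethernet source disagrees with the ARP sender MAC
        "src_mac_mismatch": dai.inspect(Arp(3, client, attacker, "10.0.0.50", ts=1.0)),
        # the same spoof arriving on the trusted trunk is not inspected at all
        "spoof_via_trusted": dai.inspect(Arp(24, attacker, attacker, "10.0.0.50", ts=1.0)),
    }
    last = ""
    for i in range(16):   # 16 ARPs within one second from port 9 exceeds the 15 pps limit
        last = dai.inspect(Arp(9, attacker, attacker, "10.0.0.77", ts=5.0 + i * 0.01))
    results["burst_last"] = last
    results["port9_errdisabled"] = 9 in dai.errdisabled
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:18} {verdict}")
```

The "spoof_via_trusted" result is the caveat the card makes: trust should be applied only to inter-switch trunks and the uplink toward the DHCP server, never to a port an untrusted host can reach.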
