7 Securing a Local Network
This chapter will focus on the following topics:
- the types of attacks on Layer 2:
  - MAC address flooding attacks;
  - MAC address spoofing attack;
  - DHCP starvation attack;
  - VLAN hopping attack;
  - STP-based attacks;
- best security practices to protect Layer 2:
  - configuring port security;
  - configuring the DAI feature;
  - configuring the “portfast” feature;
  - configuring the “bpdu guard” feature;
  - configuring the “guard root” feature.
7.1. Introduction
A LAN, generally comprising one or more Layer 2 switches, may be the target of several attacks that exploit any gaps that exist in Layer 2. An attacker may attempt to interrupt, copy, redirect or compromise Layer 2 data transmission and, consequently, may affect any type of protocol used on the upper layers.
7.2. Types of attacks on Layer 2
In this chapter we will study several security threats that target Layer 2 of the OSI model and discuss countermeasures that can be used to protect against these risks. This is part of securing the “data plane”.
7.2.1. MAC address flooding attacks
Overview of the attack
An attacker connects to a switch port and floods it with a large number of frames carrying fake source MAC addresses. Once the switch's MAC address table is saturated, the switch acts as a hub. The attacker can then capture sensitive data from the network.
Countermeasures
The “port security” feature is a countermeasure that can prevent MAC address flooding attacks.
Command | Description |
Switch(config-if)# ... |
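The following toy model of a learning switch is an added example, not code from the book. It shows why a saturated MAC address table exposes traffic between two hosts and how a per-port limit on learned addresses contains it. The table size, port numbers, MAC values, the limit of 2 and the choice to disable the port on a violation are all assumptions made for the illustration.

```python
# Added example: simplified learning switch, no aging, constructed inputs.
PORTS = [1, 2, 3]                 # 1 = host A, 2 = host B, 3 = flooding port
HOST_A, HOST_B = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    def __init__(self, table_size, max_per_port=None):
        self.table_size = table_size      # capacity of the MAC address table
        self.max_per_port = max_per_port  # port-security style limit (None = off)
        self.table = {}                   # source MAC -> port it was learned on
        self.disabled = set()             # ports shut down after a violation

    def receive(self, port, src, dst):
        """Process one frame and return the ports it is forwarded out of."""
        if port in self.disabled:
            return []
        if src not in self.table:
            learned = sum(1 for p in self.table.values() if p == port)
            if self.max_per_port is not None and learned >= self.max_per_port:
                self.disabled.add(port)   # violation: disable port, drop frame
                return []
            if len(self.table) < self.table_size:
                self.table[src] = port    # learn only while there is room
        if dst in self.table:
            return [self.table[dst]]      # known unicast: one egress port
        # Unknown destination: flood to every other active port (hub behaviour).
        return [p for p in PORTS if p != port and p not in self.disabled]

def run(max_per_port):
    """Flood from port 3, then return where an A -> B frame ends up."""
    sw = Switch(table_size=8, max_per_port=max_per_port)
    for i in range(20):                   # constructed fake source addresses
        sw.receive(3, f"02:00:00:00:00:{i:02x}", BROADCAST)
    sw.receive(2, HOST_B, HOST_A)         # B talks first so it can be learned
    return sw.receive(1, HOST_A, HOST_B), sw.disabled

if __name__ == "__main__":
    print("no limit  :", run(None))       # A -> B also leaves via port 3
    print("limit of 2:", run(2))          # A -> B leaves via port 2 only
```

Without the limit the table fills with fake entries, host B is never learned and the frame from A to B is also sent out of port 3; with the limit, port 3 is disabled on its third source address and the frame reaches port 2 only.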