Study Session Number 15! Switch Security - 802.1X, Dynamic ARP Inspection & DHCP Snooping! #16

Hi Everyone! 

Today I'll be learning about switch security. I vaguely covered man in the middle attacks at university when I did my dissertation, so that section should be okay, but the rest of this is all new information which I'm looking forward to learning! Feel like all my topics are really starting to come together, always feels nice to be making progress! I'll smash the CCNA in two in no time!

DHCP Snooping - 
Because routers don't forward broadcasts, the ip helper command is used to relay a client's DHCP request from one subnet to another so the client can be given an IP address. Why is this important, I hear you ask? What if a rogue DHCP server is connected to the switch where the client is? The client would be handed wrong information, which would kick clients off the network and make them unusable. To avoid this whole scenario DHCP snooping is configured: with DHCP snooping on, DHCP server replies that come in on ports which aren't set to trusted are dropped and never reach the client, which stops any rogue DHCP server from handing out addresses on the network. This is all configured on switches. Commands below. 

DAI (Dynamic ARP Inspection) - 
ARP = Layer 3 to Layer 2 - IP addresses to MACs.
In the ARP process a broadcast is sent out to find which MAC address is associated with the IP address the client wants to send data to. Because a broadcast goes to everyone on the network, an attacker attached to the same IP subnet receives it too. At this point the attacker sends out an ARP response claiming the IP address of the router, and the client updates its ARP cache with the MAC of the attacker's device. Now the attacker receives the data the client is sending (man in the middle attack): the attacker forwards it to the router, the router's reply comes back to the attacker, and the attacker forwards it on to the client (basically the attacker sits in the middle of the whole data transfer).

For DAI to work DHCP snooping needs to be enabled. The switch looks at the IP addresses that have been handed out on each port along with the MAC addresses associated with them (the DHCP snooping binding table); if ARP traffic arrives on a port from an IP address that hasn't been assigned to it, the packet is dropped. Commands below. 
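To make the two features above concrete, here is a small Python model of a switch that does DHCP snooping and Dynamic ARP Inspection the way the notes describe: server messages from untrusted ports are dropped, a binding table is built from the real server's ACKs, and DAI checks every ARP packet on untrusted ports against that table. This is an added example, not code from the original post or from any vendor; the port names, MAC addresses, IP addresses and the traffic in run_snooping_scenario() are all constructed.

```python
"""Toy model of DHCP snooping and Dynamic ARP Inspection on a single switch.

Added illustration, not from the original post. The port names, MAC
addresses, IP addresses and the traffic in run_snooping_scenario() are constructed.
"""
from dataclasses import dataclass, field

# Messages only a DHCP server sends; an untrusted port is never allowed to originate them.
DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class Switch:
    trusted_ports: set
    # DHCP snooping binding table: client MAC -> (leased IP, port the client sits on)
    bindings: dict = field(default_factory=dict)
    # client MAC -> port, for clients with a DHCP exchange in progress
    pending: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def dhcp_snoop(self, port, msg_type, client_mac, yiaddr=None):
        """DHCP snooping decision for one DHCP message arriving on `port`.

        Returns "forward" or "drop". `yiaddr` is the address the server is
        handing out (OFFER/ACK only).
        """
        if msg_type in DHCP_SERVER_MSGS:
            if port not in self.trusted_ports:
                # A rogue server on an access port: its reply never reaches the client.
                self.log.append(f"DROP {msg_type} from untrusted {port}")
                return "drop"
            if msg_type == "ACK" and client_mac in self.pending:
                # Lease confirmed by the real server: record the binding DAI will check.
                self.bindings[client_mac] = (yiaddr, self.pending.pop(client_mac))
            return "forward"
        # Client messages (DISCOVER/REQUEST/...) are legitimate from any port;
        # remember which port asked so the later ACK can be tied to it.
        if port not in self.trusted_ports:
            self.pending[client_mac] = port
        return "forward"

    def arp_inspect(self, port, sender_mac, sender_ip):
        """DAI decision for an ARP packet on `port`: the sender IP/MAC must match
        a snooping binding for that port. Trusted ports bypass the check."""
        if port in self.trusted_ports:
            return "forward"
        if self.bindings.get(sender_mac) != (sender_ip, port):
            # Nobody holding this MAC was leased this IP on this port: spoofed.
            self.log.append(f"DROP ARP {sender_ip}/{sender_mac} on {port}")
            return "drop"
        return "forward"


def run_snooping_scenario():
    """Constructed traffic: a legitimate lease, a rogue DHCP server on an access
    port, and an ARP reply that claims the router's address."""
    sw = Switch(trusted_ports={"Gi0/1"})  # Gi0/1 = uplink to the router and real DHCP server
    client = "aa:aa:aa:aa:aa:aa"
    results = [
        sw.dhcp_snoop("Gi0/2", "DISCOVER", client),
        sw.dhcp_snoop("Gi0/1", "OFFER", client, "10.0.0.10"),
        sw.dhcp_snoop("Gi0/2", "REQUEST", client),
        sw.dhcp_snoop("Gi0/1", "ACK", client, "10.0.0.10"),
        sw.dhcp_snoop("Gi0/3", "OFFER", client, "192.168.1.50"),  # rogue server on Gi0/3
        sw.arp_inspect("Gi0/3", "cc:cc:cc:cc:cc:cc", "10.0.0.1"),  # claims to be the router
        sw.arp_inspect("Gi0/2", client, "10.0.0.10"),               # matches its binding
        sw.arp_inspect("Gi0/1", "00:00:5e:00:01:01", "10.0.0.1"),   # real router, trusted port
    ]
    return sw, results


if __name__ == "__main__":
    switch, decisions = run_snooping_scenario()
    print(decisions)
    print(switch.bindings)
    print("\n".join(switch.log))
```

The scenario ends with the rogue OFFER and the spoofed ARP reply dropped while the client's own ARP reply and the router's reply on the trusted uplink are forwarded, which is exactly why DAI only works once DHCP snooping has populated the binding table.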

802.1x - Identity Based Networking - 
802.1x uses a username and password to provide authentication for traffic on switchports.

When a client first connects to a switch they don't get access to the network until they have been authenticated by the server with a username and password.

Process - 
1) Client connects to switch
2) Client enters username and password
3) Switch passes information onto authentication server
4) Authentication Server authenticates user
5) Switch then updates the port to allow the user (the port can also be placed into a VLAN if VLANs are being used)

802.1x Terminology -
Supplicant = Client
Access Layer Switch = Authenticator
Authentication Server 
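The five-step process and the three roles above, as a small Python model that is an added example and not code from the original post or from any vendor: the authenticator port drops everything except the 802.1X handshake (EAPOL) until the authentication server answers Access-Accept, then opens the port and applies the VLAN the server returned. The user database, VLAN numbers and port name are constructed; the switch itself never checks the credentials, it only relays them and acts on the server's verdict.

```python
"""Toy 802.1X port-access model: supplicant, authenticator (access switch)
and authentication server.

Added illustration, not from the original post. SERVER_DB, the VLAN numbers
and the port name are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed authentication-server database: username -> (password, VLAN to assign)
SERVER_DB = {"alice": ("correct horse", 10), "bob": ("battery staple", 20)}


def authentication_server(username, password):
    """RADIUS-style verdict: ("Access-Accept", vlan) or ("Access-Reject", None)."""
    entry = SERVER_DB.get(username)
    if entry and entry[0] == password:
        return "Access-Accept", entry[1]
    return "Access-Reject", None


@dataclass
class AuthenticatorPort:
    """One switchport in the authenticator role (step 1: the supplicant plugs in here)."""
    name: str
    authorized: bool = False
    vlan: Optional[int] = None
    log: list = field(default_factory=list)

    def forward(self, frame_type):
        """Before authentication only EAPOL (the 802.1X handshake itself) passes;
        everything else from the supplicant is dropped."""
        if frame_type == "EAPOL" or self.authorized:
            return "forward"
        self.log.append(f"{self.name}: dropped {frame_type} while unauthorized")
        return "drop"

    def authenticate(self, username, password):
        """Steps 2-5: the supplicant supplies credentials, the switch relays them
        to the server and opens the port only on Access-Accept."""
        verdict, vlan = authentication_server(username, password)
        self.authorized = verdict == "Access-Accept"
        self.vlan = vlan if self.authorized else None
        self.log.append(f"{self.name}: {username} -> {verdict}")
        return verdict

    def logoff(self):
        """Supplicant leaves: the port goes back to unauthorized."""
        self.authorized, self.vlan = False, None


def run_dot1x_scenario():
    """Constructed sequence: data blocked, a failed login, a successful login, data allowed."""
    port = AuthenticatorPort("Gi0/5")
    results = [
        port.forward("EAPOL"),                        # handshake always passes
        port.forward("IPv4"),                         # blocked: not yet authenticated
        port.authenticate("alice", "wrong password"),  # server rejects
        port.forward("IPv4"),                         # still blocked
        port.authenticate("alice", "correct horse"),   # server accepts, VLAN 10 assigned
        port.forward("IPv4"),                         # now allowed
    ]
    return port, results


if __name__ == "__main__":
    p, decisions = run_dot1x_scenario()
    print(decisions, p.vlan)
    print("\n".join(p.log))
```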

DHCP Snooping Config - 
ip dhcp snooping 
ip dhcp snooping vlan *vlan*
int *interface* - this is done on the port that is directly connected to where the DHCP replies are coming from (generally the router/server)
    ip dhcp snooping trust

DAI for non DHCP clients - 
int *interface* 
    ip arp inspection trust 

DAI for DHCP Clients - 
    ip arp inspection vlan *vlan* 
