Secure Shell

SSH is a protocol that is similar to Telnet, but SSH uses encryption for security. SSH usually uses TCP port 22.

Catalyst native security can protect networks against serious threats originating from the exploitation of MAC address vulnerabilities, ARP vulnerabilities, and Dynamic Host Configuration Protocol (DHCP) vulnerabilities. (Both ARP and DHCP are covered in Appendix B.) Table 2-1 shows some examples of the protection provided by the built-in intelligence in Catalyst switches.

Table 2-1. Examples of Built-In Intelligence to Mitigate


Table 2-1. Examples of Built-In Intelligence to Mitigate



Native Security (Built-In Intelligence) to Mitigate Attacks

DHCP Denial of Service (DoS)

A DHCP DoS attack can be initiated by a hacker. As well as taking down the DHCP server, the attack could also be initiated from a server that is pretending to be a legitimate DHCP server. This rogue server replies to DHCP requests with phony DHCP information.

Trusted-State Port

The switch port to which the DHCP server is attached can be set to a "trusted" state. Only trusted ports are allowed to pass DHCP replies. Untrusted ports are only allowed to pass DHCP requests.

MAC Flooding

A hacker targets the switch's MAC address table, to flood it with many addresses.

MAC Port Security

The switch can be configured with a maximum number of MAC addresses per port.

The switch can also be configured with static MAC addresses that identify the specific addresses that it should allow, further constraining the devices allowed to attach to the network.

Redirected Attack

A hacker wanting to cover his tracks and complicate the network forensics investigation

Private VLAN (PVLAN)

The flow of traffic can be directed by using PVLANs. In the example shown in Figure 2-11, a

might decide to compromise an intermediary target first. The hacker would then unleash his attack to the intended target from that intermediary victim.

PVLAN is defined so that traffic received on either switch port 2 or 3 can exit only by switch port 1. Should a hacker compromise server A, he would not be able to directly attack server B because the traffic can only flow between port 1 and port 2, and between port 1 and port 3. Traffic is not allowed to flow between port 2 and port 3.

Figure 2-11. Using a Switch to Create a PVLAN

Figure 2-11. Using a Switch to Create a PVLAN

Was this article helpful?

0 0

Post a comment