1
00:00:07,100 --> 00:00:09,970
- [Instructor] This lesson discusses many security threats

2
00:00:09,970 --> 00:00:12,510
that focus on Layer 2 technologies

3
00:00:12,510 --> 00:00:15,730
and addresses how to implement countermeasures

4
00:00:15,730 --> 00:00:17,880
against those threats.

5
00:00:17,880 --> 00:00:22,200
Disrupt the bottom of the wall and the top is disrupted too;

6
00:00:22,200 --> 00:00:25,610
everything at Layer 3 and higher is encapsulated

7
00:00:25,610 --> 00:00:28,600
into some type of Layer 2 frame.

8
00:00:28,600 --> 00:00:31,560
If the attacker can interrupt, copy, redirect,

9
00:00:31,560 --> 00:00:35,350
or confuse the Layer 2 forwarding of that data,

10
00:00:35,350 --> 00:00:38,010
that same attacker can also disrupt any type

11
00:00:38,010 --> 00:00:41,430
of upper-layer protocols that are being used.

12
00:00:41,430 --> 00:00:43,490
Let's look at some best practices

13
00:00:43,490 --> 00:00:47,200
for securing your switches and then discuss in more detail

14
00:00:47,200 --> 00:00:51,820
which best practice mitigates which type of attack.

15
00:00:51,820 --> 00:00:54,630
Best practices for securing your infrastructure,

16
00:00:54,630 --> 00:00:58,150
including Layer 2, include the following:

17
00:00:58,150 --> 00:01:02,630
one, select an unused VLAN other than VLAN 1

18
00:01:02,630 --> 00:01:06,050
and use that for the native VLAN for all your trunks.

19
00:01:06,050 --> 00:01:08,230
Do not use this native VLAN

20
00:01:08,230 --> 00:01:11,090
for any of your enabled access ports.

21
00:01:11,090 --> 00:01:14,330
Two, avoid using VLAN 1 anywhere

22
00:01:14,330 --> 00:01:16,830
because it is but a default.

23
00:01:16,830 --> 00:01:20,140
Three, administratively configure access ports

24
00:01:20,140 --> 00:01:24,730
as access ports so that users cannot negotiate a trunk,

25
00:01:24,730 --> 00:01:26,970
and disable the negotiation of trunking

26
00:01:27,910 --> 00:01:30,940
on Dynamic Trunking Protocol.

27
00:01:30,940 --> 00:01:34,070
Four, limit the number of MAC addresses

28
00:01:34,070 --> 00:01:37,683
learned on a given port with the port security feature.

29
00:01:38,620 --> 00:01:42,960
Five, control spanning tree to stop users

30
00:01:42,960 --> 00:01:46,530
or unknown devices from manipulating spanning tree.

31
00:01:46,530 --> 00:01:49,810
You can do so by using the BPDU Guard

32
00:01:49,810 --> 00:01:51,800
and Root Guard features.

33
00:01:51,800 --> 00:01:56,390
Six, turn off Cisco Discovery Protocol (CDP)

34
00:01:56,390 --> 00:01:59,550
on ports facing untrusted or unknown networks

35
00:01:59,550 --> 00:02:03,080
that do not require CDP for anything positive.

36
00:02:03,080 --> 00:02:06,300
CDP operates at Layer 2 and may provide attackers

37
00:02:06,300 --> 00:02:09,080
information we would rather not disclose.

38
00:02:09,080 --> 00:02:12,570
Seven, on a new switch, shut down all ports

39
00:02:12,570 --> 00:02:15,700
and assign them to a VLAN that is not used

40
00:02:15,700 --> 00:02:18,620
for anything else other than a parking lot.

41
00:02:18,620 --> 00:02:21,470
Then bring up the ports and assign correct VLANs

42
00:02:21,470 --> 00:02:24,410
as the ports are allocated and needed.

43
00:02:24,410 --> 00:02:28,320
To control whether a port is an access port or a trunk port,

44
00:02:28,320 --> 00:02:31,900
you can revisit the commands used in an earlier lesson,

45
00:02:31,900 --> 00:02:35,290
including the ones shown in this example.

46
00:02:35,290 --> 00:02:37,470
This example prevents a user

47
00:02:37,470 --> 00:02:41,810
from negotiating a trunk with the switch maliciously

48
00:02:41,810 --> 00:02:44,910
and then having full access to each of the VLANs

49
00:02:44,910 --> 00:02:48,560
by using custom software on the computer

50
00:02:48,560 --> 00:02:52,610
that can both send and receive .1Q-tagged frames.

51
00:02:52,610 --> 00:02:54,360
A user with a trunk established

52
00:02:54,360 --> 00:02:58,990
could perform VLAN hopping to any VLAN he desired

53
00:02:58,990 --> 00:03:02,440
by just tagging frames with the VLAN of choice.

54
00:03:02,440 --> 00:03:05,590
Other malicious tricks could be done as well,

55
00:03:05,590 --> 00:03:09,040
but forcing the port to an access port

56
00:03:09,040 --> 00:03:12,440
with no negotiation removes this risk.

57
00:03:12,440 --> 00:03:15,760
Cisco has many tools for protecting Layer 2,

58
00:03:15,760 --> 00:03:19,170
including the following. BPDU Guard:

59
00:03:19,170 --> 00:03:22,670
if BPDUs show up where they should not,

60
00:03:22,670 --> 00:03:24,610
the switch protects itself.

61
00:03:24,610 --> 00:03:28,330
Root Guard controls which ports are not allowed

62
00:03:28,330 --> 00:03:33,330
to become root ports to remote root switches.

63
00:03:33,600 --> 00:03:36,940
Port security limits the number of MAC addresses

64
00:03:36,940 --> 00:03:39,800
to be learned on an access switch port.

65
00:03:39,800 --> 00:03:43,230
DHCP Snooping prevents rogue DHCP service

66
00:03:43,230 --> 00:03:45,040
from impacting the network.

67
00:03:45,040 --> 00:03:47,720
Dynamic ARP Inspection prevents spoofing

68
00:03:47,720 --> 00:03:50,470
of Layer 2 information by hosts.

69
00:03:50,470 --> 00:03:52,820
IP Source Guard prevents spoofing

70
00:03:52,820 --> 00:03:55,747
of Layer 3 information by hosts.

71
00:03:55,747 --> 00:03:59,740
802.1X allows you to authenticate users

72
00:03:59,740 --> 00:04:03,720
before allowing their data frames into the network.

73
00:04:03,720 --> 00:04:07,190
Storm control limits the amount of broadcast

74
00:04:07,190 --> 00:04:11,400
or multicast traffic flowing through the switch.

75
00:04:11,400 --> 00:04:15,320
And Access Control Lists control traffic

76
00:04:15,320 --> 00:04:16,963
by enforcing policy.

77
00:04:17,800 --> 00:04:20,560
The key Layer 2 security technologies focused on

78
00:04:20,560 --> 00:04:23,960
in the following sections include port security,

79
00:04:23,960 --> 00:04:28,960
BPDU Guard, Root Guard, DHCP Snooping, and Access Lists.
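The seven best practices the instructor lists (dedicated unused native VLAN, no VLAN 1, hard-set access ports with DTP negotiation off, port security, BPDU Guard and Root Guard, CDP off on untrusted ports, unused ports shut down in a parking-lot VLAN) can be audited mechanically against a switch's running configuration. The following Python script is an added example, not code from the lesson or from Cisco: it parses an IOS-style configuration and reports which practice each interface violates. The sample configuration is constructed for illustration, the reserved VLAN numbers 999 (native) and 998 (parking lot) are assumptions, and the script treats every non-trunk port as untrusted (so CDP is expected to be off on all of them), which is an assumption too.

```python
"""Audit an IOS-style switch configuration against the Layer 2 hardening
practices from the lesson. Added example, not the lesson's own code; the
config text and VLAN numbers below are constructed for illustration."""

NATIVE_VLAN = 999   # assumed: unused VLAN reserved as the trunk native VLAN (practice 1)
PARKING_VLAN = 998  # assumed: unused VLAN that shut-down ports are parked in (practice 7)


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each interface stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return interfaces


def _value(lines, prefix, default):
    """Return the argument after `prefix` on the first matching line, else default."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return default


def audit_interface(name, lines):
    """Return the list of findings for one interface (empty when it follows every practice)."""
    findings = []
    mode = _value(lines, "switchport mode ", None)
    access_vlan = int(_value(lines, "switchport access vlan ", "1"))       # IOS default is VLAN 1
    native_vlan = int(_value(lines, "switchport trunk native vlan ", "1"))  # IOS default is VLAN 1

    if "shutdown" in lines:
        # Practice 7: an unused port is shut down AND parked in an otherwise unused VLAN
        if access_vlan != PARKING_VLAN:
            findings.append(f"{name}: shut-down port not parked in VLAN {PARKING_VLAN}")
        return findings

    if mode == "trunk":
        # Practices 1 and 2: the native VLAN is the reserved unused VLAN, never VLAN 1
        if native_vlan == 1:
            findings.append(f"{name}: trunk uses VLAN 1 as its native VLAN")
        elif native_vlan != NATIVE_VLAN:
            findings.append(f"{name}: native VLAN {native_vlan} is not the reserved VLAN {NATIVE_VLAN}")
        # Practice 5: Root Guard stops a device behind this port from becoming the STP root
        if "spanning-tree guard root" not in lines:
            findings.append(f"{name}: trunk without Root Guard")
        return findings

    # Every other enabled port is treated as a user-facing access port
    if mode != "access":
        # Practice 3: a port left in the DTP dynamic default can be negotiated into a trunk
        findings.append(f"{name}: switchport mode not set to access (DTP dynamic default)")
    if "switchport nonegotiate" not in lines:
        findings.append(f"{name}: DTP negotiation not disabled")
    if access_vlan == 1:
        findings.append(f"{name}: access port in VLAN 1")
    if access_vlan == NATIVE_VLAN:
        findings.append(f"{name}: access port placed in the trunk native VLAN {NATIVE_VLAN}")
    if "switchport port-security" not in lines:          # practice 4
        findings.append(f"{name}: port security not enabled")
    if "spanning-tree bpduguard enable" not in lines:    # practice 5
        findings.append(f"{name}: BPDU Guard not enabled")
    if "no cdp enable" not in lines:                     # practice 6 (assumes the port is untrusted)
        findings.append(f"{name}: CDP still enabled")
    return findings


def audit_config(config):
    """Map every interface in the configuration to its list of findings."""
    return {name: audit_interface(name, lines)
            for name, lines in parse_interfaces(config).items()}


# Constructed sample: two compliant ports, one parked port, two ports left at risky defaults.
SAMPLE_CONFIG = """\
hostname SW-EDGE-1
!
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet0/1
 description Hardened user port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
!
interface GigabitEthernet0/2
 description Left at factory defaults
!
interface GigabitEthernet0/3
 description Unused, parked
 switchport mode access
 switchport access vlan 998
 shutdown
!
interface GigabitEthernet0/23
 description Trunk with default native VLAN
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/24
 description Uplink to SW-CORE-1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 spanning-tree guard root
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else f"{len(findings)} finding(s)")
        for finding in findings:
            print("   -", finding)
```

Run against the sample, GigabitEthernet0/2 (no `switchport mode`, VLAN 1, no `nonegotiate`, no port security, no BPDU Guard, CDP on) produces six findings, which is exactly the port profile the lesson warns about: a user could negotiate a trunk and then hop VLANs by tagging frames. GigabitEthernet0/23 is flagged for VLAN 1 as native and missing Root Guard; the other three ports pass. Feeding the script a real `show running-config` works the same way, since it only keys on the standard IOS interface stanza layout.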