Cisco devices have many useful features, but many of them can also be easily exploited. Be aware that the Internet is full of people who want to exploit your network for various reasons or for no reason at all. We will show you the best ways to think ahead and secure layer 2 of the network – the switches. Let’s start…
Category: Security – layer 2
Isolating Traffic inside a VLAN Using Private VLANs
In the article VACL – VLAN Access Lists we described one way to provide security on a switch such as a Cisco Catalyst. In this article we will look at another way of providing security: private VLANs – PVLAN.
The whole idea is to make it possible to group VLANs inside a VLAN. As the picture on the right shows, this gives you the opportunity to create groups of computers or servers inside the main (primary) VLAN. It is possible to have two servers in VLAN 10, both on the same subnet, and yet, which seems a little strange at first, separate them into two secondary VLANs, VLAN 4 and VLAN 5.
If you are interested in the PVLAN configuration, see the PVLAN configuration article.
In simple words, SPAN technology enables port mirroring on a selected switch.
In some cases you will need a server, PC or other network device to receive a copy of network traffic that is destined for some other device in the network. Why would you want that? Perhaps you need to monitor the traffic, or you want to implement an IDS – Intrusion Detection System, or something else. In that case you can configure any Cisco switch to send a copy of the traffic to the port that is connected to the sensor device.
Additional protection against potential man-in-the-middle attacks
Dynamic ARP Inspection helps us prevent Address Resolution Protocol – ARP spoofing attacks with the help of DHCP functionality, specifically DHCP snooping. This is why Dynamic ARP Inspection is usually used together with DHCP snooping. Let’s see how this technology protects us from ARP attacks.
What is ARP spoofing, and how can an attacker use it to launch a man-in-the-middle attack?
Attackers can attempt to launch an attack by sending gratuitous ARP – GARP replies. A GARP reply is sent from one device in the network to others without any prior ARP request having been received; it is an ARP reply without cause. This unsolicited reply can tell network devices that the attacker’s MAC address corresponds to a specific IP address that actually belongs to some other device in the LAN.
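As an added illustration that is not part of this article, the following Python script models the check Dynamic ARP Inspection performs on the switch: an ARP reply arriving on an untrusted port is permitted only when its sender IP/MAC pair matches the DHCP snooping binding table for that VLAN, while trusted (uplink) ports bypass the check. The binding table, port names and sample replies are constructed for the example.

```python
# Simplified model of the Dynamic ARP Inspection (DAI) check. Real DAI runs on
# the switch; this script only models the decision logic so the effect of the
# DHCP snooping binding table on a spoofed GARP reply can be seen directly.
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    vlan: int
    port: str          # ingress switch port
    sender_ip: str     # IP the sender claims to own
    sender_mac: str    # MAC the sender wants others to map that IP to
    target_ip: str


# Constructed DHCP snooping binding table: (vlan, ip) -> MAC learned from DHCP.
BINDINGS = {
    (10, "192.168.10.1"): "aa:aa:aa:aa:aa:01",   # default gateway
    (10, "192.168.10.11"): "aa:aa:aa:aa:aa:11",
    (10, "192.168.10.12"): "aa:aa:aa:aa:aa:12",
}

# Ports towards the DHCP server / uplink are trusted; access ports are not.
TRUSTED_PORTS = {"Gi0/24"}


def inspect(reply: ArpReply, bindings=BINDINGS, trusted=TRUSTED_PORTS) -> str:
    """Return 'permit' or a 'drop: <reason>' verdict for one ARP reply."""
    if reply.port in trusted:
        return "permit"                      # trusted ports bypass inspection
    bound_mac = bindings.get((reply.vlan, reply.sender_ip))
    if bound_mac is None:
        return "drop: no DHCP binding for sender IP"
    if bound_mac.lower() != reply.sender_mac.lower():
        return f"drop: sender MAC {reply.sender_mac} does not match binding {bound_mac}"
    return "permit"


def inspect_all(replies):
    """Run every reply through the check and pair it with its verdict."""
    return [(r, inspect(r)) for r in replies]


if __name__ == "__main__":
    # Constructed sample: a legitimate reply, a gratuitous reply from the host
    # on Gi0/2 claiming the gateway's IP with its own MAC, and a reply for an
    # IP that never obtained a DHCP lease.
    sample = [
        ArpReply(10, "Gi0/1", "192.168.10.11", "aa:aa:aa:aa:aa:11", "192.168.10.1"),
        ArpReply(10, "Gi0/2", "192.168.10.1", "aa:aa:aa:aa:aa:12", "192.168.10.11"),
        ArpReply(10, "Gi0/3", "192.168.10.99", "aa:aa:aa:aa:aa:99", "192.168.10.1"),
    ]
    for reply, verdict in inspect_all(sample):
        print(f"{reply.port} {reply.sender_ip} -> {reply.sender_mac}: {verdict}")
```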