Cisco ASA 5585-X Adaptive Security Appliance White Paper

Cisco and Public Sector Cyberdefense
Table 3  Additional Cisco Catalyst Security Capabilities

| Capability | Description |
|---|---|
| DHCP Snooping | Builds a table that binds the IP address of each client to its MAC address. The next two features consult this table to prevent man-in-the-middle attacks. |
| Dynamic ARP Inspection | Consults the DHCP snooping table to prevent hackers from tampering with the switch ARP table. |
| IP Source Guard | Consults the DHCP snooping table to prevent a hacker from using a spoofed IP address. |
| Private VLAN | PVLAN provides the capability to insulate one user from another. It provides enhanced Layer 2 security for data centers, wiring closets, and Metro Ethernet deployments. |
| Control Plane Policing | Control plane rate limiters and policers are hardware based and limit traffic directed to the CPU to mitigate denial-of-service attacks. |
| Dedicated TCAM for Access Control Lists (ACL) | Shared TCAM space can lead to ACL overflow, which triggers software-based forwarding and severely degraded performance. The Cisco Catalyst 6500 Series provides extensive ACL capability with 32K of dedicated TCAM space, so the chance of ACL overflow is minimized. |
| Hardware-based MAC learning | For switches that learn MAC addresses in software, a hacker can generate thousands of bogus MAC addresses and dominate the CPU. The Cisco Catalyst 6500 Series learns MAC addresses in hardware and is not susceptible to such DoS attacks. |
| Multipath uRPF | Typical DoS attacks start with address spoofing. Multipath unicast RPF prevents source address spoofing by performing reverse path forwarding checks on packets, even when multiple paths lead to the source. |
| User-Based Rate Limiting | To prevent a user from consuming too many network resources, traffic flows are learned dynamically and each unique flow is rate limited in hardware. |
| Broadcast suppression | A hacker can flood a network with broadcast traffic and bring it down to an unusable state. The Cisco Catalyst 6500 Series provides a set of flood control tools (traffic storm control, unknown unicast flood blocking, and unicast flood protection) to protect the network from such DoS attacks. |
| Cisco Security Manager | Provides security managers with a centralized security management tool for Cisco Security products, including Cisco Catalyst 6500 Series secure ACLs, VLANs, and PISA flexible packet matching policies. |
| AutoSecure | AutoSecure saves security managers considerable time by automatically applying a standard security policy to the switch, thereby quickly bringing the entire network to a security baseline. |
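The first three rows of Table 3 describe one mechanism: DHCP snooping learns an IP-to-MAC binding per access port, and Dynamic ARP Inspection and IP Source Guard consult it to drop forged ARP and spoofed-source IP traffic on untrusted ports. The following added example (not from the Cisco white paper) models that dependency in Python; port names, MAC addresses and IP addresses are constructed, and lease expiry and rate limiting are left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: client MAC/IP and the access port it was learned on."""
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    """Simplified model of DHCP snooping feeding DAI and IPSG (constructed, not Cisco code)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplinks toward the legitimate DHCP server
        self.pending = {}                  # client MAC -> (vlan, access port) awaiting an ACK
        self.bindings = {}                 # (vlan, ip) -> Binding

    def dhcp_request(self, port, vlan, client_mac):
        """Remember which untrusted port a client's DISCOVER/REQUEST arrived on."""
        if port not in self.trusted:
            self.pending[client_mac] = (vlan, port)

    def dhcp_ack(self, port, client_mac, offered_ip):
        """Only ACKs arriving on trusted ports create bindings; an ACK from an untrusted
        port is a rogue DHCP server and is dropped. Returns True if a binding was made."""
        if port not in self.trusted or client_mac not in self.pending:
            return False
        client_vlan, client_port = self.pending.pop(client_mac)
        self.bindings[(client_vlan, offered_ip)] = Binding(client_mac, offered_ip, client_vlan, client_port)
        return True

    def _bound_here(self, port, vlan, mac, ip):
        b = self.bindings.get((vlan, ip))
        return b is not None and b.mac == mac and b.port == port

    def arp_allowed(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender MAC/IP pair must match a binding on that
        same port, so a forged reply claiming a neighbour's IP never reaches the ARP table."""
        return port in self.trusted or self._bound_here(port, vlan, sender_mac, sender_ip)

    def ip_allowed(self, port, vlan, src_mac, src_ip):
        """IPSG: IP traffic on an untrusted port may only use the source IP/MAC that
        DHCP snooping bound to that port, which stops spoofed-source DoS traffic."""
        return port in self.trusted or self._bound_here(port, vlan, src_mac, src_ip)
```

A host that never completed DHCP through the trusted uplink has no binding, so both its ARP and its IP traffic are dropped on its access port while traffic on the trusted uplink passes unchecked.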