4-39
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 4 Cisco Unified Wireless Network Architecture—Base Security Features
Cisco Integrated Security Features
Using CISF for Wireless Features
This section describes each of the features provided within CISF that were tested for protection against
wireless attacks.
Using Port Security to Mitigate a MAC Flooding Attack
Port security sets a maximum number of MAC addresses allowed on a port. You can add addresses to
the address table manually, dynamically, or by a combination of the two. Packets are dropped in
hardware when the maximum number of MAC addresses in the address table is reached, and a station
that does not have a MAC address in the address table attempts to send traffic.
Enabling port security on the access port of the switch stops a MAC flooding attack from occurring
because it limits the MAC addresses allowed through that port. If the response to a violation is set to
shutdown, the port goes to the error-disabled state. If the response is set to restrict, traffic with unknown
source MAC addresses is dropped.
Port Security in a Wireless Network
It is not generally recommended to enable port security on a switch port connected to an H-REAP AP or
WLC. The use of port security implies knowing the exact number of MAC addresses that the switch
learns and allows from that port; in the case of an H-REAP AP or WLC, the various source MAC
addresses that the switch learns usually correspond to wireless users. Setting port security on the switch
port allows only a certain number of users on the wired network.
For example, a company might have a security policy that allows only certain MACs, and a certain
number of them, to send traffic through the access point. In this case, a combination of MAC filtering
on the H-REAP AP or WLC and port security on the switch ensures that only the selected users access
the wired network. Most of the time, however, a company implements a WLAN to facilitate the mobility
of the employees, which implies that an H-REAP AP or WLC, at any given time, does not have a
predetermined number of users associated with it. Therefore, in cases where it is impossible to determine
the number of users connected to the AP, enabling port security on the switch port offers no advantages.
At worst, it can create an involuntary DoS condition if the policy for port security is set to shut down the
port in the event of a violation; when this happens, all the users connected to that AP lose network
connectivity.
shows an example of using port security to limit a wireless MAC flooding
attack by locking down the port and sending an SNMP trap.
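The kind of configuration described above, as an added example written for this page rather than taken from the design guide: a wired access port locked down with port security (shutdown on violation, SNMP trap, automatic err-disable recovery), beside the H-REAP AP uplink on which port security is deliberately left off. Interface names, VLAN numbers, the maximum of 2 addresses, the NMS address 192.0.2.10 and the community string are assumed placeholders.

```cisco
! --- Wired access port for a fixed, known set of stations ---
! Caps the address table at 2 learned MACs; a third source MAC
! is a violation. "shutdown" err-disables the port, which stops
! the flood but also cuts off every station behind the port.
interface GigabitEthernet0/1
 description Wired user port - port security enforced
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! Equivalent port that only drops offending frames and counts them,
! so legitimate stations already in the table keep working.
interface GigabitEthernet0/2
 description Wired user port - restrict instead of shutdown
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
! --- H-REAP AP uplink: the MACs seen here are roaming wireless
! clients whose count is not known in advance, so port security
! is intentionally NOT configured (a shutdown here would disconnect
! every client on the AP). Trunk assumed for locally switched WLANs.
interface GigabitEthernet0/24
 description H-REAP AP uplink - no port security
 switchport mode trunk
!
! Send a trap on each violation and let a shut-down port recover
! after 300 s instead of waiting for manual intervention.
snmp-server enable traps port-security
snmp-server host 192.0.2.10 version 2c NMS-COMMUNITY
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Verify the state and counters with `show port-security interface GigabitEthernet0/1` and `show port-security address`; an err-disabled port also shows up in `show interfaces status err-disabled`.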