Cisco Cisco Aironet 350 Mini-PCI Wireless LAN Client Adapter Guia Do Desenho
4-41
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 4 Cisco Unified Wireless Network Architecture—Base Security Features
Cisco Integrated Security Features
In the case of H-REAP, the user VLAN is terminated locally, the DHCP request does not go through the
controller, and an analysis of the chaddr cannot performed. In this case, the same security considerations
apply for this method of access as they do for wired access. A smart (wireless) attacker uses the MAC
address with which he or she is associated to the AP to generate the random DHCP requests, and then
simply changes the requesting MAC address within the DHCP packet payload. To the AP, the packet
looks valid because the originating MAC is the same as the MAC used to associate to the AP.
controller, and an analysis of the chaddr cannot performed. In this case, the same security considerations
apply for this method of access as they do for wired access. A smart (wireless) attacker uses the MAC
address with which he or she is associated to the AP to generate the random DHCP requests, and then
simply changes the requesting MAC address within the DHCP packet payload. To the AP, the packet
looks valid because the originating MAC is the same as the MAC used to associate to the AP.
Using DHCP Snooping to Mitigate a Rogue DHCP Server Attack
DHCP snooping is a DHCP security feature that provides security by building and maintaining a DHCP
snooping binding table and filtering untrusted DHCP messages. It does this by differentiating between
untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or
another switch. End-user ports can be restricted to sending only DHCP requests and no other type of
DHCP traffic. Trusted ports allow any DHCP message to be forwarded. The DHCP snooping table is
built per VLAN and ties the IP address/MAC address of the client to the untrusted port. Enabling DHCP
snooping prevents users from connecting a non-authorized DHCP server to an untrusted (user-facing)
port and start replying to DHCP requests.
snooping binding table and filtering untrusted DHCP messages. It does this by differentiating between
untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or
another switch. End-user ports can be restricted to sending only DHCP requests and no other type of
DHCP traffic. Trusted ports allow any DHCP message to be forwarded. The DHCP snooping table is
built per VLAN and ties the IP address/MAC address of the client to the untrusted port. Enabling DHCP
snooping prevents users from connecting a non-authorized DHCP server to an untrusted (user-facing)
port and start replying to DHCP requests.
DHCP Snooping for Wireless Access
The WLC manages all DHCP requests from clients and acts as a DHCP relay agent. DHCP requests from
WLAN clients are not broadcast back out to the WLAN, and they are unicasted from the WLC to a
configured DHCP server. This protects other WLAN clients connected to the WLC from rogue DHCP
server attacks.
WLAN clients are not broadcast back out to the WLAN, and they are unicasted from the WLC to a
configured DHCP server. This protects other WLAN clients connected to the WLC from rogue DHCP
server attacks.
Clients connecting to VLANs via an H-REAP 802.1q trunk interface are not protected against rogue
DHCP server attacks.
DHCP server attacks.
Keep in mind that the CISF features (in this case DHCP snooping) are implemented on the switch, not
on the AP, so the ability of a switch to intercept malicious messages from a rogue server goes only
happens if traffic is seen by the switch.
on the AP, so the ability of a switch to intercept malicious messages from a rogue server goes only
happens if traffic is seen by the switch.
shows an example of using DHCP snooping to mitigate against a rogue DHCP server attack,
and how an attack can happen before the switch is able to provide DHCP protection.
Figure 4-33
Security Used Against Rogue DHCP Server Attack
H-REAP
190375
LWAPP
Si
DHCP
Offer
DHCP
Server