Design Guide for the Cisco Aironet 350 Mini-PCI Wireless LAN Client Adapter
4-36
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 4 Cisco Unified Wireless Network Architecture—Base Security Features
Cisco Integrated Security Features
Cisco Integrated Security Features (CISF) are available on Cisco Catalyst switches, and help mitigate
against a variety of attacks that a malicious user might launch after gaining wireless access to the
network. This section describes these attacks, how a WLC protects against these attacks, and how CISF,
when enabled on the access switch, can help protect the network.
Note
This section describes only the attacks that CISF can help prevent when enabled on access switches, and
is not meant to be a comprehensive analysis of all the attacks that are possible on wireless
networks.
Types of Attacks
Attacks can occur against either wired or wireless networks. However, a wireless network connection
allows an attacker to craft an attack without physical connectivity to the network. The WLC and CISF
include features that are specifically designed to prevent such attacks, including the following:
• MAC flooding attacks
• DHCP rogue server attacks
• DHCP exhaustion attacks
• ARP spoofing attacks
• IP spoofing attacks
MAC Flooding Attack
MAC flooding attacks are attempts to fill the content-addressable memory (CAM) table of a switch, and
thus force the switch to start flooding LAN traffic. These attacks are performed with tools such as macof
(part of the dsniff package), which generates a flood of frames with random MAC and IP source and
destination addresses.
The Layer 2 learning mechanism of an Ethernet switch is based on the source MAC addresses of packets.
For each new source MAC address received on a port, the switch creates a CAM table entry for that port
and for the VLAN to which the port belongs. CAM tables are limited in size by the finite memory
available on the switch, and the macof utility typically fills one in less than ten seconds. If enough
entries are added to the CAM table before existing entries expire, the table fills to the point that no
new entries can be accepted.
When the CAM table of a switch is full, the switch floods incoming traffic out all of its ports because
it cannot find the port for a particular destination MAC address in the CAM table. The switch, in essence,
acts like a hub, to the detriment of performance and security. The overflow floods traffic within the local
VLAN, so the intruder sees traffic within the VLAN to which he or she is connected.
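To make the CAM table behaviour above concrete, the following is an added example, not code from the design guide: a small Python model of a bounded CAM table with the flood-on-miss behaviour just described, plus the defender's check that matters here, counting distinct source MACs per access port, which is the signal a per-port MAC limit (port security on the access switch) acts on. The port names, VLAN, MAC addresses and table size are constructed for the scenario.

```python
class CamTable:  # bounded model of a switch CAM table: (vlan, mac) -> port
    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = {}

    def learn(self, vlan, src_mac, port):
        """Learn a source MAC; return False when the table is already full."""
        key = (vlan, src_mac)
        if key in self.entries:          # known station: refresh its binding
            self.entries[key] = port
            return True
        if len(self.entries) >= self.capacity:
            return False                 # table full: new entry is not accepted
        self.entries[key] = port
        return True

    def forward(self, vlan, dst_mac, vlan_ports):
        """Unknown unicast is flooded to every port in the VLAN, hub-style."""
        port = self.entries.get((vlan, dst_mac))
        return ("flood", sorted(vlan_ports)) if port is None else ("unicast", [port])

def flooding_ports(frames, max_macs=5):
    """Ports whose distinct source-MAC count exceeds a per-port limit (the
    signal port security acts on); legitimate access ports stay far below it."""
    seen = {}
    for f in frames:
        seen.setdefault(f["port"], set()).add(f["src"])
    return sorted(p for p, macs in seen.items() if len(macs) > max_macs)

def run_scenario(capacity=64, burst=100):
    """Constructed scenario: two real hosts, then a macof-style burst on Gi1/0/3."""
    ports = {"Gi1/0/1", "Gi1/0/2", "Gi1/0/3"}
    frames = [{"vlan": 10, "src": "00:11:22:33:44:01", "port": "Gi1/0/1"},
              {"vlan": 10, "src": "00:11:22:33:44:02", "port": "Gi1/0/2"}]
    frames += [{"vlan": 10, "src": "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF),
                "port": "Gi1/0/3"} for i in range(burst)]
    cam = CamTable(capacity)
    for f in frames:
        cam.learn(f["vlan"], f["src"], f["port"])
    # A host whose entry was never learned (or has aged out) cannot be added now,
    # so frames addressed to it are flooded to every port, the attacker's included.
    late_learned = cam.learn(10, "00:11:22:33:44:03", "Gi1/0/2")
    action, egress = cam.forward(10, "00:11:22:33:44:03", ports)
    return {"table_size": len(cam.entries), "late_learned": late_learned,
            "action": action, "egress": egress, "flagged": flooding_ports(frames)}
```

The per-port count is what lets the access switch stop the burst at its ingress port, long before the shared CAM table fills.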
At Layer 3, the random IP destinations targeted by macof also fall within the multicast address space. Thus,
distribution layer switches that have multicast enabled experience high CPU usage as the
Protocol Independent Multicast (PIM) process attempts to handle the false routes.