Design Guide for Cisco Aironet 350 Mini-PCI Wireless LAN Client Adapter
4-42
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 4 Cisco Unified Wireless Network Architecture—Base Security Features
Cisco Integrated Security Features
Effectiveness of DHCP Snooping
DHCP snooping is enabled on a per-VLAN basis, so it works on a trunk port. A separate DHCP snooping
entry is inserted for each DHCP request received on a given trunk port for clients in different VLANs.
The fact that DHCP snooping works on trunk ports is very important because it makes this CISF feature
applicable to a WLAN deployment where multiple SSIDs/VLANs are configured on the local interface
of the H-REAP. If an attacker is associated to the same WLAN/VLAN as the target, but via a different
H-REAP, the switch is able to protect against the DHCP spoof attack. However, if the attacker and the
target are associated to the same H-REAP, the attack does not traverse the access switch and it is not
detected.
DHCP snooping also provides some protection against DHCP server attacks by rate limiting the DHCP
requests to the DHCP server.
Using Dynamic ARP Inspection to Mitigate a Man-in-the-Middle Attack
Dynamic ARP Inspection (DAI) is enabled on the access switch on a per-VLAN basis. It compares ARP
requests and responses, including gratuitous ARPs (GARPs), with the MAC/IP entries populated by
DHCP snooping in the DHCP binding table. If the switch receives an ARP message with no matching
entry in the DHCP binding table, the packet is discarded and a log message is sent to the console. DAI
prevents ARP poisoning attacks that may lead to MIM attacks such as those launched using ettercap by
stopping the GARP messages that the malicious user sends to the target to alter their ARP table and
receive their traffic. The ARP messages are filtered directly at the port to which the attacker is
connected.
DAI for Wireless Access
The WLC protects against MIM attacks by performing a function similar to DAI on the WLC itself. DAI
should not be enabled on the access switch for those VLANs connecting directly to the WLCs, because
the WLC uses GARPs to support Layer 3 client roaming and DAI would discard them.
It is possible to enable DAI for each VLAN configured on a trunk between an H-REAP and access
switch. Therefore, DAI is useful in wireless deployments where multiple SSIDs/VLANs exist on an
H-REAP. However, in an H-REAP deployment, two scenarios can impact the effectiveness of the DAI
feature. The following scenarios assume that the attacker is associated to an H-REAP and is
Layer 2-adjacent to his/her targets:
•
Scenario 1—One of the targets is wireless and associated to the same AP as the attacker while the
other target is the default gateway. This is considered to be the most typical attack.
•
Scenario 2—Both targets are wireless.
These two scenarios illustrate in which cases the traffic goes through the switch and thus can be stopped.
In Scenario 1, the MIM attack attempts to use a GARP to change the ARP table entries for the default
gateway and/or a wireless target, to redirect traffic to the attacker. DAI can block the GARP sent to the default
gateway, because it traverses the access switch, but DAI has no effect on the spoofed GARP sent to the wireless
client, because that frame never leaves the H-REAP. This limits the effectiveness of the MIM attack (only the
client-to-gateway direction can be diverted), but does not prevent it completely.
In Scenario 2, the MIM attack sends GARPs to wireless clients, and the switch implementing DAI does
not see these GARPs and cannot block the attack.
The accompanying figure shows an example of the attack mechanism, in which GARPs are sent to the two
communicating IP nodes on the subnet to divert the traffic between them.
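The following Cisco IOS configuration is an added example, not part of the original design guide, that puts the DHCP snooping and DAI guidance from the two preceding sections into one access-switch configuration. The interface names, VLAN numbers (10 and 20 for H-REAP local-switched SSIDs, 30 for a WLC-attached client VLAN, 100 for the AP native VLAN) and rate-limit values are assumptions chosen for illustration; adapt them to the deployment.

```cisco
! --- Global: enable DHCP snooping and DAI only on the H-REAP local-switched client VLANs.
! VLAN 30 (clients tunneled to the WLC) is deliberately left out of DAI: the WLC sends
! GARPs on that VLAN to support Layer 3 roaming and performs its own ARP protection.
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
ip arp inspection vlan 10,20
! Also check that Ethernet source/destination MACs and IP addresses are sane, not just the
! (MAC, IP, VLAN) tuple against the snooping binding table.
ip arp inspection validate src-mac dst-mac ip
!
! --- Trunk toward the H-REAP: UNTRUSTED for both features.
! Snooping and DAI are per-VLAN, so one trunk carrying several SSID/VLANs is covered, and a
! separate binding entry is created per client per VLAN. The rate limits bound how fast a
! wireless attacker can flood the DHCP server or the ARP inspection engine through this port.
interface GigabitEthernet1/0/1
 description Trunk to H-REAP AP (client VLANs 10,20; AP management on native VLAN 100)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 10,20,100
 switchport mode trunk
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! --- Uplink toward the distribution layer / DHCP server: TRUSTED.
! DHCP OFFER/ACK from the real server must be accepted here, and DAI must not inspect
! legitimate ARP from upstream devices.
interface GigabitEthernet1/0/24
 description Uplink to distribution (DHCP server lives upstream)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Port facing the WLC: trusted, and its VLAN (30) is not in the DAI VLAN list above.
interface GigabitEthernet1/0/23
 description Trunk to WLC (client VLAN 30 is central-switched; no DAI here)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 30,100
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Verification (operator commands, shown for reference):
! show ip dhcp snooping binding          <- one entry per (MAC, IP, VLAN, port) learned on Gi1/0/1
! show ip arp inspection vlan 10         <- confirms DAI is active and validation options are set
! show ip arp inspection statistics vlan 10   <- "DHCP Drops" counts spoofed GARPs that crossed the switch
```

Remember the limit the text states: this configuration only inspects frames that actually traverse the access switch. A GARP sent by a wireless attacker to a wireless victim on the same H-REAP is bridged locally by the AP and never appears in the `show ip arp inspection statistics` counters, so Scenario 2 above remains undetected by the switch regardless of how DAI is tuned.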