Руководство По Проектированию для Cisco Cisco Aironet 350 Mini-PCI Wireless LAN Client Adapter
4-44
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 4 Cisco Unified Wireless Network Architecture—Base Security Features
Cisco Integrated Security Features
Because the MAC address is provided in the log, the administrator can take further action to block the
attack by disassociating the attacker.
attack by disassociating the attacker.
When DAI is configured on a VLAN, an ARP rate limiter is configured globally to prevent flooding of
ARP requests coming from a certain port. The default value of the rate limiter is 15 packets per second
(pps). If this limit is reached, the switch disables the port to prevent the attack. In this case, to launch a
MIM attack, an attacker must first discover who else is Layer 2 adjacent. To do this, ettercap generates
a series of GARPs, claiming to be each one of the IP address on the subnet. In this way, the real owner
of that address replies and ettercap can build its table.
ARP requests coming from a certain port. The default value of the rate limiter is 15 packets per second
(pps). If this limit is reached, the switch disables the port to prevent the attack. In this case, to launch a
MIM attack, an attacker must first discover who else is Layer 2 adjacent. To do this, ettercap generates
a series of GARPs, claiming to be each one of the IP address on the subnet. In this way, the real owner
of that address replies and ettercap can build its table.
In lab tests, this limit has been reached immediately when using ettercap and the port shuts down. This
is acceptable in a wired scenario, but in a wireless scenario, by shutting down the port connected to the
AP, all the wireless users lose their connection to the outside world and a possible MIM attack turns into
a DoS attack.
is acceptable in a wired scenario, but in a wireless scenario, by shutting down the port connected to the
AP, all the wireless users lose their connection to the outside world and a possible MIM attack turns into
a DoS attack.
To avoid this potential DoS (involuntarily created by enabling DAI), Cisco recommends turning off the
ARP rate limiter on the port of the switch connected to the AP. You can do this with the following
interface level command:
ARP rate limiter on the port of the switch connected to the AP. You can do this with the following
interface level command:
ip arp inspection limit none
An alternative is to change the threshold value to a value larger than 15 pps. However, this is not a
general remedy because it depends on the implementation of the specific tool being used to launch the
attack.
general remedy because it depends on the implementation of the specific tool being used to launch the
attack.
Using IP Source Guard to Mitigate IP and MAC Spoofing
When enabled on an interface of the access switch, IP Source Guard dynamically creates a per-port
access control list (PACL) based on the contents of the DHCP snooping binding table. This PACL
enforces traffic to be sourced from the IP address issued at DHCP binding time and prevents any traffic
from being forwarded by other spoofed addresses. This also prevents an attacker from impersonating a
valid address by either manually changing the address or running a program designed to do address
spoofing, such as hping2. This feature has an option (port security) to filter the incoming address, also
using the MAC address in the DHCP snooping binding table.
access control list (PACL) based on the contents of the DHCP snooping binding table. This PACL
enforces traffic to be sourced from the IP address issued at DHCP binding time and prevents any traffic
from being forwarded by other spoofed addresses. This also prevents an attacker from impersonating a
valid address by either manually changing the address or running a program designed to do address
spoofing, such as hping2. This feature has an option (port security) to filter the incoming address, also
using the MAC address in the DHCP snooping binding table.
The attacker typically uses the spoofed address to hide his or her real identity and launch an attack, such
as a DoS attack, against a target.
as a DoS attack, against a target.
IP Source Guard for Wireless Access
In the case of wireless access, IP Source Guard can be enabled on the trunk port connecting the access
switch to the H-REAP. This allows the switch to filter any traffic coming from wireless users that does
not match an entry in the DHCP binding table.
switch to the H-REAP. This allows the switch to filter any traffic coming from wireless users that does
not match an entry in the DHCP binding table.
IP Source Guard does not need to be enabled on the VLANs configured behind a WLC, because the WLC
performs a similar function to ensure that the IP address used by a client is the IP address that has been
assigned to that client.
performs a similar function to ensure that the IP address used by a client is the IP address that has been
assigned to that client.
IP Source Guard is beneficial in H-REAP deployments because the H-REAP (unlike a standard LAP) is
not able to check the WLAN client MAC-to-IP address binding relationship.
not able to check the WLAN client MAC-to-IP address binding relationship.
In tests, the following two scenarios were considered:
•
Scenario 1—The target is represented by another wireless user associated to the same AP.
•
Scenario 2—The target is another wireless user associated to a different AP.