Cisco Support Community
Switch security - protecting against "port stealing"

I work for a public library system, and we have a number of public-access computers on switched networks (largely Catalyst 2950s). We have just been made aware of a potential security threat, using a package named Ettercap, referred to as "port stealing".

It involves an attacking PC tricking the switch by sending a spoofed layer 2 frame with a target PC's MAC in the source field, and its own MAC in the destination field. The switch should then update its CAM table so that packets addressed to the target are forwarded to the attacker.

The attacker can then relay the packets on to the target by sending an ARP request to its IP address to reset the CAM table. The exploit is described here:

http://ettercap.sourceforge.net/forum/viewtopic.php?t=2329&sid=305c457d68c3c9c757747b86b4a1bec9

I can see that enabling port security and limiting each port to one MAC address would make this attack difficult. Are there any other security measures that could be taken on the switch to protect against this attack? Sticky addresses could be a possibility, but configuring static MAC address would not be practical.

Thanks,

Rob
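The attack Rob describes leaves a footprint on the switch: the victim's MAC keeps moving between the victim's port and the attacker's port, and IOS reports that as repeated %SW_MATM-4-MACFLAP_NOTIF messages; if port security is on, the forged source MAC trips %PORT_SECURITY-2-PSECURE_VIOLATION instead. The following detector is an added example, not code from the thread or from Cisco: it runs over a few constructed syslog lines (the MAC addresses, VLAN and port names are invented) and flags a MAC that flaps between the same two ports several times inside a short window, which is what a re-stolen port looks like, while ignoring the one-off flap that a moved laptop or a topology change produces.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines, not taken from the original post. The
# message formats follow IOS %SW_MATM-4-MACFLAP_NOTIF (MAC seen moving between
# ports) and %PORT_SECURITY-2-PSECURE_VIOLATION (port security tripped).
SAMPLE_LOG = """\
Jan 12 10:15:01: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Fa0/3 and port Fa0/7
Jan 12 10:15:03: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Fa0/7 and port Fa0/3
Jan 12 10:15:04: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Fa0/3 and port Fa0/7
Jan 12 10:15:05: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Fa0/7 and port Fa0/3
Jan 12 10:40:00: %SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bbcc.ddee in vlan 10 is flapping between port Fa0/1 and port Gi0/1
Jan 12 11:02:17: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/7.
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
FLAP_RE = re.compile(
    TS + r": %SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f.]+) in vlan (?P<vlan>\d+)"
    r" is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)$"
)
VIOL_RE = re.compile(
    TS + r": %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,"
    r" caused by MAC address (?P<mac>[0-9a-f.]+) on port (?P<port>[^.\s]+)\.?$"
)


def parse_ts(text):
    # IOS timestamps carry no year; good enough for ordering within one capture.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def detect_port_stealing(log_text, threshold=3, window_seconds=60):
    """Return a list of alerts ordered by first occurrence.

    A single MAC-flap message is normal noise (a laptop moved, a topology
    change). Port stealing produces a burst: the attacker re-steals the port
    after every ARP-based reset, so the same MAC bounces between the same two
    ports many times in a short window. A port-security violation naming the
    MAC is reported directly, since it already identifies the offending port.
    """
    flaps = defaultdict(list)   # (mac, vlan, port pair) -> [timestamps]
    alerts = []
    for line in log_text.splitlines():
        m = FLAP_RE.match(line)
        if m:
            key = (m["mac"], m["vlan"], frozenset((m["p1"], m["p2"])))
            flaps[key].append(parse_ts(m["ts"]))
            continue
        v = VIOL_RE.match(line)
        if v:
            alerts.append({
                "kind": "port-security-violation",
                "mac": v["mac"],
                "ports": [v["port"]],
                "first_seen": parse_ts(v["ts"]),
                "count": 1,
            })
    for (mac, vlan, ports), times in flaps.items():
        times.sort()
        for i, start in enumerate(times):
            # number of flaps of this MAC/port pair inside [start, start + window]
            n = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_seconds)
            if n >= threshold:
                alerts.append({
                    "kind": "mac-flap",
                    "mac": mac,
                    "vlan": vlan,
                    "ports": sorted(ports),   # both ports; the log cannot say which one is the attacker
                    "first_seen": start,
                    "count": n,
                })
                break   # one alert per MAC/port pair is enough
    alerts.sort(key=lambda a: a["first_seen"])
    return alerts


if __name__ == "__main__":
    for a in detect_port_stealing(SAMPLE_LOG):
        print(a["first_seen"].strftime("%b %d %H:%M:%S"), a["kind"], a["mac"],
              "ports", ",".join(a["ports"]), "count", a["count"])
```

The flap alert lists both ports because the switch only sees the MAC moving; the port that was stable before the burst began is the real host, the other is the suspect. Feed the function the output of `show logging` or a syslog collector, and tune `threshold` and `window_seconds` to the flap rate you see on a quiet day.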

  • LAN Switching and Routing
2 REPLIES
Re: Switch security - protecting against "port stealing"

Hi Rob,

Please take a look at Dynamic ARP Inspection and DHCP snooping here:

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a00807c4101.shtml

This will help.

Regards,

Jason
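The two controls complement each other. Port security is the one that stops the step Rob describes: with the port limited to one learned address, a frame carrying the target PC's MAC as its source arriving on the attacker's port exceeds the limit and the port is err-disabled, so the CAM entry never moves. DHCP snooping and Dynamic ARP Inspection validate ARP traffic against the DHCP lease table and defeat the ARP-poisoning attacks in the same Ettercap toolkit, but note that DAI is not offered on the Catalyst 2950 mentioned in the question; it needs a newer platform such as the 2960 or 3560, so check the feature list for your IOS release. The configuration below is an added example, not from the thread or from the linked Cisco document; the interface ranges, VLAN 10 and the uplink name are assumptions for the library's public-access ports.

```text
! Public-access ports: one learned MAC each, sticky so the learned
! address survives a reload. A frame with any other source MAC
! (the spoofed target MAC in port stealing) is a violation and the
! port is shut down (err-disabled).
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Bring err-disabled ports back after 5 minutes instead of paging staff.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! DHCP snooping and DAI for the public VLAN (DAI only on platforms that
! support it; skip the ip arp inspection lines on a 2950).
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! Only the uplink towards the DHCP server is trusted.
interface GigabitEthernet0/1
 description uplink to core / DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
```

Sticky addresses are written into the running configuration as they are learned, so a `copy running-config startup-config` after the public PCs have been on for a while is what makes them persist. To check the result, `show port-security interface FastEthernet0/3` shows the learned address and violation count, `show ip dhcp snooping binding` lists the MAC-to-IP leases DAI will enforce, and `show ip arp inspection statistics` counts the ARP packets it dropped.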

Re: Switch security - protecting against "port stealing"

Thanks for the link, Jason - very useful.

Rob
