Switch security - protecting against "port stealing"
I work for a public library system, and we have a number of public-access computers on switched networks (largely Catalyst 2950s). We have just been made aware of a potential security threat, using a package named Ettercap, referred to as "port stealing".
It involves an attacking PC tricking the switch by sending a spoofed layer 2 frame with a target PC's MAC in the source field, and its own MAC in the destination field. The switch should then update its CAM table so that packets addressed to the target are forwarded to the attacker.
The attacker can then relay the packets on to the target by sending an ARP request to its IP address to reset the CAM table. The exploit is described here:
I can see that enabling port security and limiting each port to one MAC address would make this attack difficult. Are there any other security measures that could be taken on the switch to protect against this attack? Sticky addresses could be a possibility, but configuring static MAC addresses would not be practical.
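For reference, the port-security approach the question mentions, as an added example (not from the original poster or from Cisco documentation) of how it would look on an access port of a Catalyst 2950. The interface name and the `restrict` violation mode are assumptions; the point is that a spoofed frame carrying the victim's MAC as source arrives on the attacker's port, where it counts as a second address and is dropped instead of rewriting the CAM entry.

```cisco
! Added example: one secured public-access port on a Catalyst 2950.
! Assumed interface; adjust to the port range actually used.
interface FastEthernet0/1
 switchport mode access
 ! Enable port security and allow exactly one source MAC on this port.
 switchport port-security
 switchport port-security maximum 1
 ! Sticky: the first MAC seen is learned and written to running-config,
 ! so no static MAC has to be typed in per port (save with "write memory").
 switchport port-security mac-address sticky
 ! restrict: drop offending frames, count them and raise a syslog/SNMP
 ! notification, but keep the port up (use "shutdown" to err-disable it).
 switchport port-security violation restrict
!
! Verification commands to run after a few minutes of normal traffic:
! show port-security interface FastEthernet0/1   (SecurityViolation counter)
! show port-security address                     (learned sticky MACs)
! show mac address-table interface FastEthernet0/1
```

Two caveats: sticky learning trusts whichever MAC shows up first, so enable it while the legitimate PC is connected, and a replaced PC will need its old sticky entry cleared before it can talk.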