Switch and VLAN Configuration Part 2


Time: 7 hours 50 minutes
Difficulty: Beginner
CEU/CPE: 8
Video Transcription
Here are a couple of extra security measures that we can take with our switches. The first one is called DHCP snooping, and this is a feature that you can turn on on some switches. It's based on the idea that the DHCP protocol is inherently insecure. There really is no sort of authentication to make sure that the IP addresses being assigned are from a legitimate DHCP server. Just like so many of our protocols, DHCP was designed for function, but not secure function. So we can add on security at the switch level and have the switch analyze the network for DHCP requests, specifically DHCP offers, and hopefully narrow down the offers that come from unauthorized DHCP servers.

We've also got flood guards, and our switches can look for specific types of traffic that are in excess of what's normal. We talked a lot about denial of service attacks or ping floods. On switches, you can monitor floods. There are all sorts of floods: UDP floods, TCP floods, SYN floods. So ultimately, looking for an inordinate amount of traffic of a specific type would be what a flood guard is going to do for you.

Then two more: root guard and BPDU guard. Both have to do with Spanning Tree Protocol. We talked about Spanning Tree Protocol briefly, but the whole idea is that Spanning Tree is designed to mitigate the problems of switching loops. What Spanning Tree does is create a logical structure of an inverted tree where the root switch is the basis of the inverted tree. It's the root, and all the other switches ultimately connect through a pathway up to the root, and then any other redundant links are disabled. Ultimately, everything is coming up through the root. We want to make sure that our particular root switch is one that is capable of handling a solid amount of switching traffic because it's going to be very busy. We also want to make sure that it is guarded and that we don't have the capability of another switch modifying or impersonating the root. That's where the root guard feature comes in.

Then we have BPDU guard. BPDU stands for Bridge Protocol Data Unit, and this is communication that should only go across trunking ports. When one switch is connecting to another switch or is connecting to a router, we have access ports and trunking ports. Trunking is switch to switch. Access ports are where your client devices plug in. We want to make sure that we don't have BPDUs coming in on client or access ports because that would indicate some reconfiguring of our network environment. So we turn BPDU Guard on with our access ports.

Also, with port security, we can set configuration options like only allowing certain MAC addresses or a certain number of MAC addresses to connect to a certain port. That's not really high-end security because MAC addresses can be spoofed just like most addresses. However, it does give us one more layer of defense.

Our key takeaways: we spent this chapter looking at switches more deeply and we talked about the ways switches operate, as well as some of the security concerns with switches. We continue to focus on the fact that switches use MAC addresses and we have to make sure that the table in which they store those MAC addresses is protected. Remember, that table is called the CAM table and we're concerned with things like MAC flooding. Another concern with switches is switching loops that lead to what are referred to as broadcast storms, and that's when all data is going out all ports on a switch because it's gotten confused as to where specific hosts are. When a switch doesn't know where to send traffic, it goes back to operating like a hub and all data goes out all ports all the time. That can be caused by a MAC flood. But we can also see that as a result of redundant links that are set up to have additional fault tolerance. If they're not configured properly with Spanning Tree, they can cause a lot of confusion, which makes Spanning Tree very helpful. We also talked about needing to monitor security through our switches. But because of how switches operate, we need to enable port SPAN or port mirroring on a specific port on the switch so that we can view all traffic. We also discussed VLAN tagging and trunking, which essentially is how we're going to enable VLANs to span multiple switches, and we can also tag for layer 2 switches that still want to have VLANs and allow that inter-VLAN communication.
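As an added illustration (not part of the course video or its materials), the following Python model shows how the protections described above interact on one switch: a CAM table that floods unknown destinations out every port like a hub, port security that bounds the number of MAC addresses an access port may learn, DHCP snooping that drops offers arriving on untrusted ports, and BPDU guard that err-disables an access port that receives a BPDU. The port names, MAC addresses, frame format and the `demo()` scenario are all constructed for the example; real switches implement these features in hardware with vendor-specific commands, and only the ordering of checks is modelled here.

```python
"""Toy model of switch-port protections: CAM learning, port security,
DHCP snooping and BPDU guard. Added teaching example, not vendor code;
all ports, MACs and frames below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    in_port: str
    kind: str = "data"  # "data", "dhcp_offer" or "bpdu"


@dataclass
class Port:
    name: str
    mode: str = "access"        # "access" (client device) or "trunk" (switch/router uplink)
    dhcp_trusted: bool = False  # DHCP snooping: only trusted ports may carry offers
    max_macs: int = 1           # port security: source MACs an access port may learn
    err_disabled: bool = False
    learned: set = field(default_factory=set)


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.cam = {}   # CAM table: source MAC -> port it was last seen on
        self.log = []   # what an administrator would see in the switch log

    def _err_disable(self, port, reason):
        port.err_disabled = True
        self.log.append(f"{port.name} err-disabled: {reason}")

    def receive(self, frame):
        """Process one ingress frame; return the egress port names ([] = dropped)."""
        port = self.ports[frame.in_port]
        if port.err_disabled:
            return []
        if frame.kind == "bpdu":
            # BPDU guard: spanning-tree BPDUs belong on trunks, never on access ports
            if port.mode == "access":
                self._err_disable(port, "BPDU guard (BPDU received on access port)")
            else:
                self.log.append(f"{port.name}: BPDU handled by spanning tree")
            return []
        if port.mode == "access" and frame.src_mac not in port.learned:
            # Port security: bound how many source MACs an access port learns
            if len(port.learned) >= port.max_macs:
                self._err_disable(port, f"port-security violation by {frame.src_mac}")
                return []
            port.learned.add(frame.src_mac)
        if frame.kind == "dhcp_offer" and not port.dhcp_trusted:
            # DHCP snooping: an offer from an untrusted (client) port is a rogue server
            self.log.append(f"{port.name}: dropped DHCP offer from {frame.src_mac}")
            return []
        self.cam[frame.src_mac] = port.name
        out = self.cam.get(frame.dst_mac)
        if out is not None and out != port.name:
            return [out]
        # Unknown or broadcast destination: flood like a hub, out every other live port
        return [p.name for p in self.ports.values()
                if p.name != port.name and not p.err_disabled]


def demo():
    """Constructed scenario exercising each protection; returns (egress lists, log)."""
    sw = Switch([
        Port("Gi0/1"),
        Port("Gi0/2"),
        Port("Gi0/24", mode="trunk", dhcp_trusted=True),
    ])
    host_a = "aa:aa:aa:00:00:01"
    host_b = "aa:aa:aa:00:00:02"
    server = "aa:aa:aa:00:00:dd"
    bcast = "ff:ff:ff:ff:ff:ff"
    results = [
        sw.receive(Frame(host_a, host_b, "Gi0/1")),               # unknown dst: flooded
        sw.receive(Frame(host_b, host_a, "Gi0/2")),               # known dst: one port
        sw.receive(Frame(host_b, bcast, "Gi0/2", "dhcp_offer")),  # rogue offer: dropped
        sw.receive(Frame(server, bcast, "Gi0/24", "dhcp_offer")), # trusted offer: flooded
        sw.receive(Frame("aa:aa:aa:00:00:03", host_b, "Gi0/1")),  # second MAC: violation
        sw.receive(Frame(host_b, bcast, "Gi0/2", "bpdu")),        # BPDU on access port
        sw.receive(Frame(host_b, host_a, "Gi0/2")),               # port now err-disabled
    ]
    return results, sw.log


if __name__ == "__main__":
    egress, log = demo()
    for i, e in enumerate(egress, 1):
        print(f"frame {i}: egress {e}")
    print("\n".join(log))
```

The order of checks matters: BPDU guard fires before anything else, port security runs on the source MAC before the frame is inspected, and DHCP snooping only examines frames the port was allowed to learn from. In the scenario, the rogue offer comes from a MAC the port had already learned, which is exactly the case port security cannot catch and DHCP snooping can.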