How to Mitigate Attacks on Layer 2 Switches (PDF)
1. Configure the port as an access port for a HOST, assigning it a user VLAN, that is, not the
management VLAN. Using the command
3. Set the maximum number of MAC addresses the switch will learn on that port. If this
command is not given, the maximum is assumed to be one.
4. Configure the MAC addresses admitted on the port. If fewer are configured than the
maximum, the switch learns the remaining ones dynamically until the maximum is reached
and admits no more after that.
Trap: send a trap to an SNMP management station or an SNMP trap collector. Use the highest
SNMP version available (SNMPv3 with authentication, and with privacy where the platform
supports it), since SNMPv1/v2c traps carry a plaintext community string.
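The steps above, collected into one Catalyst IOS configuration. This is an added example, not configuration from the original document; the interface name, VLAN number, MAC address, SNMP user and manager address are assumptions chosen for illustration.

```cisco
! Added example, not from the original document. Interface, VLAN, MAC and
! SNMP values are assumptions chosen for illustration.
!
! Step 1: access port for a host in a user VLAN (VLAN 20), not the management VLAN
interface FastEthernet0/10
 description user access port (hypothetical)
 switchport mode access
 switchport access vlan 20
 ! Enable port security on the port; prerequisite for the settings that follow
 switchport port-security
 ! Step 3: at most two addresses; without this line the default is one
 switchport port-security maximum 2
 ! Step 4: one address is pinned statically; the second slot is learned
 ! dynamically and written into the running config ("sticky") when first seen
 switchport port-security mac-address 0011.2233.4455
 switchport port-security mac-address sticky
 ! On violation: drop the offending frames, count them, and emit a syslog
 ! message and SNMP trap (restrict) instead of err-disabling the port (shutdown)
 switchport port-security violation restrict
 ! Age out dynamically learned entries after 5 minutes of inactivity so a
 ! replaced machine does not leave the port stuck at its maximum
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
! Trap delivery: SNMPv3 with authentication (the highest version available) to a
! hypothetical manager at 192.0.2.50; only port-security notifications are sent
snmp-server group NMS-RO v3 auth
snmp-server user nms-trap NMS-RO v3 auth sha <AuthPassphrase>
snmp-server enable traps port-security
snmp-server host 192.0.2.50 version 3 auth nms-trap port-security
```

After applying it, `show port-security interface FastEthernet0/10` shows the configured maximum, the addresses currently bound, the violation mode and the violation counter; `show port-security address` lists the sticky entry once the second host has been seen.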
7. Reduce the number of seconds a MAC address stays cached in the ARP tables, or even make
static the entries that can be made static, to mitigate ARP poisoning. Even in medium-sized
networks this is not a definitive solution, and it does not scale. A more drastic alternative is
to put each host in its own VLAN behind a router-on-a-stick.
Configure the maximum rate of DHCP packets per second. On an untrusted (client) interface a
maximum of 100 is advised; on trusted interfaces raise this value in line with the number of
hosts behind them.
The 3550 and later models (Layer 3 switches) additionally include Dynamic ARP Inspection
(DAI), which validates an ARP packet by checking that the MAC address is genuinely bound to
the IP address it claims, taking as reference the bindings stored in the DHCP snooping table
and, for hosts with static IP addresses, an ARP access list in which the administrator lists the
MAC address corresponding to each static IP.
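The ARP cache, DHCP snooping and DAI measures from the preceding paragraphs as one Catalyst IOS configuration on the Layer 3 switch. This is an added example, not configuration from the original document; the addresses, interface names and VLAN number are assumptions for illustration.

```cisco
! Added example, not from the original document; addresses, interface and VLAN
! numbers are assumptions for illustration. Syntax is Catalyst IOS (3550 or later).
!
! Item 7: shorten the ARP cache lifetime on the Layer 3 interface of the user VLAN
! (the IOS default is 14400 seconds) and pin a critical server's entry statically
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 arp timeout 300
arp 10.20.0.5 0011.2233.4455 ARPA
!
! DHCP snooping: build the IP/MAC binding table from DHCP exchanges in VLAN 20
ip dhcp snooping
ip dhcp snooping vlan 20
! Keep the binding table across reloads so DAI does not block hosts after a reboot
ip dhcp snooping database flash:dhcp-snooping.db
!
! The uplink toward the DHCP server is trusted: server replies are accepted only there,
! and ARP packets from that direction are not inspected
interface GigabitEthernet1/0/1
 description uplink to distribution / DHCP server (hypothetical)
 ip dhcp snooping trust
 ip arp inspection trust
!
! Client ports stay untrusted and are limited to 100 DHCP packets/s as advised above;
! a port that exceeds the limit is err-disabled
interface range GigabitEthernet1/0/2 - 24
 switchport mode access
 switchport access vlan 20
 ip dhcp snooping limit rate 100
!
! Hosts with static addresses never appear in the snooping table, so DAI needs an
! ARP access list with their IP/MAC pairs
arp access-list STATIC-HOSTS
 permit ip host 10.20.0.5 mac host 0011.2233.4455
!
! Dynamic ARP Inspection for VLAN 20: consult the ARP ACL first, then fall back to the
! snooping bindings; also require the Ethernet header and ARP body MAC addresses to agree
ip arp inspection vlan 20
ip arp inspection filter STATIC-HOSTS vlan 20
ip arp inspection validate src-mac dst-mac ip
```

`show ip dhcp snooping binding` shows the learned bindings DAI will trust, and `show ip arp inspection statistics vlan 20` counts the ARP packets dropped as forged, which is the first thing to check if legitimate hosts with static addresses lose connectivity after DAI is turned on (they are missing from the ARP ACL).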
One of the most important measures is to dedicate an exclusive VLAN to all trunk ports as their
native VLAN, with no access port assigned to it. It is also advisable to keep unused ports
disabled and, in addition, in a VLAN that is not in use. Put every non-trunk port explicitly
into access mode, which as far as DTP is concerned is done with the interface configuration
command switchport mode access, so the port never negotiates a trunk. Even if it sounds
paranoid, it is best not to use VLAN 1 for anything. Finally, have trunk ports tag frames of
the native VLAN as well, so that an untagged frame arriving on a trunk is not silently placed
in the native VLAN; the double-tagging VLAN-hopping attack relies on exactly that untagged
native VLAN.
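The trunk and VLAN hardening described above as a Catalyst IOS configuration for an access switch. This is an added example, not configuration from the original document; the VLAN numbers, interface names and allowed-VLAN list are assumptions for illustration.

```cisco
! Added example, not from the original document; VLAN numbers, interface names and
! the allowed-VLAN list are assumptions for illustration.
!
! Two dedicated VLANs: one used only as the native VLAN of trunks, one to park unused
! ports. Neither carries user traffic, and VLAN 1 is not used for anything.
vlan 999
 name TRUNK-NATIVE
vlan 998
 name PARKING
!
! Trunk to the distribution layer: fixed trunk, DTP negotiation disabled, dedicated
! native VLAN, explicit allowed list instead of "all"
interface GigabitEthernet1/0/48
 description uplink trunk (hypothetical)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Tag native-VLAN frames too, so an untagged frame arriving on a trunk is not silently
! placed in the native VLAN (defeats double-tagging; supported on platforms such as
! the 3560/3750/4500/6500, not on every access model)
vlan dot1q tag native
!
! Every non-trunk port is explicitly an access port that never negotiates a trunk
interface range GigabitEthernet1/0/2 - 24
 switchport mode access
 switchport nonegotiate
 switchport access vlan 20
!
! Unused ports: parked in the unused VLAN and shut down
interface range GigabitEthernet1/0/25 - 47
 switchport mode access
 switchport access vlan 998
 shutdown
```

`show interfaces trunk` confirms that only GigabitEthernet1/0/48 is trunking, with native VLAN 999 and the restricted allowed list; `show dtp interface GigabitEthernet1/0/2` should report the port as not negotiating. Because the `switchport trunk encapsulation dot1q` line is only accepted on platforms that also support ISL (3550/3560), omit it on a 2960.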
The first measure is to give the root switch priority zero, but that does not guarantee that an
attacker will not do the same and happen to have a lower MAC address. Cisco's higher-end switch
models include a protection mechanism called Root Guard, which blocks a port that receives a
BPDU superior to the current root's instead of yielding the root role (and, on access ports,
BPDU Guard, which err-disables the port as soon as any BPDU arrives on it).
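The spanning-tree protections above as a Catalyst IOS configuration, split between the switch that must remain root and the access switches. This is an added example, not configuration from the original document; the interface ranges and the roles assigned to each switch are assumptions for illustration.

```cisco
! Added example, not from the original document; interface ranges and the role of
! each switch are assumptions for illustration.
!
! --- On the switch that must remain root (hypothetical distribution switch) ---
spanning-tree mode rapid-pvst
! Priority 0 is the lowest value allowed, but a rogue bridge that also uses 0 and
! has a lower MAC address would still win the election, so...
spanning-tree vlan 1-4094 priority 0
! ...Root Guard on the ports facing access switches refuses superior BPDUs: a port
! that receives one goes root-inconsistent (blocked) until they stop, instead of
! handing over the root role
interface range GigabitEthernet1/0/1 - 24
 spanning-tree guard root
!
! --- On every access switch ---
! Host ports never need to take part in spanning tree: PortFast plus BPDU Guard
! err-disables the port the moment any BPDU arrives, so an attacker on an access
! port cannot even start an election. Trunk ports keep normal STP.
interface range GigabitEthernet1/0/2 - 24
 spanning-tree portfast
 spanning-tree bpduguard enable
! Recover the port automatically after 5 minutes instead of requiring a manual
! shutdown / no shutdown
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

`show spanning-tree inconsistentports` on the distribution switch lists any port Root Guard has blocked, and `show interfaces status err-disabled` on an access switch shows ports that BPDU Guard has taken down, together with the reason.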
802.1x components
802.1x is a standardized IEEE framework designed to provide port-based network access control.
It performs port-level authentication of network clients using information unique to the client
and credentials known only to the client. The 802.1x framework defines three roles in the
authentication process:
• Supplicant – The endpoint that is seeking network access is known as the supplicant.
The supplicant may be an end user device or a standalone device, such as an IP
phone.
• Authenticator – The device to which the supplicant directly connects and through
which the supplicant obtains network access permission is known as the authenticator.
• Authentication server – The authenticator acts as a gateway to the authentication
server, which is responsible for actually authenticating the supplicant.
Used together with EAP and a RADIUS authentication server, as in a wireless LAN, 802.1x provides:
• Mutual authentication between the client and the RADIUS authentication server
• Encryption keys that are dynamically derived after authentication
• Centralized policy control, where a session time-out triggers re-authentication and new
encryption key generation
When these features are implemented, a wireless client that associates with an access point
cannot gain access to the network until the user performs a network logon. After association,
the client and the access point or RADIUS server exchange EAP messages to perform mutual
authentication, with the client verifying the RADIUS server's credentials and vice versa. An
EAP supplicant on the client machine obtains the user's credentials. Upon successful mutual
authentication, the RADIUS server and client derive a client-specific Wired Equivalent
Privacy (WEP) key for the current logon session. (This describes the original dynamic-WEP
deployments; WEP itself is broken and obsolete. WPA2-Enterprise and WPA3-Enterprise use the
same EAP exchange to derive a Pairwise Master Key from which the session keys are taken.)
User passwords and session keys are never transmitted in the clear over the wireless link.
In the simplest scenario, no traffic is allowed to flow from a client device to the network
until the client authenticates: EAPOL (802.1x) frames are the only traffic between the client
(supplicant) and the access-control device (authenticator). A user trying to access network
resources must provide access credentials using supplicant software on the client workstation.
Microsoft Windows XP includes 802.1x supplicant support, while an add-on component for
Microsoft Windows 2000 is available as a Microsoft Hotfix.
When the user provides their credentials, the information is transmitted to the authenticator
inside some variant of EAP. How well the credentials are protected depends on the EAP method:
tunnelled methods such as PEAP and EAP-TTLS carry them inside a TLS tunnel to the server, and
EAP-TLS uses client certificates instead of a password, whereas a bare method such as EAP-MD5
sends only a challenge hash that is exposed to offline dictionary attack. The authenticator
relays the EAP conversation to the AAA server, which verifies the user's credentials against
its database. If the AAA server is configured to return a network access policy, it returns
the policy associated with the user or their group, and the authenticator applies that policy
to the user's connection, allowing traffic to flow accordingly. The policy may include traffic
engineering values, VLAN assignment for the user's connection, and IP address information.
The authenticator can be configured with default access policies that offer restricted
connectivity to client devices without supplicant support. This gives unauthenticated users
limited network access, but they must provide credentials in some other fashion if they need
access to restricted resources. Default policy provisioning may be required for IP phones,
for instance, since at the time of writing IP phones did not include supplicant capability.
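The authenticator side of the exchange described above, on a Catalyst switch port: 802.1x against a RADIUS server, periodic re-authentication, and a default restricted policy for devices with no supplicant. This is an added example, not configuration from the original document; the RADIUS server address and name, shared secret, VLAN numbers and interface are assumptions for illustration, and the syntax is that of Cisco IOS 15.x.

```cisco
! Added example, not from the original document. RADIUS address, shared secret,
! VLAN numbers and interface are assumptions; syntax is Cisco IOS 15.x.
!
! AAA: authenticate 802.1x sessions against RADIUS and accept the network
! authorization attributes (for example the VLAN) that the server returns
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server RAD-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
! The switch is the authenticator; enable 802.1x globally
dot1x system-auth-control
!
interface GigabitEthernet1/0/5
 description user port (hypothetical)
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 ! Port is closed to everything but EAPOL until the supplicant authenticates
 authentication port-control auto
 authentication host-mode single-host
 dot1x pae authenticator
 ! Send EAP-Request/Identity every 10 s while waiting for a supplicant
 dot1x timeout tx-period 10
 ! Default policy for devices with no supplicant (the restricted-connectivity case):
 ! once the identity requests go unanswered, authorize the port into a restricted
 ! VLAN rather than leaving it dead
 authentication event no-response action authorize vlan 99
 ! A failed logon lands in a separate quarantine VLAN
 authentication event fail action authorize vlan 98
 ! Re-authenticate at the interval the RADIUS server returns (Session-Timeout);
 ! each re-authentication yields fresh session keys
 authentication periodic
 authentication timer reauthenticate server
```

`show authentication sessions interface GigabitEthernet1/0/5` shows the current state of the port (authenticating, authorized, or guest-VLAN), the client's MAC address and the VLAN the session ended up in. The "credentials in some other fashion" for devices such as IP phones is usually MAC Authentication Bypass (`mab` on the interface), which lets the RADIUS server authorize the device by its MAC address when no EAPOL response arrives; note that a MAC address is trivially spoofable, so MAB-authorized devices should get a tightly scoped VLAN or ACL.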