Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks."— Presentation transcript:

1 Chapter 5 Secure LAN Switching

2  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks

3 Port Security  Example –Set port security 2/1 enable –Set port security 2/1 00-90-2b-03-34-08 –Set port security 3/2 maximum 1

4 Restricting Access to a Switch via IP Permit List  Example –Set ip permit enable –Set ip permit 172.16.0.0 255.255.0.0 telnet –Set ip permit 172.20.52.2 255.255.255.255 snmp –Set ip permit 172.20.52.3 all

5 Controlling LAN Floods  Example –Set port broadcast 2/1-6 75%

6 Private VLANs on the Catalyst 6000  Restricts intra VLAN traffic on a per port basis  Solves ARP spoofing

7 IEEE 802.1x Standard  Provides authentication of devices connecting to a physical port on a layer 2 switch or a logical port on a wireless access point

8 802.1x Entities  Supplicant: a device (eg. Laptop) that needs to access the LAN  Authenticator: a device that initiates the authentication process between the supplicant and the authentication server  Authentication server: a device (eg. Cisco ACS) that can authenticate a user on behalf of an authenticator

9 802.1x Communication  Uses Extensible Authentication Protocol (EAP) described in RFC 3748RFC 3748  Authentication data is transmitted in EAP packets –encapsulated in EAPOL frames between supplicant and authenticator –encapsulated TACACS+ or RADIUS packets between authenticator and authentication server

10 Extensible Authentication Protocol (EAP)  Carries authentication data between two entities that wish to set up an authenticated channel for communication  Supports one-time password, MD5 hashed username and password, and transport layer security

11 EAP Packet Format (RFC 2284)  Code: identifies EAP packet type such as request, response, success, or failure  Identifier: used to match responses with requests  Length: length of EAP packet

12 Types of EAP Request/Response messages  Identity message  Notification message  NAK message  MD-5 challenge message  One-time password message  Transport-Layer Security (TLS) message

13 EAP Exchange Involving Successful OTP Authentication

14 Frame Format for EAPOL Using Ethernet 802.3

15 Relationship between Supplicant, Authenticator, Authentication server, EAPOL, and TACACS+/Radius

16 802.1x Architecture and Flow using EAP over EAPOL and EAP over TACACS+/RADIUS

Download ppt "Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks."

Similar presentations

Authentication.

Authentication.
Doc.: IEEE 802.11-00/275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE 802.11 David Halasz, Stuart Norman, Glen.

Doc.: IEEE /275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE David Halasz, Stuart Norman, Glen.
What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.

What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.
1 © 2003, Cisco Systems, Inc. All rights reserved. Vyncke ethernet security Ethernet: Layer 2 Security Eric Vyncke Cisco Systems Distinguished Engineer.

1 © 2003, Cisco Systems, Inc. All rights reserved. Vyncke ethernet security Ethernet: Layer 2 Security Eric Vyncke Cisco Systems Distinguished Engineer.
WLAN Security Examining EAP and 802.1x. 802.1x works at Layer 2 to authentication and authorize devices on wireless access points.

WLAN Security Examining EAP and 802.1x x works at Layer 2 to authentication and authorize devices on wireless access points.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
Authentication Center for SDP Federation

Authentication Center for SDP Federation
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.

Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.
Chapter 16 AAA. AAA Components  AAA server –Authenticates users accessing a device or network –Authorizes user to perform specific activities –Performs.

Chapter 16 AAA. AAA Components  AAA server –Authenticates users accessing a device or network –Authorizes user to perform specific activities –Performs.
Chapter 18 RADIUS. RADIUS  Remote Authentication Dial-In User Service  Protocol used for communication between NAS and AAA server  Supports authentication,

Chapter 18 RADIUS. RADIUS  Remote Authentication Dial-In User Service  Protocol used for communication between NAS and AAA server  Supports authentication,
802.1x Port Authentication via RADIUS By Oswaldo Perdomo cs580 Network Security.

802.1x Port Authentication via RADIUS By Oswaldo Perdomo cs580 Network Security.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Wireless LAN Security Yen-Cheng Chen Department of Information Management National Chi Nan University

Wireless LAN Security Yen-Cheng Chen Department of Information Management National Chi Nan University
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x OVERVIEW Sudhir Nath Product Manager, Trust.

1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x OVERVIEW Sudhir Nath Product Manager, Trust.
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.

1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College.
OSI Model Routing Connection-oriented/Connectionless Network Services.

OSI Model Routing Connection-oriented/Connectionless Network Services.
Secure LAN Switching Layer 2 security Introduction Port-level controls

Secure LAN Switching Layer 2 security Introduction Port-level controls

Similar presentations

Ads by Google