Why is Layer 2 security critical?
Firewalls and VPNs protect layers 3-7; layer 2 is often where the security compromises are.
If layer 2 is compromised, then the other layers can't be trusted.
What is a MAC address flooding attack?
An attacker sends thousands of fake source MAC addresses to a switch to fill up the CAM table.
Once the CAM table is full, the switch enters fail-open mode and broadcasts frames out all ports.
The attacker can then sniff sensitive traffic.
What are DHCP spoofing and starvation attacks?
DHCP Spoofing: An attacker sets up a rogue DHCP server to issue malicious IP configurations.
DHCP Starvation: An attacker floods the DHCP server using fake MAC addresses to lease all available IP addresses, causing a DoS for any new users.
How does port security prevent MAC flooding?
It limits the number of MAC addresses on a single port.
It can learn MACs dynamically or statically.
If the limit is reached or an unknown MAC address appears, the switch blocks traffic or shuts down the port.
What is a VLAN hopping attack?
An attacker configures their device to act like a switch.
They use DTP to negotiate a trunk link with the real switch.
They can then access all traffic on all VLANs.
What is DHCP Snooping and how does it work?
It validates DHCP messages to prevent rogue servers.
Only trusted ports connected to validated DHCP servers are allowed to send Offer/Ack messages.
Any DHCP server messages coming in from user-facing (untrusted) ports are blocked.
How do you prevent VLAN attacks?
Turn off auto negotiation on all trunk ports (disable DTP).
Change the native VLAN from the default to an unused ID.
Disable unused ports and assign them to a black hole VLAN.
What are the three main elements of SNMP?
SNMP Manager: The central system that monitors the network.
SNMP Agent: Software running on the managed device.
MIB (Management Information Base): The database on the device that stores statistics and operational data.
What are the key SNMP operations?
Get-Request: Manager asks for a specific value.
Set-Request: Manager changes a configuration on the device.
Trap: The agent sends an unsolicited alert to the manager immediately when a specific event occurs.
Compare the security of SNMP versions.
SNMPv1 & SNMPv2c: Use community strings transmitted in clear text. Read-Only (ro) allows viewing data; Read-Write (rw) allows changing configurations.
SNMPv3: Adds strong security: authentication of users and encryption of messages.
What is SPAN (port mirroring)?
Switched Port Analyzer.
It copies traffic from one or more source ports and sends it to a specified destination port.
Allows a packet analyzer or an IPS to inspect network traffic without interrupting the network flow.
What are ACLs (Access Control Lists) used for?
They filter network traffic by permitting or denying packets based on IP address.
They provide a basic level of security by limiting access.