Tuesday, June 1, 2010

IP Source Guard

Ok, so last time we talked about how DHCP snooping can mitigate a man-in-the-middle attack: a rogue DHCP server sends out its own DHCP replies naming itself as the default gateway, sniffs each client's traffic, then forwards it on to the true default gateway so users never notice anything is wrong. DHCP snooping blocks those untrusted DHCP replies and builds a binding table of the client IP addresses it sees leased, along with the MAC address, VLAN, and switch port each one was learned on. We can now look at IP Source Guard.

In general, IP addresses are assigned and used "on the honor system": nothing checks that a client is only sending from the address it was given. A common abuse is to disguise denial of service attacks. A flood of requests can be sent from forged source addresses, so the replies go to addresses that have nothing to do with the attacker, and there is no real return address to track down the offending computer.

Between VLANs this can be simple to detect: if the 192.168.5.0 network lives in VLAN 5, then packets with a 192.168.5.0 source address arriving from any other VLAN can be dropped. What about when the spoofed IP address is inside the proper VLAN, and the user is just using a random or stolen IP from its own subnet?

This is where IP Source Guard comes into play. Using the DHCP snooping binding table (or statically entered bindings), the switch checks every IP packet entering an untrusted port: the source IP address, and optionally the source MAC address, must match a binding for that port and VLAN, or the packet is dropped. Until a host on the port has obtained a lease there is no binding, so only DHCP traffic is allowed through; this is also why hosts with static addresses need a static binding.

Turn this feature on by entering each untrusted access interface and adding:
Switch(config-if)#ip verify source [port-security]
(Add port-security to also verify the source MAC address against the binding; this requires switchport port-security on the same interface. Leave it off the trusted uplink, which has no bindings and would otherwise drop everything.)

show ip verify source shows the status of your IP Source Guard configuration per interface: the filter type (ip or ip-mac), whether the filter is active, and the address(es) currently allowed on the port.
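The whole sequence described above, pulled together as one IOS configuration. This is an added example and not configuration from the original post; the interface numbers, VLAN 5, the 192.168.5.50 printer and its MAC address are assumed values chosen for illustration.

```cisco
! Added example, not from the original post. Interface names, VLAN 5,
! the 192.168.5.50 host and the MAC address below are assumed values.
!
! 1. DHCP snooping must already be running; it builds the binding table
!    that IP Source Guard checks against.
ip dhcp snooping
ip dhcp snooping vlan 5
! Persist the binding table across reloads. Without this, hosts that
! still hold a lease are cut off after a reboot until they renew.
ip dhcp snooping database flash:/dhcp-snooping.db
!
! 2. Uplink toward the real DHCP server: trusted, so its OFFER/ACK
!    replies pass. No ip verify source here; the binding table has no
!    entries for upstream hosts, so every packet would be dropped.
interface GigabitEthernet1/0/24
 description uplink to distribution / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
! 3. Untrusted access ports: IP Source Guard with IP and MAC filtering.
!    Port security is required on the interface for the MAC check.
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 5
 switchport port-security
 ip verify source port-security
!
! 4. A host with a static address (here a printer on Gi1/0/10) never
!    gets a DHCP lease, so it needs a static binding or it is dropped.
ip source binding 0011.2233.4455 vlan 5 192.168.5.50 interface GigabitEthernet1/0/10
!
! 5. Verification
show ip dhcp snooping binding
show ip verify source
```

When reading show ip verify source, a port whose host has not yet obtained a lease (and has no static binding) lists deny-all in the IP-address column, which is expected; trusted ports show inactive-trust-port and ports in a VLAN without snooping show inactive-no-snooping-vlan rather than an address. If a static-IP device stops working right after you enable the feature, that deny-all entry is the first thing to check. Some platforms also require the DHCP server to accept option 82 when the port-security (ip-mac) mode is used, so check the configuration guide for your switch family before rolling this out.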
