Port Guards
- switch port security features to mitigate attacks on network infrastructure:
  - dynamic ARP inspection (DAI)
    - a malicious host may use a spoofed MAC address to attempt ARP cache poisoning
    - prevents a host attached to an untrusted port from flooding the segment with gratuitous ARP replies
    - maintains a trusted database of IP-to-MAC (ARP) mappings
    - ensures that ARP packets are validly constructed and use valid IP addresses
  - DHCP snooping
    - causes the switch to inspect DHCP traffic arriving on access ports to ensure that a host is not trying to spoof its MAC address
    - prevents rogue DHCP servers from operating on the network
      - only DHCP offers from ports configured as trusted are allowed
  - Neighbor Discovery (ND) Inspection and Router Advertisement (RA) Guard
    - RA Guard is a switch port security feature that blocks router advertisement packets from unauthorized sources
    - these perform functions similar to DAI and DHCP snooping, but for IPv6
    - most hosts have IPv6 enabled by default, and disabling it can cause unexpected problems
    - so these features should be enabled to mitigate spoofing and on-path attacks over IPv6
- ensure the default VLAN uses a different ID than any other user-accessible VLAN
  - mitigates double-tagging attacks
- ensure that:
  - ports allowed to be used as trunks are predetermined in the switch config
  - access ports are not allowed to auto-configure as trunk ports
  - mitigates VLAN hopping attacks
- to mitigate spanning tree attacks and root bridge selection attacks:
  - ensure attackers can’t guess which bridge ID number is used by the root bridge
  - set up Bridge Protocol Data Unit (BPDU) Guard
    - allows an interface to put itself into blocking state when it receives a BPDU packet meant to change the root bridge switch
  - enable root guard on ports not used as trunk lines
    - keeps ports in their assigned roles
    - if a port receives a BPDU frame, an error is logged and that port is blocked
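The DAI, DHCP snooping and RA Guard decisions described in the notes above, modeled as an added example (not from the original notes or any vendor's implementation): DHCP server messages are only accepted on trusted ports, client requests must not spoof the hardware address, a binding table is built from DHCP ACKs, and ARP and RA frames on untrusted ports are checked against it. The `Frame` fields, port names and MAC/IP values are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

@dataclass
class Frame:
    """Constructed sample frame carrying only the fields the guards inspect."""
    port: str
    kind: str               # "dhcp_request", "dhcp_ack", "arp" or "ra"
    src_mac: str
    chaddr: str = ""        # DHCP client hardware address
    ip: str = ""            # DHCP yiaddr, or ARP sender protocol address
    sender_mac: str = ""    # ARP sender hardware address

@dataclass
class SwitchGuards:
    trusted_ports: set
    mac_port: dict = field(default_factory=dict)   # client MAC -> access port it was seen on
    bindings: dict = field(default_factory=dict)   # IP -> (MAC, port): the DHCP snooping table
    log: list = field(default_factory=list)

    def process(self, f: Frame) -> bool:
        """Return True if the frame is forwarded, False if dropped (and logged)."""
        trusted = f.port in self.trusted_ports
        if f.kind == "dhcp_request":
            # DHCP snooping: an untrusted client may not claim another hardware address
            if not trusted and f.chaddr != f.src_mac:
                return self._drop(f, "chaddr does not match source MAC")
            self.mac_port[f.chaddr] = f.port
        elif f.kind == "dhcp_ack":
            # rogue-server protection: server messages are accepted from trusted ports only
            if not trusted:
                return self._drop(f, "DHCP server message on untrusted port")
            self.bindings[f.ip] = (f.chaddr, self.mac_port.get(f.chaddr))
        elif f.kind == "arp" and not trusted:
            # DAI: sender must be well formed and match the snooping binding for this port
            if f.sender_mac != f.src_mac or not _usable_host_ip(f.ip):
                return self._drop(f, "malformed ARP")
            if self.bindings.get(f.ip) != (f.sender_mac, f.port):
                return self._drop(f, "ARP sender not in binding table")
        elif f.kind == "ra" and not trusted:
            return self._drop(f, "router advertisement on untrusted port")  # RA Guard
        return True

    def _drop(self, f: Frame, why: str) -> bool:
        self.log.append(f"{f.port}: dropped {f.kind} from {f.src_mac}: {why}")
        return False

def _usable_host_ip(ip: str) -> bool:
    """Reject addresses that can never be a legitimate ARP sender (unspecified, multicast, loopback, broadcast)."""
    try:
        a = ip_address(ip)
    except ValueError:
        return False
    return not (a.is_unspecified or a.is_multicast or a.is_loopback or ip == "255.255.255.255")
```

A gratuitous ARP from an untrusted port claiming an IP that the binding table maps to another MAC or port is the case DAI exists to drop; trusted ports (uplinks, the DHCP server's port) are not checked.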