I’m going to miss Marvin
Here are the notes for the final day of the bootcamp.
L2 SECURITY
- Violation modes of port-security
- Shutdown
- Sends the port to err-disable (all traffic on the port stops until it is recovered)
- Protect
- Violators cannot send traffic in; no alert is raised and the violation counter does not increment
- Restrict
- Violators cannot send traffic in
- Generates an SNMP trap / syslog message and increments the violation counter
- HSRP uses 2 MAC addresses (NOTE): the interface's burned-in MAC and the HSRP virtual MAC, so a port-security maximum of 1 on a port facing an HSRP router will trigger a violation
- During configuration, check whether some traffic might inadvertently trigger the port-security feature (the HSRP case above is one example)
- Shutdown
- 2 ways to recover a port from err-disable
- errdisable recovery configured (errdisable recovery cause psecure-violation, together with the recovery interval)
- shut / no shut on the interface
- We can also statically "null route" a MAC address (mac address-table static <mac> vlan <id> drop), so frames with that address are dropped
- On some Catalyst platforms, when storm-control blocks multicast, some unicast/broadcast traffic also gets blocked because of a hardware limitation (read more on this)
- "switchport protected" -> mini PVLAN-like configuration: protected ports cannot talk to each other, only to unprotected ports
- When configuring VLAN maps, ensure that ARP traffic is allowed (most of the time this is needed, or hosts cannot resolve each other)
- PVLAN requires the switch to be in VTP transparent mode (VTP v1/v2 do not carry private VLANs)
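The three violation modes, the two recovery paths and the HSRP gotcha above, modelled in Python as an added example. This is not the bootcamp's own material: the Port class, the syslog-like strings and the MAC addresses are constructed for illustration, and the recovery timer is driven by an elapsed-seconds argument rather than a real clock.

```python
"""Port-security violation modes and err-disable recovery, modelled in Python.

Added example (not the bootcamp's own material): the Port class and the MAC
addresses below are constructed to show how shutdown/protect/restrict differ.
"""
from dataclasses import dataclass, field

SHUTDOWN, PROTECT, RESTRICT = "shutdown", "protect", "restrict"


@dataclass
class Port:
    name: str
    maximum: int = 1                  # switchport port-security maximum <n>
    violation: str = SHUTDOWN         # switchport port-security violation <mode>
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violation_count: int = 0          # the counter "show port-security" reports
    log: list = field(default_factory=list)   # stands in for syslog / SNMP traps

    def ingress(self, src_mac: str) -> bool:
        """Process one inbound frame; return True if forwarded, False if dropped."""
        if self.err_disabled:
            return False                       # err-disabled: nothing passes
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)      # dynamic (or sticky) learning
            return True
        # A new source MAC beyond the maximum is a violation.
        if self.violation == PROTECT:
            return False                       # silent drop: no counter, no alert
        self.violation_count += 1
        if self.violation == RESTRICT:
            self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {self.name} {src_mac}")
            return False                       # drop, stay up, and tell someone
        self.err_disabled = True               # SHUTDOWN: port goes to err-disable
        self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation on {self.name}")
        return False

    def shut_no_shut(self) -> None:
        """Manual recovery: 'shutdown' then 'no shutdown' on the interface."""
        self.err_disabled = False


def errdisable_recovery(ports, interval_s: int, elapsed_s: int) -> list:
    """Automatic recovery: 'errdisable recovery cause psecure-violation' plus
    'errdisable recovery interval <seconds>'. Returns the ports brought back up."""
    if elapsed_s < interval_s:
        return []
    recovered = [p.name for p in ports if p.err_disabled]
    for p in ports:
        p.err_disabled = False
    return recovered


def hsrp_facing_port(maximum: int) -> Port:
    """A port facing an HSRP router sees two source MACs: the interface BIA and the
    HSRP virtual MAC 0000.0c07.acXX. With maximum 1 the second one is a violation."""
    port = Port("Fa0/24", maximum=maximum, violation=SHUTDOWN)
    port.ingress("0011.2233.4455")   # constructed BIA of the router interface
    port.ingress("0000.0c07.ac0a")   # HSRP v1 virtual MAC for group 10
    return port
```

Protect is the mode that hides problems: the offending host is dropped but nothing is counted or logged, so prefer restrict when the port must stay up and shutdown when it may not.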
ATTACK MITIGATION
- VLAN HOPPING ATTACK
- 2 variations
- Host runs DTP to form a trunk with the adjacent switch (switch spoofing)
- Host sends frames double tagged with 802.1Q: the outer tag is the trunk's native VLAN, which the first switch strips, so the second switch forwards the frame on the inner tag
- Mitigation
- Ensure that all host-facing ports are statically assigned as access ports (switchport mode access), so they never become trunks
- Don't ever use VLAN 1 as the default VLAN: the native VLAN on trunks should be an unused VLAN that no access port belongs to (or tag the native VLAN on the trunk)
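The double-tagging variation and both mitigations, as an added example rather than anything from the bootcamp: a small 802.1Q frame builder and a three-function model of switch 1 (access port in, trunk out) and switch 2 (trunk in). The one assumption modelled is that an access port accepts a frame tagged with its own access VLAN and strips that tag, which is what the attack relies on; the DTP variation is not modelled.

```python
"""Double-tagged 802.1Q frames and why the native VLAN matters.

Added example (not the bootcamp's own material): the frame builder and the
switch model are constructed to show the double-tagging VLAN hop and how an
unused native VLAN, or tagging the native VLAN, stops it. Assumption modelled:
an access port accepts a frame tagged with its own VLAN and strips the tag.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    """'0011.2233.4455' -> six raw bytes."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def build_frame(dst, src, vids, ethertype=ETHERTYPE_IPV4, payload=b"") -> bytes:
    """Ethernet frame with zero or more stacked 802.1Q tags (outermost first, PCP/DEI 0)."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def vlan_tags(frame: bytes) -> list:
    """VIDs of all stacked 802.1Q tags, outermost first."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost 4-byte 802.1Q tag."""
    return frame[:12] + frame[16:]


def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag right after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """Switch 1, host-facing access port. Returns (vlan, frame) or (None, None) if dropped."""
    tags = vlan_tags(frame)
    if not tags:
        return access_vlan, frame
    if tags[0] == access_vlan:            # tag matches the port VLAN: accepted, tag stripped
        return access_vlan, pop_tag(frame)
    return None, None                     # any other tag: dropped


def trunk_egress(frame, vlan, native_vlan, tag_native=False):
    """Switch 1, trunk towards switch 2. The native VLAN leaves untagged unless
    'vlan dot1q tag native' is configured; every other VLAN is tagged."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Switch 2, trunk port: the outer tag names the VLAN; untagged means native."""
    tags = vlan_tags(frame)
    return (tags[0], pop_tag(frame)) if tags else (native_vlan, frame)


def hop(frame, access_vlan, native_vlan, tag_native=False):
    """VLAN that switch 2 finally puts the attacker's frame in (None if dropped)."""
    vlan, f = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    f = trunk_egress(f, vlan, native_vlan, tag_native)
    vlan2, _ = trunk_ingress(f, native_vlan)
    return vlan2


# Constructed attacker frame: outer tag = VLAN 1 (the access port's VLAN and the
# trunk's default native VLAN), inner tag = VLAN 20, the victim VLAN.
ATTACK = build_frame("ffff.ffff.ffff", "0011.2233.4455", [1, 20],
                     payload=b"\x45" + b"\x00" * 19)
```

With native VLAN 1 the frame ends up in VLAN 20; moving the native VLAN to an unused one, or tagging the native VLAN, leaves the attacker stuck in VLAN 1 with an extra tag in the payload. Note the hop is one way: replies from VLAN 20 do not come back, which is why this variation is used for blind injection rather than interactive access.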
- CAM TABLE ATTACKS (MAC flooding)
- Mitigation -> port-security
- Shutting down the port (violation mode shutdown) is the best option
- DHCP STARVATION ATTACKS
- Tons of DHCP requests, each with a different client MAC, exhaust the DHCP pool.
- Victim hosts are starved of a DHCP lease.
- Could be a DoS on its own, or the first step of a MITM attack (a rogue server then hands out the leases)
- Mitigation
- DHCP snooping
- Ensure that all switches carrying the particular VLAN have DHCP snooping turned on (talk to the proctor)
- ROGUE DHCP SERVER ATTACK
- Mitigation: DHCP snooping (trust): server messages such as OFFER/ACK are only accepted on ports marked "ip dhcp snooping trust"
- Can also use Port ACLs / VACLs to drop DHCP server traffic coming from host ports
- We can also use the "ip dhcp snooping limit rate" interface command to limit a flood of client requests; a port that exceeds the rate is err-disabled
- ARP SPOOFING
- Gratuitous ARP -> unsolicited ARP replies sent regularly without a matching request (legitimately used to refresh the ARP caches of the devices, which is exactly what an attacker abuses to poison them)
- This can be a good playground to launch MITM attacks
- Mitigation
- DHCP snooping with DAI (the ARP sender IP/MAC is checked against the snooping binding table)
- or ARP ACLs with DAI (for static IP addressing)
- If switches don't support snooping or ARP inspection
- ARP uses Ethertype 0x0806
- IP uses Ethertype 0x0800
- This can be used in a MAC ACL to block ARP traffic
- Bad configuration of this will not show up immediately, because the devices keep their ARP caches; it surfaces later (reload, reboot, cache timeout, etc.)
- MAC SPOOFING
- Mitigation
- IP Source Guard
- Consults the DHCP snooping binding table (with port-security it checks the source MAC as well as the source IP)
- We can also use port-security
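One binding table, three consumers: the DHCP starvation, rogue DHCP server, ARP spoofing and MAC spoofing notes above all come down to the DHCP snooping binding table and who is allowed to consult it. The Python below is an added example, not the bootcamp's own material; the Switch class is a constructed model of a Catalyst with snooping, DAI and IP Source Guard enabled on VLAN 10, the port names and MAC/IP addresses are made up, and the rate limit counts messages per call instead of per second.

```python
"""DHCP snooping binding table feeding DAI and IP Source Guard, modelled in Python.

Added example (not the bootcamp's own material): the Switch class is a
constructed model of one binding table, built from DHCP traffic, being consulted
by DHCP snooping itself (rogue server on an untrusted port, rate limit against
starvation), by Dynamic ARP Inspection (with an ARP ACL for static hosts) and by
IP Source Guard. The rate limit counts messages per call, not per second.
"""
from collections import defaultdict


class Switch:
    def __init__(self, snooping_vlans, dai_vlans, trusted_ports, ipsg_ports, rate_limit=None):
        self.snooping_vlans = set(snooping_vlans)  # ip dhcp snooping vlan <list>
        self.dai_vlans = set(dai_vlans)            # ip arp inspection vlan <list>
        self.trusted = set(trusted_ports)          # ip dhcp snooping trust / ip arp inspection trust
        self.ipsg_ports = set(ipsg_ports)          # ip verify source port-security
        self.rate_limit = rate_limit               # ip dhcp snooping limit rate <pps>
        self.bindings = {}                         # (vlan, ip) -> (mac, port): the snooping table
        self.arp_acl = {}                          # arp access-list for static hosts: ip -> mac
        self.pending = {}                          # (vlan, mac) -> port the client asked on
        self.dhcp_count = defaultdict(int)
        self.err_disabled = set()
        self.log = []                              # stands in for syslog

    def dhcp(self, port, vlan, kind, client_mac, yiaddr=None):
        """One DHCP message arriving on 'port'. Returns True if it is forwarded."""
        if vlan not in self.snooping_vlans:
            return True                            # snooping off on this VLAN: no checks, no table
        if port in self.trusted:
            if kind == "ACK" and (vlan, client_mac) in self.pending:
                # Server reply on the trusted uplink: learn (vlan, ip) -> (mac, client port).
                self.bindings[(vlan, yiaddr)] = (client_mac, self.pending[(vlan, client_mac)])
            return True
        if port in self.err_disabled:
            return False
        if kind in ("OFFER", "ACK"):
            self.log.append(f"%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: {kind} on {port}")
            return False                           # rogue DHCP server behind a host port
        self.dhcp_count[port] += 1                 # DISCOVER / REQUEST from a host
        if self.rate_limit is not None and self.dhcp_count[port] > self.rate_limit:
            self.err_disabled.add(port)            # starvation flood: port goes err-disabled
            self.log.append(f"%DHCP_SNOOPING-4-DHCP_SNOOPING_ERRDISABLE_WARNING: {port}")
            return False
        self.pending[(vlan, client_mac)] = port
        return True

    def arp(self, port, vlan, sender_ip, sender_mac):
        """Dynamic ARP Inspection on a request, reply or gratuitous ARP."""
        if vlan not in self.dai_vlans or port in self.trusted:
            return True
        if sender_ip in self.arp_acl:              # static hosts: the ARP ACL decides
            return self.arp_acl[sender_ip] == sender_mac
        binding = self.bindings.get((vlan, sender_ip))
        ok = binding is not None and binding[0] == sender_mac
        if not ok:
            self.log.append(f"%SW_DAI-4-DHCP_SNOOPING_DENY: {sender_ip}/{sender_mac} on {port}")
        return ok

    def ip(self, port, vlan, src_ip, src_mac):
        """IP Source Guard with port-security: only the IP/MAC bound to this port passes."""
        if port not in self.ipsg_ports:
            return True
        return self.bindings.get((vlan, src_ip)) == (src_mac, port)


def scenario():
    """Constructed topology: Gi0/1 is the uplink towards the real DHCP server and
    the gateway; Fa0/1-Fa0/3 are host ports in VLAN 10."""
    sw = Switch(snooping_vlans=[10], dai_vlans=[10], trusted_ports=["Gi0/1"],
                ipsg_ports=["Fa0/1", "Fa0/2", "Fa0/3"], rate_limit=15)
    # Printer with a static address: ARP ACL for DAI, static entry for IPSG
    # (the IOS equivalents are 'arp access-list' and 'ip source binding').
    sw.arp_acl["10.0.10.5"] = "0000.0000.0005"
    sw.bindings[(10, "10.0.10.5")] = ("0000.0000.0005", "Fa0/3")
    # Legitimate lease for the host on Fa0/1
    sw.dhcp("Fa0/1", 10, "DISCOVER", "0000.0000.0001")
    sw.dhcp("Gi0/1", 10, "OFFER", "0000.0000.0001", "10.0.10.11")
    sw.dhcp("Fa0/1", 10, "REQUEST", "0000.0000.0001")
    sw.dhcp("Gi0/1", 10, "ACK", "0000.0000.0001", "10.0.10.11")
    return sw
```

The model makes the dependency chain visible: DAI and IPSG are only as good as the binding table, so the proctor's point about turning snooping on for the VLAN on every switch applies to all three features, and statically addressed hosts need an ARP ACL and an ip source binding entry or they get cut off.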
- IP SPOOFING
- Mitigation
- RFC 1918 / RFC 2827 / RFC 3330 (bogon) ingress filtering
- uRPF
- RFC 2827 filtering is applied in both directions
- Traffic leaving should carry an internal source address
- Traffic entering from the outside should not carry an internal source address
- uRPF takes all equal-cost paths into consideration (it accepts any of them as the reverse path) when determining which interface a packet with a given source may be received on. It even understands EIGRP unequal-cost load balancing (variance), because those paths are installed in the FIB too.
- SMURF / FRAGGLE ATTACK
- Mitigation -> no ip directed-broadcast (the router then refuses to turn a packet for the subnet broadcast address into a layer-2 broadcast)
- uRPF also does the job, since the spoofed source is the victim
- via CAR / MQC rate limiting (ICMP echo for smurf, UDP echo/chargen for fraggle)
- via blackholing (either source- or destination-based)
STANDARD BLACKHOLE FILTERING
- Matches only by destination
- Problem is that legitimate traffic to the destination also gets blocked (the victim is taken offline to protect everything else)
- Ensure that "no ip unreachables" is configured on the edge routers (on the Null0 interface), so they do not generate an ICMP unreachable for every packet they drop
SOURCE-BASED BLACKHOLE FILTERING
- There is a loose-mode uRPF statement (reachable-via any) on the edge router's external interfaces
- The trigger is a route for the "source IP" pointing at the blackhole next hop (which the edge routes to Null0), instead of a route for the destination IP as in the previous configuration; loose uRPF then drops every packet from that source
- If we do not add a "deny" clause after the first route-map clause, any other static routes will also get redistributed into BGP
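The uRPF and RFC 2827 notes under IP SPOOFING and the two blackhole sections describe the same lookup from different angles, so one added example covers them: a constructed FIB model in Python with equal-cost paths, strict and loose uRPF, the two RFC 2827 directions, and a source-based trigger whose /32 resolves recursively to Null0. This is not the bootcamp's own material; the interface names, the 192.0.2.1 blackhole next hop and all prefixes are assumptions taken from documentation address space.

```python
"""Strict/loose uRPF against a FIB with equal-cost paths, RFC 2827 direction
checks, and a source-based remotely triggered black hole.

Added example (not the bootcamp's own material): the Router class is a
constructed FIB model; interface names and the 192.0.2.1 blackhole next hop
are assumptions chosen from documentation address space.
"""
import ipaddress


class Router:
    def __init__(self):
        self.fib = []   # (network, [(interface or None, gateway or None), ...])

    def add_route(self, prefix, *paths):
        """Each path is (interface, gateway); several paths = ECMP or EIGRP variance."""
        self.fib.append((ipaddress.ip_network(prefix), list(paths)))

    def lookup(self, ip):
        """Longest-prefix match; returns (network, every installed path for it)."""
        ip = ipaddress.ip_address(ip)
        best_net, best_paths = None, []
        for net, paths in self.fib:
            if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_paths = net, paths
        return best_net, best_paths

    def egress_interfaces(self, ip, allow_default=False, depth=0):
        """Resolve recursive next hops down to interfaces, e.g. a /32 whose gateway
        is itself routed to Null0. The default route only counts with allow-default."""
        net, paths = self.lookup(ip)
        if net is None or (net.prefixlen == 0 and not allow_default):
            return set()
        ifaces = set()
        for iface, gw in paths:
            if iface is not None:
                ifaces.add(iface)
            elif gw is not None and depth < 4:
                ifaces |= self.egress_interfaces(gw, allow_default, depth + 1)
        return ifaces

    def urpf(self, src_ip, in_iface, mode="rx", allow_default=False):
        """'ip verify unicast source reachable-via rx' (strict) or 'any' (loose).
        A source whose route resolves only to Null0 fails both modes."""
        ifaces = self.egress_interfaces(src_ip, allow_default) - {"Null0"}
        if not ifaces:
            return False
        return True if mode == "any" else in_iface in ifaces


def rfc2827_ok(src_ip, direction, internal_prefix):
    """RFC 2827 in both directions: packets leaving must carry an internal
    source, packets arriving from outside must not."""
    inside = ipaddress.ip_address(src_ip) in ipaddress.ip_network(internal_prefix)
    return inside if direction == "egress" else not inside


def edge_router():
    """Constructed edge: Gi0/0 and Gi0/1 to two upstreams (equal-cost default),
    Gi0/2 inside, and the blackhole next hop pre-provisioned to Null0."""
    r = Router()
    r.add_route("0.0.0.0/0", ("Gi0/0", None), ("Gi0/1", None))
    r.add_route("203.0.113.0/24", ("Gi0/2", None))                    # internal prefix
    r.add_route("198.51.100.0/24", ("Gi0/0", None), ("Gi0/1", None))  # reachable via both upstreams
    r.add_route("192.0.2.1/32", ("Null0", None))                      # ip route 192.0.2.1 255.255.255.255 Null0
    return r


def trigger_source_blackhole(r, attacker_ip):
    """What the trigger router's static route, redistributed into iBGP, installs on
    the edge: a /32 for the attacking SOURCE with next hop 192.0.2.1."""
    r.add_route(f"{attacker_ip}/32", (None, "192.0.2.1"))
```

The ECMP case is the one the note singles out: a source reachable through both upstreams passes strict uRPF on either link, while an internal source showing up on an upstream link fails. The trigger only touches the attacker's /32, so its neighbours in the same /24 keep passing the loose check.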
SYN FLOODING
- Mitigation
- TCP Intercept
- IOS CBAC / ZBF
- PIX/ASA MPF connection limits (embryonic connection limits)
- SYN policing with CAR / MQC
Network scanning can be detected and blocked with ASA threat detection, IPS/IDS, etc.
- To drop packets carrying IP options you can use the global config command "ip options drop", or drop them with an ACL: "access-list 101 deny ip any any option any-options".
I’m now officially done with the bootcamp. I would recommend this to everyone, when they are almost done with their Vol 1 labs. There was a big section in Day 5 about strategies and tips to be followed during the lab, and that was very insightful and I thoroughly enjoyed it.
To be honest, I don’t know what exactly I wanna do for the next couple of days/weeks. I’m stuck between Vol 2 labs (or) going through the CCIE-Sec blueprint and configuring each and every item in detail, and also making a list of the Doc-CD references for each.
I’ll definitely have an answer soon.
I’m really lucky to have found an awesome support community online who continue to inspire/motivate/support me. Paul Stewart, Brian Almond and Ryan Schuett are some people I look up to; someday I want to know as much as these dudes.
Cheers,
TacACK
