Configuring Advanced Threat Protection

Introduction

Introduction

As your network expands to include an increasing number of mobile devices, continuous Internet access, and new classes of users (such as partners, temporary employees, and visitors), additional protection from attacks launched from both inside and outside your internal network is often neces- sary.

Advanced threat protection can detect port scans and hackers who try to access a port or the switch itself. The following software features provide advanced threat protection and are described in this chapter:

DHCP snooping: Protects your network from common DHCP attacks, such as:

Address spoofing in which an invalid IP address or network gateway address is assigned by a rogue DHCP server.

Address exhaustion of available addresses in the network DHCP server, caused by repeated attacker access to the network and numer- ous IP address requests.

Dynamic ARP protection: Protects your network from ARP cache poisoning as in the following cases:

An unauthorized device forges an illegitimate ARP response and network devices use the response to update their ARP caches.

A denial-of-service (DoS) attack from unsolicited ARP responses changes the network gateway IP address so that outgoing traffic is prevented from leaving the network and overwhelms network devices.

Instrumentation monitor: Protects your network from a variety of other common attacks besides DHCP and ARP attacks, including:

Attempts at a port scan to expose a vulnerability in the switch, indicated by an excessive number of packets sent to closed TCP/UDP ports

Attempts to fill all IP address entries in the switch’s forwarding table and cause legitimate traffic to be dropped, indicated by an increased number of learned IP destination addresses

Attempts to spread viruses, indicated by an increased number of ARP request packets

8-3