Beginner

L2 attacks and 802.1X

Hello,

I was looking at several L2 attacks, such as:

MAC flooding attacks/CAM table overflow
ARP spoofing/poisoning
DHCP server spoofing
MAC address spoofing

Some of them can be mitigated with, for example, port security, others by DHCP snooping, etc.

The question is: with 802.1X, which of those attacks are mitigated, and for which of them do you need another security feature to prevent them?

Thank you
Regards.

VIP Advisor

Re: L2 attacks and 802.1X

There was a good presentation on L2 attacks; have a look:

https://www.cisco.com/c/dam/global/en_ae/assets/exposaudi2009/assets/docs/layer2-attacks-and-mitigation-t.pdf

An 802.1X supplicant helps you. Is this a big network, and do you have an ISE kind of tool to identify and put the port in a disabled state if any attacks occur?

 

BB
Beginner

Re: L2 attacks and 802.1X

Hello,

That does not answer my doubt.

I want to know, if I enable 802.1X, which of those attacks I am mitigating (besides all the benefits of 802.1X).

Regards

VIP Advisor

Re: L2 attacks and 802.1X

Sure, it will; that is the short answer.

BB
Beginner

Re: L2 attacks and 802.1X

Could you or anyone elaborate on that answer?

For example, I am not sure if by enabling dot1x I am mitigating ARP attacks; I think I should configure DAI besides dot1x.

Regards

Enthusiast

Re: L2 attacks and 802.1X

To expand on @balaji.bandi's answer of "yes, it will mitigate the attacks": there are a ton of factors that play into the 802.1X solution as a whole. Deploying/using different components would result in utilizing 802.1X with different approaches. A few components and design considerations would include:
What type of protocol will you use in regard to EAP?
Do you wish to authenticate both the user and the computer, or just one of them?
Will you allow MAB as a fallback solution if the 802.1X process terminates for whatever reason?
What types of devices are in your environment?
What supplicant will you use on your end nodes?
How often do you wish end nodes/users to reauthenticate?

Using EAP-TLS in some fashion in your 802.1X solution is one of the more secure methods. However, this requires you to have the ability to manage your own internal PKI or utilize someone else's. If you implement MAB, you can utilize your AAA server to manage L2 endpoint groups. One thing you may consider is configuring anomalous endpoint detection and enforcement if you use ISE. This would aid in identifying MAC spoofing attempts. Basically, if ISE determines that attributes obtained via probes have changed and a device gets re-profiled (even though it sees the same MAC), you can configure CoA to shut the port down, reauthenticate the host, etc.

I hope this additional information helps you!
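As an added example (not posted by anyone in this thread), here is a constructed Cisco IOS access-switch configuration that pairs 802.1X with MAB fallback and the features the thread says are still needed alongside it: DHCP snooping against DHCP server spoofing, DAI against ARP poisoning, IP Source Guard against IP/MAC spoofing, and port security against CAM table overflow. Interface names, VLAN 10 and the RADIUS server group are placeholders.

```cisco
! --- AAA / 802.1X: authenticates who attaches; it does not inspect ARP or DHCP ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
! --- DHCP snooping: drops DHCP server replies arriving on untrusted ports and
!     builds the binding table that DAI and IP Source Guard consult ---
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
! --- Dynamic ARP Inspection: validates ARP against the snooping bindings ---
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! --- Access port (constructed example): dot1x first, MAB fallback, plus L2 guards ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 ! port security caps MAC learning per port (CAM table overflow / MAC flooding)
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! rate-limit DHCP/ARP from the host; IP Source Guard drops spoofed IP/MAC sources
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 ip verify source port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Uplink: trusted, since the legitimate DHCP server and gateway sit behind it ---
interface GigabitEthernet1/0/24
 description uplink-to-distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
```

802.1X (with or without MAB) only decides whether the port is opened for an authenticated host; the snooping, DAI, source guard and port-security lines are what actually drop spoofed DHCP/ARP traffic and cap MAC learning, which is why the DAI point raised in the thread stands.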