Network Security Fundamentals: Threats and Defences

This post covers essential network security fundamentals including common attacks like MAC flooding, VLAN hopping, and ARP spoofing, along with their corresponding defenses such as port security, DHCP snooping, and 802.1X authentication. Practical CLI examples demonstrate how to implement each secu


Network security forms the foundation of any robust IT infrastructure. As networks become more complex and threats more sophisticated, understanding common attack vectors and their corresponding defenses becomes critical for any network engineer. This post covers the most prevalent network-layer attacks you'll encounter and the proven defense mechanisms to protect against them.

Common Network Attacks

MAC Flooding

MAC flooding exploits the finite size of a switch's CAM (Content Addressable Memory) table, which maps learned source MAC addresses to the port they were seen on. The attacker sends frames with thousands of spoofed source MACs until the table is full. The switch then cannot learn new addresses, or re-learn legitimate ones after they age out (300 seconds by default on Cisco switches), so any frame whose destination MAC has no CAM entry is flooded out every port in the VLAN, and the attacker's port sees unicast traffic between other hosts as if the switch were a hub. Frames for addresses still in the table are forwarded normally, which is why the attacker has to keep the table full for the duration of the attack.

# Example of CAM table overflow detection
Switch# show mac address-table count
Mac Entries for Vlan   : 1
---------------------------
Dynamic Address Count  : 8192 (Maximum: 8192)
Static  Address Count  : 0
Total Mac Addresses    : 8192

VLAN Hopping

VLAN hopping lets an attacker reach a VLAN their port is not assigned to. There are two well-known methods. In switch spoofing, the attacker's port has been left in DTP dynamic mode, so the attacker negotiates a trunk and can then tag frames for any VLAN. In double tagging, an attacker in VLAN 10 crafts a frame carrying two 802.1Q tags, outer VLAN 10 and inner VLAN 20. This only works when VLAN 10 is also the native VLAN of the trunk between the switches: the first switch accepts the frame because the outer tag matches the port's access VLAN, strips that tag on egress because native-VLAN traffic leaves a trunk untagged, and the second switch reads the now-exposed inner tag and delivers the frame into VLAN 20. The attack is one-way, since replies from VLAN 20 are not double-tagged back to the attacker. The defences are to hard-code user ports as access ports with DTP disabled (switchport nonegotiate), to use an otherwise unused VLAN as the trunk native VLAN and never assign it to access ports, or to tag the native VLAN on trunks (vlan dot1q tag native).
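To make those two rules concrete, here is a small Python model of the double-tagging path, written for this post as an added example (it is not switch code, and the MAC addresses and payload are made up). It builds a frame with two stacked 802.1Q tags, applies the first switch's access-port and trunk rules, and reports which VLAN the downstream switch places the frame in. Moving the trunk's native VLAN away from the attacker's access VLAN is enough to make the hop fail.

```python
"""Double-tagging VLAN hop on constructed frames. Added as an illustration,
not code from the post. Switch behaviour is reduced to the two rules that
matter: an access port accepts a tagged frame only if the tag equals its
access VLAN, and a trunk sends native-VLAN frames untagged."""
import struct

ETH_P_8021Q = 0x8100   # TPID that introduces an 802.1Q tag
ETH_P_IP = 0x0800


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, vids, payload):
    """Ethernet II frame with 802.1Q tags stacked outermost-first (PCP/DEI = 0)."""
    out = dst + src
    for vid in vids:
        out += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return out + struct.pack("!H", ETH_P_IP) + payload


def parse_frame(frame):
    """Return (dst, src, [vids outermost-first], payload)."""
    pos, vids = 12, []
    while struct.unpack_from("!H", frame, pos)[0] == ETH_P_8021Q:
        vids.append(struct.unpack_from("!H", frame, pos + 2)[0] & 0x0FFF)
        pos += 4
    return frame[:6], frame[6:12], vids, frame[pos + 2:]


def first_switch(frame, access_vlan, native_vlan):
    """Ingress on the attacker's access port, egress on the inter-switch trunk.
    Returns the frame as it appears on the trunk, or None if it was dropped."""
    dst, src, vids, payload = parse_frame(frame)
    if vids and vids[0] != access_vlan:
        return None                      # tag does not match the access VLAN
    inner = vids[1:]                     # whatever the sender stacked underneath
    if access_vlan == native_vlan:
        tags = inner                     # native VLAN leaves the trunk untagged
    else:
        tags = [access_vlan] + inner     # otherwise the access VLAN tag is added
    return build_frame(dst, src, tags, payload)


def second_switch(frame, native_vlan):
    """Downstream switch: untagged trunk frames belong to the native VLAN,
    tagged frames to the VLAN in the outermost tag."""
    _, _, vids, _ = parse_frame(frame)
    return vids[0] if vids else native_vlan


def vlan_reached(access_vlan, native_vlan, target_vlan=20):
    """VLAN the attacker's double-tagged frame lands in (None = dropped)."""
    crafted = build_frame(mac("ff:ff:ff:ff:ff:ff"), mac("02:00:00:00:00:01"),
                          [access_vlan, target_vlan], b"constructed payload")
    on_trunk = first_switch(crafted, access_vlan, native_vlan)
    return None if on_trunk is None else second_switch(on_trunk, native_vlan)


if __name__ == "__main__":
    print("native VLAN 10:", vlan_reached(10, 10))    # lands in VLAN 20
    print("native VLAN 999:", vlan_reached(10, 999))  # stays in VLAN 10
```

The second call shows why the fix is a configuration detail rather than a filter: once the access VLAN and the native VLAN differ, the first switch re-tags the frame with VLAN 10 on egress and the inner tag never becomes the outermost one.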

ARP Spoofing

Address Resolution Protocol (ARP) spoofing involves sending fake ARP responses to associate the attacker's MAC address with a legitimate IP address, typically the default gateway. This redirects traffic through the attacker's machine, enabling eavesdropping and man-in-the-middle attacks.

DHCP Starvation

DHCP starvation exhausts a DHCP pool by sending a flood of DHCPDISCOVER and DHCPREQUEST messages, each with a different spoofed client hardware address, until every lease is taken. With the legitimate server unable to answer, the attacker's rogue DHCP server hands new clients a configuration that names the attacker as default gateway or DNS server, which puts their traffic through the attacker's machine.

Essential Network Defenses

Network monitoring I've deployed in production: I've rolled out both PRTG and SolarWinds across multiple client environments over the years. Both are solid. PRTG tends to be the better fit for SMBs and is far easier to get running quickly. SolarWinds scales better for large enterprise. If you're setting up monitoring for the first time, start with PRTG.

Port Security

Port security limits the number of source MAC addresses a switch port may learn (and can pin specific addresses), which stops MAC flooding at the port it originates from. On a violation the port acts according to its configured mode: protect silently drops frames from unknown MACs, restrict drops them and increments a violation counter (with a syslog message and SNMP trap), and shutdown, the default, puts the port into the err-disabled state. An err-disabled port stays down until an administrator bounces it with shutdown and no shutdown, or errdisable recovery cause psecure-violation is configured, so decide how you will handle that before choosing shutdown on user ports.

# Configure port security on interface Gi0/1
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
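The following Python model, added here as an illustration (it is not Cisco code; the CAM table holds only eight entries and the MAC addresses are made up), plays the MAC flooding attack from the first section against a switch with and without port security. Without it, the victim's unicast to the gateway ends up flooded to the attacker's port; with maximum 2 and violation shutdown, the third spoofed source MAC err-disables the attacker's port and the CAM table is never exhausted.

```python
"""Toy switch with a CAM table and per-port port security. Added as an
illustration of MAC flooding and the port-security response; not Cisco
code. CAM size is deliberately tiny and all MAC addresses are invented."""
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    max_macs: int = 1                 # 'switchport port-security maximum'
    violation: str = "shutdown"       # protect | restrict | shutdown
    secure: set = field(default_factory=set)   # MACs accepted on this port
    violations: int = 0
    err_disabled: bool = False


class Switch:
    def __init__(self, cam_capacity=8):
        self.cam_capacity = cam_capacity
        self.cam = OrderedDict()      # mac -> port, oldest entry first
        self.ports = {}

    def add_port(self, port):
        self.ports[port.name] = port

    def _port_security(self, port, src_mac):
        """True if the frame may enter; otherwise apply the violation mode."""
        if port.err_disabled:
            return False
        if src_mac in port.secure:
            return True
        if len(port.secure) < port.max_macs:
            port.secure.add(src_mac)
            return True
        if port.violation != "protect":   # protect drops silently, no counter
            port.violations += 1
        if port.violation == "shutdown":
            port.err_disabled = True      # stays down until recovered
        return False

    def _learn(self, src_mac, port_name):
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)
            return
        if len(self.cam) >= self.cam_capacity:
            # A real switch stops learning when the table is full and relies
            # on the aging timer to free entries; evicting the oldest entry
            # stands in for that aging in this model.
            self.cam.popitem(last=False)
        self.cam[src_mac] = port_name

    def receive(self, port_name, src_mac, dst_mac):
        """Forward one frame. Returns the list of egress ports ([] if dropped)."""
        port = self.ports[port_name]
        if not self._port_security(port, src_mac):
            return []
        self._learn(src_mac, port_name)
        out = self.cam.get(dst_mac)
        if out is not None and out != port_name:
            return [out]                                   # known unicast
        return [p for p in self.ports if p != port_name]   # unknown: flood


def flood_attack(port_security_enabled):
    """Victim on Gi0/2 talks to the gateway on Gi0/3; attacker floods from Gi0/1.
    Returns (ports that receive the victim's next unicast, the attacker's port)."""
    sw = Switch()
    limit = 2 if port_security_enabled else 10 ** 9
    for name in ("Gi0/1", "Gi0/2", "Gi0/3"):
        sw.add_port(Port(name, max_macs=limit, violation="shutdown"))
    victim, gateway = "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"
    sw.receive("Gi0/2", victim, gateway)      # both ends get learned
    sw.receive("Gi0/3", gateway, victim)
    for i in range(100):                      # 100 spoofed source MACs
        spoofed = f"02:00:00:00:{i // 256:02x}:{i % 256:02x}"
        sw.receive("Gi0/1", spoofed, "ff:ff:ff:ff:ff:ff")
    return sw.receive("Gi0/2", victim, gateway), sw.ports["Gi0/1"]


if __name__ == "__main__":
    for enabled in (False, True):
        egress, attacker = flood_attack(enabled)
        print(f"port security {enabled}: victim unicast -> {egress}, "
              f"attacker err-disabled={attacker.err_disabled}")
```

The interesting output is the insecure run: the victim's frame to the gateway goes to Gi0/1 as well as Gi0/3, which is exactly the eavesdropping position the attacker wants. Switch the violation mode to "restrict" in the model and the attacker's port stays up but never gets a third address in, which is the behaviour you want on ports where an err-disable would take a phone or printer offline.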

DHCP Snooping

DHCP snooping treats each port as trusted (uplinks and ports toward legitimate DHCP servers) or untrusted (everything else, which is the default). Server messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped, which blocks rogue servers, and untrusted ports can be rate-limited with ip dhcp snooping limit rate, which is what actually blunts DHCP starvation (note that exceeding the limit err-disables the port). Completed leases are recorded in the DHCP snooping binding table (MAC, IP, VLAN, interface and lease time), which DAI and IP Source Guard then rely on. Two practical caveats: every trunk or uplink on the path to the DHCP server must be marked trusted or clients will silently stop getting addresses, and the switch inserts DHCP option 82 by default, which some servers reject when no relay is involved; if leases stop working after you enable snooping, disable that with no ip dhcp snooping information option.

# Enable DHCP snooping globally and on VLAN 10
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# interface gigabitethernet0/24
Switch(config-if)# ip dhcp snooping trust

Dynamic ARP Inspection (DAI)

Dynamic ARP Inspection intercepts ARP packets on untrusted ports and drops any whose sender IP and MAC do not match an entry in the DHCP snooping binding table (or an ARP ACL), so an attacker cannot claim the gateway's IP address with their own MAC. ARP on trusted ports is not inspected, so trust only uplinks and ports to other switches, never user ports. Hosts with static addresses have no DHCP binding and will have their ARP dropped unless you add an ARP ACL or a static snooping binding for them, and DAI requires DHCP snooping to be enabled on the same VLAN.

# Configure DAI on VLAN 10
Switch(config)# ip arp inspection vlan 10
Switch(config)# interface gigabitethernet0/24
Switch(config-if)# ip arp inspection trust
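Here is how the two features fit together, as a Python model added for this post (it is not Cisco code; the ports, MACs and addresses are constructed for the example). DHCP snooping drops server messages on untrusted ports, checks that the DHCP chaddr matches the frame's source MAC, rate-limits DHCP on untrusted ports and records each ACK seen on a trusted port as a binding. DAI then permits an ARP packet from an untrusted port only if its sender IP, sender MAC and ingress port match a binding. The rate limit is modelled as a plain message count rather than packets per second, and the scenario also replays the DHCP starvation and ARP spoofing attacks from the first half of the post.

```python
"""Toy model of DHCP snooping feeding Dynamic ARP Inspection. Added as an
illustration of the logic the two features implement; not Cisco code. All
ports, MACs and IP addresses below are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dhcp:
    port: str          # switch port the message arrived on
    src_mac: str       # Ethernet source MAC of the frame
    msg: str           # DISCOVER, REQUEST, OFFER, ACK or NAK
    chaddr: str        # client hardware address inside the DHCP message
    yiaddr: str = ""   # address being handed out (OFFER/ACK only)
    vlan: int = 10


@dataclass(frozen=True)
class Arp:
    port: str
    sender_mac: str
    sender_ip: str
    vlan: int = 10


SERVER_MSGS = {"OFFER", "ACK", "NAK"}


class SnoopingSwitch:
    """Untrusted ports may only send client messages; bindings are learned from
    ACKs seen on trusted ports; DAI checks ARP sender fields against them."""

    def __init__(self, trusted_ports, rate_limit=15):
        self.trusted = set(trusted_ports)
        self.bindings = {}      # (vlan, ip) -> (mac, port)
        self.pending = {}       # chaddr -> port the client asked from
        self.dhcp_count = {}    # port -> DHCP messages seen (stand-in for 'limit rate')
        self.rate_limit = rate_limit
        self.err_disabled = set()

    def dhcp(self, m):
        if m.port in self.err_disabled:
            return "drop: port err-disabled"
        if m.port not in self.trusted:
            n = self.dhcp_count[m.port] = self.dhcp_count.get(m.port, 0) + 1
            if n > self.rate_limit:               # what blunts starvation
                self.err_disabled.add(m.port)
                return "err-disable: DHCP rate limit exceeded"
            if m.msg in SERVER_MSGS:
                return "drop: server message on untrusted port"
            if m.chaddr != m.src_mac:             # 'verify mac-address' check
                return "drop: chaddr does not match source MAC"
            self.pending[m.chaddr] = m.port
            return "forward"
        # trusted port: record the binding once the server commits the lease
        if m.msg == "ACK" and m.chaddr in self.pending:
            self.bindings[(m.vlan, m.yiaddr)] = (m.chaddr, self.pending[m.chaddr])
        return "forward"

    def arp(self, a):
        if a.port in self.trusted:
            return "permit: trusted port"
        binding = self.bindings.get((a.vlan, a.sender_ip))
        if binding is None:
            return "drop: no binding for sender IP"
        if binding != (a.sender_mac, a.port):
            return "drop: sender MAC/port does not match binding"
        return "permit"


def run_scenario():
    """Legitimate lease for a client on Gi0/2, then an attacker on Gi0/3 tries a
    rogue OFFER, two ARP spoofs and a starvation flood. Returns (results, switch)."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})
    client, attacker, server = "aa:aa:aa:00:00:02", "cc:cc:cc:00:00:03", "de:ad:be:ef:00:01"
    sw.dhcp(Dhcp("Gi0/2", client, "DISCOVER", client))
    sw.dhcp(Dhcp("Gi0/24", server, "OFFER", client, "10.0.10.50"))
    sw.dhcp(Dhcp("Gi0/2", client, "REQUEST", client))
    sw.dhcp(Dhcp("Gi0/24", server, "ACK", client, "10.0.10.50"))
    r = {
        "rogue_offer": sw.dhcp(Dhcp("Gi0/3", attacker, "OFFER", client, "10.0.10.66")),
        "client_arp": sw.arp(Arp("Gi0/2", client, "10.0.10.50")),
        "spoof_gateway": sw.arp(Arp("Gi0/3", attacker, "10.0.10.1")),
        "spoof_client": sw.arp(Arp("Gi0/3", attacker, "10.0.10.50")),
        "real_gateway": sw.arp(Arp("Gi0/24", server, "10.0.10.1")),
        "starve": "forward",
    }
    # starvation: the attacker rotates chaddr and source MAC together so the
    # MAC check passes; only the per-port rate limit stops the flood
    for i in range(20):
        spoofed = f"02:00:00:00:00:{i:02x}"
        out = sw.dhcp(Dhcp("Gi0/3", spoofed, "DISCOVER", spoofed))
        if out != "forward":
            r["starve"] = out
            break
    return r, sw


if __name__ == "__main__":
    results, switch = run_scenario()
    for name, verdict in results.items():
        print(f"{name:14s} {verdict}")
    print("bindings:", switch.bindings)
```

Two things the run makes visible that the CLI does not: the gateway never appears in the binding table (it is not a DHCP client), so its ARP is accepted only because it arrives on the trusted uplink, and the attacker's claim to the client's own address is rejected on port mismatch even though the MAC check alone would have caught it too.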

802.1X Authentication

802.1X provides port-based network access control, requiring devices to authenticate before gaining network access. It uses three components: the supplicant (client), the authenticator (switch) and the authentication server (typically RADIUS, such as Cisco ISE or FreeRADIUS). EAP runs between supplicant and switch over EAPOL and is relayed to the server inside RADIUS. Two practical points: devices without a supplicant (printers, phones, cameras) need MAC Authentication Bypass or a guest VLAN or they will be locked out, and the RADIUS shared secret is what lets the switch verify that an Access-Accept really came from the server, so use a long random key rather than a placeholder like the one in the example below.

# Basic 802.1X configuration (RADIUS server 192.168.1.100, shared secret SecureKey123 is a placeholder)
Switch(config)# aaa new-model
Switch(config)# radius server ISE
Switch(config-radius-server)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
Switch(config-radius-server)# key SecureKey123
Switch(config-radius-server)# exit
# Without this line dot1x is enabled but never consults the RADIUS server
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface range gigabitethernet0/1 - 20
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# dot1x pae authenticator
# Older IOS releases use 'dot1x port-control auto' instead
Switch(config-if-range)# authentication port-control auto
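The RADIUS key in that configuration is not just a password: it is what lets the switch verify that an Access-Accept came from the server, and, via the Message-Authenticator attribute that is mandatory whenever EAP is carried, what lets the server verify the switch. The Python below, added as an example for this post (not Cisco or ISE code), implements both checks from RFC 2865 and RFC 3579 on constructed packets; the secret, identifiers and user name are made up, and the request carries only User-Name rather than a full EAP exchange. Bear in mind that these MD5-based checks are all the integrity protection classic RADIUS over UDP has, which is why a long random key and a protected transport (RadSec over TLS, or IPsec) are recommended.

```python
"""RADIUS integrity checks that the 802.1X authenticator and server rely on.
Added as an illustration; not Cisco or ISE code. Formats follow RFC 2865
(Response Authenticator) and RFC 3579 (Message-Authenticator). The secret,
identifiers and user name are invented for the example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_MESSAGE_AUTHENTICATOR = 1, 80


def attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, username, secret, request_auth=None):
    """Switch -> server. The Request Authenticator must be 16 random bytes; the
    Message-Authenticator is HMAC-MD5(secret) over the packet with its own
    16-byte value zeroed."""
    request_auth = request_auth or os.urandom(16)
    body = attr(ATTR_USER_NAME, username.encode()) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    digest = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + digest


def verify_message_authenticator(pkt, secret):
    """Server-side check that the request came from a holder of the secret."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        if alen < 2:
            break
        pos += alen
    return False    # absent: must be rejected whenever EAP is in use (RFC 3579)


def build_response(code, request, secret, attrs=b""):
    """Server -> switch. Response Authenticator =
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret):
    """Switch-side check before acting on an Access-Accept: the identifier must
    match the outstanding request and the authenticator must verify."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo():
    """Constructed exchange: the real server's Accept verifies, a forger without
    the key cannot produce one, and an Accept for another request is rejected."""
    secret = b"SecureKey123"    # the 'key' from the switch config, weak on purpose
    req = build_access_request(7, "alice", secret)
    accept = build_response(ACCESS_ACCEPT, req, secret)
    forged = build_response(ACCESS_ACCEPT, req, b"wrong-secret")
    other_req = build_access_request(8, "alice", secret)
    return {
        "request_ok": verify_message_authenticator(req, secret),
        "genuine_accept": verify_response(accept, req, secret),
        "forged_accept": verify_response(forged, req, secret),
        "replayed_accept": verify_response(accept, other_req, secret),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {ok}")
```

The forged Accept fails because the attacker cannot compute the Response Authenticator without the secret, and the replayed one fails because the Request Authenticator is fresh per request. Both checks are only as strong as the secret, which is the argument for generating it rather than typing it.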

Implementing Defense in Depth

Effective network security requires layering multiple defenses. Start with port security to prevent CAM table attacks, enable DHCP snooping to create trusted binding tables, implement DAI to prevent ARP attacks, and deploy 802.1X for comprehensive access control. Each defense mechanism complements the others, creating a robust security posture.

Remember to regularly monitor security logs and maintain up-to-date threat intelligence. Network security isn't a one-time configuration but an ongoing process of monitoring, updating, and adapting to new threats.

What's Next

Now that you understand fundamental network security threats and defenses, the next step is diving deeper into advanced threat detection and network monitoring techniques. We'll explore how to implement SIEM integration and automated threat response in upcoming posts.

While switch-based defenses are essential, complement them with network monitoring tools that can detect anomalous traffic patterns and alert you to potential attacks before they succeed, such as PRTG Network Monitor, SolarWinds NPM and ManageEngine OpManager.

Layer your network defenses with comprehensive endpoint protection that can identify and block advanced threats that bypass traditional network security controls, such as Bitdefender, CrowdStrike Falcon and Cisco Umbrella.