Common Attacks - Juniper JUNOS OS 10.3 - SOFTWARE Manual

For EX Series Ethernet Switches

Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.3
decisions are made based on the results of those comparisons. You enable this feature
on VLANs.
MAC limiting—Protects against flooding of the Ethernet switching table (also known
as the MAC forwarding table or Layer 2 forwarding table). You enable this feature on
access interfaces (ports).
MAC move limiting—Detects MAC movement and MAC spoofing on access ports. You
enable this feature on VLANs.
Trusted DHCP server—With a DHCP server on a trusted port, protects against rogue
DHCP servers sending leases. You enable this feature on interfaces (ports). By default,
access ports are untrusted and trunk ports are trusted. (Access ports are the switch
ports that connect to Ethernet endpoints such as user PCs and laptops, servers, and
printers. Trunk ports are the switch ports that connect to other Ethernet switches or
to routers.)
IP source guard—Mitigates the effects of IP address spoofing attacks on the Ethernet
LAN. You enable this feature on VLANs. With IP source guard enabled, the source IP
address in the packet sent from an untrusted access interface is validated against the
source MAC address in the DHCP snooping database. The packet is allowed for further
processing if the source IP address to source MAC address binding is valid; if the binding
is not valid, the packet is discarded.
DHCP option 82—Also known as the DHCP relay agent information option. Helps
protect the EX Series switch against attacks such as spoofing of IP addresses and MAC
addresses and DHCP IP address starvation. Option 82 provides information about the
network location of a DHCP client, and the DHCP server uses this information to
implement IP addresses or other parameters for the client.
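
The IP source guard check described in the list above, modeled as an added Python example (not Juniper code and not Junos configuration). The class, port names, VLAN names and addresses are constructed for illustration, and keying the binding table by VLAN is an assumption of this sketch.

```python
# Added illustration: simplified model of the IP source guard decision (constructed data).
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress_port: str
    vlan: str
    src_mac: str
    src_ip: str


class IpSourceGuard:
    def __init__(self, guarded_vlans, trusted_ports):
        self.guarded_vlans = set(guarded_vlans)  # feature is enabled per VLAN
        self.trusted_ports = set(trusted_ports)  # e.g. trunk ports
        self.bindings = {}  # (vlan, ip) -> mac; keying by VLAN is an assumption

    def learn_binding(self, vlan, ip, mac):
        """Stand-in for an entry in the DHCP snooping database."""
        self.bindings[(vlan, ip)] = mac.lower()

    def check(self, pkt):
        if pkt.vlan not in self.guarded_vlans:
            return "forward"  # feature not enabled on this VLAN
        if pkt.ingress_port in self.trusted_ports:
            return "forward"  # only untrusted access interfaces are validated
        bound_mac = self.bindings.get((pkt.vlan, pkt.src_ip))
        if bound_mac == pkt.src_mac.lower():
            return "forward"  # source IP to source MAC binding is valid
        return "discard"      # wrong MAC for this IP, or no binding at all


def demo():
    guard = IpSourceGuard({"employee"}, trusted_ports={"ge-0/0/23"})
    guard.learn_binding("employee", "10.0.10.21", "00:11:22:33:44:55")
    packets = [
        Packet("ge-0/0/1", "employee", "00:11:22:33:44:55", "10.0.10.21"),  # valid binding
        Packet("ge-0/0/2", "employee", "00:aa:bb:cc:dd:ee", "10.0.10.21"),  # IP bound to another MAC
        Packet("ge-0/0/2", "employee", "00:aa:bb:cc:dd:ee", "10.0.10.99"),  # no binding in database
        Packet("ge-0/0/23", "employee", "00:de:ad:be:ef:01", "10.0.10.1"),  # trusted port
        Packet("ge-0/0/5", "guest", "00:aa:bb:cc:dd:ee", "10.0.20.7"),      # VLAN without the feature
    ]
    return [guard.check(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

The third packet shows the operational caveat: a host whose address is not in the database fails the check just as a spoofed source does.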
Related Documentation
Security Features for EX Series Switches Overview
Understanding DHCP Snooping for Port Security on EX Series Switches
Understanding DAI for Port Security on EX Series Switches
Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series Switches
Understanding IP Source Guard for Port Security on EX Series Switches
Understanding DHCP Option 82 for Port Security on EX Series Switches
Understanding How to Protect Access Ports on EX Series Switches from Common Attacks
Understanding How to Protect Access Ports on EX Series Switches from Common Attacks
Port security features can protect the Juniper Networks EX Series Ethernet Switch against
various types of attacks. Protection methods against some common attacks are:
Mitigation of Ethernet Switching Table Overflow Attacks
Mitigation of Rogue DHCP Server Attacks
Copyright © 2010, Juniper Networks, Inc.
