On Fri, Dec 2, 2011 at 8:09 PM, Oluwagbenga Oyebande < [email protected]> wrote:
> *IPSG checks IP Packets.* If I want to ensure that only hosts with IP
> addresses allocated by my DHCP servers (or static IPSG bindings) are
> allowed onto the network then I would use IPSG.
>
> Let's say 192.168.X.90 IP is allocated up to half of the network
> bandwidth and a smart guy wanted to use that IP on his host when x.90 is
> offline, then *source guard wouldn't let him in on his own choice of IP*.
> It's my choice :) . Some guys even try to use the gateway IP (and IPSG
> wouldn't allow them to cause an IP address conflict, the switch just
> blocks them). That wouldn't work for them either.
>
> IPSG does not protect from man-in-the-middle attacks (page 27:
> http://www.cisco.at/endkunden/pdf/Tkrewedl_abrauma_CISF_SW_L2_Sec_TK.pdf)
> DAI does that. Man-in-the-middle attack is done using gratuitous ARPs (DAI
> can block these, IPSG cannot) or faked DHCP replies (neither DAI nor IPSG
> can block these if they come in on a trusted port). The DHCP snooping
> untrusted port feature can help you define the ports where you have your
> DHCP servers.
>
> *DAI only checks ARP packets.* When a bad guy wants to divert all the
> traffic for an important host or the gateway to pass through itself
> (man-in-the-middle attack using gratuitous ARP to present itself as an
> important host/gateway) DAI would use the snooping database or referenced
> ARP ACLs to detect that this ARP response is false and hence a MITM attack.
> Usually the MITM attack mechanism would ensure that the diverted packets
> are finally delivered to the expected destination so as to remain stealthy.
>
> So they both have different functions. I think Cisco layer 2 best practice
> (under SAFE) recommends both where applicable. But in an environment where
> you have multiple admins or smart users, it would be difficult to maintain a
> stable network without IPSG anyway, because users could actually choose
> their IPs carelessly or junior admins could mistakenly use the gateway IP
> on hosts. IPSG is also useful to prevent some internally generated DDoS
> attacks. You may want to use DAI to protect your network traffic from MITM
> attacker/worm.
>
> Olugbenga Oyebande
>
>
> On Fri, Dec 2, 2011 at 3:05 AM, Josh Chamberlain <[email protected]> wrote:
>
>> Trying to get my head around these two features. The way I understand it:
>>
>> - DAI: applied per VLAN and used to prevent an evil host from poisoning
>> your ARP cache and thus intercepting traffic on its way to the legit
>> destination
>> - SG: applied per port and used to prevent an evil host from spoofing an
>> IP address and intercepting your traffic
>>
>> Both build off of the DHCP snooping database and provide a means of
>> entering static information.
>>
>> Configuration doesn't seem that difficult either, but what I can't quite
>> grasp is when it would be best to use one over the other. While they're
>> two different features that go about their goals in different ways, it
>> seems to me they both achieve the same objective of preventing said evil
>> host from getting your data.
>>
>> Or am I missing something?
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>> http://onlinestudylist.com/mailman/listinfo/ccie_rs
>>
>
>
>
> --
> --
> Olugbenga Oyebande
> MD, DAIT
> 234-803-302-5287
> http://www.dait-ng.com
> Cisco Unified Network, VPN
> DAIT Enterprise Network Servers
> Broadband Internet Deployment & ISP Consultancy
>
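The thread describes the three features in words only. The following Cisco IOS configuration is an added example, not posted by either participant, showing how DHCP snooping, DAI and IPSG fit together on one access switch: the binding table that both DAI and IPSG consult is built by DHCP snooping, the only trusted port is the uplink toward the real DHCP server (so the "faked DHCP reply on a trusted port" failure mode from the reply cannot seed the table from an access port), a static binding covers a host that does not use DHCP, and an ARP ACL protects the gateway address that DAI cannot learn from snooping. VLAN 10, the interface names, the addresses and the MAC addresses are all constructed for illustration.

```cisco
! --- DHCP snooping: builds the MAC/IP/VLAN/port binding table ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Only the uplink toward the real DHCP server is trusted. A DHCP reply
! arriving on any other port is dropped, so a rogue server on an access
! port cannot inject bindings that DAI and IPSG would later accept.
interface GigabitEthernet1/0/24
 description uplink to distribution / DHCP server (assumed)
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- DAI: validates ARP packets on VLAN 10 against the binding table ---
ip arp inspection vlan 10
! Also check that the Ethernet header MACs match the ARP body and that
! sender/target IPs are sane (no 0.0.0.0, 255.255.255.255, multicast).
ip arp inspection validate src-mac dst-mac ip
! The gateway (HSRP virtual MAC assumed) never asks for a DHCP lease, so
! DAI must be told explicitly which MAC may claim its IP.
arp access-list STATIC-HOSTS
 permit ip host 192.168.10.1 mac host 0000.0c07.ac0a
ip arp inspection filter STATIC-HOSTS vlan 10
!
! --- IPSG: filters IP packets per access port against the same table ---
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 10
 ! Drop IP traffic whose source address was not leased to this port.
 ip verify source
 ! Untrusted for both snooping and DAI; rate-limit to blunt ARP/DHCP
 ! floods (15 pps is the DAI default on untrusted ports).
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
!
! Host on port 5 with a fixed address (192.168.10.90 in the reply's
! example) gets a static binding so IPSG and DAI accept it without DHCP.
ip source binding 0011.2233.4455 vlan 10 192.168.10.90 interface GigabitEthernet1/0/5
!
! Ports that exceed the ARP rate limit go err-disabled; recover automatically.
errdisable recovery cause arp-inspection
!
! --- Verification ---
! show ip dhcp snooping binding            (leased + static entries)
! show ip source binding                   (static entries only)
! show ip verify source                    (IPSG filter state per port)
! show ip arp inspection vlan 10           (DAI enabled, ACL attached)
! show ip arp inspection statistics vlan 10 (forwarded vs dropped ARPs)
```

Two points the thread makes are visible here. IPSG (`ip verify source`) is a per-port filter on IP packets, so a host picking the gateway's address, or a neighbour's address while that neighbour is offline, simply has its packets dropped. DAI (`ip arp inspection vlan 10`) is a per-VLAN filter on ARP packets, so a gratuitous ARP claiming the gateway's IP from a host port is dropped and logged; neither feature inspects DHCP replies themselves, which is why the trust boundary of DHCP snooping has to be correct first.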
