DHCP Snooping, Dynamic ARP Inspection and IP Source Guard

With a client going for an ISO standard which dictates stringent controls over both the external and the internal network resources I decided to put in some additional controls to ensure confidentiality, integrity and availability of the internal network. As the client uses Cisco hardware on premise, this consisted of a trio of additional measures … Continue reading DHCP Snooping, Dynamic ARP Inspection and IP Source Guard

Controlling Logons to Cisco Devices with Active Directory

Something I see quite often is local passwords being used to authenticate network administrators onto switches and routers. While this is fine for smaller organisations with a small IT team and few network devices, it can quickly become a headache when trying to update the password across all devices or add a new user. There are … Continue reading Controlling Logons to Cisco Devices with Active Directory

802.1x MAC Authentication Bypass (MAB) to an NPS Server

Continuing to build on earlier posts where we setup 802.1x to authenticate users and place them in predefined VLANs, then extended this to dynamically assign the VLAN, this post will look at what to do for devices that don't speak 802.1x such as printers etc. While there is a guest VLAN command for dot1x we could use … Continue reading 802.1x MAC Authentication Bypass (MAB) to an NPS Server

Sniffing Attacks

Just like sitting in a café and listening to other peoples conversations, sniffing the network involves passively capturing traffic as it flows through the network segment that an attacker is connected to. One common tool to capture traffic (often for legitimate reasons) is Wireshark, which is a freely available "protocol analyser", that will reveal what … Continue reading Sniffing Attacks