Network Security Update

Uploaded by

Hayat Hyt
NETWORK SECURITY

Network Security Concepts
• Network Security Definition
• Current State of Affairs
• Reasons for Network Security
• Vectors of Network Attacks

Network Security Threats and Vulnerabilities
• Types of Threats
• Threat Actor Tools
• Malware: Virus, Worm, Trojan Horse, Ransomware

Common Network Attacks
• Reconnaissance Attack
• Access Attack
• Social Engineering Attack
• Denial of Service Attack
• Buffer Overflow Attack
• Evasion Methods

Mitigating Network Threats
• Defending the Network
• Network Security Policies

Mitigating Common Network Attacks
• Security Tools, Platforms, and Services
• Mitigating Common Network Attacks

Layer 2 Security and Attacks
• Endpoint Security
• Layer 2 Security Threats
• MAC Address Table Attack
• LAN Attacks

Mitigating LAN Attacks
• Implement Port Security
• Mitigate VLAN Attacks
• Mitigate DHCP Attacks
• Mitigate ARP Attacks
• Mitigate STP Attacks

Secure Device Access and Administrative Role
• Securing the Router
• Secure Administrative Access
• Configure SSH
• Authorization Using Privilege Levels and Role-Based CLI

Wireless Network Security
• Introduction to Wireless Network Security
• Wireless Network Threats and Attacks
• Wireless Network Security Protocols
• Mitigation of Wireless Network Threats and Attacks

Device Monitoring and Management
• Routing Protocol Authentication
• Secure Management and Reporting
• Network Security Using Syslog
• NTP Configuration
• SNMP Configuration

Authentication, Authorization, and Accounting (AAA)
• AAA Characteristics
• Local AAA Authentication
• Server-Based AAA Characteristics and Protocols
• Configure Server-Based Authentication, Authorization and Accounting

Access Control Lists
• Introduction to Access Control Lists
• Implement ACLs
• Mitigate Attacks with ACLs

Firewall Technologies
• Introduction to Firewalls
• Types of Firewalls
• Secure Networks with Firewalls
• Firewalls in Network Design

IPS Technologies
• IDS and IPS Characteristics
• Types of IDS and IPS
• IPS Operation and Implementation
• IPS Implementations
• IDS Implementations

VPN and IPsec Concepts
• VPN Technology
• Types of VPNs
• IPsec
Network security
is the protection of the underlying
networking infrastructure from
unauthorized access, misuse, or theft.
It involves creating a secure
infrastructure in which devices,
applications, and users can operate
securely.
Why Is Network Security
Important?
Whether you are a small or a
medium-sized business, you need
to have security measures in
place to protect your business
and keep your sensitive data
secure.
REASONS FOR NETWORK
SECURITY
1. Protecting Your Own Sensitive Data
2. Keeping Your Client's Data Safe
3. Many Industries Require Network Security Measures
4. Improved Network Performance
5. Cyber Insurance Often Requires Increased Protection to Qualify for a Payout
6. Cyber Attacks Are Now More Frequent
7. If You Don't Protect Networks It Can Be Costly
8. A Network Security Breach Can Harm Your Reputation
PROTECTING YOUR OWN
SENSITIVE DATA
• As a business, the integrity of your data is
of the utmost importance and needs to be
protected at all costs.
• A secure network coupled with
proactive security controls is the most
effective way to prevent data loss.
KEEPING YOUR CLIENT'S
DATA SAFE
• If you are a medical clinic,
accounting firm or business that
stores customer data, then it is
your responsibility to ensure it is
well protected and out of the hands
of hackers and unauthorized users.
Failure to do so could result in lost
reputation, clients leaving for your
competitor and even lawsuits.
MANY INDUSTRIES REQUIRE NETWORK
SECURITY MEASURES
• As a business you naturally want to protect
your sensitive data, but if you are in a regulated
sector such as healthcare, you are obligated to
have a secure network in order to meet the
applicable regulations. The requirements are
stringent, so make sure you follow them.
IMPROVED NETWORK PERFORMANCE
• A network that is safe and secure does more
than protect your business; it also helps the
business run smoothly. A system that is well
maintained and not bogged down by redundant
tools can provide greater efficiency.
CYBER INSURANCE OFTEN REQUIRES INCREASED
PROTECTION TO QUALIFY FOR A PAYOUT
• Cyber insurance is an important part of any
organization's risk management and safety
protocols, and insurers generally require the
controls named in the policy to be in place
before they pay a claim.
CYBER ATTACKS ARE NOW MORE
FREQUENT
• As networks grow and 5G becomes the norm,
networks become more exposed, and the security
in place is sometimes not sufficient. 66% of small
to medium-sized businesses have experienced a
cyber attack in the past 12 months.
• With many SMBs never recovering from a cyber
attack and being forced to close down for good,
the importance of network security could not be
more pronounced.
IF YOU DON'T PROTECT NETWORKS, IT
CAN BE COSTLY
• With all the security breaches and
cyber crime going on, it has become
evident that without a solid network
security infrastructure it could cost you
a lot of money if you were hacked or
someone gained access to your network.
A NETWORK SECURITY BREACH CAN
HARM YOUR REPUTATION
• No matter what type of business you
are in, your reputation needs to stay
intact, so it is important to protect your
brand and your integrity. If not, you could
lose valuable clients and revenue.
VECTORS OF NETWORK ATTACKS
What is a Network Attack?
Network attacks are unauthorized
actions on the digital assets within an
organizational network. Malicious parties
usually execute network attacks to alter,
destroy, or steal private data.
Perpetrators in network attacks tend
to target network perimeters to gain
access to internal systems.
A cyberattack
A cyberattack is a malicious and
deliberate attempt by an individual or
organization to breach the information
system of another individual or
organization. Usually, the attacker seeks
some type of benefit from disrupting the
victim’s network.
Active attacks:
Active attacks are a type of
cybersecurity attack in which an
attacker attempts to alter, destroy, or
disrupt the normal operation of a
system or network. Active attacks
involve the attacker taking direct action
against the target system or network,
and can be more dangerous than
Types of active attacks are as
follows:
•Masquerade
•Modification of messages
•Repudiation
•Replay
•Denial of Service
Masquerade –
Masquerade is a type of cybersecurity attack in which an attacker pretends to
be someone else in order to gain access to systems or data. This can involve
impersonating a legitimate user or system to trick other users or systems into
providing sensitive information or granting access to restricted areas.
There are several types of masquerade attacks, including:
•Username and password masquerade: In a username and password
masquerade attack, an attacker uses stolen or forged credentials to log into a
system or application as a legitimate user.
• IP address masquerade: In an IP address masquerade attack, an attacker
spoofs or forges their IP address to make it appear as though they are
accessing a system or application from a trusted source.
• Website masquerade: In a website masquerade attack, an attacker
creates a fake website that appears to be legitimate in order to trick users
into providing sensitive information or downloading malware.
•Email masquerade: In an email masquerade attack, an attacker sends an
email that appears to be from a trusted source, such as a bank or
government agency, in order to trick the recipient into providing sensitive
Modification of messages –
It means that some portion of a message is altered,
or that messages are delayed or reordered, to produce
an unauthorized effect. Modification is an attack on
the integrity of the original data: the unauthorized
party does not merely read the data in transit but
changes it, for instance by altering transmitted data
packets. Fabrication, inserting counterfeit messages
into the network, is the related attack on authenticity.
For example, a message meaning "Allow JOHN to read
confidential file X" is modified as "Allow Smith to
Repudiation –
Repudiation attacks are a type of cybersecurity attack in which an attacker
attempts to deny or repudiate actions that they have taken, such as making a
transaction or sending a message. These attacks can be a serious problem
because they can make it difficult to track down the source of the attack or
determine who is responsible for a particular action. The countermeasure is
non-repudiation: digital signatures over messages and transactions, and
tamper-evident audit logs with trustworthy time stamps.
There are several types of repudiation attacks, including:
•Message repudiation attacks: In a message repudiation attack, an
attacker sends a message and then later denies having sent it. This can be
done by using spoofed or falsified headers or by exploiting vulnerabilities in
the messaging system.
•Transaction repudiation attacks: In a transaction repudiation attack, an
attacker makes a transaction, such as a financial transaction, and then later
denies having made it. This can be done by exploiting vulnerabilities in the
transaction processing system or by using stolen or falsified credentials.
•Data repudiation attacks: In a data repudiation attack, an attacker
modifies or deletes data and then later denies having done so. This can be
done by exploiting vulnerabilities in the data storage system or by using
Replay –
It involves the passive capture of a
message and its subsequent
retransmission to produce an unauthorized
effect. The attacker's basic aim is to record
legitimate traffic seen on the network, such as an
authentication exchange or a transaction, and
later resend it so that the receiver acts on it
again as if it were fresh. Once the data is corrupted
or leaked it is insecure and unsafe for the
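As an added example (not code from the original slides), the following Python script shows how a receiver detects the two attacks described above: a message authentication code (HMAC-SHA256) exposes modification, and a sequence number plus a random nonce exposes replay, reordering or a delayed copy. The shared key and the "Allow JOHN to read file X" message are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import secrets

# Shared secret between sender and receiver. Constructed for this example;
# a real deployment would derive it from a key exchange or provisioning step.
SHARED_KEY = b"example-shared-key-do-not-reuse"


def _canonical(body):
    """Serialise the protected fields identically on both sides so the HMAC
    covers exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def protect(message, key, seq):
    """Sender side: attach a sequence number, a random nonce and an HMAC tag.
    The tag binds all three, so changing any field invalidates it."""
    body = {"seq": seq, "nonce": secrets.token_hex(8), "msg": message}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


class Receiver:
    """Receiver side: verify the tag first (integrity), then reject any packet
    whose nonce was already accepted or whose sequence number does not advance
    (replay, reordering or a delayed copy)."""

    def __init__(self, key):
        self.key = key
        self.seen_nonces = set()
        self.last_seq = 0

    def accept(self, packet):
        body = {k: v for k, v in packet.items() if k != "tag"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # compare_digest runs in constant time, so the comparison leaks nothing
        if not hmac.compare_digest(expected, packet.get("tag", "")):
            return (False, "modified: tag mismatch")
        if body["nonce"] in self.seen_nonces or body["seq"] <= self.last_seq:
            return (False, "replayed: seq/nonce already accepted")
        self.seen_nonces.add(body["nonce"])
        self.last_seq = body["seq"]
        return (True, "accepted")


def demo():
    """Deliver one genuine message, then a modified copy, then a replayed copy.
    Returns the three verdicts: accepted, modified, replayed."""
    rx = Receiver(SHARED_KEY)
    genuine = protect({"action": "allow_read", "user": "JOHN", "file": "X"}, SHARED_KEY, seq=1)
    first = rx.accept(genuine)
    # Attacker alters the payload in transit but cannot recompute the tag without the key
    tampered = dict(genuine, msg={**genuine["msg"], "user": "Smith"})
    second = rx.accept(tampered)
    # Attacker retransmits the genuine packet it captured earlier
    third = rx.accept(genuine)
    return first, second, third


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The sequence check is what turns a pure replay defence into a reordering and delay defence as well: an old packet with a valid tag is still refused because its number no longer advances the receiver's state.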
Denial of Service –
Denial of Service (DoS) is a type of cybersecurity attack that is designed to make a
system or network unavailable to its intended users by overwhelming it with traffic
or requests. In a DoS attack, an attacker floods a target system or network with
traffic or requests in order to consume its resources, such as bandwidth, CPU cycles,
or memory, and prevent legitimate users from accessing it.
There are several types of DoS attacks, including:
•Flood attacks: In a flood attack, an attacker sends a large number of packets or
requests to a target system or network in order to overwhelm its resources.
•Amplification attacks: In an amplification attack, an attacker uses a third-party
system or network to amplify their attack traffic and direct it towards the target
system or network, making the attack more effective. The attacker sends small
requests with the target's address forged as the source to a service whose replies
are much larger than the requests, so the third party delivers the flood to the target.
To prevent DoS attacks, organizations can implement several measures,
such as:
1.Using firewalls and intrusion detection systems to monitor network traffic and
block suspicious activity.
2.Limiting the number of requests or connections that can be made to a system
or network.
3.Using load balancers and distributed systems to distribute traffic across
Passive attacks: A Passive attack attempts to learn or
make use of information from the system but does not
affect system resources. Passive Attacks are in the nature
of eavesdropping on or monitoring transmission. The goal
of the opponent is to obtain information that is being
transmitted. Passive attacks involve an attacker passively
monitoring or collecting data without altering or
destroying it. Examples of passive attacks include
eavesdropping, where an attacker listens in on network
traffic to collect sensitive information, and sniffing, where
an attacker captures and analyzes data packets to steal
sensitive information.
Types of Passive attacks are as follows:
•The release of message content
•Traffic analysis
The release of message content –
Telephonic conversation, an electronic mail message, or a transferred file
may contain sensitive or confidential information. We would like to prevent
an opponent from learning the contents of these transmissions.
Traffic analysis –
Suppose that we had a way of masking (encrypting) information, so that the
attacker, even after capturing the message, could not extract its contents.
The opponent could still determine the location and identity of the communicating
hosts and could observe the frequency and length of messages being
exchanged. This information might be useful in guessing the nature of the
communication that was taking place.
In VoIP, for example, encrypting the SIP signalling hides call metadata on the
wire; an attacker would then have to access the SIP proxy (or its call log) to
determine who made the call.
What is malware?
Malware, short for malicious software, is a blanket term
for viruses, worms, trojans and other harmful computer
programs hackers use to wreak destruction and gain
access to sensitive information. In other words,
software is identified as malware based on its intended
malicious use, rather than a particular technique or
technology used to build it.
What Are Viruses?
Even though malware encompasses a wide variety of bad
software, we tend to think of viruses as the umbrella term. We
call any bit of malicious software that invades our computers a
virus, but viruses have their own idiosyncrasies that make them
uniquely terrible.
One of the main identifying factors with viruses is their ability to
self-replicate; this is what made Creeper a virus. Much like
biological viruses, computer viruses need to find a host to attach
themselves to. They arrive on the computer attached to files,
then find other files to infect.
What Are Worms?
Worms are very similar to viruses in that they are capable of
self-replicating; however, there are a few differences. Worms are
more self-sufficient than viruses. Worms, unlike viruses, don't
need host files to attach to. They are standalone programs that
act on their own.
Once a worm is running on a system, it makes copies of itself of
its own accord, usually by spreading to other systems over the
network. Instead of spreading from file to file, worms just make
standalone copies of themselves.
Layer 2 Security and attacks
Layer 2 Attacks
Layer 2 attacks, also known as Data Link Layer attacks,
target vulnerabilities in the second layer of the OSI model.
This layer handles the addressing of devices using MAC
addresses and controls access to the physical transmission
medium.
The main attacks that occur at
Layer 2 include:
1.MAC Table Attacks
2.VLAN Attacks
3.ARP Attacks
4.DHCP Attacks
5.Address Spoofing Attacks
6.STP Attacks
MAC Table Flooding
For a switch to know which port to use to transmit a
frame, it must first learn which devices exist on each
port. As the switch learns the relationship of ports to
devices, it builds a table called a MAC address table.
This table is stored in content addressable memory
(CAM) which is a special type of memory used in high-
speed searching applications. For this reason, the MAC
address table is sometimes also called the CAM table. A
switch populates its MAC address table by recording the
source MAC address of each frame it receives, together
with the port on which the frame arrived.
All MAC tables have a fixed size and consequently, a switch can
run out of resources in which to store MAC addresses. MAC
address flooding attacks take advantage of this limitation by
bombarding the switch with fake source MAC addresses until the
switch MAC address table is full.
The attacker initiates a MAC flooding attack by sending a large
number of Ethernet frames to the switch, each containing a
unique source MAC address. The switch attempts to learn these
MAC addresses and adds them to its table. However, when the
table is full, the switch starts broadcasting incoming frames to all
ports, as it can’t determine the appropriate port for certain MAC
addresses. This condition allows a threat actor to capture all of
the frames sent from one host to another on the local LAN or local
VLAN. Consider that the threat actor can only capture traffic
within the local LAN or VLAN to which the threat actor is
connected.
To mitigate MAC address table
overflow attacks, network
administrators must implement port
security. Port security will only allow
a specified number of source MAC
addresses to be learned on the port.
It allows an administrator to manually
configure MAC addresses for a port or
to permit the switch to dynamically
A switch is a Layer 2 device that forwards frames
from one device to another within the network. It
forwards a frame out of one of its ports on the basis
of the destination MAC address and the entry in the
MAC address table.
The following basic commands are used to configure
a new switch:
1. Changing the hostname of the switch to HNS: sets
the name of the device.
switch(config)#hostname HNS
HNS(config)#
2. Adding a banner message: shows a short message to
anyone who connects to the switch. The text ends with
the delimiting character given on the command line
(here &).
HNS(config)#banner motd &
Enter TEXT message. End with the character '&'.
Text &
HNS(config)#
3. Setting the management IP address of the switch:
the address is assigned to the VLAN 1 switched virtual
interface, which must also be enabled, and a default
gateway is needed to reach other subnets. The gateway
must be the router's host address on that subnet;
172.16.10.0 is the network address and cannot be used
as a gateway (172.16.10.254 is assumed here).
HNS(config)#interface vlan1
HNS(config-if)#ip address 172.16.10.1 255.255.255.0
HNS(config-if)#no shutdown
HNS(config-if)#exit
HNS(config)#ip default-gateway 172.16.10.254
4. Setting the clock: sets the current time stored in
the switch (hh:mm:ss day month year).
HNS#clock set 03:03:14 25 June 2020
5. Applying password protection (enable password,
enable secret, console password and VTY password).
Enable password: protects privileged EXEC mode, but is
stored in the configuration in clear text (or in the
trivially reversible type 7 form when
service password-encryption is on).
HNS(config)#enable password hanifullah
Enable secret: also protects privileged EXEC mode, but
is stored as a salted hash, so it cannot be read back
from the configuration file. If both are configured, the
enable secret is the one that applies, so the enable
password should be treated as legacy.
HNS(config)#enable secret Noor
Line console password: asked for when someone connects
through the console port.
HNS(config)#line console 0
HNS(config-line)#password haya
HNS(config-line)#login
Line VTY password: asked for when someone connects to
the switch over the VTY lines (Telnet or SSH). Cover every
VTY line the device has (show line lists them), and prefer
SSH with per-user accounts over Telnet with a shared line
password, as covered under Configure SSH.
HNS(config)#line vty 0 2
HNS(config-line)#password Haleema
HNS(config-line)#login
HNS(config-line)#exit
The passwords shown here are placeholders; use long,
unique values in a real configuration.
6. Saving the running configuration to the startup
configuration:
HNS#copy running-config startup-config
7. Viewing the startup configuration and the running
configuration:
HNS#show startup-config
HNS#show running-config
8. Clearing the MAC address table: the switch stores
learned addresses in the MAC address table; this
removes the dynamically learned entries.
HNS#clear mac address-table dynamic
PORT SECURITY CONFIGURATION (STICKY MAC)
Port security configuration on an access port
SW(config)#interface ethernet 0/0
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security maximum 1
SW(config-if)#switchport port-security mac-address sticky
SW(config-if)#switchport port-security violation shutdown
(violation modes, from least to most secure: protect,
restrict, shutdown; shutdown is the default)
Here is a brief explanation of each of the above commands:
1. switchport mode access: configures the interface as an access port carrying a
single VLAN, so it will never negotiate a trunk. Port security can only be enabled on
access or statically configured trunk ports, not on dynamic (DTP) ports.
2. switchport port-security: enables port security on the interface. Port security
restricts the source MAC addresses allowed to send traffic through that interface.
3. switchport port-security maximum 1: sets the maximum number of secure MAC
addresses on the interface to 1. Only one MAC address will be allowed to send
traffic through this interface.
4. switchport port-security mac-address sticky: enables sticky MAC address learning.
The switch dynamically learns the MAC address of the device connected to the
interface and adds it to the running configuration, so it survives a reload once the
configuration is saved.
5. switchport port-security violation shutdown: puts the interface into the
error-disabled state when a violation occurs, that is, when a frame arrives from a
MAC address other than the secure ones after the maximum has been reached. The
other modes keep the port up: protect silently drops the offending frames, restrict
drops them and also increments the violation counter and sends a syslog/SNMP
notification. An error-disabled port stays down until an administrator issues
shutdown followed by no shutdown, or errdisable recovery is configured. Verify the
state with show port-security interface ethernet 0/0.
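The following Python model is an added example, not part of the original slides or of Cisco's software. It simulates a switch with a fixed-size MAC address table to show why the flooding attack described under MAC Table Flooding turns the switch into a hub, and how the port-security settings explained above (maximum 1, sticky learning, and the protect/restrict/shutdown violation modes) stop it. Port numbers, MAC addresses and the table size are constructed for the demonstration.

```python
class PortSecurity:
    """Per-port limit on source MAC addresses, modelled on Cisco's
    'switchport port-security' with sticky learning and the three violation modes."""

    def __init__(self, maximum=1, violation="shutdown"):
        assert violation in ("protect", "restrict", "shutdown")
        self.maximum = maximum
        self.violation = violation
        self.secure_macs = set()   # sticky-learned addresses
        self.violations = 0        # counter incremented by restrict and shutdown
        self.errdisabled = False   # set by shutdown; the port stops passing traffic

    def permit(self, src_mac):
        """Return True if a frame from src_mac may be processed on this port."""
        if self.errdisabled:
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)   # sticky: learn it and keep it
            return True
        # A further, unknown source MAC is a violation
        if self.violation == "shutdown":
            self.errdisabled = True
        if self.violation != "protect":     # protect drops silently, no counter
            self.violations += 1
        return False


class Switch:
    """Learning switch with a fixed-size MAC (CAM) table that never evicts entries:
    once the table is full, new sources are simply not learned."""

    def __init__(self, ports, cam_size):
        self.cam_size = cam_size
        self.cam = {}                           # source MAC -> ingress port
        self.ports = {p: None for p in ports}   # port -> PortSecurity or None

    def secure(self, port, **kwargs):
        self.ports[port] = PortSecurity(**kwargs)

    def forward(self, in_port, src, dst):
        """Return the set of egress ports for a frame (empty if it was dropped)."""
        sec = self.ports[in_port]
        if sec is not None and not sec.permit(src):
            return set()
        if src not in self.cam and len(self.cam) < self.cam_size:
            self.cam[src] = in_port
        out = self.cam.get(dst)
        if out is not None:
            return {out}
        # Unknown destination: flood out of every other port that is still up
        return {p for p, s in self.ports.items()
                if p != in_port and not (s is not None and s.errdisabled)}


def scenario(violation=None):
    """Attacker on port 3 floods forged source MACs, then hosts A (port 1) and
    B (port 2) exchange ten frames. Returns how much the attacker captured."""
    sw = Switch(ports=[1, 2, 3], cam_size=8)    # small table so the flood is quick
    if violation:
        sw.secure(3, maximum=1, violation=violation)
    for i in range(50):                          # forged, unique source MACs
        sw.forward(3, src=f"de:ad:be:ef:{i:02x}:{i:02x}", dst="ff:ff:ff:ff:ff:ff")
    host_a, host_b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    captured = 0
    for _ in range(5):
        captured += 3 in sw.forward(1, host_a, host_b)
        captured += 3 in sw.forward(2, host_b, host_a)
    sec = sw.ports[3]
    return {"cam_entries": len(sw.cam),
            "captured": captured,
            "violations": sec.violations if sec else 0,
            "port3_errdisabled": bool(sec and sec.errdisabled)}


if __name__ == "__main__":
    for mode in (None, "protect", "restrict", "shutdown"):
        print(mode or "no port-security", scenario(mode))
```

Without port security every one of the ten host frames is flooded to the attacker's port because the table is full of forged entries and the real hosts never get learned. With restrict or protect the attacker still sees the single frame that is flooded before host B is learned, which is normal switch behaviour; with shutdown the port is error-disabled on the second forged address and sees nothing.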
VLAN Hopping Attacks
A VLAN hopping attack enables traffic from one VLAN to be seen by another VLAN
without the aid of a router.
A VLAN hopping attack can occur in one of two ways:
1. switch spoofing
2. double tagging
Switch spoofing
Cisco DTP (Dynamic Trunking Protocol) switch ports can be configured in four
modes:
1. Access: the port carries traffic for a single VLAN only and never forms a trunk.
2. Trunk: the port carries traffic for multiple VLANs and unconditionally operates
as a trunk.
3. Dynamic Auto: the port waits passively for a DTP negotiation message; if the
neighbour asks to trunk, the port agrees and becomes a trunk.
4. Dynamic Desirable: the port actively sends DTP negotiation messages and
becomes a trunk if the neighbour is in trunk, dynamic auto or dynamic desirable
mode.
Because dynamic auto is the default on many Catalyst switches, an attacker on an
unconfigured port can form a trunk simply by sending DTP frames that claim to be
a switch in desirable mode, and can then tag frames for any VLAN. Hard-coding
user-facing ports as access ports and disabling DTP on them (switchport
nonegotiate) removes this path.
Switch spoofing occurs when an attacker manipulates the Cisco Dynamic Trunking
VLAN CONFIGURATION AND ATTACKS
ARP Attacks
The Address Resolution Protocol (ARP) is used by
all network devices that connect to an Ethernet
network. Hosts broadcast ARP Requests to
determine the MAC address of a host with a
particular IPv4 address. ARP by itself is inherently
insecure because devices are told to trust the ARP
Replies they receive, whether or not they asked for
them.
The attacker sends falsified ARP Replies (ARP
spoofing) to both the victim and the target, associating
the attacker's own MAC address with the other party's IP
address. As a result, both devices update their ARP tables,
directing traffic intended for the target to the attacker's
system, which can read or modify it before passing it on.
ARP CONFIGURATION AND ATTACKS
DHCP Attack Review
The goal of a DHCP starvation attack is to create a Denial of Service
(DoS) for connecting clients by leasing every address in the pool. DHCP
starvation attacks require an attack tool such as Gobbler. Recall that DHCP
starvation attacks can be effectively mitigated by using port security
because Gobbler uses a unique source MAC address for each DHCP request
sent.
However, mitigating DHCP spoofing attacks requires more protection.
Gobbler could be configured to use the actual interface MAC address as
the source Ethernet address, but specify a different client hardware
address (chaddr) in the DHCP payload. This would render port security
ineffective because the source MAC address would be legitimate.
DHCP spoofing attacks can be mitigated by using DHCP snooping, which
only allows DHCP server messages to enter on trusted ports. DHCP snooping
also checks, by default, that on untrusted ports the Ethernet source MAC
address matches the chaddr inside the DHCP message, which catches the
Gobbler variant above.
DHCP Snooping
DHCP snooping does not rely on source MAC addresses.
Instead, DHCP snooping determines whether DHCP messages
are from an administratively configured trusted or untrusted
source. It then filters DHCP messages and rate-limits DHCP
traffic from untrusted sources.
Devices under your administrative control, such as switches,
routers, and servers, are trusted sources. Any device beyond
the firewall or outside your network is an untrusted source. In
addition, all access ports are generally treated as untrusted
sources. The figure shows an example of trusted and untrusted
ports.
Steps to Implement DHCP Snooping
Use the following steps to enable DHCP snooping:
Step 1. Enable DHCP snooping by using the ip dhcp
snooping global configuration command.
Step 2. On trusted ports, use the ip dhcp snooping
trust interface configuration command.
Step 3. Limit the number of DHCP discovery messages that can be
received per second on untrusted ports by using the ip dhcp
snooping limit rate interface configuration command.
Step 4. Enable DHCP snooping by VLAN, or by a range of VLANs, by
using the ip dhcp snooping vlan global configuration command.
DHCP CONFIGURATION
DHCP Snooping Configuration Example
The reference topology for this DHCP snooping
example is shown in the figure. Notice that F0/5 is an
untrusted port because it connects to a PC. F0/1 is a
trusted port because it connects to the DHCP server.
The following is an example of how to configure DHCP
snooping on S1. Notice how DHCP snooping is first
enabled. Then the upstream interface to the DHCP server
is explicitly trusted. Next, the range of Fast Ethernet ports
from F0/5 to F0/24 are untrusted by default, so a rate limit
is set to six packets per second. Finally, DHCP snooping
is enabled on VLANs 5, 10, 50, 51, and 52.
S1(config)# ip dhcp snooping
S1(config)# interface f0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
S1(config)# interface range f0/5 - 24
S1(config-if-range)# ip dhcp snooping limit rate 6
S1(config-if-range)# exit
S1(config)# ip dhcp snooping vlan 5,10,50-52
S1(config)# end
S1#
Use the show ip dhcp
snooping privileged EXEC command to
verify DHCP snooping and show ip dhcp
snooping binding to view the clients that
have received DHCP information, as shown in
the example.
Note: DHCP snooping is also required by
Dynamic ARP Inspection (DAI), which is the
next topic
S1# show ip dhcp snooping
S1# show ip dhcp snooping binding
Enter interface configuration mode for g0/1 - 2,
trust the interfaces, and return to global
configuration mode:
S1(config)#interface range g0/1 - 2
S1(config-if-range)#ip dhcp snooping trust
S1(config-if-range)#exit
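As an added example (not code from the slides or from Cisco IOS), this Python model implements the DHCP snooping checks described above: trusted versus untrusted ports, source-MAC/chaddr verification and the per-port rate limit that error-disables a port when exceeded. It builds the binding table from the server's ACKs and then uses that table the way Dynamic ARP Inspection does to reject the spoofed ARP Replies described under ARP Attacks. Ports, MAC addresses and the lease are constructed inputs, and one trust list serves both features here, whereas IOS configures snooping trust and ARP inspection trust separately.

```python
from collections import defaultdict, deque

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these


class DhcpSnooping:
    """Model of DHCP snooping and Dynamic ARP Inspection (DAI) on one switch."""

    def __init__(self, trusted_ports, rate_limit):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit        # DHCP packets per second on an untrusted port
        self.bindings = {}                  # (client MAC, leased IP) -> client port
        self.client_port = {}               # chaddr seen in DISCOVER/REQUEST -> ingress port
        self.recent = defaultdict(deque)    # port -> timestamps of DHCP packets in last second
        self.errdisabled = set()
        self.log = []

    def _drop(self, reason):
        self.log.append(reason)
        return False

    def dhcp(self, port, src_mac, chaddr, msg_type, yiaddr=None, t=0.0):
        """Return True if the DHCP packet is forwarded, False if snooping drops it."""
        if port in self.trusted:
            if msg_type == "ACK":           # server confirmed a lease: add the binding
                self.bindings[(chaddr, yiaddr)] = self.client_port.get(chaddr)
            return True
        if port in self.errdisabled:
            return self._drop(f"{port}: err-disabled after rate-limit violation")
        if msg_type in SERVER_MESSAGES:
            return self._drop(f"{port}: {msg_type} from untrusted port (rogue server)")
        if src_mac != chaddr:               # 'ip dhcp snooping verify mac-address'
            return self._drop(f"{port}: chaddr {chaddr} != source MAC {src_mac}")
        window = self.recent[port]
        while window and window[0] <= t - 1.0:
            window.popleft()
        if len(window) >= self.rate_limit:  # IOS err-disables the port at this point
            self.errdisabled.add(port)
            return self._drop(f"{port}: more than {self.rate_limit} DHCP packets/s")
        window.append(t)
        self.client_port[chaddr] = port
        return True

    def arp_reply(self, port, sender_mac, sender_ip):
        """DAI: an ARP Reply on an untrusted port must match a snooping binding
        (same MAC, IP and port); trusted ports are not inspected."""
        if port in self.trusted:
            return True
        if self.bindings.get((sender_mac, sender_ip)) == port:
            return True
        return self._drop(f"{port}: ARP {sender_ip} is-at {sender_mac} has no binding")


def scenario():
    """Constructed traffic: a legitimate lease, a rogue server, the Gobbler
    'real source MAC but forged chaddr' trick, a DISCOVER burst, and ARP spoofing."""
    sw = DhcpSnooping(trusted_ports={"f0/1"}, rate_limit=6)
    server, pc = "00:00:00:00:00:01", "00:00:00:00:00:05"
    r = {}
    r["discover"] = sw.dhcp("f0/5", pc, pc, "DISCOVER", t=0.0)
    r["offer"] = sw.dhcp("f0/1", server, pc, "OFFER", yiaddr="10.0.0.5", t=0.1)
    r["ack"] = sw.dhcp("f0/1", server, pc, "ACK", yiaddr="10.0.0.5", t=0.2)
    # Rogue DHCP server on an untrusted access port
    r["rogue_offer"] = sw.dhcp("f0/7", "00:00:00:00:00:07", pc, "OFFER",
                               yiaddr="10.0.0.99", t=0.3)
    # Starvation tool keeping its real source MAC but forging the chaddr
    r["forged_chaddr"] = sw.dhcp("f0/7", "00:00:00:00:00:07", "de:ad:be:ef:00:01",
                                 "DISCOVER", t=0.4)
    # Starvation tool using a fresh MAC per request, ten requests in half a second
    # (port security with maximum 1 would also stop this on a real switch)
    burst = [sw.dhcp("f0/8", f"de:ad:be:ef:01:{i:02x}", f"de:ad:be:ef:01:{i:02x}",
                     "DISCOVER", t=1.0 + i * 0.05) for i in range(10)]
    r["burst_forwarded"] = sum(burst)
    # DAI: the PC's genuine reply passes, a spoofer on f0/9 claiming its IP does not
    r["arp_genuine"] = sw.arp_reply("f0/5", pc, "10.0.0.5")
    r["arp_spoofed"] = sw.arp_reply("f0/9", "00:00:00:00:00:09", "10.0.0.5")
    return r


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:15} {'forwarded' if ok is True else ok}")
```

Only the first six DISCOVERs of the burst are forwarded; the seventh trips the limit and the port is error-disabled, which is why the page's configuration sets a modest rate on access ports and none on the trusted uplink.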
What is a Spanning Tree Protocol attack?
Spanning Tree Protocol (STP) attacks exploit
weaknesses in the protocol to reshape the switched
topology or bring down the network. Attackers can use a
variety of methods, such as sending malicious Bridge
Protocol Data Units (BPDUs), to interfere with the STP
calculations and force the network to use a sub-optimal
path, typically one that passes through the attacker, or
to trigger repeated topology changes. STP attacks can
cause network congestion, broadcast storms, and even
network failures, which can have severe consequences
for organizations. To prevent STP attacks, network
administrators should disable unused switch ports,
enable port security, and use BPDU guards and root
Example of an STP attack
In the following example, we will simulate an STP attack using Cisco Packet Tracer.
The network topology consists of three switches, with Switch1 being the root bridge.
Step 1: The attacker connects to the network through Switch3.
Step 2: The attacker sends forged BPDU messages with a bridge priority lower than
Switch1's, claiming to be the root bridge.
Step 3: The switches receive the forged BPDU messages and recompute the topology,
with the attacker's device, reached through Switch3, becoming the new root bridge.
Step 4: The spanning tree now converges around the attacker, so traffic between the
other switches can be forced through the attacker's link and captured, and each
topology change flushes the MAC address tables so the switches flood traffic,
disrupting the network.
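The following Python script is an added example, not the Packet Tracer lab itself. It models the root-bridge election the attack abuses and the two port-level mitigations named above: BPDU guard on an access port (the port is error-disabled as soon as any BPDU arrives) and root guard (a superior BPDU leaves the port in the root-inconsistent state instead of re-electing the root). Switch names, priorities and MAC addresses are constructed.

```python
def bridge_id(priority, mac):
    """STP bridge ID. Lower wins; priority is compared first, then the MAC address."""
    return (priority, mac)


class StpDomain:
    """Toy model of root-bridge election across one switched network, with
    per-port BPDU guard and root guard."""

    def __init__(self):
        self.bridges = {}               # switch name -> bridge ID it advertises
        self.guards = {}                # (switch, port) -> "bpduguard" | "rootguard"
        self.errdisabled = set()        # ports shut by BPDU guard
        self.root_inconsistent = set()  # ports blocked by root guard

    def add_bridge(self, name, priority, mac):
        self.bridges[name] = bridge_id(priority, mac)

    def guard(self, switch, port, kind):
        assert kind in ("bpduguard", "rootguard")
        self.guards[(switch, port)] = kind

    def current_root(self):
        """The root bridge is the switch with the lowest bridge ID."""
        return min(self.bridges, key=self.bridges.get)

    def receive_bpdu(self, switch, port, claimant, claimed_id):
        """Process a BPDU from 'claimant' arriving on (switch, port); return the root."""
        kind = self.guards.get((switch, port))
        if kind == "bpduguard":
            # An access port with PortFast must never see a BPDU: err-disable it
            self.errdisabled.add((switch, port))
            return self.current_root()
        if kind == "rootguard" and claimed_id < self.bridges[self.current_root()]:
            # A superior BPDU on a port that must stay designated: block the port
            # and keep the existing root
            self.root_inconsistent.add((switch, port))
            return self.current_root()
        self.bridges[claimant] = claimed_id    # unguarded: the claim joins the election
        return self.current_root()


def scenario(guard=None):
    """Three switches, Switch1 the intended root; an attacker on Switch3 port f0/10
    sends a BPDU with priority 0. Returns (root before, root after, err-disabled?,
    root-inconsistent?) for the attacker's port."""
    d = StpDomain()
    d.add_bridge("Switch1", 4096, "00:00:00:00:00:01")
    d.add_bridge("Switch2", 32768, "00:00:00:00:00:02")
    d.add_bridge("Switch3", 32768, "00:00:00:00:00:03")
    if guard:
        d.guard("Switch3", "f0/10", guard)
    before = d.current_root()
    after = d.receive_bpdu("Switch3", "f0/10", "attacker", bridge_id(0, "de:ad:be:ef:00:00"))
    port = ("Switch3", "f0/10")
    return before, after, port in d.errdisabled, port in d.root_inconsistent


if __name__ == "__main__":
    for g in (None, "bpduguard", "rootguard"):
        print(g or "no guard", scenario(g))
```

BPDU guard belongs on every access port (any BPDU there is a misconfiguration or an attack), while root guard belongs on the designated ports of the intended root and its neighbours, where legitimate BPDUs do arrive but must never be superior.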