[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: STP mitm attack idea

Jann Horn <jannhorn@xxxxxxxxxxxxxx> wrote on 04/28/2010 12:20:55 PM:
> From:
> Jann Horn <jannhorn@xxxxxxxxxxxxxx>
> If you had a WLAN-link, you could simplify that a lot - as far as I
> understand, you are able to make the switches redirect the traffic to
> your machines.
> Anyway, this attack sounds like something a good switch can easily
> prevent by having a list of "STP trusted ports" or something like that.
> Doesn't that exist?

Best practice is to implement layer 2 security mechanisms which would
identify these ports as "access" ports and shut them down if any STP
traffic was received through these interfaces. On Cisco equipment,
this is known as BPDU guard.