Question 22
What is the best way to prevent a VLAN hopping attack?
A. Encapsulate trunk ports with IEEE 802.1Q.
B. Physically secure data closets.
C. Disable DTP negotiations.
D. Enable BDPU guard.
Answer: C
Explanation:
802.1Q and ISL Tagging Attack
Tagging attacks are malicious schemes that allow a user on a VLAN to get unauthorized access to another VLAN. For example, if a switch port were configured as DTP auto and were to receive a fake DTP packet, it might become a trunk port and it might start accepting traffic destined for any VLAN. Therefore, a malicious user could start communicating with other VLANs through that compromised port. Sometimes, even when simply receiving regular packets, a switch port may behave like a full-fledged trunk port (for example, accept packets for VLANs different from the native),even if it is not supposed to. This is commonly referred to as "VLAN leaking" (see [5] for are port on a similar issue).
No comments:
Post a Comment