This filtering mechanism protects against IP and
MAC address spoofing.
Figure 7-5. Preventing IP Spoofing Using IP Source Guard
Note
The IP Source Guard feature will not prevent an MITM type of attack. Use Dynamic ARP Inspection (DAI)
to prevent MITM, as discussed in the section "ARP Spoofing Attack" later in this chapter.
Packet Classification and Marking Techniques
Cisco IOS provides an unparalleled and comprehensive set of Quality of Service (QoS) features. These tools can
be leveraged in the context of security implementations and mitigating network attacks. QoS technologies are
becoming increasingly important and critical to maintaining network availability and security.
Several QoS techniques exist for various types of application protocols because not all techniques work for all
protocols. These methods apply in different phases of a protocol transition; for example, packets are first
characterized (classified) using classification and marking techniques, then policed and dropped, or another action
is taken, depending on the requirement. With the QoS technology framework, a proactive approach (explicitly
protecting critical traffic) is more effective than a reactive approach (trying to identify and squelch bad traffic).
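The classify, mark, then police sequence and the proactive approach described above can be sketched with the Cisco IOS Modular QoS CLI. This is an added example, not a configuration from the book: the ACL, class-map and policy-map names, the 192.0.2.0/24 management range, the interface and the 8 Mbps rate are all constructed assumptions, and whether marking and policing can be combined in one input policy depends on the platform.

```cisco
! Added example: every name, address and rate below is an assumption.
!
! Step 1 - classify: explicitly describe the traffic that must survive.
ip access-list extended ACL-CRITICAL
 remark SSH from the management range (constructed sample addresses)
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 remark routing protocol adjacencies
 permit ospf any any
!
class-map match-all CM-CRITICAL
 match access-group name ACL-CRITICAL
!
! Step 2 - mark, Step 3 - police.
policy-map PM-EDGE-IN
 ! Proactive: critical traffic is marked and is never policed here.
 class CM-CRITICAL
  set dscp cs6
 ! Everything else is re-marked to best effort so it cannot claim a
 ! trusted marking, then rate-limited so a flood cannot starve the
 ! critical class.
 class class-default
  set dscp default
  police 8000000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/1
 service-policy input PM-EDGE-IN
!
! Check per-class match and drop counters with:
!   show policy-map interface GigabitEthernet0/1
```

The policy never tries to identify the attack traffic itself: it only names what must be protected, which is why it keeps working when the unwanted traffic changes shape.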