Introduction

As your network expands to include an increasing number of mobile devices, continuous Internet access, and new classes of users (such as partners, temporary employees, and visitors), additional protection from attacks launched from both inside and outside your internal network is often necessary.

Advanced threat protection can detect port scans and hackers who try to access a port or the switch itself. The following software features provide advanced threat protection and are described here:

  • DHCP snooping: Protects your network from common DHCP attacks, such as:
    • Address spoofing in which an invalid IP address or network gateway address is assigned by a rogue DHCP server

    • Address exhaustion of available addresses in the network DHCP server, caused by repeated attacker access to the network and numerous IP address requests

  • Dynamic ARP protection: Protects your network from ARP cache poisoning as in the following cases:
    • An unauthorized device forges an illegitimate ARP response and network devices use the response to update their ARP caches

    • A denial-of-service (DoS) attack from unsolicited ARP responses changes the network gateway IP address so that outgoing traffic is prevented from leaving the network and overwhelms network devices

  • Instrumentation monitor: Protects your network from a variety of other common attacks besides DHCP and ARP attacks, including:
    • Attempts at a port scan to expose a vulnerability in the switch, indicated by an excessive number of packets sent to closed TCP/UDP ports.

    • Attempts to fill all IP address entries in the switch’s forwarding table and cause legitimate traffic to be dropped, indicated by an increased number of learned IP destination addresses.

    • Attempts to spread viruses, indicated by an increased number of ARP request packets

    • Attempts to exhaust system resources so that sufficient resources are not available to transmit legitimate traffic, indicated by an unusually high use of specific system resources

    • Attempts to attack the switch’s CPU and introduce delay in system response time to new network events

    • Attempts by hackers to access the switch, indicated by an excessive number of failed logins or port authentication failures

    • Attempts to deny switch service by filling the forwarding table, indicated by an increased number of learned MAC addresses or a high number of MAC address moves from one port to another

    • Attempts to exhaust available CPU resources, indicated by an increased number of learned MAC address events being discarded