1.7 Describe common access layer threat mitigation techniques

80% of attacks on a network come from within, so these are some threat mitigation techniques that might.

802.1x

It’s supposed to add an element of authentication to the LAN and WAN environment. It gained a lot of traction in the early days of wireless, when the only security available was WEP (easy to break into, and its preshared passwords were difficult to manage).

802.1x helped solve some of these problems. Rather than relying exclusively on preshared keys, it can be extended to use other forms of authentication.

For example, you could use domain membership: if someone is a member of your AD domain, they can join the wireless network. Or you could use some other means of authentication, such as biometrics. 802.1x just lets the authentication decision be handled by another service.

Example: running the dot1x system-auth-control command will enable 802.1x globally on a switch.

DHCP snooping

It’s very easy for a device to act as a DHCP server. It’s not uncommon for a device to be brought into a network, either deliberately or accidentally, that starts dishing out IP addresses that aren’t part of your subnet.
It could also be a malicious device that sends out poisoned DHCP replies (for example a rogue default gateway or DNS server), leaving the devices on your network open to attack or traffic interception.

This problem is solved with DHCP snooping. With DHCP snooping, ports can be marked as trusted ports, and only these ports are allowed to deliver DHCP replies into the network.
When a port that isn’t trusted receives a DHCP reply, the switch puts that port into error-disabled mode to stop all traffic coming from it. You’re also given a notification that a device on the network is attempting to hand out DHCP information.

Nondefault native VLAN

The Cisco best practice for VLANs is that VLAN 1 should not be in use anywhere on a network (especially on trunk connections). When a Cisco switch is fresh out of the box, every port, and therefore all traffic, is assigned to VLAN 1.
This means that the native VLAN is also VLAN 1 by default. Administrative / switch management traffic uses the native VLAN, and if every port is a member of VLAN 1 then anyone on the network can listen to admin traffic using a traffic inspection tool like Wireshark or tcpdump, which is bad. This is why Cisco suggests using another VLAN for any user traffic, changing the native VLAN to a nondefault VLAN, and assigning unused ports to a dead-end VLAN.
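The three techniques above pulled together in one switch configuration, as an added example and not part of the original notes. It assumes a Catalyst switch running IOS 15.x with user VLANs 10 and 20, Gi1/0/1 as the uplink trunk, Gi1/0/2-12 as user ports, Gi1/0/13-24 unused, and placeholder values for the RADIUS server address and key.

```cisco
! Added example (not from the original notes). Assumes a Catalyst switch
! running IOS 15.x, user VLANs 10 and 20, RADIUS server 192.0.2.10
! (placeholder), Gi1/0/1 as the uplink trunk, Gi1/0/2-12 as user ports.
!
! --- 802.1X: hand port authentication off to RADIUS (e.g. AD-backed) ---
aaa new-model
radius server RADIUS-PLACEHOLDER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key RADIUS-KEY-PLACEHOLDER
aaa authentication dot1x default group radius
! enables 802.1X globally (the command from the notes)
dot1x system-auth-control
!
! --- DHCP snooping on the user VLANs ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! --- Nondefault native VLAN and a dead-end VLAN for unused ports ---
vlan 999
 name NATIVE-UNUSED
vlan 998
 name BLACKHOLE
!
! Uplink: the only port allowed to deliver DHCP server replies inward;
! untagged frames land in VLAN 999 instead of VLAN 1, and VLAN 1 is not carried
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 ip dhcp snooping trust
!
! User ports: blocked until 802.1X succeeds; untrusted for DHCP, so a rogue
! server's OFFER/ACK is dropped and exceeding the rate limit err-disables the port
interface range GigabitEthernet1/0/2 - 12
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 ip dhcp snooping limit rate 10
!
! Unused ports: dead-end VLAN and administratively shut down
interface range GigabitEthernet1/0/13 - 24
 switchport mode access
 switchport access vlan 998
 shutdown
!
! Verify: show dot1x all / show ip dhcp snooping / show interfaces trunk
```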