New security features have been added to many enterprise switches. The availability of those features varies based on what vendor’s equipment you’re using (as well as the software version) and each vendor offers similar features but call them by different names.
The following table illustrates a few.
|Cisco||HP||Problem||Benefit||Watch out for|
|DHCP snooping||DHCP snooping||DHCP, a critical network service, is inherently trusted and easily spoofed.||Creates a database of DHCP exchanges, tracking IP, MAC, and port information. Detects rogue DHCP servers and denies access or sends an alert.||Any new DHCP server, including yours, will be identified as a rogue. Configure switches to recognize new servers.|
|Dynamic ARP inspection||Dynamic ARP protection||ARP maps MAC address to IP address with no security checks. Attackers can easily spoof ARP, leading to man-in-the-middle and denial-of-service attacks.||Detects spoofed MAC addresses and ARP flooding attacks. Also uses the DHCP database to dynamically identify MAC addresses early.||A downstream access switch won’t see DHCP exchanges on upstream switches, so this feature could disrupt communications.|
|IP source guard||Dynamic IP lockdown||DHCP can be bypassed by statically assigning hosts IP addresses.||Creates a database of successful DHCP exchanges, mapping IP leases to MAC address, ports, and VLANs.||DHCP database isn’t centralized. Hosts with statically assigned IP address have to be manually entered.|
|Port security||MAC lockdown||Attackers can disconnect an existing device like a printer and plug in their own computer on the fully configured port.||You can statically define which MAC addresses can appear on a port and all others can be denied.||Not completely effective since MAC addresses can be learned and spoofed.|
|Protected ports||Source port filtering||Computers on the same switch and VLAN can communicate directly, bypassing any network-based security features.||Protected ports stop adjacent computers communicating directly with each other, essentially segmenting computers.||Stops P2P tasks like file sharing, IN, and other host-to-host communications between computers in the same broadcast domain.|