A malicious user is using special software to perform an on-path attack. Which of the following best practices should be configured to mitigate this threat?
Mike Meyers
"A classic on-path attack would be a person using special software on a wireless network to make all the clients think his laptop is an access point. He could then listen in on that wireless network, gathering up all the conversations and gaining access to passwords, shared keys, or other sensitive information. On-path attacks are commonly perpetrated using ARP spoofing."
"The way to mitigate ARP spoofing, described in Objective 4.2, is through dynamic ARP inspection. ARP replies are checked against a database, and if they contain invalid or conflicting values, they are dropped. Therefore, they won’t be sent by switches to hosts whose ARP caches would subsequently be poisoned."
The best practice to mitigate an on-path attack is dynamic ARP inspection. It helps prevent ARP spoofing attacks, which are a type of on-path attack. Dynamic ARP inspection uses information in the DHCP snooping table to validate ARP packets and ensure that the source IP address and MAC address in each packet match the sender's DHCP bindings. If the information does not match, the packet is dropped. Therefore, dynamic ARP inspection helps to prevent malicious users from intercepting network traffic by poisoning ARP caches on other devices.
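The binding check described in the post above, as an added example that is not part of the original thread and is a simplified model rather than any vendor's implementation. The binding table, port names, addresses and the `sample_frame` and `inspect` helpers are all constructed for illustration, and frames are assumed to be untagged Ethernet.

```python
import struct

# Constructed DHCP snooping bindings: sender IP -> (MAC, VLAN, switch port).
BINDINGS = {
    "10.0.0.1":  ("aa:aa:aa:aa:aa:01", 10, "Gi0/1"),   # default gateway
    "10.0.0.20": ("aa:aa:aa:aa:aa:20", 10, "Gi0/2"),
    "10.0.0.66": ("aa:aa:aa:aa:aa:66", 10, "Gi0/3"),
}
TRUSTED_PORTS = {"Gi0/24"}  # e.g. an uplink; ARP arriving here is not inspected

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def sample_frame(eth_src, sender_mac, sender_ip, target_mac, target_ip, op=2):
    """Build an untagged Ethernet + ARP frame as bytes (constructed test input)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(o) for o in s.split("."))
    return (m(target_mac) + m(eth_src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + m(sender_mac) + i(sender_ip) + m(target_mac) + i(target_ip))

def inspect(frame, vlan, port):
    """Return (forward?, reason) for one frame received on `port` in `vlan`."""
    if port in TRUSTED_PORTS:
        return True, "trusted port"
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return False, "not a complete ARP frame"
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return False, "malformed ARP header"
    eth_src, sha, spa = _mac(frame[6:12]), _mac(frame[22:28]), _ip(frame[28:32])
    if eth_src != sha:
        return False, "Ethernet source differs from ARP sender MAC"
    binding = BINDINGS.get(spa)
    if binding is None:
        return False, "no binding for sender IP"
    if binding != (sha, vlan, port):
        return False, "sender does not match binding"
    return True, "matches binding"

GW, VICTIM, ROGUE = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:20", "aa:aa:aa:aa:aa:66"
# Legitimate reply from 10.0.0.20, then a reply on Gi0/3 claiming the gateway's IP.
legit = sample_frame(VICTIM, VICTIM, "10.0.0.20", GW, "10.0.0.1")
spoof = sample_frame(ROGUE, ROGUE, "10.0.0.1", VICTIM, "10.0.0.20")

if __name__ == "__main__":
    print(inspect(legit, 10, "Gi0/2"))
    print(inspect(spoof, 10, "Gi0/3"))
```

The same spoofed frame is forwarded if it arrives on the trusted port, which is why only links to other switches or to the DHCP server should be marked trusted.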
Based on CompTIA...
"A control plane policing policy is designed to mitigate the risk from route processor vulnerabilities. Such a policy can use ACLs to allow or deny control traffic from certain sources and apply rate-limiting if a source threatens to overwhelm the route processor."
"A malicious host may use a spoofed MAC address to try to perform ARP cache poisoning against other hosts on the network and perpetrate an on-path attack. A switch port security feature such as dynamic ARP inspection (DAI) prevents a host attached to an untrusted port from flooding the segment with gratuitous ARP replies. ARP inspection maintains a trusted database of IP:ARP mappings. It also ensures that ARP packets are validly constructed and use valid IP addresses."
Dynamic ARP Inspection (DAI) is a security feature that validates Address Resolution Protocol (ARP) packets in a network. DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC address to IP address bindings. A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2).
GPT picks (A):
"To mitigate the threat of a malicious user using special software to perform an on-path attack, the best practice to configure is (A) Dynamic ARP Inspection.
Dynamic ARP Inspection (DAI) is a security feature that helps prevent ARP spoofing and other on-path attacks by validating ARP requests and responses. It ensures that the MAC-to-IP address mappings are legitimate and prevents attackers from redirecting network traffic to their devices. By inspecting and filtering ARP messages, DAI adds an extra layer of protection to the network infrastructure. Control Plane Policing (B) is a different security feature that helps protect the control plane of network devices from excessive traffic, but it may not directly address on-path attacks like ARP spoofing."
GPT explains that it is not (C) because "Control plane policing" is a series of steps, not just a single solution. Also, "policing" might already be set up, but the hackers are getting around it, so the best solution is still (A) Dynamic ARP inspection to stop the attack:
"Control plane policing involves setting up rules and limits to control the amount of traffic that can access the control plane. This prevents excessive or malicious traffic from overwhelming the device's ability to manage network operations effectively. By implementing control plane policing, network administrators can ensure the stability and security of their network devices, allowing them to function properly even under heavy traffic loads or potential attacks."
Another bad question because the question creator creates questions by just reading one part of a book he has access to.
I guess here he read the question on MAC spoofing as an option. But if he read another chapter and used his imagination to know that a man-in-the-middle attack can be achieved with multiple vulnerabilities, he would not ask this question.
C.
Control plane policing (CoPP) is a security feature that can be used to protect network devices from various types of attacks, including on-path attacks. CoPP enables administrators to define policies that limit the rate of traffic sent to a network device's control plane, which is the part of the device that processes and manages network protocols, such as ARP (Address Resolution Protocol) and routing protocols.
C. Control plane policing
Control plane policing is a best practice that can help mitigate on-path attacks by limiting the rate at which packets can be sent to the control plane of a network device. On-path attacks typically involve intercepting and modifying network traffic as it passes through a network device, which can potentially overwhelm the device's control plane and cause it to crash or become unresponsive. Control plane policing can help prevent this by limiting the rate at which packets are sent to the control plane, thus reducing the risk of overload or exhaustion.
While dynamic ARP inspection, role-based access, and MAC filtering are all important security measures, they are not specifically designed to address the threat of on-path attacks.
Additional info on what an on-path attack is:
https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/on-path-attacks/#:~:text=In%20fact%2C%20you%20might%20hear,passed%20on%20to%20the%20destination.
Control plane policing forces ping rates to be lower, and it mitigates DoS attacks. Dynamic ARP inspection is the correct answer. Please google control plane policing; Cisco has good information on it and what it is used for.
A. Dynamic ARP inspection
Dynamic ARP inspection (DAI) is a security feature that helps to protect networks against ARP spoofing attacks. It works by comparing ARP requests and responses to a pre-configured IP-to-MAC address binding table, and discards ARP packets that do not match the expected binding. This can help to prevent an attacker from performing an on-path attack by intercepting and modifying ARP traffic.
Dynamic ARP Inspection (DAI) is a security feature that validates Address Resolution Protocol (ARP) packets in a network. DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC address to IP address bindings. This capability protects the network from certain “man-in-the-middle” attacks.
Community vote distribution
A (35%)
C (25%)
B (20%)