Mitigating Attacks
For all the preceding attacks, several mitigation techniques exist. Some are easy to implement
(such as a static configuration of the power settings); others are expensive (such as burying
the CAT5 cable to ensure that it won't be cut).
Defending Against Power Gobbling
All the above-mentioned attacks are linked to the lack of authentication and authorization in the
detection protocol (whether Cisco prestandard or IEEE 802.3af). The dynamic protocol is,
therefore, an open door to attacks because the attacker can forge the signaling.
The most effective way to counter these types of attacks is to use a static configuration for
all ports. For all ports to which an authorized PES can connect, the switch configuration
will allow for the exact amount of power to be delivered.
For all other ports, power detection should be disabled, and no power will ever be delivered
to the end station. This completely prevents power-gobbling and power-stealing attacks by
blocking access to the power sources.
On the Cisco IOS switch, the generic command to apply power to an interface is as follows:
Router(config-if)# power inline {auto [max max-milli-watts] | never | static [max max-milli-watts]}
The default wattage of a port is 15.4 W, which is too much for several devices. Therefore,
if port 2/1 is a phone whose wattage is 7.0 W maximum (7000 mW), it can be configured
as follows:
Router(config)# interface fastethernet 2/1
Router(config-if)# power inline static max 7000
If port 2/2 has no PES connected to it, it needs to be configured as follows (to prevent power
stealing):
Router(config)# interface fastethernet 2/2
Router(config-if)# power inline never
On CatOS, the generic command to apply power to a port is
Console> (enable) set port inlinepower mod/port {{auto | static | limit}
[wattage] | off}
Therefore, if port 2/1 is a phone whose wattage is 7.0 W maximum (7000 mW), it can be
configured as
Console> (enable) set port inlinepower 2/1 static 7000
If ports 2/2–48 have no PESs connected to them, they must be configured as follows (to
prevent power stealing):
Console> (enable) set port inlinepower 2/2-48 off
CatOS also sends a Simple Network Management Protocol (SNMP) trap when the power
budget exceeds a threshold (this could be a sign of power gobbling):
Console> (enable) set inlinepower notify-threshold 80 mod 2
Module 2 inlinepower notify-threshold is set to 80%.
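The static-configuration rule above is easy to state but hard to keep true across a large switch. As an added example (not from the book and not a Cisco tool), the following Python script audits an IOS running-config for the settings just described: it flags every interface that is still in the dynamic auto mode (explicitly or because no power inline line is present, which the script assumes means the 15.4 W default), sums the power committed to ports that are not set to never, and reports whether that total crosses a notify threshold on a per-module budget, mirroring the CatOS notify-threshold check. The configuration text and the module budget values are constructed for illustration.

```python
import re

# Constructed sample IOS running-config excerpt (not taken from any real switch).
SAMPLE_CONFIG = """\
interface FastEthernet2/1
 description lobby phone
 power inline static max 7000
!
interface FastEthernet2/2
 description unused
 power inline never
!
interface FastEthernet2/3
 description conference phone
 power inline auto
!
interface FastEthernet2/4
 description printer
!
interface FastEthernet2/5
 description camera
 power inline static
!
"""

DEFAULT_MAX_MW = 15400  # 15.4 W default allocation per port, as stated in the text

IFACE_RE = re.compile(r"^interface (\S+)")
POWER_RE = re.compile(r"^\s*power inline (auto|never|static)(?: max (\d+))?")


def parse_power_inline(config):
    """Return {interface: (mode, max_mw)}.

    An interface with no 'power inline' line is assumed to be in the default
    'auto' mode with the full 15.4 W allocation (assumption for this example).
    """
    result = {}
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = ("auto", DEFAULT_MAX_MW)  # implicit default
            continue
        if current is None:
            continue
        m = POWER_RE.match(line)
        if m:
            mode, max_mw = m.group(1), m.group(2)
            if max_mw:
                max_mw = int(max_mw)
            else:
                max_mw = 0 if mode == "never" else DEFAULT_MAX_MW
            result[current] = (mode, max_mw)
    return result


def audit(config, module_budget_mw, notify_pct=80):
    """Audit one module's config against the static-configuration rule.

    Returns the ports still negotiating power dynamically, the milliwatts
    committed to powered ports, and whether the budget usage reaches the
    notify threshold (80% by default, matching the CatOS example above).
    """
    ports = parse_power_inline(config)
    dynamic = sorted(name for name, (mode, _) in ports.items() if mode == "auto")
    committed = sum(mw for mode, mw in ports.values() if mode != "never")
    pct = 100 * committed / module_budget_mw
    return {
        "dynamic_ports": dynamic,
        "committed_mw": committed,
        "budget_pct": round(pct, 1),
        "over_threshold": pct >= notify_pct,
    }


if __name__ == "__main__":
    # Constructed module budget of 60 W; 4 powered ports commit 53.2 W (88.7%).
    print(audit(SAMPLE_CONFIG, module_budget_mw=60000))
```

Run against a saved `show running-config`, the `dynamic_ports` list is the set of interfaces that still accept forged detection signaling and should be moved to `static max` or `never`; `over_threshold` gives the same early warning the SNMP trap provides, but from the configuration alone rather than from live consumption.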
Defending Against Power-Changing Attacks
A power-changing attack reduces the electrical power of a connected end station to where
it becomes so low that the end station completely shuts down. There is no easy way to mitigate
this attack, except for the Cisco prestandard implementation, where it is possible to disable
CDP on the port. This causes a lack of accurate power accounting per port, which leads to an
excess of globally computed power budget (making phone deployment difficult).
Defending Against Shutdown Attacks
The only way to prevent a shutdown attack is to add an uninterruptible power supply (UPS)
to the switches and secure the twisted-pair cable. An attacker cannot cut the CAT5 cable if
its path is either completely in walls or metallic tubes. (If this is not possible, do not use
PoE for critical devices.)
142 Chapter 8: What About Power over Ethernet?
Defending Against Burning Attacks
There is no way to protect a non-PES from a burning attack, even if the static configuration
of the wattage can help limit the damage to the attached device. The burning attack requires
physical access to inject the signaling to force 42 V into the CAT5 cable. If an attacker has
access to the cable, he can also inject 110–220 V into it, which causes more damage in the
PES. Therefore, the risk of this attack does not increase by enabling PoE on the port.
NOTE A related issue is when a powered device is disconnected and another one is immediately
connected: The power is still applied. It takes a couple of seconds for a switch to discover
that a PES has been disconnected, so wait 10 seconds before you connect a new device.
Oftentimes, an attacker short-circuits the power delivery of a PES in a vain attempt to damage
the switch. It is vain indeed: short-circuit protection is built into all the switch's powered
ports. The same chip also prevents the delivery of more power than negotiated.
NOTE Some line cards completely shut down the power on all ports when detecting a short circuit on
a single port. Therefore, critical PESs (such as surveillance cameras) should not be placed
on the same line card as noncritical PESs (such as an IP phone in a lobby).
For a quick-reference list of how to defend against these attacks, use the countermeasures
shown in Table 8-1.
Table 8-1 Countermeasures
Attack            Countermeasure
Power gobbling    Configuration: Configure the exact amount of power per port.
Power changing    Configuration: Configure the exact amount of power per port. For Cisco
                  prestandard, you can also disable CDP on the port.
Shutting down     Provide a UPS to the switch and physically protect the cable.
Burning           Mostly a theoretical attack. Physical security is a good countermeasure.
Summary
On Cisco devices, you can deliver power to end stations in two ways: Cisco prestandard and
IEEE 802.3af.
Several attacks exist against these systems, such as variations of DoS and stealing power
from an unauthorized end station.
Luckily, most of these attacks require an attacker to be physically present; they cannot be
launched from a remote location.
A strict and static switch configuration mitigates most of these attacks. Physical security
and a UPS reduce the impact of them.