You are previewing LAN Switch Security: What Hackers Know About Your Switches.
O'Reilly logo
LAN Switch Security: What Hackers Know About Your Switches

Book Description

LAN Switch Security: What Hackers Know About Your Switches

A practical guide to hardening Layer 2 devices and stopping campus network attacks

Eric Vyncke

Christopher Paggen, CCIE® No. 2659

Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Cisco® Discovery Protocol [CDP], and so on) and data plane protocols, such as Address Routing Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches. Further, this book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. This book also includes a section on how to use an Ethernet switch to increase the security of a network and prevent future attacks.

Divided into four parts, LAN Switch Security provides you with steps you can take to ensure the integrity of both voice and data traffic traveling over Layer 2 devices. Part I covers vulnerabilities in Layer 2 protocols and how to configure switches to prevent attacks against those vulnerabilities. Part II addresses denial-of-service (DoS) attacks on an Ethernet switch and shows how those attacks can be mitigated. Part III shows how a switch can actually augment the security of a network through the utilization of wirespeed access control list (ACL) processing and IEEE 802.1x for user authentication and authorization. Part IV examines future developments from the LinkSec working group at the IEEE. For all parts, most of the content is vendor independent and is useful for all network architects deploying Ethernet switches.

After reading this book, you will have an in-depth understanding of LAN security and be prepared to plug the security holes that exist in a great number of campus networks.

Eric Vyncke has a master’s degree in computer science engineering from the University of Liège in Belgium. Since 1997, Eric has worked as a Distinguished Consulting Engineer for Cisco, where he is a technical consultant for security covering Europe. His area of expertise for 20 years has been mainly security from Layer 2 to applications. He is also guest professor at Belgian universities for security seminars.

Christopher Paggen, CCIE® No. 2659, obtained a degree in computer science from IESSL in Liège (Belgium) and a master’s degree in economics from University of Mons-Hainaut (UMH) in Belgium. He has been with Cisco since 1996 where he has held various positions in the fields of LAN switching and security, either as pre-sales support, post-sales support, network design engineer, or technical advisor to various engineering teams. Christopher is a frequent speaker at events, such as Networkers, and has filed several U.S. patents in the security area.

Contributing Authors:

Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco.

Steinthor Bjarnason is a consulting engineer for Cisco.

Ken Hook is a switch security solution manager for Cisco.

Rajesh Bhandari is a technical leader and a network security solutions architect for Cisco.

  • Use port security to protect against CAM attacks

  • Prevent spanning-tree attacks

  • Isolate VLANs with proper configuration techniques

  • Protect against rogue DHCP servers

  • Block ARP snooping

  • Prevent IPv6 neighbor discovery and router solicitation exploitation

  • Identify Power over Ethernet vulnerabilities

  • Mitigate risks from HSRP and VRPP

  • Stop information leaks with CDP, PaGP, VTP, CGMP and other Cisco ancillary protocols

  • Understand and prevent DoS attacks against switches

  • Enforce simple wirespeed security policies with ACLs

  • Implement user authentication on a port base with IEEE 802.1x

  • Use new IEEE protocols to encrypt all Ethernet frames at wirespeed.

  • This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

    Category: Cisco Press–Security

    Covers: Ethernet Switch Security

    Table of Contents

    1. Copyright
      1. Dedications
    2. About the Authors
      1. About the Contributing Authors
    3. About the Technical Reviewers
    4. Acknowledgments
    5. Icons Used in This Book
    6. Command Syntax Conventions
    7. Introduction
      1. Goals and Methods
      2. Who Should Read This Book?
      3. How This Book Is Organized
      4. Reference
    8. I. Vulnerabilities and Mitigation Techniques
      1. 1. Introduction to Security
        1. Security Triad
          1. Confidentiality
          2. Integrity
          3. Availability
          4. Reverse Security Triad
        2. Risk Management
          1. Risk Analysis
          2. Risk Control
        3. Access Control and Identity Management
        4. Cryptography
          1. Symmetric Cryptosystems
            1. Symmetric Encryption
            2. Hashing Functions
            3. Hash Message Authentication Code
          2. Asymmetric Cryptosystems
            1. Confidentiality with Asymmetric Cryptosystems
            2. Integrity and Authentication with Asymmetric Cryptosystems
            3. Key Distribution and Certificates
          3. Attacks Against Cryptosystems
        5. Summary
        6. References
      2. 2. Defeating a Learning Bridge’s Forwarding Process
        1. Back to Basics: Ethernet Switching 101
          1. Ethernet Frame Formats
          2. Learning Bridge
          3. Consequences of Excessive Flooding
        2. Exploiting the Bridging Table: MAC Flooding Attacks
          1. Forcing an Excessive Flooding Condition
          2. Introducing the macof Tool
        3. MAC Flooding Alternative: MAC Spoofing Attacks
          1. Not Just Theory
        4. Preventing MAC Flooding and Spoofing Attacks
          1. Detecting MAC Activity
          2. Port Security
          3. Unknown Unicast Flooding Protection
        5. Summary
        6. References
      3. 3. Attacking the Spanning Tree Protocol
        1. Introducing Spanning Tree Protocol
          1. Types of STP
            1. Understanding 802.1D and 802.1Q Common STP
            2. Understanding 802.1w Rapid STP
            3. Understanding 802.1s Multiple STP
          2. STP Operation: More Details
        2. Let the Games Begin!
          1. Attack 1: Taking Over the Root Bridge
            1. Root Guard
            2. BPDU-Guard
          2. Attack 2: DoS Using a Flood of Config BPDUs
            1. BPDU-Guard
            2. BPDU Filtering
            3. Layer 2 PDU Rate Limiter
          3. Attack 3: DoS Using a Flood of Config BPDUs
          4. Attack 4: Simulating a Dual-Homed Switch
        3. Summary
        4. References
      4. 4. Are VLANS Safe?
        1. IEEE 802.1Q Overview
          1. Frame Classification
          2. Go Native
          3. Attack of the 802.1Q Tag Stack
        2. Understanding Cisco Dynamic Trunking Protocol
          1. Crafting a DTP Attack
          2. Countermeasures to DTP Attacks
        3. Understanding Cisco VTP
          1. VTP Vulnerabilities
        4. Summary
        5. References
      5. 5. Leveraging DHCP Weaknesses
        1. DHCP Overview
        2. Attacks Against DHCP
          1. DHCP Scope Exhaustion: DoS Attack Against DHCP
            1. Yersinia
            2. Gobbler
          2. Hijacking Traffic Using DHCP Rogue Servers
        3. Countermeasures to DHCP Exhaustion Attacks
          1. Port Security
          2. Introducing DHCP Snooping
            1. Rate-Limiting DHCP Messages per Port
            2. DHCP Message Validation
            3. DHCP Snooping with Option 82
            4. Tips for Deploying DHCP Snooping
            5. Tips for Switches That Do Not Support DHCP Snooping
        4. DHCP Snooping Against IP/MAC Spoofing Attacks
        5. Summary
        6. References
      6. 6. Exploiting IPv4 ARP
        1. Back to ARP Basics
          1. Normal ARP Behavior
          2. Gratuitous ARP
        2. Risk Analysis for ARP
        3. ARP Spoofing Attack
          1. Elements of an ARP Spoofing Attack
          2. Mounting an ARP Spoofing Attack
        4. Mitigating an ARP Spoofing Attack
          1. Dynamic ARP Inspection
            1. DAI in Cisco IOS
            2. DAI in CatOS
          2. Protecting the Hosts
          3. Intrusion Detection
        5. Mitigating Other ARP Vulnerabilities
        6. Summary
        7. References
      7. 7. Exploiting IPv6 Neighbor Discovery and Router Advertisement
        1. Introduction to IPv6
          1. Motivation for IPv6
          2. What Does IPv6 Change?
          3. Neighbor Discovery
          4. Stateless Configuration with Router Advertisement
        2. Analyzing Risk for ND and Stateless Configuration
        3. Mitigating ND and RA Attacks
          1. In Hosts
          2. In Switches
        4. Here Comes Secure ND
          1. What Is SEND?
            1. Implementation
            2. Challenges
        5. Summary
        6. References
      8. 8. What About Power over Ethernet?
        1. Introduction to PoE
          1. How PoE Works
          2. Detection Mechanism
          3. Powering Mechanism
        2. Risk Analysis for PoE
          1. Types of Attacks
        3. Mitigating Attacks
          1. Defending Against Power Gobbling
          2. Defending Against Power-Changing Attacks
          3. Defending Against Shutdown Attacks
          4. Defending Against Burning Attacks
        4. Summary
        5. References
      9. 9. Is HSRP Resilient?
        1. HSRP Mechanics
          1. Digging into HSRP
        2. Attacking HSRP
          1. DoS Attack
          2. Man-in-the-Middle Attack
          3. Information Leakage
        3. Mitigating HSRP Attacks
          1. Using Strong Authentication
          2. Relying on Network Infrastructure
        4. Summary
        5. References
      10. 10. Can We Bring VRRP Down?
        1. Discovering VRRP
          1. Diving Deep into VRRP
        2. Risk Analysis for VRRP
        3. Mitigating VRRP Attacks
          1. Using Strong Authentication
          2. Relying on the Network Infrastructure
        4. Summary
        5. References
      11. 11. Information Leaks with Cisco Ancillary Protocols
        1. Cisco Discovery Protocol
          1. Diving Deep into CDP
          2. CDP Risk Analysis
          3. CDP Risk Mitigation
        2. IEEE Link Layer Discovery Protocol
        3. VLAN Trunking Protocol
          1. VTP Risk Analysis
          2. VTP Risk Mitigation
        4. Link Aggregation Protocols
          1. Risk Analysis
          2. Risk Mitigation
        5. Summary
        6. References
    9. II. How Can a Switch Sustain a Denial of Service Attack?
      1. 12. Introduction to Denial of Service Attacks
        1. How Does a DoS Attack Differ from a DDoS Attack?
        2. Initiating a DDoS Attack
          1. Zombie
          2. Botnet
        3. DoS and DDoS Attacks
          1. Attacking the Infrastructure
            1. Common Flooding Attacks
          2. Mitigating Attacks on Services
        4. Attacking LAN Switches Using DoS and DDoS Attacks
          1. Anatomy of a Switch
          2. Three Planes
            1. Data Plane
            2. Control Plane
            3. Management Plane
          3. Attacking the Switch
            1. Data Plane Attacks
            2. Control Plane Attacks
            3. Management Plane Attacks
            4. Switch Architecture Attacks
        5. Summary
        6. Reference
      2. 13. Control Plane Policing
        1. Which Services Reside on the Control Plane?
        2. Securing the Control Plane on a Switch
        3. Implementing Hardware-Based CoPP
          1. Configuring Hardware-Based CoPP on the Catalyst 6500
            1. Hardware Rate Limiters
            2. Hardware-Based CoPP
          2. Configuring Control Plane Security on the Cisco ME3400
        4. Implementing Software-Based CoPP
          1. Configuring Software-Based CoPP
        5. Mitigating Attacks Using CoPP
          1. Mitigating Attacks on the Catalyst 6500 Switch
            1. Telnet Flooding Without CoPP
            2. Telnet Flooding with CoPP
            3. TTL Expiry Attack
          2. Mitigating Attacks on Cisco ME3400 Series Switches
            1. CDP Flooding
            2. CDP Flooding with L2TP Tunneling
        6. Summary
        7. References
      3. 14. Disabling Control Plane Protocols
        1. Configuring Switches Without Control Plane Protocols
          1. Safely Disabling Control Plane Activities
            1. Disabling STP
            2. Disabling Link Aggregation Protocols
            3. Disabling VTP
            4. Disabling DTP
            5. Disabling Hot Standby Routing Protocol and Virtual Routing Redundancy Protocol
            6. Disabling Management Protocols and Routing Protocols
            7. Using an ACL
          2. Disabling Other Control Plane Activities
            1. Generating ICMP Messages
            2. Controlling CDP, IPv6, and IEEE 802.1X
            3. Using Smartports Macros
          3. Control Plane Activities That Cannot Be Disabled
          4. Best Practices for Control Plane
        2. Summary
      4. 15. Using Switches to Detect a Data Plane DoS
        1. Detecting DoS with NetFlow
          1. Enabling NetFlow on a Catalyst 6500
          2. NetFlow as a Security Tool
          3. Increasing Security with NetFlow Applications
        2. Securing Networks with RMON
        3. Other Techniques That Detect Active Worms
        4. Summary
        5. References
    10. III. Using Switches to Augment the Network Security
      1. 16. Wire Speed Access Control Lists
        1. ACLs or Firewalls?
        2. State or No State?
        3. Protecting the Infrastructure Using ACLs
        4. RACL, VACL, and PACL: Many Types of ACLs
          1. Working with RACL
          2. Working with VACL
          3. Working with PACL
        5. Technology Behind Fast ACL Lookups
          1. Exploring TCAM
        6. Summary
      2. 17. Identity-Based Networking Services with 802.1X
        1. Foundation
        2. Basic Identity Concepts
          1. Identification
          2. Authentication
          3. Authorization
        3. Discovering Extensible Authentication Protocol
        4. Exploring IEEE 802.1X
        5. 802.1X Security
          1. Integration Value-Add of 802.1X
            1. Spanning-Tree Considerations
              1. Enabling BPDU-Filter
              2. Enabling BPDU-Guard
            2. Trunking Considerations
            3. Information Leaks
          2. Keeping Insiders Honest
            1. Port-Security Integration
            2. DHCP-Snooping Integration
            3. Address Resolution Protocol Inspection Integration
            4. Putting It Together
        6. Working with Multiple Devices
          1. Single-Auth Mode
          2. Multihost Mode
        7. Working with Devices Incapable of 802.1X
          1. 802.1X Guest-VLAN
            1. 802.1X Guest-VLAN Timing
          2. MAC Authentication Primer
          3. MAB Operation
        8. Policy Enforcement
          1. VLAN Assignment
        9. Summary
        10. References
    11. IV. What Is Next in LAN Security?
      1. 18. IEEE 802.1AE
        1. Enterprise Trends and Challenges
        2. Matters of Trust
          1. Data Plane Traffic
          2. Control Plane Traffic
          3. Management Traffic
        3. Road to Encryption: Brief History of WANs and WLANs
        4. Why Not Layer 2?
        5. Link Layer Security: IEEE 802.1AE/af
          1. Current State: Authentication with 802.1X
          2. LinkSec: Extends 802.1X
          3. Authentication and Key Distribution
          4. Data Confidentiality and Integrity
            1. Data Confidentiality (Encryption)
            2. Data Integrity
          5. Frame Format
          6. Encryption Modes
        6. Security Landscape: LinkSec’s Coexistence with Other Security Technologies
        7. Performance and Scalability
        8. End-to-End Versus Hop-by-Hop LAN-Based Cryptographic Protection
        9. Summary
        10. References
    12. Combining IPsec with L2TPv3 for Secure Pseudowire
      1. Architecture
        1. Caveats
      2. Configuration
        1. Pseudowires
        2. Xconnect
        3. IPsec Crypto Maps
        4. IKE Authentication
        5. Debugging Information
          1. L2TP Tunnels
          2. Full Configuration