LAN Switch Security: What Hackers Know About Your Switches

LAN Switch Security: What Hackers Know About Your Switches

by Eric Vyncke - CCIE No. 2659, Christopher Paggen - CCIE No. 2659
Released September 2007
Publisher(s): Cisco Press
ISBN: 9781587052569

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

LAN Switch Security: What Hackers Know About Your Switches

A practical guide to hardening Layer 2 devices and stopping campus network attacks

Eric Vyncke

Christopher Paggen, CCIE® No. 2659

Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Cisco® Discovery Protocol [CDP], and so on) and data plane protocols, such as Address Routing Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches. Further, this book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. This book also includes a section on how to use an Ethernet switch to increase the security of a network and prevent future attacks.

Divided into four parts, LAN Switch Security provides you with steps you can take to ensure the integrity of both voice and data traffic traveling over Layer 2 devices. Part I covers vulnerabilities in Layer 2 protocols and how to configure switches to prevent attacks against those vulnerabilities. Part II addresses denial-of-service (DoS) attacks on an Ethernet switch and shows how those attacks can be mitigated. Part III shows how a switch can actually augment the security of a network through the utilization of wirespeed access control list (ACL) processing and IEEE 802.1x for user authentication and authorization. Part IV examines future developments from the LinkSec working group at the IEEE. For all parts, most of the content is vendor independent and is useful for all network architects deploying Ethernet switches.

After reading this book, you will have an in-depth understanding of LAN security and be prepared to plug the security holes that exist in a great number of campus networks.

Eric Vyncke has a master’s degree in computer science engineering from the University of Liège in Belgium. Since 1997, Eric has worked as a Distinguished Consulting Engineer for Cisco, where he is a technical consultant for security covering Europe. His area of expertise for 20 years has been mainly security from Layer 2 to applications. He is also guest professor at Belgian universities for security seminars.

Christopher Paggen, CCIE® No. 2659, obtained a degree in computer science from IESSL in Liège (Belgium) and a master’s degree in economics from University of Mons-Hainaut (UMH) in Belgium. He has been with Cisco since 1996 where he has held various positions in the fields of LAN switching and security, either as pre-sales support, post-sales support, network design engineer, or technical advisor to various engineering teams. Christopher is a frequent speaker at events, such as Networkers, and has filed several U.S. patents in the security area.

Contributing Authors:

Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco.

Steinthor Bjarnason is a consulting engineer for Cisco.

Ken Hook is a switch security solution manager for Cisco.

Rajesh Bhandari is a technical leader and a network security solutions architect for Cisco.

  • Use port security to protect against CAM attacks

  • Prevent spanning-tree attacks

  • Isolate VLANs with proper configuration techniques

  • Protect against rogue DHCP servers

  • Block ARP snooping

  • Prevent IPv6 neighbor discovery and router solicitation exploitation

  • Identify Power over Ethernet vulnerabilities

  • Mitigate risks from HSRP and VRPP

  • Stop information leaks with CDP, PaGP, VTP, CGMP and other Cisco ancillary protocols

  • Understand and prevent DoS attacks against switches

  • Enforce simple wirespeed security policies with ACLs

  • Implement user authentication on a port base with IEEE 802.1x

  • Use new IEEE protocols to encrypt all Ethernet frames at wirespeed.

    • This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

    Category: Cisco Press–Security

    Covers: Ethernet Switch Security

    Table of contents

    1. About This eBook
    2. Title Page
    3. Copyright Page
    4. About the Authors
    5. About the Contributing Authors
    6. About the Technical Reviewers
    7. Dedications
    8. Acknowledgments
    9. This Book Is Safari Enabled
    10. Contents at a Glance
    11. Contents
    12. Icons Used in This Book
    13. Command Syntax Conventions
    14. Introduction
      1. Goals and Methods
      2. Who Should Read This Book?
      3. How This Book Is Organized
      4. Reference
    15. Part I: Vulnerabilities and Mitigation Techniques
      1. Chapter 1. Introduction to Security
        1. Security Triad
          1. Confidentiality
          2. Integrity
          3. Availability
          4. Reverse Security Triad
        2. Risk Management
          1. Risk Analysis
          2. Risk Control
        3. Access Control and Identity Management
        4. Cryptography
          1. Symmetric Cryptosystems
          2. Asymmetric Cryptosystems
          3. Attacks Against Cryptosystems
        5. Summary
        6. References
      2. Chapter 2. Defeating a Learning Bridge’s Forwarding Process
        1. Back to Basics: Ethernet Switching 101
          1. Ethernet Frame Formats
          2. Learning Bridge
          3. Consequences of Excessive Flooding
        2. Exploiting the Bridging Table: MAC Flooding Attacks
          1. Forcing an Excessive Flooding Condition
          2. Introducing the macof Tool
        3. MAC Flooding Alternative: MAC Spoofing Attacks
          1. Not Just Theory
        4. Preventing MAC Flooding and Spoofing Attacks
          1. Detecting MAC Activity
          2. Port Security
          3. Unknown Unicast Flooding Protection
        5. Summary
        6. References
      3. Chapter 3. Attacking the Spanning Tree Protocol
        1. Introducing Spanning Tree Protocol
          1. Types of STP
          2. STP Operation: More Details
        2. Let the Games Begin!
          1. Attack 1: Taking Over the Root Bridge
          2. Attack 2: DoS Using a Flood of Config BPDUs
          3. Attack 3: DoS Using a Flood of Config BPDUs
          4. Attack 4: Simulating a Dual-Homed Switch
        3. Summary
        4. References
      4. Chapter 4. Are VLANS Safe?
        1. IEEE 802.1Q Overview
          1. Frame Classification
          2. Go Native
          3. Attack of the 802.1Q Tag Stack
        2. Understanding Cisco Dynamic Trunking Protocol
        3. Understanding Cisco VTP
        4. Summary
        5. References
      5. Chapter 5. Leveraging DHCP Weaknesses
        1. DHCP Overview
        2. Attacks Against DHCP
          1. DHCP Scope Exhaustion: DoS Attack Against DHCP
          2. Hijacking Traffic Using DHCP Rogue Servers
        3. Countermeasures to DHCP Exhaustion Attacks
          1. Port Security
          2. Introducing DHCP Snooping
        4. DHCP Snooping Against IP/MAC Spoofing Attacks
        5. Summary
        6. References
      6. Chapter 6. Exploiting IPv4 ARP
        1. Back to ARP Basics
          1. Normal ARP Behavior
          2. Gratuitous ARP
        2. Risk Analysis for ARP
        3. ARP Spoofing Attack
          1. Elements of an ARP Spoofing Attack
          2. Mounting an ARP Spoofing Attack
        4. Mitigating an ARP Spoofing Attack
          1. Dynamic ARP Inspection
          2. Protecting the Hosts
          3. Intrusion Detection
        5. Mitigating Other ARP Vulnerabilities
        6. Summary
        7. References
      7. Chapter 7. Exploiting IPv6 Neighbor Discovery and Router Advertisement
        1. Introduction to IPv6
          1. Motivation for IPv6
          2. What Does IPv6 Change?
          3. Neighbor Discovery
          4. Stateless Configuration with Router Advertisement
        2. Analyzing Risk for ND and Stateless Configuration
        3. Mitigating ND and RA Attacks
          1. In Hosts
          2. In Switches
        4. Here Comes Secure ND
          1. What Is SEND?
        5. Summary
        6. References
      8. Chapter 8. What About Power over Ethernet?
        1. Introduction to PoE
          1. How PoE Works
          2. Detection Mechanism
          3. Powering Mechanism
        2. Risk Analysis for PoE
          1. Types of Attacks
        3. Mitigating Attacks
          1. Defending Against Power Gobbling
          2. Defending Against Power-Changing Attacks
          3. Defending Against Shutdown Attacks
          4. Defending Against Burning Attacks
        4. Summary
        5. References
      9. Chapter 9. Is HSRP Resilient?
        1. HSRP Mechanics
          1. Digging into HSRP
        2. Attacking HSRP
          1. DoS Attack
          2. Man-in-the-Middle Attack
          3. Information Leakage
        3. Mitigating HSRP Attacks
          1. Using Strong Authentication
          2. Relying on Network Infrastructure
        4. Summary
        5. References
      10. Chapter 10. Can We Bring VRRP Down?
        1. Discovering VRRP
          1. Diving Deep into VRRP
        2. Risk Analysis for VRRP
        3. Mitigating VRRP Attacks
          1. Using Strong Authentication
          2. Relying on the Network Infrastructure
        4. Summary
        5. References
      11. Chapter 11. Information Leaks with Cisco Ancillary Protocols
        1. Cisco Discovery Protocol
          1. Diving Deep into CDP
          2. CDP Risk Analysis
          3. CDP Risk Mitigation
        2. IEEE Link Layer Discovery Protocol
        3. VLAN Trunking Protocol
          1. VTP Risk Analysis
          2. VTP Risk Mitigation
        4. Link Aggregation Protocols
          1. Risk Analysis
          2. Risk Mitigation
        5. Summary
        6. References
    16. Part II: How Can a Switch Sustain a Denial of Service Attack?
      1. Chapter 12. Introduction to Denial of Service Attacks
        1. How Does a DoS Attack Differ from a DDoS Attack?
        2. Initiating a DDoS Attack
          1. Zombie
          2. Botnet
        3. DoS and DDoS Attacks
          1. Attacking the Infrastructure
          2. Mitigating Attacks on Services
        4. Attacking LAN Switches Using DoS and DDoS Attacks
          1. Anatomy of a Switch
          2. Three Planes
          3. Attacking the Switch
        5. Summary
        6. Reference
      2. Chapter 13. Control Plane Policing
        1. Which Services Reside on the Control Plane?
        2. Securing the Control Plane on a Switch
        3. Implementing Hardware-Based CoPP
          1. Configuring Hardware-Based CoPP on the Catalyst 6500
          2. Configuring Control Plane Security on the Cisco ME3400
        4. Implementing Software-Based CoPP
          1. Configuring Software-Based CoPP
        5. Mitigating Attacks Using CoPP
          1. Mitigating Attacks on the Catalyst 6500 Switch
          2. Mitigating Attacks on Cisco ME3400 Series Switches
        6. Summary
        7. References
      3. Chapter 14. Disabling Control Plane Protocols
        1. Configuring Switches Without Control Plane Protocols
          1. Safely Disabling Control Plane Activities
          2. Disabling Other Control Plane Activities
          3. Control Plane Activities That Cannot Be Disabled
          4. Best Practices for Control Plane
        2. Summary
      4. Chapter 15. Using Switches to Detect a Data Plane DoS
        1. Detecting DoS with NetFlow
          1. Enabling NetFlow on a Catalyst 6500
          2. NetFlow as a Security Tool
          3. Increasing Security with NetFlow Applications
        2. Securing Networks with RMON
        3. Other Techniques That Detect Active Worms
        4. Summary
        5. References
    17. Part III: Using Switches to Augment the Network Security
      1. Chapter 16. Wire Speed Access Control Lists
        1. ACLs or Firewalls?
        2. State or No State?
        3. Protecting the Infrastructure Using ACLs
        4. RACL, VACL, and PACL: Many Types of ACLs
          1. Working with RACL
          2. Working with VACL
          3. Working with PACL
        5. Technology Behind Fast ACL Lookups
          1. Exploring TCAM
        6. Summary
      2. Chapter 17. Identity-Based Networking Services with 802.1X
        1. Foundation
        2. Basic Identity Concepts
          1. Identification
          2. Authentication
          3. Authorization
        3. Discovering Extensible Authentication Protocol
        4. Exploring IEEE 802.1X
        5. 802.1X Security
          1. Integration Value-Add of 802.1X
          2. Keeping Insiders Honest
        6. Working with Multiple Devices
          1. Single-Auth Mode
          2. Multihost Mode
        7. Working with Devices Incapable of 802.1X
          1. 802.1X Guest-VLAN
          2. MAC Authentication Primer
          3. MAB Operation
        8. Policy Enforcement
          1. VLAN Assignment
        9. Summary
        10. References
    18. Part IV: What Is Next in LAN Security?
      1. Chapter 18. IEEE 802.1AE
        1. Enterprise Trends and Challenges
        2. Matters of Trust
          1. Data Plane Traffic
          2. Control Plane Traffic
          3. Management Traffic
        3. Road to Encryption: Brief History of WANs and WLANs
        4. Why Not Layer 2?
        5. Link Layer Security: IEEE 802.1AE/af
          1. Current State: Authentication with 802.1X
          2. LinkSec: Extends 802.1X
          3. Authentication and Key Distribution
          4. Data Confidentiality and Integrity
          5. Frame Format
          6. Encryption Modes
        6. Security Landscape: LinkSec’s Coexistence with Other Security Technologies
        7. Performance and Scalability
        8. End-to-End Versus Hop-by-Hop LAN-Based Cryptographic Protection
        9. Summary
        10. References
    19. Appendix. Combining IPsec with L2TPv3 for Secure Pseudowire
      1. Architecture
        1. Caveats
      2. Configuration
        1. Pseudowires
        2. Xconnect
        3. IPsec Crypto Maps
        4. IKE Authentication
        5. Debugging Information
    20. Index
    21. Code Snippets

    Product information

    • Title: LAN Switch Security: What Hackers Know About Your Switches
    • Author(s): Eric Vyncke - CCIE No. 2659, Christopher Paggen - CCIE No. 2659
    • Release date: September 2007
    • Publisher(s): Cisco Press
    • ISBN: 9781587052569