LAN Switch Security: What Hackers Know About Your Switches
A practical guide to hardening Layer 2 devices and stopping campus network attacks
Christopher Paggen, CCIE® No. 2659
Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Cisco® Discovery Protocol [CDP], and so on) and data plane protocols, such as Address Routing Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches. Further, this book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. This book also includes a section on how to use an Ethernet switch to increase the security of a network and prevent future attacks.
Divided into four parts, LAN Switch Security provides you with steps you can take to ensure the integrity of both voice and data traffic traveling over Layer 2 devices. Part I covers vulnerabilities in Layer 2 protocols and how to configure switches to prevent attacks against those vulnerabilities. Part II addresses denial-of-service (DoS) attacks on an Ethernet switch and shows how those attacks can be mitigated. Part III shows how a switch can actually augment the security of a network through the utilization of wirespeed access control list (ACL) processing and IEEE 802.1x for user authentication and authorization. Part IV examines future developments from the LinkSec working group at the IEEE. For all parts, most of the content is vendor independent and is useful for all network architects deploying Ethernet switches.
After reading this book, you will have an in-depth understanding of LAN security and be prepared to plug the security holes that exist in a great number of campus networks.
Eric Vyncke has a master’s degree in computer science engineering from the University of Liège in Belgium. Since 1997, Eric has worked as a Distinguished Consulting Engineer for Cisco, where he is a technical consultant for security covering Europe. His area of expertise for 20 years has been mainly security from Layer 2 to applications. He is also guest professor at Belgian universities for security seminars.
Christopher Paggen, CCIE® No. 2659, obtained a degree in computer science from IESSL in Liège (Belgium) and a master’s degree in economics from University of Mons-Hainaut (UMH) in Belgium. He has been with Cisco since 1996 where he has held various positions in the fields of LAN switching and security, either as pre-sales support, post-sales support, network design engineer, or technical advisor to various engineering teams. Christopher is a frequent speaker at events, such as Networkers, and has filed several U.S. patents in the security area.
Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco.
Steinthor Bjarnason is a consulting engineer for Cisco.
Ken Hook is a switch security solution manager for Cisco.
Rajesh Bhandari is a technical leader and a network security solutions architect for Cisco.
Use port security to protect against CAM attacks
Prevent spanning-tree attacks
Isolate VLANs with proper configuration techniques
Protect against rogue DHCP servers
Block ARP snooping
Prevent IPv6 neighbor discovery and router solicitation exploitation
Identify Power over Ethernet vulnerabilities
Mitigate risks from HSRP and VRPP
Stop information leaks with CDP, PaGP, VTP, CGMP and other Cisco ancillary protocols
Understand and prevent DoS attacks against switches
Enforce simple wirespeed security policies with ACLs
Implement user authentication on a port base with IEEE 802.1x
Use new IEEE protocols to encrypt all Ethernet frames at wirespeed.
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Category: Cisco Press–Security
Covers: Ethernet Switch Security
Table of Contents
- About the Authors
- About the Technical Reviewers
- Icons Used in This Book
- Command Syntax Conventions
I. Vulnerabilities and Mitigation Techniques
1. Introduction to Security
- Security Triad
- Risk Management
- Access Control and Identity Management
2. Defeating a Learning Bridge’s Forwarding Process
- Back to Basics: Ethernet Switching 101
- Exploiting the Bridging Table: MAC Flooding Attacks
- MAC Flooding Alternative: MAC Spoofing Attacks
- Preventing MAC Flooding and Spoofing Attacks
3. Attacking the Spanning Tree Protocol
- Introducing Spanning Tree Protocol
- Let the Games Begin!
- 4. Are VLANS Safe?
5. Leveraging DHCP Weaknesses
- DHCP Overview
- Attacks Against DHCP
- Countermeasures to DHCP Exhaustion Attacks
- DHCP Snooping Against IP/MAC Spoofing Attacks
6. Exploiting IPv4 ARP
- Back to ARP Basics
- Risk Analysis for ARP
- ARP Spoofing Attack
- Mitigating an ARP Spoofing Attack
- Mitigating Other ARP Vulnerabilities
7. Exploiting IPv6 Neighbor Discovery and Router Advertisement
- Introduction to IPv6
- Analyzing Risk for ND and Stateless Configuration
- Mitigating ND and RA Attacks
- Here Comes Secure ND
- 8. What About Power over Ethernet?
- 9. Is HSRP Resilient?
- 10. Can We Bring VRRP Down?
- 11. Information Leaks with Cisco Ancillary Protocols
- 1. Introduction to Security
II. How Can a Switch Sustain a Denial of Service Attack?
12. Introduction to Denial of Service Attacks
- How Does a DoS Attack Differ from a DDoS Attack?
- Initiating a DDoS Attack
- DoS and DDoS Attacks
- Attacking LAN Switches Using DoS and DDoS Attacks
13. Control Plane Policing
- Which Services Reside on the Control Plane?
- Securing the Control Plane on a Switch
- Implementing Hardware-Based CoPP
- Implementing Software-Based CoPP
- Mitigating Attacks Using CoPP
14. Disabling Control Plane Protocols
Configuring Switches Without Control Plane Protocols
- Safely Disabling Control Plane Activities
- Disabling Other Control Plane Activities
- Control Plane Activities That Cannot Be Disabled
- Best Practices for Control Plane
- Configuring Switches Without Control Plane Protocols
- 15. Using Switches to Detect a Data Plane DoS
- 12. Introduction to Denial of Service Attacks
III. Using Switches to Augment the Network Security
- 16. Wire Speed Access Control Lists
17. Identity-Based Networking Services with 802.1X
- Basic Identity Concepts
- Discovering Extensible Authentication Protocol
- Exploring IEEE 802.1X
- 802.1X Security
- Working with Multiple Devices
- Working with Devices Incapable of 802.1X
- Policy Enforcement
IV. What Is Next in LAN Security?
18. IEEE 802.1AE
- Enterprise Trends and Challenges
- Matters of Trust
- Road to Encryption: Brief History of WANs and WLANs
- Why Not Layer 2?
- Link Layer Security: IEEE 802.1AE/af
- Security Landscape: LinkSec’s Coexistence with Other Security Technologies
- Performance and Scalability
- End-to-End Versus Hop-by-Hop LAN-Based Cryptographic Protection
- 18. IEEE 802.1AE
- Combining IPsec with L2TPv3 for Secure Pseudowire
- Title: LAN Switch Security: What Hackers Know About Your Switches
- Release date: September 2007
- Publisher(s): Cisco Press
- ISBN: 9781587052569