book

LAN Switch Security: What Hackers Know About Your Switches

Name: LAN Switch Security: What Hackers Know About Your Switches
ISBN: 9781587052569

by Eric Vyncke - CCIE No. 2659, Christopher Paggen - CCIE No. 2659

September 2007

Intermediate to advanced

360 pages

9h 30m

English

Cisco Press

Read now

Unlock full access

About This eBook
Title Page
Copyright Page
About the Authors
About the Contributing Authors
About the Technical Reviewers
Dedications
Acknowledgments
This Book Is Safari Enabled
Contents at a Glance

Contents
Icons Used in This Book
Command Syntax Conventions
Introduction
Goals and MethodsWho Should Read This Book?How This Book Is OrganizedReference
Part I: Vulnerabilities and Mitigation Techniques
Chapter 1. Introduction to Security
Security TriadConfidentialityIntegrityAvailabilityReverse Security TriadRisk ManagementRisk AnalysisRisk ControlAccess Control and Identity ManagementCryptographySymmetric CryptosystemsAsymmetric CryptosystemsAttacks Against CryptosystemsSummaryReferences
Chapter 2. Defeating a Learning Bridge’s Forwarding Process
Back to Basics: Ethernet Switching 101Ethernet Frame FormatsLearning BridgeConsequences of Excessive FloodingExploiting the Bridging Table: MAC Flooding AttacksForcing an Excessive Flooding ConditionIntroducing the macof ToolMAC Flooding Alternative: MAC Spoofing AttacksNot Just TheoryPreventing MAC Flooding and Spoofing AttacksDetecting MAC ActivityPort SecurityUnknown Unicast Flooding ProtectionSummaryReferences
Chapter 3. Attacking the Spanning Tree Protocol
Introducing Spanning Tree ProtocolTypes of STPSTP Operation: More DetailsLet the Games Begin!Attack 1: Taking Over the Root BridgeAttack 2: DoS Using a Flood of Config BPDUsAttack 3: DoS Using a Flood of Config BPDUsAttack 4: Simulating a Dual-Homed SwitchSummaryReferences
Chapter 4. Are VLANS Safe?
IEEE 802.1Q OverviewFrame ClassificationGo NativeAttack of the 802.1Q Tag StackUnderstanding Cisco Dynamic Trunking ProtocolUnderstanding Cisco VTPSummaryReferences
Chapter 5. Leveraging DHCP Weaknesses
DHCP OverviewAttacks Against DHCPDHCP Scope Exhaustion: DoS Attack Against DHCPHijacking Traffic Using DHCP Rogue ServersCountermeasures to DHCP Exhaustion AttacksPort SecurityIntroducing DHCP SnoopingDHCP Snooping Against IP/MAC Spoofing AttacksSummaryReferences
Chapter 6. Exploiting IPv4 ARP
Back to ARP BasicsNormal ARP BehaviorGratuitous ARPRisk Analysis for ARPARP Spoofing AttackElements of an ARP Spoofing AttackMounting an ARP Spoofing AttackMitigating an ARP Spoofing AttackDynamic ARP InspectionProtecting the HostsIntrusion DetectionMitigating Other ARP VulnerabilitiesSummaryReferences
Chapter 7. Exploiting IPv6 Neighbor Discovery and Router Advertisement
Introduction to IPv6Motivation for IPv6What Does IPv6 Change?Neighbor DiscoveryStateless Configuration with Router AdvertisementAnalyzing Risk for ND and Stateless ConfigurationMitigating ND and RA AttacksIn HostsIn SwitchesHere Comes Secure NDWhat Is SEND?SummaryReferences
Chapter 8. What About Power over Ethernet?
Introduction to PoEHow PoE WorksDetection MechanismPowering MechanismRisk Analysis for PoETypes of AttacksMitigating AttacksDefending Against Power GobblingDefending Against Power-Changing AttacksDefending Against Shutdown AttacksDefending Against Burning AttacksSummaryReferences
Chapter 9. Is HSRP Resilient?
HSRP MechanicsDigging into HSRPAttacking HSRPDoS AttackMan-in-the-Middle AttackInformation LeakageMitigating HSRP AttacksUsing Strong AuthenticationRelying on Network InfrastructureSummaryReferences
Chapter 10. Can We Bring VRRP Down?
Discovering VRRPDiving Deep into VRRPRisk Analysis for VRRPMitigating VRRP AttacksUsing Strong AuthenticationRelying on the Network InfrastructureSummaryReferences
Chapter 11. Information Leaks with Cisco Ancillary Protocols
Cisco Discovery ProtocolDiving Deep into CDPCDP Risk AnalysisCDP Risk MitigationIEEE Link Layer Discovery ProtocolVLAN Trunking ProtocolVTP Risk AnalysisVTP Risk MitigationLink Aggregation ProtocolsRisk AnalysisRisk MitigationSummaryReferences
Part II: How Can a Switch Sustain a Denial of Service Attack?
Chapter 12. Introduction to Denial of Service Attacks
How Does a DoS Attack Differ from a DDoS Attack?Initiating a DDoS AttackZombieBotnetDoS and DDoS AttacksAttacking the InfrastructureMitigating Attacks on ServicesAttacking LAN Switches Using DoS and DDoS AttacksAnatomy of a SwitchThree PlanesAttacking the SwitchSummaryReference
Chapter 13. Control Plane Policing
Which Services Reside on the Control Plane?Securing the Control Plane on a SwitchImplementing Hardware-Based CoPPConfiguring Hardware-Based CoPP on the Catalyst 6500Configuring Control Plane Security on the Cisco ME3400Implementing Software-Based CoPPConfiguring Software-Based CoPPMitigating Attacks Using CoPPMitigating Attacks on the Catalyst 6500 SwitchMitigating Attacks on Cisco ME3400 Series SwitchesSummaryReferences
Chapter 14. Disabling Control Plane Protocols
Configuring Switches Without Control Plane ProtocolsSafely Disabling Control Plane ActivitiesDisabling Other Control Plane ActivitiesControl Plane Activities That Cannot Be DisabledBest Practices for Control PlaneSummary
Chapter 15. Using Switches to Detect a Data Plane DoS
Detecting DoS with NetFlowEnabling NetFlow on a Catalyst 6500NetFlow as a Security ToolIncreasing Security with NetFlow ApplicationsSecuring Networks with RMONOther Techniques That Detect Active WormsSummaryReferences
Part III: Using Switches to Augment the Network Security
Chapter 16. Wire Speed Access Control Lists
ACLs or Firewalls?State or No State?Protecting the Infrastructure Using ACLsRACL, VACL, and PACL: Many Types of ACLsWorking with RACLWorking with VACLWorking with PACLTechnology Behind Fast ACL LookupsExploring TCAMSummary
Chapter 17. Identity-Based Networking Services with 802.1X
FoundationBasic Identity ConceptsIdentificationAuthenticationAuthorizationDiscovering Extensible Authentication ProtocolExploring IEEE 802.1X802.1X SecurityIntegration Value-Add of 802.1XKeeping Insiders HonestWorking with Multiple DevicesSingle-Auth ModeMultihost ModeWorking with Devices Incapable of 802.1X802.1X Guest-VLANMAC Authentication PrimerMAB OperationPolicy EnforcementVLAN AssignmentSummaryReferences
Part IV: What Is Next in LAN Security?
Chapter 18. IEEE 802.1AE
Enterprise Trends and ChallengesMatters of TrustData Plane TrafficControl Plane TrafficManagement TrafficRoad to Encryption: Brief History of WANs and WLANsWhy Not Layer 2?Link Layer Security: IEEE 802.1AE/afCurrent State: Authentication with 802.1XLinkSec: Extends 802.1XAuthentication and Key DistributionData Confidentiality and IntegrityFrame FormatEncryption ModesSecurity Landscape: LinkSec’s Coexistence with Other Security TechnologiesPerformance and ScalabilityEnd-to-End Versus Hop-by-Hop LAN-Based Cryptographic ProtectionSummaryReferences
Appendix. Combining IPsec with L2TPv3 for Secure Pseudowire
ArchitectureCaveatsConfigurationPseudowiresXconnectIPsec Crypto MapsIKE AuthenticationDebugging Information
Index
Code Snippets

Content preview from LAN Switch Security: What Hackers Know About Your Switches

Appendix. Combining IPsec with L2TPv3 for Secure Pseudowire

As described in Chapter 18, “IEEE 802.1AE,” IEEE 802.1AE protects all Layer 2 traffic with encryption and authentication. Not all existing switches support IEEE 802.1AE; therefore, in the short term, an alternative solution might be attractive. This solution relies on IPsec for the security features. Although IPsec is convenient and suitable to protect IP traffic, it sometimes requires you to also protect all Layer 2 communication between two sites, such as spanning a LAN over a confidential tunnel. IPsec alone cannot fulfill this requirement because it is only applicable to IP traffic.

This appendix describes how two Cisco IOS features (IPsec and Layer 2 Tunnel Protocol version 3 [L2TPv3] ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Router Security Strategies: Securing IP Network Traffic Planes

Gregg Schudel - CCIE No. 9591, David J. Smith - CCIE No. 1986

Integrated Security Technologies and Solutions - Volume I: Cisco Security Solutions for Advanced Threat Protection with Next Generation Firewall, Intrusion Prevention, AMP, and Content Security, First edition

Aaron Woland, Vivek Santuka, Mason Harris, Jamie Sanbower

Integrated Security Technologies and Solutions - Volume II: Cisco Security Solutions for Network Access Control, Segmentation, Context Sharing, Secure Connectivity and Virtualization

Chad Mitchell, Jamie Sanbower, Aaron Woland, Vivek Santuka

Network Your Computers & Devices Step by Step

Ciprian Adrian Rusen and 7 Tutorials

Publisher Resources

ISBN: 9781587052569Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

LAN Switch Security: What Hackers Know About Your Switches

by Eric Vyncke - CCIE No. 2659, Christopher Paggen - CCIE No. 2659

Appendix. Combining IPsec with L2TPv3 for Secure Pseudowire

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.