larger cover

Add To My Wish List

Register your product to gain access to bonus material or receive a coupon.

LAN Switch Security: What Hackers Know About Your Switches

eBook (Watermarked)

  • Your Price: $44.79
  • List Price: $55.99
  • Includes EPUB, MOBI, and PDF
  • About eBook Formats
  • This eBook includes the following formats, accessible from your Account page after purchase:

    ePub EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    MOBI MOBI The eBook format compatible with the Amazon Kindle and Amazon Kindle applications.

    Adobe Reader PDF The popular standard, used most often with the free Adobe® Reader® software.

    This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

  • Description
  • Sample Content
  • Updates
  • Copyright 2008
  • Dimensions: 7-3/8" x 9-1/8"
  • Edition: 1st
  • eBook (Watermarked)
  • ISBN-10: 0-13-343343-9
  • ISBN-13: 978-0-13-343343-2

LAN Switch Security: What Hackers Know About Your Switches


A practical guide to hardening Layer 2 devices and stopping campus network attacks


Eric Vyncke

Christopher Paggen, CCIE® No. 2659


Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Cisco® Discovery Protocol [CDP], and so on) and data plane protocols, such as Address Routing Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches. Further, this book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. This book also includes a section on how to use an Ethernet switch to increase the security of a network and prevent future attacks.


Divided into four parts, LAN Switch Security provides you with steps you can take to ensure the integrity of both voice and data traffic traveling over Layer 2 devices. Part I covers vulnerabilities in Layer 2 protocols and how to configure switches to prevent attacks against those vulnerabilities. Part II addresses denial-of-service (DoS) attacks on an Ethernet switch and shows how those attacks can be mitigated. Part III shows how a switch can actually augment the security of a network through the utilization of wirespeed access control list (ACL) processing and IEEE 802.1x for user authentication and authorization. Part IV examines future developments from the LinkSec working group at the IEEE. For all parts, most of the content is vendor independent and is useful for all network architects deploying Ethernet switches.


After reading this book, you will have an in-depth understanding of LAN security and be prepared to plug the security holes that exist in a great number of campus networks.


Eric Vyncke has a master’s degree in computer science engineering from the University of Liège in Belgium. Since 1997, Eric has worked as a Distinguished Consulting Engineer for Cisco, where he is a technical consultant for security covering Europe. His area of expertise for 20 years has been mainly security from Layer 2 to applications. He is also guest professor at Belgian universities for security seminars.


Christopher Paggen, CCIE® No. 2659, obtained a degree in computer science from IESSL in Liège (Belgium) and a master’s degree in economics from University of Mons-Hainaut (UMH) in Belgium. He has been with Cisco since 1996 where he has held various positions in the fields of LAN switching and security, either as pre-sales support, post-sales support, network design engineer, or technical advisor to various engineering teams. Christopher is a frequent speaker at events, such as Networkers, and has filed several U.S. patents in the security area.


Contributing Authors:

Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco.

Steinthor Bjarnason is a consulting engineer for Cisco.

Ken Hook is a switch security solution manager for Cisco.

Rajesh Bhandari is a technical leader and a network security solutions architect for Cisco.


  • Use port security to protect against CAM attacks

  • Prevent spanning-tree attacks

  • Isolate VLANs with proper configuration techniques

  • Protect against rogue DHCP servers

  • Block ARP snooping

  • Prevent IPv6 neighbor discovery and router solicitation exploitation

  • Identify Power over Ethernet vulnerabilities

  • Mitigate risks from HSRP and VRPP

  • Stop information leaks with CDP, PaGP, VTP, CGMP and other Cisco ancillary protocols

  • Understand and prevent DoS attacks against switches

  • Enforce simple wirespeed security policies with ACLs

  • Implement user authentication on a port base with IEEE 802.1x

  • Use new IEEE protocols to encrypt all Ethernet frames at wirespeed.


This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.


Category: Cisco Press–Security

Covers: Ethernet Switch Security


Table of Contents

Contents

Introduction xix

Part I

Vulnerabilities and Mitigation Techniques 3

Chapter 1

Introduction to Security 5

Security Triad 5

Confidentiality 6

Integrity 7

Availability 8

Reverse Security Triad 8

Risk Management 8

Risk Analysis 9

Risk Control 10

Access Control and Identity Management 10

Cryptography 11

Symmetric Cryptosystems 13

Symmetric Encryption 13

Hashing Functions 13

Hash Message Authentication Code 14

Asymmetric Cryptosystems 15

Confidentiality with Asymmetric Cryptosystems 16

Integrity and Authentication with Asymmetric Cryptosystems 17

Key Distribution and Certificates 18

Attacks Against Cryptosystems 19

Summary 21

References 21

Chapter 2

Defeating a Learning Bridge’s Forwarding Process 23

Back to Basics: Ethernet Switching 101 23

Ethernet Frame Formats 23

Learning Bridge 24

Consequences of Excessive Flooding 26

Exploiting the Bridging Table: MAC Flooding Attacks 27

Forcing an Excessive Flooding Condition 28

Introducing the macof Tool 30

MAC Flooding Alternative: MAC Spoofing Attacks 34

Not Just Theory 35

Preventing MAC Flooding and Spoofing Attacks 36

Detecting MAC Activity 36

Port Security 37

Unknown Unicast Flooding Protection 39

Summary 40

References 41

Chapter 3

Attacking the Spanning Tree Protocol 43

Introducing Spanning Tree Protocol 43

Types of STP 46

Understanding 802.1D and 802.1Q Common STP 46

Understanding 802.1w Rapid STP 46

Understanding 802.1s Multiple STP 47

STP Operation: More Details 47

Let the Games Begin! 53

Attack 1: Taking Over the Root Bridge 55

Root Guard 58

BPDU-Guard 58

Attack 2: DoS Using a Flood of Config BPDUs 60

BPDU-Guard 62

BPDU Filtering 62

Layer 2 PDU Rate Limiter 63

Attack 3: DoS Using a Flood of Config BPDUs 63

Attack 4: Simulating a Dual-Homed Switch 63

Summary 64

References 65

Chapter 4

Are VLANS Safe? 67

IEEE 802.1Q Overview 67

Frame Classification 68

Go Native 69

Attack of the 802.1Q Tag Stack 71

Understanding Cisco Dynamic Trunking Protocol 76

Crafting a DTP Attack 76

Countermeasures to DTP Attacks 80

Understanding Cisco VTP 80

VTP Vulnerabilities 81

Summary 82

References 82

Chapter 5

Leveraging DHCP Weaknesses 85

DHCP Overview 85

Attacks Against DHCP 89

DHCP Scope Exhaustion: DoS Attack Against DHCP 89

Yensinia 89

Gobbler 90

Hijacking Traffic Using DHCP Rogue Servers 92

Countermeasures to DHCP Exhaustion Attacks 93

Port Security 94

Introducing DHCP Snooping 96

Rate-Limiting DHCP Messages per Port 97

DHCP Message Validation 97

DHCP Snooping with Option 82 99

Tips for Deploying DHCP Snooping 99

Tips for Switches That Do Not Support DHCP Snooping 100

DHCP Snooping Against IP/MAC Spoofing Attacks 100

Summary 103

References 103

Chapter 6

Exploiting IPv4 ARP 105

Back to ARP Basics 105

Normal ARP Behavior 105

Gratuitous ARP 107

Risk Analysis for ARP 108

ARP Spoofing Attack 108

Elements of an ARP Spoofing Attack 109

Mounting an ARP Spoofing Attack 111

Mitigating an ARP Spoofing Attack 112

Dynamic ARP Inspection 112

DAI in Cisco IOS 112

DAI in CatOS 115

Protecting the Hosts 115

Intrusion Detection 116

Mitigating Other ARP Vulnerabilities 117

Summary 118

References 118

Chapter 7

Exploiting IPv6 Neighbor Discovery and Router Advertisement 121

Introduction to IPv6 121

Motivation for IPv6 121

What Does IPv6 Change? 122

Neighbor Discovery 126

Stateless Configuration with Router Advertisement 127

Analyzing Risk for ND and Stateless Configuration 129

Mitigating ND and RA Attacks 130

In Hosts 130

In Switches 130

Here Comes Secure ND 131

What Is SEND? 131

Implementation 133

Challenges 133

Summary 133

References 133

Chapter 8

What About Power over Ethernet? 135

Introduction to PoE 135

How PoE Works 136

Detection Mechanism 136

Powering Mechanism 138

Risk Analysis for PoE 139

Types of Attacks 139

Mitigating Attacks 140

Defending Against Power Gobbling 140

Defending Against Power-Changing Attacks 141

Defending Against Shutdown Attacks 141

Defending Against Burning Attacks 142

Summary 143

References 143

Chapter 9

Is HSRP Resilient? 145

HSRP Mechanics 145

Digging into HSRP 147

Attacking HSRP 148

DoS Attack 149

Man-in-the-Middle Attack 150

Information Leakage 151

Mitigating HSRP Attacks 151

Using Strong Authentication 151

Relying on Network Infrastructure 153

Summary 155

References 155

Chapter 10

Can We Bring VRRP Down? 157

Discovering VRRP 157

Diving Deep into VRRP 159

Risk Analysis for VRRP 161

Mitigating VRRP Attacks 161

Using Strong Authentication 162

Relying on the Network Infrastructure 162

Summary 163

References 163

Chapter 11

Information Leaks with Cisco Ancillary Protocols 165

Cisco Discovery Protocol 165

Diving Deep into CDP 165

CDP Risk Analysis 167

CDP Risk Mitigation 169

IEEE Link Layer Discovery Protocol 169

VLAN Trunking Protocol 170

VTP Risk Analysis 172

VTP Risk Mitigation 173

Link Aggregation Protocols 174

Risk Analysis 176

Risk Mitigation 177

Summary 178

References 178

Part II

How Can a Switch Sustain a Denial of Service Attack? 181

Chapter 12

Introduction to Denial of Service Attacks 183

How Does a DoS Attack Differ from a DDoS Attack? 183

Initiating a DDoS Attack 184

Zombie 184

Botnet 185

DoS and DDoS Attacks 186

Attacking the Infrastructure 186

Common Flooding Attacks 187

Mitigating Attacks on Services 187

Attacking LAN Switches Using DoS and DDoS Attacks 188

Anatomy of a Switch 188

Three Planes 189

Data Plane 189

Control Plane 190

Management Plane 190

Attacking the Switch 190

Data Plane Attacks 192

Control Plane Attacks 192

Management Plane Attacks 193

Switch Architecture Attacks 193

Summary 194

Reference 194

Chapter 13

Control Plane Policing 197

Which Services Reside on the Control Plane? 198

Securing the Control Plane on a Switch 198

Implementing Hardware-Based CoPP 200

Configuring Hardware-Based CoPP on the Catalyst 6500 200

Hardware Rate Limiters 201

Hardware-Based CoPP 203

Configuring Control Plane Security on the Cisco ME3400 203

Implementing Software-Based CoPP 206

Configuring Software-Based CoPP 207

Mitigating Attacks Using CoPP 211

Mitigating Attacks on the Catalyst 6500 Switch 211

Telnet Flooding Without CoPP 211

Telnet Flooding with CoPP 212

TTL Expiry Attack 215

Mitigating Attacks on Cisco ME3400 Series Switches 218

CDP Flooding 218

CDP Flooding with L2TP Tunneling 219

Summary 222

References 222

Chapter 14

Disabling Control Plane Protocols 225

Configuring Switches Without Control Plane Protocols 225

Safely Disabling Control Plane Activities 227

Disabling STP 227

Disabling Link Aggregation Protocols 228

Disabling VTP 228

Disabling DTP 228

Disabling Hot Standby Routing Protocol and Virtual Routing Redundancy

Protocol 228

Disabling Management Protocols and Routing Protocols 229

Using an ACL 230

Disabling Other Control Plane Activities 232

Generating ICMP Messages 232

Controlling CDP, IPv6, and IEEE 802.1X 233

Using Smartports Macros 234

Control Plane Activities That Cannot Be Disabled 235

Best Practices for Control Plane 236

Summary 236

Chapter 15

Using Switches to Detect a Data Plane DoS 239

Detecting DoS with NetFlow 239

Enabling NetFlow on a Catalyst 6500 244

NetFlow as a Security Tool 246

Increasing Security with NetFlow Applications 247

Securing Networks with RMON 249

Other Techniques That Detect Active Worms 252

Summary 255

References 255

Part III

Using Switches to Augment the Network Security 257

Chapter 16

Wire Speed Access Control Lists 259

ACLs or Firewalls? 260

State or No State? 261

Protecting the Infrastructure Using ACLs 261

RACL, VACL, and PACL: Many Types of ACLs 263

Working with RACL 264

Working with VACL 265

Working with PACL 267

Technology Behind Fast ACL Lookups 267

Exploring TCAM 268

Summary 270

Chapter 17

Identity-Based Networking Services with 802.1X 273

Foundation 273

Basic Identity Concepts 274

Identification 274

Authentication 274

Authorization 275

Discovering Extensible Authentication Protocol 275

Exploring IEEE 802.1X 277

802.1X Security 279

Integration Value-Add of 802.1X 281

Spanning-Tree Considerations 281

Trunking Considerations 283

Information Leaks 283

Keeping Insiders Honest 285

Port-Security Integration 285

DHCP-Snooping Integration 286

Address Resolution Protocol Inspection Integration 286

Putting It Together 287

Working with Multiple Devices 288

Single-Auth Mode 288

Multihost Mode 289

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@ciscopress.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.ciscopress.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020