LAN Switch Security What Hackers Know About Your Switches

by ;
  • ISBN13:


  • ISBN10:


  • Edition: 1st
  • Format: Paperback
  • Copyright: 2007-09-06
  • Publisher: Cisco Press
  • Purchase Benefits
  • Free Shipping On Orders Over $35!
    Your order must be $35 or more to qualify for free economy shipping. Bulk sales, PO's, Marketplace items, eBooks and apparel do not qualify for this offer.
  • Get Rewarded for Ordering Your Textbooks! Enroll Now
List Price: $69.99 Save up to $2.80
  • eBook
    Add to Cart


Supplemental Materials

What is included with this book?

  • The eBook copy of this book is not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.


LAN Switch Security: What Hackers Know About Your Switches A practical guide to hardening Layer 2 devices and stopping campus network attacks Eric Vyncke Christopher Paggen, CCIEreg; No. 2659 Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Ciscoreg; Discovery Protocol [CDP], and so on) and data plane protocols, such as Address Routing Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches. Further, this book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. This book also includes a section on how to use an Ethernet switch to increase the security of a network and prevent future attacks. Divided into four parts, LAN Switch Security provides you with steps you can take to ensure the integrity of both voice and data traffic traveling over Layer 2 devices. Part I covers vulnerabilities in Layer 2 protocols and how to configure switches to prevent attacks against those vulnerabilities. Part II addresses denial-of-service (DoS) attacks on an Ethernet switch and shows how those attacks can be mitigated. Part III shows how a switch can actually augment the security of a network through the utilization of wirespeed access control list (ACL) processing and IEEE 802.1x for user authentication and authorization. Part IV examines future developments from the LinkSec working group at the IEEE. For all parts, most of the content is vendor independent and is useful for all network architects deploying Ethernet switches. After reading this book, you will have an in-depth understanding of LAN security and be prepared to plug the security holes that exist in a great number of campus networks. Eric Vyncke has a masterrs"s degree in computer science engineering from the University of Liegrave;ge in Belgium. Since 1997, Eric has worked as a Distinguished Consulting Engineer for Cisco, where he is a technical consultant for security covering Europe. His area of expertise for 20 years has been mainly security from Layer 2 to applications. He is also guest professor at Belgian universities for security seminars. Christopher Paggen, CCIEreg; No. 2659, obtained a degree in computer science from IESSL in Liegrave;ge (Belgium) and a masterrs"s degree in economics from University of Mons-Hainaut (UMH) in Belgium. He has been with Cisco since 1996 where he has held various positions in the fields of LAN switching and security, either as pre-sales support, post-sales support, network design engineer, or technical advisor to various engineering teams. Christopher is a frequent speaker at events, such as Networkers, and has filed several U.S. patents in the security area. Contributing Authors: Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco. Steinthor Bjarnason is a consulting engineer for Cisco. Ken Hook is a switch security solution manager for Cisco. Rajesh Bhandari is a technical leader and a network security solutions architect for Cisco. Use port security to protect a

Author Biography


Eric Vyncke has a master’s degree in computer science engineering from the University of Liège in Belgium. He

worked as a research assistant in the same university before joining Network Research Belgium. At Network

Research Belgium, he was the head of R&D. He then joined Siemens as a project manager for security projects,

including a proxy firewall. Since 1997, he has worked as a distinguished consulting engineer for Cisco as a technical

consultant for security covering Europe. For 20 years, Eric’s area of expertise has been security from Layer 2 to

the application layer. He is also a guest professor at some Belgian universities for security seminars. Eric is also a

frequent speaker at security events (such as Networkers at Cisco Live and RSA Conference).

Christopher Paggen joined Cisco in 1996 where he has held various positions gravitating around LAN switching

and security technologies. Lately, he has been in charge of defining product requirements for the company’s current

and future high-end firewalls. Christopher holds several U.S. patents, one of which pertains to Dynamic ARP

Inspection (DAI). As CCIE No. 2659, Christopher also owns a B.S. in computer science from HEMES (Belgium)

and went on to study economics at UMH (Belgium) for two more years.

Table of Contents

Introductionp. xix
Vulnerabilities and Mitigation Techniquesp. 3
Introduction to Securityp. 5
Security Triadv5
Confidentialityp. 6
Integrityp. 7
Availabilityp. 8
Reverse Security Triadp. 8
Risk Managementp. 8
Risk Analysisp. 9
Risk Controlp. 10
Access Control and Identity Managementp. 10
Cryptographyp. 11
Symmetric Cryptosystemsp. 13
Symmetric Encryptionp. 13
Hashing Functionsp. 13
Hash Message Authentication Codep. 14
Asymmetric Cryptosystemsp. 15
Confidentiality with Asymmetric Cryptosystemsp. 16
Integrity and Authentication with Asymmetric Cryptosystemsp. 17
Key Distribution and Certificatesp. 18
Attacks Against Cryptosystemsp. 19
Summaryp. 21
Referencesp. 21
Defeating a Learning Bridge??A???a????a??s Forwarding Processp. 23
Back to Basics: Ethernet Switchingp. 101
23 Ethernet Frame Formatsp. 23
Learning Bridgep. 24
Consequences of Excessive Floodingp. 26
Exploiting the Bridging Table: MAC Flooding Attacksp. 27
Forcing an Excessive Flooding Conditionp. 28
Introducing the macof Toolp. 30
MAC Flooding Alternative: MAC Spoofing Attacksp. 34
Not Just Theoryp. 35
Preventing MAC Flooding and Spoofing Attacksv36
Detecting MAC Activityp. 36
Port Securityp. 37
Unknown Unicast Flooding Protectionp. 39
Summaryp. 40
Referencesp. 41
Attacking the Spanning Tree Protocolp. 43
Introducing Spanning Tree Protocolp. 43
Types of STPp. 46
Understanding 802.1D and 802.1Q Common STPp. 46
Understanding 802.1w Rapid STPp. 46
Understanding 802.1s Multiple STPp. 47
STP Operation: More Detailsp. 47
Let the Games Begin!p. 53
Attack 1: Taking Over the Root Bridgep. 55
Root Guardp. 58
BPDU-Guardp. 58
Attack 2: DoS Using a Flood of Config BPDUsp. 60
BPDU-Guardp. 62
BPDU Filteringp. 62
Layer 2 PDU Rate Limiterp. 63
Attack 3: DoS Using a Flood of Config BPDUsp. 63
Attack 4: Simulating a Dual-Homed Switchp. 63
Summaryp. 64
Referencesp. 65
Are VLANS Safe?p. 67
IEEE 802.1Q Overviewp. 67
Frame Classificationp. 68
Go Nativep. 69
Attack of the 802.1Q Tag Stackp. 71
Understanding Cisco Dynamic Trunking Protocolp. 76
Crafting a DTP Attackp. 76
Countermeasures to DTP Attacksp. 80
Understanding Cisco VTP 80 VTP Vulnerabilitiesp. 81
Summaryp. 82
Referencesp. 82
Leveraging DHCP Weaknessesp. 85
DHCP Overviewp. 85
Attacks Against DHCPp. 89
DHCP Scope Exhaustion: DoS Attack Against DHCPp. 89
Yensiniap. 89
Gobblerp. 90
Hijacking Traffic Using DHCP Rogue Serversp. 92
Countermeasures to DHCP Exhaustion Attacksp. 93
Port Securityp. 94
Introducing DHCP Snoopingp. 96
Rate-Limiting DHCP Messages per Portp. 97
DHCP Message Validationp. 97
DHCP Snooping with Optionp. 82
99 Tips for Deploying DHCP Snoopingp. 99
Tips for Switches That Do Not Support DHCP Snoopingv100
DHCP Snooping Against IP/MAC Spoofing Attacksp. 100
Summaryp. 103
Referencesp. 103
Exploiting IPv4 ARPp. 105
Back to ARP Basicsp. 105
Normal ARP Behaviorp. 105
Gratuitous ARPp. 107
Risk Analysis for ARPp. 108
ARP Spoofing Attackp. 108
Elements of an ARP Spoofing Attackp. 109
Mounting an ARP Spoofing Attackp. 111
Mitigating an ARP Spoofing Attackp. 112
Dynamic ARP Inspectionp. 112
DAI in Cisco IOSp. 112
DAI in CatOSp. 115
Protecting the Hostsp. 115
Intrusion Detectionp. 116
Mitigating Other ARP Vulnerabilitiesp. 117
Summaryp. 118
Referencesp. 118
Exploiting IPv6 Neighbor Discovery and Router Advertisementp. 121
Introduction to IPv6p. 121
Motivation for IPv6p. 121
What Does IPv6 Change?p. 122 Ne
Table of Contents provided by Publisher. All Rights Reserved.


= 0) {slash = '\\';} else {slash = '/';}openLoc = figLoc.substring(0, figLoc.lastIndexOf(slash) + 1);while (pPage.substring(0,3) == '../') {openLoc = openLoc.substring(0, openLoc.lastIndexOf(slash, openLoc.length - 2)+ 1);pPage = pPage.substring(3, pPage.length + 1);}popUpWin =window.open('','popWin','resizable=1,scrollbars=1,location=0,toolbar=0,width=525,height=394');figDoc = popUpWin.document;zhtm= ' ' + pPage + ' ';zhtm += ' ';zhtm += ' ';zhtm += ' ';zhtm += '' + pPage.substring(pPage.lastIndexOf('/') + 1, pPage.length) + '';zhtm += ' ';figDoc.write(zhtm);figDoc.close();}// modified 3.1.99 RWE v4.1 --> LAN Switch Security LAN Switch Security What Hackers Know About Your Switches IntroductionLAN and Ethernet switches are usually considered as plumbing. They are easy to install and configure, but it is easy to forget about security when things appear to be simple.Multiple vulnerabilities exist in Ethernet switches. Attack tools to exploit them started to appear a couple of years ago (for example, the well-knowndsniffpackage). By using those attack tools, a hacker can defeat the security myth of a switch, which incorrectly states that sniffing and packet interception are impossible with a switch. Indeed, withdsniff,cain, and other user-friendly tools on a Microsoft Windows or Linux system, a hacker can easily divert any traffic to his own PC to break the confidentiality or the integrity of this traffic.Most vulnerabilities are inherent to the Layer 2 protocols, ranging from Spanning Tree Protocol to IPv6 neighbor discovery. If Layer 2 is compromised, it is easier to build attacks on upper-layers protocols by using techniques such as man-in-the-middle (MITM) attacks. Because a hacker can intercept any traffic, he can insert himself in clear-text communication (such as HTTP or Telnet) and in encrypted channels (such as Secure Socket Layer SSL or secure shell SSH).To exploit Layer 2 vulnerabilities, an attacker must usually be Layer 2 adjacent to the target. Although it seems impossible for an external hacker to connect to a company LAN, it is not. Indeed, a hacker can use social engineering to gain access to the premises, or he can pretend to be an engineer called on site to fix a mechanical problem.Also, many attacks are run by an insider, such as an onsite employee. Traditionally, there has been an unwritten and, in some cases, written rule that employees are trusted entities. However, over the past decade, numerous cases and statistics prove that this assumption is false. The CSI/FBI 2006 Computer Crime and Security Survey 1 reported that 68 percent of the surveyed organizations' losses were partial

Rewards Program

Write a Review