LAN Switch Security: What Hackers Know About Your Switches
A practical guide to hardening Layer 2 devices and stopping campus network attacks
Eric Vyncke
Christopher Paggen, CCIE® No. 2659
Contrary to popular belief, Ethernet switches are not inherently secure. Their vulnerabilities are many: they arise from the switch implementation itself, from control plane protocols such as Spanning Tree Protocol (STP) and Cisco® Discovery Protocol (CDP), and from data plane protocols such as Address Resolution Protocol (ARP) and Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains the vulnerabilities in a network infrastructure that relate to Ethernet switches, and then shows you how to configure a switch to prevent or mitigate attacks based on those vulnerabilities. The book also includes a section on using an Ethernet switch to increase the security of a network and prevent future attacks.
Divided into four parts, LAN Switch Security provides you with steps you can take to ensure the integrity of both voice and data traffic traveling over Layer 2 devices. Part I covers vulnerabilities in Layer 2 protocols and how to configure switches to prevent attacks against those vulnerabilities. Part II addresses denial-of-service (DoS) attacks on an Ethernet switch and shows how those attacks can be mitigated. Part III shows how a switch can actually augment the security of a network through the utilization of wirespeed access control list (ACL) processing and IEEE 802.1x for user authentication and authorization. Part IV examines future developments from the LinkSec working group at the IEEE. For all parts, most of the content is vendor independent and is useful for all network architects deploying Ethernet switches.
After reading this book, you will have an in-depth understanding of LAN security and be prepared to plug the security holes that exist in a great number of campus networks.
Eric Vyncke has a master’s degree in computer science engineering from the University of Liège in Belgium. Since 1997, Eric has worked as a Distinguished Consulting Engineer for Cisco, where he is a technical consultant for security covering Europe. For 20 years his area of expertise has been mainly security, from Layer 2 to applications. He is also a guest professor at Belgian universities for security seminars.
Christopher Paggen, CCIE® No. 2659, obtained a degree in computer science from IESSL in Liège (Belgium) and a master’s degree in economics from the University of Mons-Hainaut (UMH) in Belgium. He has been with Cisco since 1996, where he has held various positions in the fields of LAN switching and security, as pre-sales support, post-sales support, network design engineer, and technical advisor to various engineering teams. Christopher is a frequent speaker at events such as Networkers and has filed several U.S. patents in the security area.
Contributing Authors:
Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco.
Steinthor Bjarnason is a consulting engineer for Cisco.
Ken Hook is a switch security solution manager for Cisco.
Rajesh Bhandari is a technical leader and a network security solutions architect for Cisco.
Use port security to protect against CAM attacks
Prevent spanning-tree attacks
Isolate VLANs with proper configuration techniques
Protect against rogue DHCP servers
Block ARP snooping
Prevent IPv6 neighbor discovery and router solicitation exploitation
Identify Power over Ethernet vulnerabilities
Mitigate risks from HSRP and VRRP
Stop information leaks with CDP, PAgP, VTP, CGMP and other Cisco ancillary protocols
Understand and prevent DoS attacks against switches
Enforce simple wirespeed security policies with ACLs
Implement user authentication on a port base with IEEE 802.1x
Use new IEEE protocols to encrypt all Ethernet frames at wirespeed
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Category: Cisco Press–Security
Covers: Ethernet Switch Security
Contents
Introduction xix
Part I
Vulnerabilities and Mitigation Techniques 3
Chapter 1
Introduction to Security 5
Security Triad 5
Confidentiality 6
Integrity 7
Availability 8
Reverse Security Triad 8
Risk Management 8
Risk Analysis 9
Risk Control 10
Access Control and Identity Management 10
Cryptography 11
Symmetric Cryptosystems 13
Symmetric Encryption 13
Hashing Functions 13
Hash Message Authentication Code 14
Asymmetric Cryptosystems 15
Confidentiality with Asymmetric Cryptosystems 16
Integrity and Authentication with Asymmetric Cryptosystems 17
Key Distribution and Certificates 18
Attacks Against Cryptosystems 19
Summary 21
References 21
Chapter 2
Defeating a Learning Bridge’s Forwarding Process 23
Back to Basics: Ethernet Switching 101 23
Ethernet Frame Formats 23
Learning Bridge 24
Consequences of Excessive Flooding 26
Exploiting the Bridging Table: MAC Flooding Attacks 27
Forcing an Excessive Flooding Condition 28
Introducing the macof Tool 30
MAC Flooding Alternative: MAC Spoofing Attacks 34
Not Just Theory 35
Preventing MAC Flooding and Spoofing Attacks 36
Detecting MAC Activity 36
Port Security 37
Unknown Unicast Flooding Protection 39
Summary 40
References 41
Chapter 3
Attacking the Spanning Tree Protocol 43
Introducing Spanning Tree Protocol 43
Types of STP 46
Understanding 802.1D and 802.1Q Common STP 46
Understanding 802.1w Rapid STP 46
Understanding 802.1s Multiple STP 47
STP Operation: More Details 47
Let the Games Begin! 53
Attack 1: Taking Over the Root Bridge 55
Root Guard 58
BPDU-Guard 58
Attack 2: DoS Using a Flood of Config BPDUs 60
BPDU-Guard 62
BPDU Filtering 62
Layer 2 PDU Rate Limiter 63
Attack 3: DoS Using a Flood of Config BPDUs 63
Attack 4: Simulating a Dual-Homed Switch 63
Summary 64
References 65
Chapter 4
Are VLANs Safe? 67
IEEE 802.1Q Overview 67
Frame Classification 68
Go Native 69
Attack of the 802.1Q Tag Stack 71
Understanding Cisco Dynamic Trunking Protocol 76
Crafting a DTP Attack 76
Countermeasures to DTP Attacks 80
Understanding Cisco VTP 80
VTP Vulnerabilities 81
Summary 82
References 82
Chapter 5
Leveraging DHCP Weaknesses 85
DHCP Overview 85
Attacks Against DHCP 89
DHCP Scope Exhaustion: DoS Attack Against DHCP 89
Yersinia 89
Gobbler 90
Hijacking Traffic Using DHCP Rogue Servers 92
Countermeasures to DHCP Exhaustion Attacks 93
Port Security 94
Introducing DHCP Snooping 96
Rate-Limiting DHCP Messages per Port 97
DHCP Message Validation 97
DHCP Snooping with Option 82 99
Tips for Deploying DHCP Snooping 99
Tips for Switches That Do Not Support DHCP Snooping 100
DHCP Snooping Against IP/MAC Spoofing Attacks 100
Summary 103
References 103
Chapter 6
Exploiting IPv4 ARP 105
Back to ARP Basics 105
Normal ARP Behavior 105
Gratuitous ARP 107
Risk Analysis for ARP 108
ARP Spoofing Attack 108
Elements of an ARP Spoofing Attack 109
Mounting an ARP Spoofing Attack 111
Mitigating an ARP Spoofing Attack 112
Dynamic ARP Inspection 112
DAI in Cisco IOS 112
DAI in CatOS 115
Protecting the Hosts 115
Intrusion Detection 116
Mitigating Other ARP Vulnerabilities 117
Summary 118
References 118
Chapter 7
Exploiting IPv6 Neighbor Discovery and Router Advertisement 121
Introduction to IPv6 121
Motivation for IPv6 121
What Does IPv6 Change? 122
Neighbor Discovery 126
Stateless Configuration with Router Advertisement 127
Analyzing Risk for ND and Stateless Configuration 129
Mitigating ND and RA Attacks 130
In Hosts 130
In Switches 130
Here Comes Secure ND 131
What Is SEND? 131
Implementation 133
Challenges 133
Summary 133
References 133
Chapter 8
What About Power over Ethernet? 135
Introduction to PoE 135
How PoE Works 136
Detection Mechanism 136
Powering Mechanism 138
Risk Analysis for PoE 139
Types of Attacks 139
Mitigating Attacks 140
Defending Against Power Gobbling 140
Defending Against Power-Changing Attacks 141
Defending Against Shutdown Attacks 141
Defending Against Burning Attacks 142
Summary 143
References 143
Chapter 9
Is HSRP Resilient? 145
HSRP Mechanics 145
Digging into HSRP 147
Attacking HSRP 148
DoS Attack 149
Man-in-the-Middle Attack 150
Information Leakage 151
Mitigating HSRP Attacks 151
Using Strong Authentication 151
Relying on Network Infrastructure 153
Summary 155
References 155
Chapter 10
Can We Bring VRRP Down? 157
Discovering VRRP 157
Diving Deep into VRRP 159
Risk Analysis for VRRP 161
Mitigating VRRP Attacks 161
Using Strong Authentication 162
Relying on the Network Infrastructure 162
Summary 163
References 163
Chapter 11
Information Leaks with Cisco Ancillary Protocols 165
Cisco Discovery Protocol 165
Diving Deep into CDP 165
CDP Risk Analysis 167
CDP Risk Mitigation 169
IEEE Link Layer Discovery Protocol 169
VLAN Trunking Protocol 170
VTP Risk Analysis 172
VTP Risk Mitigation 173
Link Aggregation Protocols 174
Risk Analysis 176
Risk Mitigation 177
Summary 178
References 178
Part II
How Can a Switch Sustain a Denial of Service Attack? 181
Chapter 12
Introduction to Denial of Service Attacks 183
How Does a DoS Attack Differ from a DDoS Attack? 183
Initiating a DDoS Attack 184
Zombie 184
Botnet 185
DoS and DDoS Attacks 186
Attacking the Infrastructure 186
Common Flooding Attacks 187
Mitigating Attacks on Services 187
Attacking LAN Switches Using DoS and DDoS Attacks 188
Anatomy of a Switch 188
Three Planes 189
Data Plane 189
Control Plane 190
Management Plane 190
Attacking the Switch 190
Data Plane Attacks 192
Control Plane Attacks 192
Management Plane Attacks 193
Switch Architecture Attacks 193
Summary 194
Reference 194
Chapter 13
Control Plane Policing 197
Which Services Reside on the Control Plane? 198
Securing the Control Plane on a Switch 198
Implementing Hardware-Based CoPP 200
Configuring Hardware-Based CoPP on the Catalyst 6500 200
Hardware Rate Limiters 201
Hardware-Based CoPP 203
Configuring Control Plane Security on the Cisco ME3400 203
Implementing Software-Based CoPP 206
Configuring Software-Based CoPP 207
Mitigating Attacks Using CoPP 211
Mitigating Attacks on the Catalyst 6500 Switch 211
Telnet Flooding Without CoPP 211
Telnet Flooding with CoPP 212
TTL Expiry Attack 215
Mitigating Attacks on Cisco ME3400 Series Switches 218
CDP Flooding 218
CDP Flooding with L2TP Tunneling 219
Summary 222
References 222
Chapter 14
Disabling Control Plane Protocols 225
Configuring Switches Without Control Plane Protocols 225
Safely Disabling Control Plane Activities 227
Disabling STP 227
Disabling Link Aggregation Protocols 228
Disabling VTP 228
Disabling DTP 228
Disabling Hot Standby Routing Protocol and Virtual Routing Redundancy Protocol 228
Disabling Management Protocols and Routing Protocols 229
Using an ACL 230
Disabling Other Control Plane Activities 232
Generating ICMP Messages 232
Controlling CDP, IPv6, and IEEE 802.1X 233
Using Smartports Macros 234
Control Plane Activities That Cannot Be Disabled 235
Best Practices for Control Plane 236
Summary 236
Chapter 15
Using Switches to Detect a Data Plane DoS 239
Detecting DoS with NetFlow 239
Enabling NetFlow on a Catalyst 6500 244
NetFlow as a Security Tool 246
Increasing Security with NetFlow Applications 247
Securing Networks with RMON 249
Other Techniques That Detect Active Worms 252
Summary 255
References 255
Part III
Using Switches to Augment the Network Security 257
Chapter 16
Wire Speed Access Control Lists 259
ACLs or Firewalls? 260
State or No State? 261
Protecting the Infrastructure Using ACLs 261
RACL, VACL, and PACL: Many Types of ACLs 263
Working with RACL 264
Working with VACL 265
Working with PACL 267
Technology Behind Fast ACL Lookups 267
Exploring TCAM 268
Summary 270
Chapter 17
Identity-Based Networking Services with 802.1X 273
Foundation 273
Basic Identity Concepts 274
Identification 274
Authentication 274
Authorization 275
Discovering Extensible Authentication Protocol 275
Exploring IEEE 802.1X 277
802.1X Security 279
Integration Value-Add of 802.1X 281
Spanning-Tree Considerations 281
Trunking Considerations 283
Information Leaks 283
Keeping Insiders Honest 285
Port-Security Integration 285
DHCP-Snooping Integration 286
Address Resolution Protocol Inspection Integration 286
Putting It Together 287
Working with Multiple Devices 288
Single-Auth Mode 288
Multihost Mode 289