LAN Switch Security: What Hackers Know About Your Switches (Networking Technology: Security) (Paperback)

by Eric Vyncke (Author), Christopher Paggen (Author)
Key Phrases: information leaks, spanning tree protocol, trunking protocol, Cisco Catalyst, Identity-Based Networking Services, Using Switches (more...)

Editorial Reviews

Product Description

LAN Switch Security: What Hackers Know About Your Switches

A practical guide to hardening Layer 2 devices and stopping campus network attacks

Eric Vyncke

Christopher Paggen, CCIE® No. 2659

Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Cisco® Discovery Protocol [CDP], and so on) and data plane protocols, such as Address Routing Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches. Further, this book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. This book also includes a section on how to use an Ethernet switch to increase the security of a network and prevent future attacks.

Divided into four parts, LAN Switch Security provides you with steps you can take to ensure the integrity of both voice and data traffic traveling over Layer 2 devices. Part I covers vulnerabilities in Layer 2 protocols and how to configure switches to prevent attacks against those vulnerabilities. Part II addresses denial-of-service (DoS) attacks on an Ethernet switch and shows how those attacks can be mitigated. Part III shows how a switch can actually augment the security of a network through the utilization of wirespeed access control list (ACL) processing and IEEE 802.1x for user authentication and authorization. Part IV examines future developments from the LinkSec working group at the IEEE. For all parts, most of the content is vendor independent and is useful for all network architects deploying Ethernet switches.

After reading this book, you will have an in-depth understanding of LAN security and be prepared to plug the security holes that exist in a great number of campus networks.

Eric Vyncke has a master’s degree in computer science engineering from the University of Liège in Belgium. Since 1997, Eric has worked as a Distinguished Consulting Engineer for Cisco, where he is a technical consultant for security covering Europe. His area of expertise for 20 years has been mainly security from Layer 2 to applications. He is also guest professor at Belgian universities for security seminars.

Christopher Paggen, CCIE® No. 2659, obtained a degree in computer science from IESSL in Liège (Belgium) and a master’s degree in economics from University of Mons-Hainaut (UMH) in Belgium. He has been with Cisco since 1996 where he has held various positions in the fields of LAN switching and security, either as pre-sales support, post-sales support, network design engineer, or technical advisor to various engineering teams. Christopher is a frequent speaker at events, such as Networkers, and has filed several U.S. patents in the security area.

Contributing Authors:

Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco.

Steinthor Bjarnason is a consulting engineer for Cisco.

Ken Hook is a switch security solution manager for Cisco.

Rajesh Bhandari is a technical leader and a network security solutions architect for Cisco.

• Use port security to protect against CAM attacks

• Prevent spanning-tree attacks

• Isolate VLANs with proper configuration techniques

• Protect against rogue DHCP servers

• Block ARP snooping

• Prevent IPv6 neighbor discovery and router solicitation exploitation

• Identify Power over Ethernet vulnerabilities

• Mitigate risks from HSRP and VRPP

• Stop information leaks with CDP, PaGP, VTP, CGMP and other Cisco ancillary protocols

• Understand and prevent DoS attacks against switches

• Enforce simple wirespeed security policies with ACLs

• Implement user authentication on a port base with IEEE 802.1x

• Use new IEEE protocols to encrypt all Ethernet frames at wirespeed.

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Category: Cisco Press—Security

Covers: Ethernet Switch Security

$60.00 USA / $69.00 CAN

LAN Switch Security: What Hackers Know About Your Switches

A practical guide to hardening Layer 2 devices and stopping campus network attacks

Eric Vyncke

Christopher Paggen, CCIE® No. 2659

Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Cisco® Discovery Protocol [CDP], and so on) and data plane protocols, such as Address Routing Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches. Further, this book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. This book also includes a section on how to use an Ethernet switch to increase the security of a network and prevent future attacks.

Divided into four parts, LAN Switch Security provides you with steps you can take to ensure the integrity of both voice and data traffic traveling over Layer 2 devices. Part I covers vulnerabilities in Layer 2 protocols and how to configure switches to prevent attacks against those vulnerabilities. Part II addresses denial-of-service (DoS) attacks on an Ethernet switch and shows how those attacks can be mitigated. Part III shows how a switch can actually augment the security of a network through the utilization of wirespeed access control list (ACL) processing and IEEE 802.1x for user authentication and authorization. Part IV examines future developments from the LinkSec working group at the IEEE. For all parts, most of the content is vendor independent and is useful for all network architects deploying Ethernet switches.

After reading this book, you will have an in-depth understanding of LAN security and be prepared to plug the security holes that exist in a great number of campus networks.

Eric Vyncke has a master’s degree in computer science engineering from the University of Liège in Belgium. Since 1997, Eric has worked as a Distinguished Consulting Engineer for Cisco, where he is a technical consultant for security covering Europe. His area of expertise for 20 years has been mainly security from Layer 2 to applications. He is also guest professor at Belgian universities for security seminars.

Christopher Paggen, CCIE® No. 2659, obtained a degree in computer science from IESSL in Liège (Belgium) and a master’s degree in economics from University of Mons-Hainaut (UMH) in Belgium. He has been with Cisco since 1996 where he has held various positions in the fields of LAN switching and security, either as pre-sales support, post-sales support, network design engineer, or technical advisor to various engineering teams. Christopher is a frequent speaker at events, such as Networkers, and has filed several U.S. patents in the security area.

Contributing Authors:

Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco.

Steinthor Bjarnason is a consulting engineer for Cisco.

Ken Hook is a switch security solution manager for Cisco.

Rajesh Bhandari is a technical leader and a network security solutions architect for Cisco.

• Use port security to protect against CAM attacks

• Prevent spanning-tree attacks

• Isolate VLANs with proper configuration techniques

• Protect against rogue DHCP servers

• Block ARP snooping

• Prevent IPv6 neighbor discovery and router solicitation exploitation

• Identify Power over Ethernet vulnerabilities

• Mitigate risks from HSRP and VRPP

  ...
  
  About the Author
  

   

  Eric Vyncke has a master’s degree in computer science engineering from the University of Liège in Belgium. He

  worked as a research assistant in the same university before joining Network Research Belgium. At Network

  Research Belgium, he was the head of R&D. He then joined Siemens as a project manager for security projects,

  including a proxy firewall. Since 1997, he has worked as a distinguished consulting engineer for Cisco as a technical

  consultant for security covering Europe. For 20 years, Eric’s area of expertise has been security from Layer 2 to

  the application layer. He is also a guest professor at some Belgian universities for security seminars. Eric is also a

  frequent speaker at security events (such as Networkers at Cisco Live and RSA Conference).

  Christopher Paggen joined Cisco in 1996 where he has held various positions gravitating around LAN switching

  and security technologies. Lately, he has been in charge of defining product requirements for the company’s current

  and future high-end firewalls. Christopher holds several U.S. patents, one of which pertains to Dynamic ARP

  Inspection (DAI). As CCIE No. 2659, Christopher also owns a B.S. in computer science from HEMES (Belgium)

  and went on to study economics at UMH (Belgium) for two more years.

  
  
  See all Editorial Reviews

Product Details

• Paperback: 360 pages
• Publisher: Cisco Press; 1 edition (September 16, 2007)
• Language: English
• ISBN-10: 1587052563
• ISBN-13: 978-1587052569
• Product Dimensions: 9.2 x 7.6 x 0.7 inches
• Shipping Weight: 1.2 pounds (View shipping rates and policies)
• Average Customer Review: 4.5 out of 5 stars See all reviews (10 customer reviews)
• Amazon.com Sales Rank: #522,367 in Books (See Bestsellers in Books)

Customer Reviews

Most Helpful Customer Reviews

2 of 2 people found the following review helpful:

5.0 out of 5 stars A MANDATORY Read for All Network Administrators, October 14, 2007

By	Jon R. Kibler "Jon R. Kibler" (Charleston, SC USA) - See all my reviews (REAL NAME)

Awesome. Horrorifing. Fantastic. Scary. Phenomenal. Terrorifing. The best book I have read all year. If you thought you didn't need to worry about layer 2 security, think again!

This is probably the best practical hacking book to come out in several years. It clearly illustrates that the majority of LANs and CANs implemented today are full of configuration issues that can lead to serious exploits. A MANDATORY read for all network administrators.

The book does not cover any new ground, but it does an excellent job of bringing together a lot of information -- both theory and practice -- into one well written text. It shows the strengths (few) and weaknesses (many) of all the most common L2 protocols and how they can be exploited by anyone with access to any system on your network. It also shows how to lock down Cisco devices to minimize or prevent many of the exploits discussed.

The only complaint I have about the book is the poor editing job that was done, with glaring typos in several places in the book. Many of the typos are laughable (Catalyst Supervisor Engineer), but some leave you scratching your head and having to compare text to graphics to figure out which is correct. While annoying, and something I am sure that will be fixed in a later printing, it does not diminish the tremendous amount of information presented, and the well developed examples and demonstration exploits.

Now, if someone would only publish a generic version of this book that addressed the specific issues and fixes in L2 implementations by other vendors!

Again, a MANDATORY read for all network administrators. Pen testers and security admins should also read this book.

2 of 2 people found the following review helpful:

5.0 out of 5 stars Very good title, September 26, 2007

By	Hedley Lamarr "Toto" (Tornado Alley) - See all my reviews

I picked up this book a few days after it hit the proverbial shelves. I've read it twice since then. The book actually taught me many things that I simply didn't know. I always knew that Cisco access ports had numerous services enabled on them by default. I disable many of them myself with the interface templates that I've built. I didn't realize that there were this many enabled services.

The book has 2 good chapters on securing both the control-plane and the data-plane including the use of CoPP. One thing that I absolutely love about the control-plane chapter is how they point out the specifics of configuring CoPP on particular hardware platforms, in this case the 6500 and the ME3400. This hits home with me since I admin a number of 7600s. Prior to this I could not find a reference that would help me with my specific platform.

As always my standard gripes about these smaller Cisco Press books apply. The book is only available as a softback which is crap. Cisco Press: we'll pay the extra $$$ for a book that won't be dog-eared from day one. Stop skimping out on us! Next, while this book does go into a good amount of detail on almost all sections I personally want more detail. I want Cisco Press to give me 200 pages on securing the control-plane, not 40. I want detailed examples, sample configs, detailed discussion about why you'd implement CoPP in a particular way on one platform or another (7200s vs 7600s vs ISRs) etc. I want all that detail in a one stop shop. I want appendixes with sample interface templates for certain applications (customer-facing, infrastructure, internal user-facing, printers, servers, etc). I'm all about the details. Don't wet my pallet and cut me short; stop teasing me. And as always, give me a access to a PDF version of the book. You do it for some Cisco Press books for free. I'm tired of carrying this book to work everyday and no I am not going to buy a second copy.

Overall a very good title that all Cisco network people should own. I guarantee you that there are things in her that you do not know.

1 of 1 people found the following review helpful:

5.0 out of 5 stars The layer 2 attack and defense master piece, July 10, 2008

By	Raul Siles "www.raulsiles.com" - See all my reviews (REAL NAME)

I have been promoting the need to protect access to local network infrastructures (against the insider threat) for so many years that I'm even tired of sending the same message again and again these days, but I do not give up. I never understood why if we require authentication to each and every technology resource, such as your computer operating system, servers, databases, applications, and even physical facilities, why this has not been the case to access the network. Still today, lots of local networks from big companies and organizations are "free", that is, if the attacker gets physical access to an Ethernet port (RJ-45 connector) he is in! (the network). This is one of the attacker's dreams, and we can simply mitigate this threat through the 802.1X protocol. The expansion of wireless networks has helped a lot to promote it, but still it must be applied to most wired networks out there.

802.1X is just one of the multiple additions you can make to your layer 2 security stance in order to protect the local (layer 2) network infrastructure from several attacks. Definitely, you need to stop thinking about IP (layer 3) attacks only, and move one level down. Honestly, one of the layer 2 attacks that works 99% of the times I'm running an internal penetration test is ARP spoofing or poisoning. I tried to emphasize the impact of this attack and the associated defenses on my first GIAC paper for the Incident Handler (GCIH) certification in 2003, "Real World ARP Spoofing".

The book covers most of the vulnerabilities, design flaws, and security holes associated to the layer 2 protocols we currently and extensively use on our networks, such as MAC flooding and spoofing attacks, and STP, VLAN, DHCP, ARP, PoE, HSRP, VRRP, CDP, VTP, LAP and even layer-2 IPv6 related attacks. However, and starting with the minimum privilege principle (if you don't need it, why it is enabled?), the main focus of this book (and specially Part I) is to provide the reader with the knowledge and specific details to detect these attacks and protect the network and network devices (mainly switches) against all these threats. For each protocol and attack it describes the proper settings for a secure implementation.

Parts II of the book focuses on Denial of Service (DoS and DDoS) attacks on layer 2 devices and provide an excellent overview of switches architectures, internal implementation details (mainly Cisco focused), the relationships between the Control Plane and the Data Plane, the protocols each layer deals with, and the security implications on the internal operation of switches. If you want to know how your switches really work and the security implications of enabling/disabling certain capabilities, this is the section of the book you must read.

Part III then provides an introduction to more advanced access control options, through multiple ACL types, and layer-2 authentication (802.1X). It's a good introduction to go deeper into serious layer-2 access control and authentication projects and deployments.

Simplifying the threat, the attackers have a single tool (in fact they have multiple but this is THE tool) to do real damage at layer 2, Yersinia, co-develop by a Spanish security colleague, David. We, as defenders, need to properly design and deploy all the layer 2 technologies and protocols considering the security implications of its presence on the network. Fortunately enough, the countermeasures available to mitigate layer 2 risks are available in some current network devices, mainly switches. BTW, I encourage you to use the attack tools, like Yersinia, to audit your network. Some of the book countermeasures are trivial to apply, while some others require a very carefully thought-out planning. The book provides the guidance you need to start accomplishing the goal of getting a definitive layer 2 protected network by exposing the complexity, advantages and disadvantages of each solution.

The book is structured in small, easy to read, chapters that describe each of the technologies analyzed and its operation, the security issues and attack examples, and the detection and protection mechanisms you need to apply, straight to the most relevant implementation details. It also includes practical examples and describes multiple scenarios where each countermeasure can be applied, as well as the main decision factors to apply it in a given way. If you are busy (and who is not these days?), I recommend you to select a layer 2 protocol or technology you are using, select the appropriate chapter (a 30-45 minutes read at most), and start planning and applying the related security best practices. You can repeat this chapter selection process every couple of weeks, and in 2-3 months your network will be what I would like to see on all my customers. The book allows network administrators and infosec professionals to independently digest any of the chapters and start protecting the associated technology. Obviously, the main goal should be to apply all the book recommendations to your infrastructure in the short-mid term. Unfortunately, not all the countermeasures mentioned are available in all switches; there is still lot of work to be done by the vendors to implement all them.

The book opens the doors to a whole set of layer-2 threats, but it is not a complete guide to implement all the related protections, neither a command documentation book. It is up to the reader to check his switch documentation (Cisco or others) to get the full syntax details and multiple options for each of the countermeasures detailed. If you have managed Cisco devices, you know syntax also changes between IOS/CatOS versions, so I prefer this approach rather than a detailed syntax compendium that may be unusable on my specific IOS/CatOS version.

Even this is a Cisco Press book, and obviously it is focused on the current solutions available from Cisco, it is fair to admit that Cisco is leading the networking market and includes some of the most advanced layer 2 protection mechanisms in its switches, such as port security, UUFP, root and BPDU guard, BPDU filtering and rate-limiting, VLAN and layer-2 protocols best practices, DHCP snooping, DHCP rate-limiting and validation, IP source guard, DAI (Dynamic ARP Inspection), PoE defenses, HSRP and VRRP strong authentication, 802.1X, and lots of ACLs types: . RACL, VACL, PACLs, etc. Therefore, as this is the way to go, other vendors (if they do not already have these) should provide similar protection capabilities on their layer 2 network devices.

I specially liked how the book ends up (Part IV) covering LinkSec, 802.1AE and 802.1af, future standards that will finally provide confidentiality and integrity at layer 2 at wire-speeds, similarly to what be have today in wireless networks with 802.11i (WPA and WPA2). Why don't you start checking if these standards are supported by your endpoint (client, servers, printers, VoIP phones, etc) and network devices? The sooner we use it, the better.

The only portion missing on the book IMHO is the inclusion of layer 2 QoS protocols, such as 802.1p. Apart from that, chapter 1 is a light intro to security. If you have been in the field for a while, you can directly jump over it. I think it could have been omitted.

Before reading this book, I had an extensive previous experience on layer 2 security, switches, layer 2 penetration testing, and layer 2 network security architectures and design, and I really enjoyed the book, specially its practical focus, broad scope on layer 2 issues, the format and examples. If you are a penetration tester, I'm sure you will get a few ideas too for your next challenge, and you can easily apply them as most attack tools are publicly available and included on the latest Backtrack 3 version. Definitely, if you are a network security professional or network administrator in any way, shape or form, this book must be in your shelves.

Full-review: http://radajo.blogspot.com/2008/07/security-book-review-lan-switch.html