Router Security Strategies: Securing IP Network Traffic Planes
by Gregg Schudel - CCIE No. 9591; David J. Smith - CCIE No. 1986
Cisco ASA, PIX, and FWSM Firewall Handbook, Second Edition
by David Hucaby - CCIE No. 4594
CCIE Professional Development Series Network Security Technologies and Solutions
by Yusuf Bhaiji - CCIE No. 9305
End-to-End Network Security: Defense-in-Depth
by Omar Santos
Fuzzing: Brute Force Vulnerability Discovery
by Michael Sutton; Adam Greene; Pedram Amini
Hacking: The Next Generation, 1st Edition
by Nitesh Dhanjani; Billy Rios; Brett Hardin
Kerberos: The Definitive Guide, 1st Edition
by Jason Garman
Beautiful Security, 1st Edition
by Andy Oram; John Viega
LAN Switch Security: What Hackers Know About Your Switches
A practical guide to hardening Layer 2 devices and stopping campus network attacks
Eric Vyncke
Christopher Paggen, CCIE® No. 2659
Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Cisco® Discovery Protocol [CDP], and so on) and data plane protocols, such as Address Resolution Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches. Further, this book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. This book also includes a section on how to use an Ethernet switch to increase the security of a network and prevent future attacks.
Divided into four parts, LAN Switch Security provides you with steps you can take to ensure the integrity of both voice and data traffic traveling over Layer 2 devices. Part I covers vulnerabilities in Layer 2 protocols and how to configure switches to prevent attacks against those vulnerabilities. Part II addresses denial-of-service (DoS) attacks on an Ethernet switch and shows how those attacks can be mitigated. Part III shows how a switch can actually augment the security of a network through the utilization of wirespeed access control list (ACL) processing and IEEE 802.1x for user authentication and authorization. Part IV examines future developments from the LinkSec working group at the IEEE. For all parts, most of the content is vendor independent and is useful for all network architects deploying Ethernet switches.
After reading this book, you will have an in-depth understanding of LAN security and be prepared to plug the security holes that exist in a great number of campus networks.
Eric Vyncke has a master’s degree in computer science engineering from the University of Liège in Belgium. Since 1997, Eric has worked as a Distinguished Consulting Engineer for Cisco, where he is a technical consultant for security covering Europe. His area of expertise for 20 years has been mainly security from Layer 2 to applications. He is also guest professor at Belgian universities for security seminars.
Christopher Paggen, CCIE® No. 2659, obtained a degree in computer science from IESSL in Liège (Belgium) and a master’s degree in economics from University of Mons-Hainaut (UMH) in Belgium. He has been with Cisco since 1996 where he has held various positions in the fields of LAN switching and security, either as pre-sales support, post-sales support, network design engineer, or technical advisor to various engineering teams. Christopher is a frequent speaker at events, such as Networkers, and has filed several U.S. patents in the security area.
Contributing Authors:
Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco.
Steinthor Bjarnason is a consulting engineer for Cisco.
Ken Hook is a switch security solution manager for Cisco.
Rajesh Bhandari is a technical leader and a network security solutions architect for Cisco.
Use port security to protect against CAM attacks
Prevent spanning-tree attacks
Isolate VLANs with proper configuration techniques
Protect against rogue DHCP servers
Block ARP snooping
Prevent IPv6 neighbor discovery and router solicitation exploitation
Identify Power over Ethernet vulnerabilities
Mitigate risks from HSRP and VRRP
Stop information leaks with CDP, PAgP, VTP, CGMP and other Cisco ancillary protocols
Understand and prevent DoS attacks against switches
Enforce simple wirespeed security policies with ACLs
Implement user authentication on a per-port basis with IEEE 802.1x
Use new IEEE protocols to encrypt all Ethernet frames at wirespeed.
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Category: Cisco Press—Security
Covers: Ethernet Switch Security
$60.00 USA / $69.00 CAN
Average Amazon.com® Rating: based on 10 ratings
The layer 2 attack and defense masterpiece - 2008-07-10
I have been promoting the need to protect access to local network infrastructures (against the insider threat) for so many years that I'm even tired of sending the same message again and again these days, but I do not give up. I never understood why, if we require authentication for each and every technology resource, such as your computer operating system, servers, databases, applications, and even physical facilities, this has not been the case for access to the network. Still today, lots of local networks from big companies and organizations are "free", that is, if the attacker gets physical access to an Ethernet port (RJ-45 connector) he is in! (the network). This is one of the attacker's dreams, and we can simply mitigate this threat through the 802.1X protocol. The expansion of wireless networks has helped a lot to promote it, but still it must be applied to most wired networks out there.
802.1X is just one of the multiple additions you can make to your layer 2 security stance in order to protect the local (layer 2) network infrastructure from several attacks. Definitely, you need to stop thinking about IP (layer 3) attacks only, and move one level down. Honestly, one of the layer 2 attacks that works 99% of the time I'm running an internal penetration test is ARP spoofing or poisoning. I tried to emphasize the impact of this attack and the associated defenses in my first GIAC paper for the Incident Handler (GCIH) certification in 2003, "Real World ARP Spoofing".
The book covers most of the vulnerabilities, design flaws, and security holes associated with the layer 2 protocols we currently and extensively use on our networks, such as MAC flooding and spoofing attacks, and STP, VLAN, DHCP, ARP, PoE, HSRP, VRRP, CDP, VTP, LAP and even layer-2 IPv6 related attacks. However, and starting with the minimum privilege principle (if you don't need it, why is it enabled?), the main focus of this book (and especially Part I) is to provide the reader with the knowledge and specific details to detect these attacks and protect the network and network devices (mainly switches) against all these threats. For each protocol and attack it describes the proper settings for a secure implementation.
Part II of the book focuses on Denial of Service (DoS and DDoS) attacks on layer 2 devices and provides an excellent overview of switch architectures, internal implementation details (mainly Cisco focused), the relationships between the Control Plane and the Data Plane, the protocols each layer deals with, and the security implications on the internal operation of switches. If you want to know how your switches really work and the security implications of enabling/disabling certain capabilities, this is the section of the book you must read.
Part III then provides an introduction to more advanced access control options, through multiple ACL types, and layer-2 authentication (802.1X). It's a good introduction to go deeper into serious layer-2 access control and authentication projects and deployments.
Simplifying the threat, the attackers have a single tool (in fact they have multiple but this is THE tool) to do real damage at layer 2, Yersinia, co-developed by a Spanish security colleague, David. We, as defenders, need to properly design and deploy all the layer 2 technologies and protocols considering the security implications of their presence on the network. Fortunately enough, the countermeasures available to mitigate layer 2 risks are available in some current network devices, mainly switches. BTW, I encourage you to use the attack tools, like Yersinia, to audit your network. Some of the book countermeasures are trivial to apply, while some others require very carefully thought-out planning. The book provides the guidance you need to start accomplishing the goal of getting a definitive layer 2 protected network by exposing the complexity, advantages and disadvantages of each solution.
The book is structured in small, easy to read chapters that describe each of the technologies analyzed and its operation, the security issues and attack examples, and the detection and protection mechanisms you need to apply, straight to the most relevant implementation details. It also includes practical examples and describes multiple scenarios where each countermeasure can be applied, as well as the main decision factors to apply it in a given way. If you are busy (and who is not these days?), I recommend that you select a layer 2 protocol or technology you are using, select the appropriate chapter (a 30-45 minute read at most), and start planning and applying the related security best practices. You can repeat this chapter selection process every couple of weeks, and in 2-3 months your network will be what I would like to see on all my customers. The book allows network administrators and infosec professionals to independently digest any of the chapters and start protecting the associated technology. Obviously, the main goal should be to apply all the book recommendations to your infrastructure in the short-mid term. Unfortunately, not all the countermeasures mentioned are available in all switches; there is still a lot of work to be done by the vendors to implement all of them.
The book opens the doors to a whole set of layer-2 threats, but it is not a complete guide to implement all the related protections, nor a command documentation book. It is up to the reader to check his switch documentation (Cisco or others) to get the full syntax details and multiple options for each of the countermeasures detailed. If you have managed Cisco devices, you know syntax also changes between IOS/CatOS versions, so I prefer this approach rather than a detailed syntax compendium that may be unusable on my specific IOS/CatOS version.
Even though this is a Cisco Press book, and obviously it is focused on the current solutions available from Cisco, it is fair to admit that Cisco is leading the networking market and includes some of the most advanced layer 2 protection mechanisms in its switches, such as port security, UUFP, root and BPDU guard, BPDU filtering and rate-limiting, VLAN and layer-2 protocols best practices, DHCP snooping, DHCP rate-limiting and validation, IP source guard, DAI (Dynamic ARP Inspection), PoE defenses, HSRP and VRRP strong authentication, 802.1X, and lots of ACL types: RACL, VACL, PACL, etc. Therefore, as this is the way to go, other vendors (if they do not already have these) should provide similar protection capabilities on their layer 2 network devices.
I especially liked how the book ends up (Part IV) covering LinkSec, 802.1AE and 802.1af, future standards that will finally provide confidentiality and integrity at layer 2 at wire-speeds, similarly to what we have today in wireless networks with 802.11i (WPA and WPA2). Why don't you start checking if these standards are supported by your endpoints (clients, servers, printers, VoIP phones, etc) and network devices? The sooner we use them, the better.
The only portion missing from the book IMHO is the inclusion of layer 2 QoS protocols, such as 802.1p. Apart from that, chapter 1 is a light intro to security. If you have been in the field for a while, you can directly jump over it. I think it could have been omitted.
Before reading this book, I had extensive previous experience in layer 2 security, switches, layer 2 penetration testing, and layer 2 network security architectures and design, and I really enjoyed the book, especially its practical focus, broad scope on layer 2 issues, the format and examples. If you are a penetration tester, I'm sure you will get a few ideas too for your next challenge, and you can easily apply them as most attack tools are publicly available and included in the latest Backtrack 3 version. Definitely, if you are a network security professional or network administrator in any way, shape or form, this book must be on your shelves.
Full review: http://radajo.blogspot.com/2008/07/security-book-review-lan-switch.html
Good switching book - 2008-02-27
This is a thin book, it's about an inch thick. I like the way the book is laid out. First there is an overview of the technology, then the vulnerability is discussed, then a recommendation is made to correct the problem. I think the authors make excellent explanations of the technologies without a lot of code and command line examples.
I think the detailed explanations of the technologies are insightful for experts as well as understandable and helpful for those new to the field. This book is not going to give exhaustive command-line text output. It does help explain each subject using meaningful words.
A truly needed book - 2008-01-10
This book leaps into layer 2 action with a MAC flooding attack. In the next chapter we take aim at Spanning Tree Protocol (STP). Surely this is an intentional decision by the authors to get the reader saying, "Where is the defense?"
Chapter 4 is one of my favorites, a security discussion on VLANs including an introductory use of the attack tool Yersinia (the Swiss army knife of layer 2 attacks). The material is challenging, very technical, but the authors take pains to be as clear as possible.
As the book moves on, with the solid foundation we build, we then consider DHCP, ARP, IPv6 discovery, Power over Ethernet, HSRP, and more esoteric protocols. A real jewel is found in part II of the book; I learned so much about how a switch works (or can be made not to work). We finish off with Denial of Service, NetFlow, RMON, and worms. Well, not exactly, great book, you will never think about layer 2 the same way again. You will never think of a switch as a mindless toaster or an appliance that is not significant from a security perspective.
The beginning and the ending of the book are the reason I did not score it five stars, but let me be clear, the middle of the book is more than worth the cost of buying LAN Switch Security and the time it takes to read it. Just start at Chapter 2.
I wish the authors could have skipped chapter 1, the introduction to security. It is such a high level overview that it really does not help. Cisco books do this a lot; may I suggest that the title series manager create a really good introduction to security and just have all the Cisco books link to it. Anyone who has a prayer of understanding the stuff after Chapter 1 already knows all the content in Chapter 1. They also try to cover 802.1X in a chapter, wheeee! Other than those two nits, you have to give this book two thumbs up!
Should Be Required Reading For Pentesters - 2008-06-09
LAN Switch Security provides enough information to leverage the most common layer 2 attacks a pentester would be interested in: MAC Flooding, VLAN Hopping, DTP attacks, and CDP Snarfing, along with plenty of switching protocol details for the Cisco ninja wannabe.
With the exception of the white paper for the tool Yersinia there isn't much in the way of resources out there for conducting Layer 2 attacks and certainly nothing written to the technical level of LSS.
The discussion of Layer 2 attacks in the first few chapters of this book is excellent and easily worth the price of the book, especially if you are responsible for securing switches or just breaking into and abusing them. Chapter 4's ("Are VLANs Safe?") discussion on Dynamic Trunking Protocol is probably the most valuable for pentesters. The chapter covers using Yersinia to (hopefully) turn the port the attacker is connected to into a trunk port. This enables the attacker to see all traffic on all VLANs (pretty handy). In addition to exceptional background material on switching protocols and information on breaking the different switching protocols, the book gives us quality information on securing those same protocols, including a good chunk of the IOS commands to implement the recommended changes.
Pros:
- All the chapters using Yersinia for attacks and the overview of Yersinia
- The structure (Technology Overview, Discussion of the Vulnerability, Remediation) of each chapter works well
- Plenty of Cisco IOS command line specifics to get the job done
- Really good overviews of the switching protocols, how to break them, and how to secure them
- Discussion of data planes and control planes
Cons:
- Check out the cons of Richard Bejtlich & Stephen Northcutt...all valid
- No discussion of minimum lab requirements to set up a lab to reproduce the attacks
- I lost interest from part II onward, probably because most of the attacks don't give you much (if any) in the way of privileges and it got fairly deep into switching protocols I don't usually deal with, and the book seems to drift. I'm not sure what happened but the book doesn't end as strong as it begins.
- Some repeating of material in different chapters
I gave the book 4 stars mostly due to editing issues, lack of lab guidance to reproduce the attacks, and the fact that I lost interest in the book toward the end. Even though I lost interest toward the end I still recommend this book for anyone interested in breaking Layer 2 or securing it.
Fills a void that had existed far too long - 2007-12-26
Vyncke and Paggen delve deep into Layer 2 in "LAN Switch Security", and with a twist: where the run-of-the-mill switching work mainly discusses how Layer 2 works, this book is exclusively focused on how it breaks.
They start with straightforward stuff, e.g. how a bridge learns MAC addresses, and how this process can be frustrated by means of flooding a switch with large numbers of spoofed MAC addresses, or how ARP poisoning can be used to play man-in-the-middle. Quickly, however, they move into more advanced topics, like manipulating the spanning tree protocol process, VLAN hopping by means of stacking .1q tags, and a variety of indecent tricks to play on an HSRP or VRRP redundant router setup. And that is but a tiny subset of the range they treat. Other technologies extensively discussed are DTP, DHCP, IPv6, PoE, CDP, VTP, CoPP, NetFlow, ACLs, .1x, and .1ae. In each case the intriguing angle is "OK, we know how it works, can we learn how it breaks?".
The text is well enriched with examples, down to IOS CLI examples, and examples of attack tooling like Yersinia. These examples are rather Cisco centric, but it is easy to see how the same ideas would apply generically, so that is not a big issue. What I also like is that the authors sometimes take a step back from the bits and bytes, and try to see a bigger picture, e.g. discussing the fundamental differences between data plane attacks and control plane attacks.
For each topic, the authors discuss various alternatives of mitigation, sometimes to the point where it seems rather obvious ("Disable this functionality when you do not need it", "Do not expose trunk protocols towards end stations"). I feel especially the later chapters could have benefitted from the scrutiny of a professional editor, as the text sometimes drifts away into vagueness. That is a pity, as on the whole, the book is well written.
What got me most excited about "LAN Switch Security" is that, as far as I know, no previous book was ever dedicatedly devoted to breaking Layer 2. Also, for many of the protocols discussed (CDP, VTP, DTP) it is almost impossible to find useful detailed information in a high-level book, as these protocols are mostly only discussed in the context of certification course material, which the generally interested reader would not so easily read, and with good reason.
In my opinion this book is mandatory reading for two categories of readers. First, the network designer / administrator who is busy on a day-to-day basis designing / administrating a corporate network should read this, so he becomes acutely aware of the tremendous amount of rope that he has in his hands, and how he probably has been hanging himself with it.
Secondly, the IT security architect who has a deep knowledge of how complex systems invariably become insecure systems, should read this so he gains a better knowledge of relevant aspects of Layer 2 networking.
As my colleague recently put it: "Layer 2 is big fun". I could not agree more, and heartily thank Vyncke and Paggen for finally writing the book that fills a void that had existed far too long in this area.
Dr. Jan Joris Vereijken, CISSP
Top Level Categories:
Networking
Sub-Categories:
Networking > LAN
Networking > Security
Some information on this page was provided using data from Amazon.com®.