LAN Switch Security

LAN Switch Security : What Hackers Know About Your Switches

4.66 (6 ratings by Goodreads)
By (author) Eric Vyncke, By (author) Christopher Paggen


Description

LAN Switch Security: What Hackers Know About Your Switches
A practical guide to hardening Layer 2 devices and stopping campus network attacks
Eric Vyncke
Christopher Paggen, CCIE(R) No. 2659

Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Cisco(R) Discovery Protocol [CDP], and so on) and data plane protocols, such as Address Resolution Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches. Further, this book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. This book also includes a section on how to use an Ethernet switch to increase the security of a network and prevent future attacks.

Divided into four parts, LAN Switch Security provides you with steps you can take to ensure the integrity of both voice and data traffic traveling over Layer 2 devices. Part I covers vulnerabilities in Layer 2 protocols and how to configure switches to prevent attacks against those vulnerabilities. Part II addresses denial-of-service (DoS) attacks on an Ethernet switch and shows how those attacks can be mitigated. Part III shows how a switch can actually augment the security of a network through the utilization of wirespeed access control list (ACL) processing and IEEE 802.1x for user authentication and authorization. Part IV examines future developments from the LinkSec working group at the IEEE. For all parts, most of the content is vendor independent and is useful for all network architects deploying Ethernet switches.

After reading this book, you will have an in-depth understanding of LAN security and be prepared to plug the security holes that exist in a great number of campus networks.

Eric Vyncke has a master's degree in computer science engineering from the University of Liege in Belgium. Since 1997, Eric has worked as a Distinguished Consulting Engineer for Cisco, where he is a technical consultant for security covering Europe. His area of expertise for 20 years has been mainly security from Layer 2 to applications. He is also a guest professor at Belgian universities for security seminars.

Christopher Paggen, CCIE(R) No. 2659, obtained a degree in computer science from IESSL in Liege (Belgium) and a master's degree in economics from University of Mons-Hainaut (UMH) in Belgium. He has been with Cisco since 1996, where he has held various positions in the fields of LAN switching and security, either as pre-sales support, post-sales support, network design engineer, or technical advisor to various engineering teams. Christopher is a frequent speaker at events, such as Networkers, and has filed several U.S. patents in the security area.

Contributing Authors:
  • Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco.
  • Steinthor Bjarnason is a consulting engineer for Cisco.
  • Ken Hook is a switch security solution manager for Cisco.
  • Rajesh Bhandari is a technical leader and a network security solutions architect for Cisco.

This book shows you how to:
  • Use port security to protect against CAM attacks
  • Prevent spanning-tree attacks
  • Isolate VLANs with proper configuration techniques
  • Protect against rogue DHCP servers
  • Block ARP snooping
  • Prevent IPv6 neighbor discovery and router solicitation exploitation
  • Identify Power over Ethernet vulnerabilities
  • Mitigate risks from HSRP and VRRP
  • Stop information leaks with CDP, PAgP, VTP, CGMP and other Cisco ancillary protocols
  • Understand and prevent DoS attacks against switches
  • Enforce simple wirespeed security policies with ACLs
  • Implement user authentication on a port basis with IEEE 802.1x
  • Use new IEEE protocols to encrypt all Ethernet frames at wirespeed

This security book is part of the Cisco Press(R) Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Category: Cisco Press-Security
Covers: Ethernet Switch Security

Product details

  • Format: Paperback | 360 pages
  • Dimensions: 193.04 x 233.68 x 17.78mm | 544.31g
  • Publisher: Pearson Education (US)
  • Imprint: Cisco Press
  • Publication City/Country: Indianapolis, United States
  • Language: English
  • ISBN10: 1587052563
  • ISBN13: 9781587052569
  • Bestsellers rank: 875,443

About Eric Vyncke

Eric Vyncke has a master's degree in computer science engineering from the University of Liege in Belgium. He worked as a research assistant in the same university before joining Network Research Belgium. At Network Research Belgium, he was the head of R&D. He then joined Siemens as a project manager for security projects, including a proxy firewall. Since 1997, he has worked as a distinguished consulting engineer for Cisco as a technical consultant for security covering Europe. For 20 years, Eric's area of expertise has been security from Layer 2 to the application layer. He is also a guest professor at some Belgian universities for security seminars. Eric is also a frequent speaker at security events (such as Networkers at Cisco Live and RSA Conference).

Christopher Paggen joined Cisco in 1996, where he has held various positions gravitating around LAN switching and security technologies. Lately, he has been in charge of defining product requirements for the company's current and future high-end firewalls. Christopher holds several U.S. patents, one of which pertains to Dynamic ARP Inspection (DAI). As CCIE No. 2659, Christopher also owns a B.S. in computer science from HEMES (Belgium) and went on to study economics at UMH (Belgium) for two more years.

Table of contents

Introduction

Part I: Vulnerabilities and Mitigation Techniques

Chapter 1: Introduction to Security
  • Security Triad
      • Confidentiality
      • Integrity
      • Availability
  • Reverse Security Triad
  • Risk Management
      • Risk Analysis
      • Risk Control
  • Access Control and Identity Management
  • Cryptography
      • Symmetric Cryptosystems: Symmetric Encryption; Hashing Functions; Hash Message Authentication Code
      • Asymmetric Cryptosystems: Confidentiality with Asymmetric Cryptosystems; Integrity and Authentication with Asymmetric Cryptosystems; Key Distribution and Certificates
      • Attacks Against Cryptosystems
  • Summary
  • References

Chapter 2: Defeating a Learning Bridge's Forwarding Process
  • Back to Basics: Ethernet Switching 101
      • Ethernet Frame Formats
      • Learning Bridge
      • Consequences of Excessive Flooding
  • Exploiting the Bridging Table: MAC Flooding Attacks
      • Forcing an Excessive Flooding Condition
      • Introducing the macof Tool
      • MAC Flooding Alternative: MAC Spoofing Attacks
      • Not Just Theory
  • Preventing MAC Flooding and Spoofing Attacks
      • Detecting MAC Activity
      • Port Security
      • Unknown Unicast Flooding Protection
  • Summary
  • References

Chapter 3: Attacking the Spanning Tree Protocol
  • Introducing Spanning Tree Protocol
      • Types of STP: Understanding 802.1D and 802.1Q Common STP; Understanding 802.1w Rapid STP; Understanding 802.1s Multiple STP
      • STP Operation: More Details
  • Let the Games Begin!
      • Attack 1: Taking Over the Root Bridge (Root Guard; BPDU-Guard)
      • Attack 2: DoS Using a Flood of Config BPDUs (BPDU-Guard; BPDU Filtering; Layer 2 PDU Rate Limiter)
      • Attack 3: DoS Using a Flood of Config BPDUs
      • Attack 4: Simulating a Dual-Homed Switch
  • Summary
  • References

Chapter 4: Are VLANS Safe?
  • IEEE 802.1Q Overview
      • Frame Classification
      • Go Native
      • Attack of the 802.1Q Tag Stack
  • Understanding Cisco Dynamic Trunking Protocol
      • Crafting a DTP Attack
      • Countermeasures to DTP Attacks
  • Understanding Cisco VTP
      • VTP Vulnerabilities
  • Summary
  • References

Chapter 5: Leveraging DHCP Weaknesses
  • DHCP Overview
  • Attacks Against DHCP
      • DHCP Scope Exhaustion: DoS Attack Against DHCP (Yersinia; Gobbler)
      • Hijacking Traffic Using DHCP Rogue Servers
  • Countermeasures to DHCP Exhaustion Attacks
      • Port Security
      • Introducing DHCP Snooping: Rate-Limiting DHCP Messages per Port; DHCP Message Validation; DHCP Snooping with Option 82; Tips for Deploying DHCP Snooping; Tips for Switches That Do Not Support DHCP Snooping
      • DHCP Snooping Against IP/MAC Spoofing Attacks
  • Summary
  • References

Chapter 6: Exploiting IPv4 ARP
  • Back to ARP Basics
      • Normal ARP Behavior
      • Gratuitous ARP
  • Risk Analysis for ARP
  • ARP Spoofing Attack
      • Elements of an ARP Spoofing Attack
      • Mounting an ARP Spoofing Attack
  • Mitigating an ARP Spoofing Attack
      • Dynamic ARP Inspection (DAI in Cisco IOS; DAI in CatOS)
      • Protecting the Hosts
      • Intrusion Detection
  • Mitigating Other ARP Vulnerabilities
  • Summary
  • References

Chapter 7: Exploiting IPv6 Neighbor Discovery and Router Advertisement
  • Introduction to IPv6
      • Motivation for IPv6
      • What Does IPv6 Change?
      • Neighbor Discovery
      • Stateless Configuration with Router Advertisement
  • Analyzing Risk for ND and Stateless Configuration
  • Mitigating ND and RA Attacks
      • In Hosts
      • In Switches
  • Here Comes Secure ND
      • What Is SEND?
      • Implementation
      • Challenges
  • Summary
  • References

Chapter 8: What About Power over Ethernet?
  • Introduction to PoE
  • How PoE Works
      • Detection Mechanism
      • Powering Mechanism
  • Risk Analysis for PoE
      • Types of Attacks
  • Mitigating Attacks
      • Defending Against Power Gobbling
      • Defending Against Power-Changing Attacks
      • Defending Against Shutdown Attacks
      • Defending Against Burning Attacks
  • Summary
  • References

Chapter 9: Is HSRP Resilient?
  • HSRP Mechanics
      • Digging into HSRP
  • Attacking HSRP
      • DoS Attack
      • Man-in-the-Middle Attack
      • Information Leakage
  • Mitigating HSRP Attacks
      • Using Strong Authentication
      • Relying on Network Infrastructure
  • Summary
  • References

Chapter 10: Can We Bring VRRP Down?
  • Discovering VRRP
      • Diving Deep into VRRP
  • Risk Analysis for VRRP
  • Mitigating VRRP Attacks
      • Using Strong Authentication
      • Relying on the Network Infrastructure
  • Summary
  • References

Chapter 11: Information Leaks with Cisco Ancillary Protocols
  • Cisco Discovery Protocol
      • Diving Deep into CDP
      • CDP Risk Analysis
      • CDP Risk Mitigation
  • IEEE Link Layer Discovery Protocol
  • VLAN Trunking Protocol
      • VTP Risk Analysis
      • VTP Risk Mitigation
  • Link Aggregation Protocols
      • Risk Analysis
      • Risk Mitigation
  • Summary
  • References

Part II: How Can a Switch Sustain a Denial of Service Attack?

Chapter 12: Introduction to Denial of Service Attacks
  • How Does a DoS Attack Differ from a DDoS Attack?
      • Initiating a DDoS Attack (Zombie; Botnet)
      • DoS and DDoS Attacks (Attacking the Infrastructure; Common Flooding Attacks; Mitigating Attacks on Services)
  • Attacking LAN Switches Using DoS and DDoS Attacks
      • Anatomy of a Switch
      • Three Planes (Data Plane; Control Plane; Management Plane)
      • Attacking the Switch (Data Plane Attacks; Control Plane Attacks; Management Plane Attacks; Switch Architecture Attacks)
  • Summary
  • Reference

Chapter 13: Control Plane Policing
  • Which Services Reside on the Control Plane?
  • Securing the Control Plane on a Switch
  • Implementing Hardware-Based CoPP
      • Configuring Hardware-Based CoPP on the Catalyst 6500 (Hardware Rate Limiters; Hardware-Based CoPP)
      • Configuring Control Plane Security on the Cisco ME3400
  • Implementing Software-Based CoPP
      • Configuring Software-Based CoPP
  • Mitigating Attacks Using CoPP
      • Mitigating Attacks on the Catalyst 6500 Switch (Telnet Flooding Without CoPP; Telnet Flooding with CoPP; TTL Expiry Attack)
      • Mitigating Attacks on Cisco ME3400 Series Switches (CDP Flooding; CDP Flooding with L2TP Tunneling)
  • Summary
  • References

Chapter 14: Disabling Control Plane Protocols
  • Configuring Switches Without Control Plane Protocols
  • Safely Disabling Control Plane Activities
      • Disabling STP
      • Disabling Link Aggregation Protocols
      • Disabling VTP
      • Disabling DTP
      • Disabling Hot Standby Routing Protocol and Virtual Routing Redundancy Protocol
      • Disabling Management Protocols and Routing Protocols (Using an ACL)
      • Disabling Other Control Plane Activities (Generating ICMP Messages; Controlling CDP, IPv6, and IEEE 802.1X)
      • Using Smartports Macros
  • Control Plane Activities That Cannot Be Disabled
  • Best Practices for Control Plane
  • Summary

Chapter 15: Using Switches to Detect a Data Plane DoS
  • Detecting DoS with NetFlow
      • Enabling NetFlow on a Catalyst 6500
      • NetFlow as a Security Tool
      • Increasing Security with NetFlow Applications
  • Securing Networks with RMON
  • Other Techniques That Detect Active Worms
  • Summary
  • References

Part III: Using Switches to Augment the Network Security

Chapter 16: Wire Speed Access Control Lists
  • ACLs or Firewalls?
      • State or No State?
  • Protecting the Infrastructure Using ACLs
  • RACL, VACL, and PACL: Many Types of ACLs
      • Working with RACL
      • Working with VACL
      • Working with PACL
  • Technology Behind Fast ACL Lookups
      • Exploring TCAM
  • Summary

Chapter 17: Identity-Based Networking Services with 802.1X
  • Foundation
      • Basic Identity Concepts (Identification; Authentication; Authorization)
      • Discovering Extensible Authentication Protocol
      • Exploring IEEE 802.1X (802.1X Security)
  • Integration Value-Add of 802.1X
      • Spanning-Tree Considerations
      • Trunking Considerations
      • Information Leaks
  • Keeping Insiders Honest
      • Port-Security Integration
      • DHCP-Snooping Integration
      • Address Resolution Protocol Inspection Integration
  • Putting It Together
      • Working with Multiple Devices (Single-Auth Mode; Multihost Mode)

Rating details

6 ratings, 4.66 out of 5 stars
  • 5 stars: 67% (4)
  • 4 stars: 33% (2)
  • 3 stars: 0% (0)
  • 2 stars: 0% (0)
  • 1 star: 0% (0)