LAN Switch Security: What Hackers Know About Your Switches
A practical guide to hardening Layer 2 devices and stopping campus network attacks
Christopher Paggen, CCIE® No. 2659
Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Cisco® Discovery Protocol [CDP], and so on) and data plane protocols, such as Address Resolution Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches. Further, this book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. This book also includes a section on how to use an Ethernet switch to increase the security of a network and prevent future attacks.
Divided into four parts, LAN Switch Security provides you with steps you can take to ensure the integrity of both voice and data traffic traveling over Layer 2 devices. Part I covers vulnerabilities in Layer 2 protocols and how to configure switches to prevent attacks against those vulnerabilities. Part II addresses denial-of-service (DoS) attacks on an Ethernet switch and shows how those attacks can be mitigated. Part III shows how a switch can actually augment the security of a network through wire-speed access control list (ACL) processing and IEEE 802.1X for user authentication and authorization. Part IV examines future developments from the LinkSec working group at the IEEE. For all parts, most of the content is vendor independent and is useful for all network architects deploying Ethernet switches.
After reading this book, you will have an in-depth understanding of LAN security and be prepared to plug the security holes that exist in a great number of campus networks.
Eric Vyncke has a master’s degree in computer science engineering from the University of Liège in Belgium. Since 1997, Eric has worked as a Distinguished Consulting Engineer for Cisco, where he is a technical consultant for security covering Europe. His area of expertise for 20 years has been mainly security from Layer 2 to applications. He is also guest professor at Belgian universities for security seminars.
Christopher Paggen, CCIE® No. 2659, obtained a degree in computer science from IESSL in Liège (Belgium) and a master’s degree in economics from University of Mons-Hainaut (UMH) in Belgium. He has been with Cisco since 1996 where he has held various positions in the fields of LAN switching and security, either as pre-sales support, post-sales support, network design engineer, or technical advisor to various engineering teams. Christopher is a frequent speaker at events, such as Networkers, and has filed several U.S. patents in the security area.
Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco.
Steinthor Bjarnason is a consulting engineer for Cisco.
Ken Hook is a switch security solution manager for Cisco.
Rajesh Bhandari is a technical leader and a network security solutions architect for Cisco.
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Category: Cisco Press–Security
Covers: Ethernet Switch Security
Vulnerabilities and Mitigation Techniques 3
Introduction to Security 5
Security Triad 5
Reverse Security Triad 8
Risk Management 8
Risk Analysis 9
Risk Control 10
Access Control and Identity Management 10
Symmetric Cryptosystems 13
Symmetric Encryption 13
Hashing Functions 13
Hash Message Authentication Code 14
Asymmetric Cryptosystems 15
Confidentiality with Asymmetric Cryptosystems 16
Integrity and Authentication with Asymmetric Cryptosystems 17
Key Distribution and Certificates 18
Attacks Against Cryptosystems 19
Defeating a Learning Bridge’s Forwarding Process 23
Back to Basics: Ethernet Switching 101 23
Ethernet Frame Formats 23
Learning Bridge 24
Consequences of Excessive Flooding 26
Exploiting the Bridging Table: MAC Flooding Attacks 27
Forcing an Excessive Flooding Condition 28
Introducing the macof Tool 30
MAC Flooding Alternative: MAC Spoofing Attacks 34
Not Just Theory 35
Preventing MAC Flooding and Spoofing Attacks 36
Detecting MAC Activity 36
Port Security 37
Unknown Unicast Flooding Protection 39
Attacking the Spanning Tree Protocol 43
Introducing Spanning Tree Protocol 43
Types of STP 46
Understanding 802.1D and 802.1Q Common STP 46
Understanding 802.1w Rapid STP 46
Understanding 802.1s Multiple STP 47
STP Operation: More Details 47
Let the Games Begin! 53
Attack 1: Taking Over the Root Bridge 55
Root Guard 58
Attack 2: DoS Using a Flood of Config BPDUs 60
BPDU Filtering 62
Layer 2 PDU Rate Limiter 63
Attack 3: DoS Using a Flood of Config BPDUs 63
Attack 4: Simulating a Dual-Homed Switch 63
Are VLANS Safe? 67
IEEE 802.1Q Overview 67
Frame Classification 68
Go Native 69
Attack of the 802.1Q Tag Stack 71
Understanding Cisco Dynamic Trunking Protocol 76
Crafting a DTP Attack 76
Countermeasures to DTP Attacks 80
Understanding Cisco VTP 80
VTP Vulnerabilities 81
Leveraging DHCP Weaknesses 85
DHCP Overview 85
Attacks Against DHCP 89
DHCP Scope Exhaustion: DoS Attack Against DHCP 89
Hijacking Traffic Using DHCP Rogue Servers 92
Countermeasures to DHCP Exhaustion Attacks 93
Port Security 94
Introducing DHCP Snooping 96
Rate-Limiting DHCP Messages per Port 97
DHCP Message Validation 97
DHCP Snooping with Option 82 99
Tips for Deploying DHCP Snooping 99
Tips for Switches That Do Not Support DHCP Snooping 100
DHCP Snooping Against IP/MAC Spoofing Attacks 100
Exploiting IPv4 ARP 105
Back to ARP Basics 105
Normal ARP Behavior 105
Gratuitous ARP 107
Risk Analysis for ARP 108
ARP Spoofing Attack 108
Elements of an ARP Spoofing Attack 109
Mounting an ARP Spoofing Attack 111
Mitigating an ARP Spoofing Attack 112
Dynamic ARP Inspection 112
DAI in Cisco IOS 112
DAI in CatOS 115
Protecting the Hosts 115
Intrusion Detection 116
Mitigating Other ARP Vulnerabilities 117
Exploiting IPv6 Neighbor Discovery and Router Advertisement 121
Introduction to IPv6 121
Motivation for IPv6 121
What Does IPv6 Change? 122
Neighbor Discovery 126
Stateless Configuration with Router Advertisement 127
Analyzing Risk for ND and Stateless Configuration 129
Mitigating ND and RA Attacks 130
In Hosts 130
In Switches 130
Here Comes Secure ND 131
What Is SEND? 131
What About Power over Ethernet? 135
Introduction to PoE 135
How PoE Works 136
Detection Mechanism 136
Powering Mechanism 138
Risk Analysis for PoE 139
Types of Attacks 139
Mitigating Attacks 140
Defending Against Power Gobbling 140
Defending Against Power-Changing Attacks 141
Defending Against Shutdown Attacks 141
Defending Against Burning Attacks 142
Is HSRP Resilient? 145
HSRP Mechanics 145
Digging into HSRP 147
Attacking HSRP 148
DoS Attack 149
Man-in-the-Middle Attack 150
Information Leakage 151
Mitigating HSRP Attacks 151
Using Strong Authentication 151
Relying on Network Infrastructure 153
Can We Bring VRRP Down? 157
Discovering VRRP 157
Diving Deep into VRRP 159
Risk Analysis for VRRP 161
Mitigating VRRP Attacks 161
Using Strong Authentication 162
Relying on the Network Infrastructure 162
Information Leaks with Cisco Ancillary Protocols 165
Cisco Discovery Protocol 165
Diving Deep into CDP 165
CDP Risk Analysis 167
CDP Risk Mitigation 169
IEEE Link Layer Discovery Protocol 169
VLAN Trunking Protocol 170
VTP Risk Analysis 172
VTP Risk Mitigation 173
Link Aggregation Protocols 174
Risk Analysis 176
Risk Mitigation 177
How Can a Switch Sustain a Denial of Service Attack? 181
Introduction to Denial of Service Attacks 183
How Does a DoS Attack Differ from a DDoS Attack? 183
Initiating a DDoS Attack 184
DoS and DDoS Attacks 186
Attacking the Infrastructure 186
Common Flooding Attacks 187
Mitigating Attacks on Services 187
Attacking LAN Switches Using DoS and DDoS Attacks 188
Anatomy of a Switch 188
Three Planes 189
Data Plane 189
Control Plane 190
Management Plane 190
Attacking the Switch 190
Data Plane Attacks 192
Control Plane Attacks 192
Management Plane Attacks 193
Switch Architecture Attacks 193
Control Plane Policing 197
Which Services Reside on the Control Plane? 198
Securing the Control Plane on a Switch 198
Implementing Hardware-Based CoPP 200
Configuring Hardware-Based CoPP on the Catalyst 6500 200
Hardware Rate Limiters 201
Hardware-Based CoPP 203
Configuring Control Plane Security on the Cisco ME3400 203
Implementing Software-Based CoPP 206
Configuring Software-Based CoPP 207
Mitigating Attacks Using CoPP 211
Mitigating Attacks on the Catalyst 6500 Switch 211
Telnet Flooding Without CoPP 211
Telnet Flooding with CoPP 212
TTL Expiry Attack 215
Mitigating Attacks on Cisco ME3400 Series Switches 218
CDP Flooding 218
CDP Flooding with L2TP Tunneling 219
Disabling Control Plane Protocols 225
Configuring Switches Without Control Plane Protocols 225
Safely Disabling Control Plane Activities 227
Disabling STP 227
Disabling Link Aggregation Protocols 228
Disabling VTP 228
Disabling DTP 228
Disabling Hot Standby Routing Protocol and Virtual Routing Redundancy
Disabling Management Protocols and Routing Protocols 229
Using an ACL 230
Disabling Other Control Plane Activities 232
Generating ICMP Messages 232
Controlling CDP, IPv6, and IEEE 802.1X 233
Using Smartports Macros 234
Control Plane Activities That Cannot Be Disabled 235
Best Practices for Control Plane 236
Using Switches to Detect a Data Plane DoS 239
Detecting DoS with NetFlow 239
Enabling NetFlow on a Catalyst 6500 244
NetFlow as a Security Tool 246
Increasing Security with NetFlow Applications 247
Securing Networks with RMON 249
Other Techniques That Detect Active Worms 252
Using Switches to Augment the Network Security 257
Wire Speed Access Control Lists 259
ACLs or Firewalls? 260
State or No State? 261
Protecting the Infrastructure Using ACLs 261
RACL, VACL, and PACL: Many Types of ACLs 263
Working with RACL 264
Working with VACL 265
Working with PACL 267
Technology Behind Fast ACL Lookups 267
Exploring TCAM 268
Identity-Based Networking Services with 802.1X 273
Basic Identity Concepts 274
Discovering Extensible Authentication Protocol 275
Exploring IEEE 802.1X 277
802.1X Security 279
Integration Value-Add of 802.1X 281
Spanning-Tree Considerations 281
Trunking Considerations 283
Information Leaks 283
Keeping Insiders Honest 285
Port-Security Integration 285
DHCP-Snooping Integration 286
Address Resolution Protocol Inspection Integration 286
Putting It Together 287
Working with Multiple Devices 288
Single-Auth Mode 288
Multihost Mode 289
LAN and Ethernet switches are usually considered plumbing. They are easy to install and configure, but it is easy to forget about security when things appear to be simple.
Multiple vulnerabilities exist in Ethernet switches. Attack tools to exploit them started to appear a couple of years ago (for example, the well-known dsniff package). By using those attack tools, a hacker can defeat the security myth of a switch, which incorrectly states that sniffing and packet interception are impossible with a switch. Indeed, with dsniff, Cain, and other user-friendly tools on a Microsoft Windows or Linux system, a hacker can easily divert any traffic to his own PC to break the confidentiality or the integrity of this traffic.
Most vulnerabilities are inherent to the Layer 2 protocols, ranging from Spanning Tree Protocol to IPv6 neighbor discovery. If Layer 2 is compromised, it is easier to build attacks on upper-layer protocols by using techniques such as man-in-the-middle (MITM) attacks. Because a hacker can intercept any traffic, he can insert himself in clear-text communication (such as HTTP or Telnet) and in encrypted channels (such as Secure Sockets Layer [SSL] or Secure Shell [SSH]).
To exploit Layer 2 vulnerabilities, an attacker must usually be Layer 2 adjacent to the target. Although it seems impossible for an external hacker to connect to a company LAN, it is not. Indeed, a hacker can use social engineering to gain access to the premises, or he can pretend to be an engineer called on site to fix a mechanical problem.
Also, many attacks are run by an insider, such as an onsite employee. Traditionally, there has been an unwritten and, in some cases, written rule that employees are trusted entities. However, over the past decade, numerous cases and statistics prove that this assumption is false. The CSI/FBI 2006 Computer Crime and Security Survey [1] reported that 68 percent of the surveyed organizations' losses were partially or fully a result of insiders' misbehavior.
Once inside the physical premises of most organizations, it is relatively easy to find either an open Ethernet jack on the wall or a networked device (for example, a network printer) that can be disconnected to gain unauthorized network access. With DHCP as widely deployed as it is and the low percentage of LAN-based ports requiring authentication (for example, IEEE 802.1X), a user's PC obtains an IP address and, in most cases, has the same level of network access as all other valid authorized users. Having gained a network IP address, the miscreant user can now attempt various attacks.
Given this revised view of the trust granted to a network user, exposure of the sensitive and confidential information that traverses networks is a reality that cannot be overlooked. Most, if not all, organizations do have access security designed into their applications and into many of their document repositories. However, these are not bulletproof; they only ensure that appropriately authorized users access the information held within these applications or repositories. These access-control techniques do not prevent malicious users from snooping the wire to gain access to the information while it is in motion. Most of the information traversing networks today is not encrypted. Savvy and, in many cases, merely curious network users with script-kiddie tools can easily snoop on the wire to view anything in clear text. This can be as benign as meeting notifications or as sensitive as user names, passwords, human-resources or health records, confidential customer information, credit-card information, contracts, intellectual property, or even classified government information. It goes without saying that a company's information assets are important and, in some cases, the backbone of the company. Information leaks or exposure can be extremely detrimental and, in some cases, cause significant financial repercussions. Companies can lose their reputations and, in turn, lose a loyal customer base overnight.
The knowledge required to snoop the wire has changed dramatically over the last decade with the rise of tools, such as Yersinia and Cain, designed to expose or take advantage of weaknesses in networking protocols. These tools are in many cases context sensitive and include help menus, making eavesdropping, tampering, and replay of information traversing our networks far more prevalent. Equally, once users have access, they can exploit vulnerabilities in operating systems and applications either to gain further access or to tamper with information and cause a denial of service.
On the other hand, Ethernet switches and specific protocols and features can augment the security posture of a LAN environment with user identification, wire-speed security policy enforcement, Layer 2 encryption, and so on.
Goals and Methods
When talking about vulnerabilities in a switch-based network, the approach is first to describe the protocol, then to list the vulnerabilities, and finally to explain how to prevent or mitigate those vulnerabilities. Because this book also covers techniques to increase a network's security by using extra features, those features are described and case scenarios are presented. When necessary, configuration examples or screen shots are provided.
Who Should Read This Book?
This book's primary audience is network architects with knowledge of Ethernet switching techniques and the basics of security.
This book's secondary audience is security officers. You need to have a bare-minimum understanding of networking but, because this book explains all vulnerabilities and prevention techniques in detail, readers do not have to be experts in Ethernet switches.
Both enterprises and service providers will find useful information in this book.
How This Book Is Organized
This book is organized into four distinct parts:
Part I, "Vulnerabilities and Mitigation Techniques." Detailed explanation of several vulnerabilities in Layer 2 protocols and how to prevent all attacks against those vulnerabilities.
Within Part I, each chapter's structure is similar. It always starts with a description of the protocol and then gives a detailed explanation of this protocol's vulnerabilities. It concludes with prevention or mitigation techniques.
Chapter 1, "Introduction to Security," introduces security to networking people. Concepts such as confidentiality, integrity, and availability are defined. Encryption mechanisms and other cryptosystems are explained.
Chapter 2, "Defeating a Learning Bridge's Forwarding Process," focuses on the IEEE 802.1D bridge's learning process and on the content-addressable memory (CAM) table that forwards Ethernet frames to their intended destination. This process is vulnerable, and a mitigation technique, called port security, is presented.
Chapter 3, "Attacking the Spanning Tree Protocol," shows that IEEE 802.1D spanning tree can be attacked, but you can prevent those attacks with features such as bridge protocol data unit (BPDU) guard and root guard.
Chapter 4, "Are VLANs Safe?," covers the IEEE 802.1Q VLAN tags. It destroys the myth that VLANs are isolated with the default configuration. The attack is presented, and a secure configuration is explained so that the myth becomes a reality (that is, no one can hop from one VLAN to another).
Chapter 5, "Leveraging DHCP Weaknesses," explains some vulnerabilities in DHCP and how to prevent a rogue DHCP server in a network with a feature called DHCP snooping.
Chapter 6, "Exploiting IPv4 ARP," starts with an explanation of an Address Resolution Protocol (ARP) vulnerability called ARP spoofing. It shows how DHCP snooping can be leveraged with Dynamic ARP Inspection (DAI) to block this attack.
Chapter 7, "Exploiting IPv6 Neighbor Discovery and Router Advertisement," is more forward thinking because it discusses IPv6's new auxiliary protocols: neighbor discovery and router advertisement. These protocols have inherent weaknesses that are addressed by a new protocol: secure neighbor discovery.
Chapter 8, "What About Power over Ethernet?," describes what Power over Ethernet is and whether vulnerabilities exist in this feature.
Chapter 9, "Is HSRP Resilient?," talks about the high-availability protocol Hot Standby Routing Protocol (HSRP). HSRP's vulnerabilities are explained and mitigation techniques are presented.
Chapter 10, "Can We Bring VRRP Down?," does the same analysis for the standards-based Virtual Router Redundancy Protocol (VRRP): description, vulnerabilities, and mitigation techniques.
Chapter 11, "Information Leaks with Cisco Ancillary Protocols," provides information about all ancillary protocols, such as Cisco Discovery Protocol (CDP).
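As an added example, not taken from the book or from any Cisco documentation for this title, the following Cisco IOS configuration fragment gathers on one hypothetical access switch the Part I mitigations named above: port security (Chapter 2), BPDU guard and root guard (Chapter 3), trunk hardening against VLAN hopping (Chapter 4), DHCP snooping (Chapter 5), Dynamic ARP Inspection (Chapter 6), and disabling CDP on user-facing ports (Chapter 11). The VLAN numbers, interface names, and rate limits are assumed values chosen for illustration; exact command syntax varies by Catalyst platform and IOS release.

```cisco
! Added example, not from the book. Assumed topology: VLAN 10 carries users,
! Gi1/0/1-47 are user ports, Gi1/0/48 is the uplink to the distribution layer.

! Chapter 5: DHCP snooping builds the IP/MAC binding table that DAI relies on.
ip dhcp snooping
ip dhcp snooping vlan 10

! Chapter 6: Dynamic ARP Inspection checks ARP packets against that binding
! table and additionally validates the MAC and IP fields for consistency.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip

! Chapter 3: every PortFast edge port gets BPDU guard unless told otherwise.
spanning-tree portfast bpduguard default

interface range GigabitEthernet1/0/1 - 47
 description User access port (assumed)
 ! Chapter 4: fix the port as access and refuse DTP negotiation,
 ! so a host cannot talk the port into becoming a trunk.
 switchport mode access
 switchport nonegotiate
 switchport access vlan 10
 ! Chapter 2: bound the number of learned MAC addresses so a flood of
 ! forged source addresses cannot force the CAM table into flooding mode.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 5
 ! Chapter 5: cap DHCP messages per second to blunt scope exhaustion
 ! originating from a single port (value assumed).
 ip dhcp snooping limit rate 10
 ! Chapter 6: user ports stay untrusted for DAI; rate-limit ARP as well.
 ip arp inspection limit rate 15
 ! Chapter 3: an edge port must never receive a BPDU; shut it if one arrives.
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Chapter 11: do not advertise platform and IOS details to end stations.
 no cdp enable

interface GigabitEthernet1/0/48
 description Uplink to distribution switch (assumed)
 ! Chapter 4: static trunk, no DTP, and an unused native VLAN so that
 ! untagged frames from the access side cannot land in a user VLAN.
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,999
 ! Chapters 5 and 6: only the infrastructure side is trusted to send
 ! DHCP server replies and unvalidated ARP.
 ip dhcp snooping trust
 ip arp inspection trust

! Chapter 3 (for the distribution switch, not this one): on the designated
! port that faces this access switch, root guard blocks a superior BPDU
! from turning an access switch into the root bridge.
!   interface GigabitEthernet1/1
!    spanning-tree guard root
```

Two points a practitioner would check after applying such a fragment: `show ip dhcp snooping binding` should list every active host before DAI is enabled, because hosts with static addresses have no binding and their ARP will be dropped unless an ARP ACL covers them; and `show port-security interface` on a user port should report the expected maximum and violation mode, since an IP phone plus PC behind it already consumes two addresses.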
Part II, "How Can a Switch Sustain a Denial of Service Attack?" In-depth presentation of DoS attacks: how to detect and mitigate them.
Chapter 12, "Introduction to Denial of Service Attacks," introduces DoS attacks, where they come from, and their net effect on a network.
Chapter 13, "Control Plane Policing," focuses on the control plane (which is the plane where routing and management protocols are running). Because it can be attacked, it must be protected. Control plane policing is shown to be the best technique to achieve protection.
Chapter 14, "Disabling Control Plane Protocols," explains what techniques can be used when control plane policing is not available, such as on old switches.
Chapter 15, "Using Switches to Detect a Data Plane DoS," leverages NetFlow and Network Analysis Module (NAM) to detect a DoS attack or an aggressively propagating worm in the network. The goal of early detection is to better fight the DoS attack even before the users or customers become aware of it.
Part III, "Using Switches to Augment Network Security." How to leverage Ethernet switches to actually augment your LAN's security level.
Chapter 16, "Wire Speed Access Control Lists," describes where an access control list (ACL) can be used in a switch: at the port level, within a VLAN, or (as usual) on a Layer 3 port. These ACLs enforce a simple security policy at wire speed. The technology behind those ACLs is also explained.
Chapter 17, "Identity-Based Networking Services with 802.1X," explains how IEEE 802.1X can be effectively used in a switch to implement user authentication on a per-port basis. Some caveats of this protocol are presented, as well as features to circumvent those limitations.
Part IV, "What Is Next in LAN Security?" How a new IEEE protocol will allow encryption at Layer 2.
Chapter 18, "IEEE 802.1AE," describes new protocols from IEEE that can encrypt all Ethernet frames at wire speed.
The Appendix, "Combining IPsec with L2TPv3 for Secure Pseudowire," illustrates how two older protocols, Layer 2 Tunneling Protocol (L2TP) and IP Security (IPsec), can be combined to encrypt all Layer 2 traffic between two switches.
Reference
[1] Gordon, Lawrence A., Martin P. Loeb, William Lucyshyn, and Robert Richardson. 2006 CSI/FBI Computer Crime and Security Survey. Computer Security Institute, 2006.
© Copyright Pearson Education. All rights reserved.