LAN Switch Security: What Hackers Know About Your Switches


About the Book

Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Cisco® Discovery Protocol [CDP], and so on) and data plane protocols, such as Address Resolution Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches. Further, this book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. This book also includes a section on how to use an Ethernet switch to increase the security of a network and prevent future attacks.

Divided into four parts, LAN Switch Security provides you with steps you can take to ensure the integrity of both voice and data traffic traveling over Layer 2 devices. Part I covers vulnerabilities in Layer 2 protocols and how to configure switches to prevent attacks against those vulnerabilities. Part II addresses denial-of-service (DoS) attacks on an Ethernet switch and shows how those attacks can be mitigated. Part III shows how a switch can actually augment the security of a network through the utilization of wirespeed access control list (ACL) processing and IEEE 802.1x for user authentication and authorization. Part IV examines future developments from the LinkSec working group at the IEEE. For all parts, most of the content is vendor independent and is useful for all network architects deploying Ethernet switches.

After reading this book, you will have an in-depth understanding of LAN security and be prepared to plug the security holes that exist in a great number of campus networks.
  • Use port security to protect against CAM attacks
  • Prevent spanning-tree attacks
  • Isolate VLANs with proper configuration techniques
  • Protect against rogue DHCP servers
  • Block ARP snooping
  • Prevent IPv6 neighbor discovery and router solicitation exploitation
  • Identify Power over Ethernet vulnerabilities
  • Mitigate risks from HSRP and VRRP
  • Stop information leaks with CDP, PAgP, VTP, CGMP and other Cisco ancillary protocols
  • Understand and prevent DoS attacks against switches
  • Enforce simple wirespeed security policies with ACLs
  • Implement user authentication on a port base with IEEE 802.1x
  • Use new IEEE protocols to encrypt all Ethernet frames at wirespeed

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Table of Contents:
Introduction

Part I: Vulnerabilities and Mitigation Techniques

Chapter 1: Introduction to Security
Security Triad; Confidentiality; Integrity; Availability; Reverse Security Triad; Risk Management; Risk Analysis; Risk Control; Access Control and Identity Management; Cryptography; Symmetric Cryptosystems; Symmetric Encryption; Hashing Functions; Hash Message Authentication Code; Asymmetric Cryptosystems; Confidentiality with Asymmetric Cryptosystems; Integrity and Authentication with Asymmetric Cryptosystems; Key Distribution and Certificates; Attacks Against Cryptosystems; Summary; References

Chapter 2: Defeating a Learning Bridge’s Forwarding Process
Back to Basics: Ethernet Switching 101; Ethernet Frame Formats; Learning Bridge; Consequences of Excessive Flooding; Exploiting the Bridging Table: MAC Flooding Attacks; Forcing an Excessive Flooding Condition; Introducing the macof Tool; MAC Flooding Alternative: MAC Spoofing Attacks; Not Just Theory; Preventing MAC Flooding and Spoofing Attacks; Detecting MAC Activity; Port Security; Unknown Unicast Flooding Protection; Summary; References

Chapter 3: Attacking the Spanning Tree Protocol
Introducing Spanning Tree Protocol; Types of STP; Understanding 802.1D and 802.1Q Common STP; Understanding 802.1w Rapid STP; Understanding 802.1s Multiple STP; STP Operation: More Details; Let the Games Begin!; Attack 1: Taking Over the Root Bridge; Root Guard; BPDU-Guard; Attack 2: DoS Using a Flood of Config BPDUs; BPDU-Guard; BPDU Filtering; Layer 2 PDU Rate Limiter; Attack 3: DoS Using a Flood of Config BPDUs; Attack 4: Simulating a Dual-Homed Switch; Summary; References

Chapter 4: Are VLANS Safe?
IEEE 802.1Q Overview; Frame Classification; Go Native; Attack of the 802.1Q Tag Stack; Understanding Cisco Dynamic Trunking Protocol; Crafting a DTP Attack; Countermeasures to DTP Attacks; Understanding Cisco VTP; VTP Vulnerabilities; Summary; References

Chapter 5: Leveraging DHCP Weaknesses
DHCP Overview; Attacks Against DHCP; DHCP Scope Exhaustion: DoS Attack Against DHCP; Yersinia; Gobbler; Hijacking Traffic Using DHCP Rogue Servers; Countermeasures to DHCP Exhaustion Attacks; Port Security; Introducing DHCP Snooping; Rate-Limiting DHCP Messages per Port; DHCP Message Validation; DHCP Snooping with Option 82; Tips for Deploying DHCP Snooping; Tips for Switches That Do Not Support DHCP Snooping; DHCP Snooping Against IP/MAC Spoofing Attacks; Summary; References

Chapter 6: Exploiting IPv4 ARP
Back to ARP Basics; Normal ARP Behavior; Gratuitous ARP; Risk Analysis for ARP; ARP Spoofing Attack; Elements of an ARP Spoofing Attack; Mounting an ARP Spoofing Attack; Mitigating an ARP Spoofing Attack; Dynamic ARP Inspection; DAI in Cisco IOS; DAI in CatOS; Protecting the Hosts; Intrusion Detection; Mitigating Other ARP Vulnerabilities; Summary; References

Chapter 7: Exploiting IPv6 Neighbor Discovery and Router Advertisement
Introduction to IPv6; Motivation for IPv6; What Does IPv6 Change?; Neighbor Discovery; Stateless Configuration with Router Advertisement; Analyzing Risk for ND and Stateless Configuration; Mitigating ND and RA Attacks; In Hosts; In Switches; Here Comes Secure ND; What Is SEND?; Implementation; Challenges; Summary; References

Chapter 8: What About Power over Ethernet?
Introduction to PoE; How PoE Works; Detection Mechanism; Powering Mechanism; Risk Analysis for PoE; Types of Attacks; Mitigating Attacks; Defending Against Power Gobbling; Defending Against Power-Changing Attacks; Defending Against Shutdown Attacks; Defending Against Burning Attacks; Summary; References

Chapter 9: Is HSRP Resilient?
HSRP Mechanics; Digging into HSRP; Attacking HSRP; DoS Attack; Man-in-the-Middle Attack; Information Leakage; Mitigating HSRP Attacks; Using Strong Authentication; Relying on Network Infrastructure; Summary; References

Chapter 10: Can We Bring VRRP Down?
Discovering VRRP; Diving Deep into VRRP; Risk Analysis for VRRP; Mitigating VRRP Attacks; Using Strong Authentication; Relying on the Network Infrastructure; Summary; References

Chapter 11: Information Leaks with Cisco Ancillary Protocols
Cisco Discovery Protocol; Diving Deep into CDP; CDP Risk Analysis; CDP Risk Mitigation; IEEE Link Layer Discovery Protocol; VLAN Trunking Protocol; VTP Risk Analysis; VTP Risk Mitigation; Link Aggregation Protocols; Risk Analysis; Risk Mitigation; Summary; References

Part II: How Can a Switch Sustain a Denial of Service Attack?

Chapter 12: Introduction to Denial of Service Attacks
How Does a DoS Attack Differ from a DDoS Attack?; Initiating a DDoS Attack; Zombie; Botnet; DoS and DDoS Attacks; Attacking the Infrastructure; Common Flooding Attacks; Mitigating Attacks on Services; Attacking LAN Switches Using DoS and DDoS Attacks; Anatomy of a Switch; Three Planes; Data Plane; Control Plane; Management Plane; Attacking the Switch; Data Plane Attacks; Control Plane Attacks; Management Plane Attacks; Switch Architecture Attacks; Summary; Reference

Chapter 13: Control Plane Policing
Which Services Reside on the Control Plane?; Securing the Control Plane on a Switch; Implementing Hardware-Based CoPP; Configuring Hardware-Based CoPP on the Catalyst 6500; Hardware Rate Limiters; Hardware-Based CoPP; Configuring Control Plane Security on the Cisco ME3400; Implementing Software-Based CoPP; Configuring Software-Based CoPP; Mitigating Attacks Using CoPP; Mitigating Attacks on the Catalyst 6500 Switch; Telnet Flooding Without CoPP; Telnet Flooding with CoPP; TTL Expiry Attack; Mitigating Attacks on Cisco ME3400 Series Switches; CDP Flooding; CDP Flooding with L2TP Tunneling; Summary; References

Chapter 14: Disabling Control Plane Protocols
Configuring Switches Without Control Plane Protocols; Safely Disabling Control Plane Activities; Disabling STP; Disabling Link Aggregation Protocols; Disabling VTP; Disabling DTP; Disabling Hot Standby Routing Protocol and Virtual Routing Redundancy Protocol; Disabling Management Protocols and Routing Protocols; Using an ACL; Disabling Other Control Plane Activities; Generating ICMP Messages; Controlling CDP, IPv6, and IEEE 802.1X; Using Smartports Macros; Control Plane Activities That Cannot Be Disabled; Best Practices for Control Plane; Summary

Chapter 15: Using Switches to Detect a Data Plane DoS
Detecting DoS with NetFlow; Enabling NetFlow on a Catalyst 6500; NetFlow as a Security Tool; Increasing Security with NetFlow Applications; Securing Networks with RMON; Other Techniques That Detect Active Worms; Summary; References

Part III: Using Switches to Augment the Network Security

Chapter 16: Wire Speed Access Control Lists
ACLs or Firewalls?; State or No State?; Protecting the Infrastructure Using ACLs; RACL, VACL, and PACL: Many Types of ACLs; Working with RACL; Working with VACL; Working with PACL; Technology Behind Fast ACL Lookups; Exploring TCAM; Summary

Chapter 17: Identity-Based Networking Services with 802.1X
Foundation; Basic Identity Concepts; Identification; Authentication; Authorization; Discovering Extensible Authentication Protocol; Exploring IEEE 802.1X; 802.1X Security; Integration Value-Add of 802.1X; Spanning-Tree Considerations; Trunking Considerations; Information Leaks; Keeping Insiders Honest; Port-Security Integration; DHCP-Snooping Integration; Address Resolution Protocol Inspection Integration; Putting It Together; Working with Multiple Devices; Single-Auth Mode; Multihost Mode




Product Details
  • ISBN-13: 9780134433608
  • Publisher: Pearson Education (US)
  • Publisher Imprint: Cisco Press
  • Language: English
  • Sub Title: What Hackers Know About Your Switches
  • ISBN-10: 0134433602
  • Publisher Date: 06 Sep 2007
  • Binding: Digital download
  • No of Pages: 360

