LAN Switch Security: What Hackers Know About Your Switches
Read an excerpt:
Chapter 3: Attacking the Spanning Tree Protocol
Excerpt provided courtesy of Cisco Press. Copyright © Pearson Education, Cisco Press. Written permission from the publisher is required for any use of this material.
A practical guide to hardening Layer 2 devices and stopping campus network attacks
* Learn the truth about how easily hackers can exploit Ethernet switches
* Explore the vulnerabilities that exist in most modern LAN switch environments
* Analyze the attacks that can be mounted against Layer 2 devices
* Learn how to protect Ethernet switches against attack
Popular belief is that Ethernet switches are secure. But the security you see
may not be the security you get: weaknesses range from the switch implementation
itself, to control plane protocols, to data plane protocols such as ARP and DHCP.
LAN Switch Security explains the vulnerabilities of a network infrastructure
built on Ethernet switches and helps you secure it. The book shows you how to
configure a switch to prevent or mitigate attacks that exploit those vulnerabilities.
It also includes a section on how to use an Ethernet switch to increase the
security of the network and prevent future attacks.
Divided into four parts, LAN Switch Security is a practical guide to the steps
you can take to ensure the integrity of both voice and data traffic that crosses
Layer 2 devices. The first part covers multiple protocols, including Spanning
Tree Protocol (STP), DHCP, IPv6, HSRP, and others. The second part addresses
denial of service (DoS) attacks on an Ethernet switch and shows how those attacks
can be mitigated. The third part shows how a switch can augment the security of
a network through wire-speed ACL processing and IEEE 802.1X for user
authentication and authorization. The fourth part examines future developments
from the LinkSec working group at the IEEE.
This book is the first to delve into LAN switch security, and it is essential to
any comprehensive security plan.
Table of Contents
Introduction xix
Part I: Vulnerabilities and Mitigation Techniques 3
Chapter 1: Introduction to Security 5
  Security Triad 5
  Confidentiality 6
  Integrity 7
  Availability 8
  Reverse Security Triad 8
  Risk Management 8
  Risk Analysis 9
  Risk Control 10
  Access Control and Identity Management 10
  Cryptography 11
  Symmetric Cryptosystems 13
  Symmetric Encryption 13
  Hashing Functions 13
  Hash Message Authentication Code 14
  Asymmetric Cryptosystems 15
  Confidentiality with Asymmetric Cryptosystems 16
  Integrity and Authentication with Asymmetric Cryptosystems 17
  Key Distribution and Certificates 18
  Attacks Against Cryptosystems 19
  Summary 21
  References 21
Chapter 2: Defeating a Learning Bridge's Forwarding Process 23
  Back to Basics: Ethernet Switching 101 23
  Ethernet Frame Formats 23
  Learning Bridge 24
  Consequences of Excessive Flooding 26
  Exploiting the Bridging Table: MAC Flooding Attacks 27
  Forcing an Excessive Flooding Condition 28
  Introducing the macof Tool 30
  MAC Flooding Alternative: MAC Spoofing Attacks 34
  Not Just Theory 35
  Preventing MAC Flooding and Spoofing Attacks 36
  Detecting MAC Activity 36
  Port Security 37
  Unknown Unicast Flooding Protection 39
  Summary 40
  References 41
Chapter 3: Attacking the Spanning Tree Protocol 43
  Introducing Spanning Tree Protocol 43
  Types of STP 46
  Understanding 802.1D and 802.1Q Common STP 46
  Understanding 802.1w Rapid STP 46
  Understanding 802.1s Multiple STP 47
  STP Operation: More Details 47
  Let the Games Begin! 53
  Attack 1: Taking Over the Root Bridge 55
  Root Guard 58
  BPDU-Guard 58
  Attack 2: DoS Using a Flood of Config BPDUs 60
  BPDU-Guard 62
  BPDU Filtering 62
  Layer 2 PDU Rate Limiter 63
  Attack 3: DoS Using a Flood of Config BPDUs 63
  Attack 4: Simulating a Dual-Homed Switch 63
  Summary 64
  References 65
Chapter 4: Are VLANS Safe? 67
  IEEE 802.1Q Overview 67
  Frame Classification 68
  Go Native 69
  Attack of the 802.1Q Tag Stack 71
  Understanding Cisco Dynamic Trunking Protocol 76
  Crafting a DTP Attack 76
  Countermeasures to DTP Attacks 80
  Understanding Cisco VTP 80
  VTP Vulnerabilities 81
  Summary 82
  References 82
Chapter 5: Leveraging DHCP Weaknesses 85
  DHCP Overview 85
  Attacks Against DHCP 89
  DHCP Scope Exhaustion: DoS Attack Against DHCP 89
  Yersinia 89
  Gobbler 90
  Hijacking Traffic Using DHCP Rogue Servers 92
  Countermeasures to DHCP Exhaustion Attacks 93
  Port Security 94
  Introducing DHCP Snooping 96
  Rate-Limiting DHCP Messages per Port 97
  DHCP Message Validation 97
  DHCP Snooping with Option 82 99
  Tips for Deploying DHCP Snooping 99
  Tips for Switches That Do Not Support DHCP Snooping 100
  DHCP Snooping Against IP/MAC Spoofing Attacks 100
  Summary 103
  References 103
Chapter 6: Exploiting IPv4 ARP 105
  Back to ARP Basics 105
  Normal ARP Behavior 105
  Gratuitous ARP 107
  Risk Analysis for ARP 108
  ARP Spoofing Attack 108
  Elements of an ARP Spoofing Attack 109
  Mounting an ARP Spoofing Attack 111
  Mitigating an ARP Spoofing Attack 112
  Dynamic ARP Inspection 112
  DAI in Cisco IOS 112
  DAI in CatOS 115
  Protecting the Hosts 115
  Intrusion Detection 116
  Mitigating Other ARP Vulnerabilities 117
  Summary 118
  References 118
Chapter 7: Exploiting IPv6 Neighbor Discovery and Router Advertisement 121
  Introduction to IPv6 121
  Motivation for IPv6 121
  What Does IPv6 Change? 122
  Neighbor Discovery 126
  Stateless Configuration with Router Advertisement 127
  Analyzing Risk for ND and Stateless Configuration 129
  Mitigating ND and RA Attacks 130
  In Hosts 130
  In Switches 130
  Here Comes Secure ND 131
  What Is SEND? 131
  Implementation 133
  Challenges 133
  Summary 133
  References 133
Chapter 8: What About Power over Ethernet? 135
  Introduction to PoE 135
  How PoE Works 136
  Detection Mechanism 136
  Powering Mechanism 138
  Risk Analysis for PoE 139
  Types of Attacks 139
  Mitigating Attacks 140
  Defending Against Power Gobbling 140
  Defending Against Power-Changing Attacks 141
  Defending Against Shutdown Attacks 141
  Defending Against Burning Attacks 142
  Summary 143
  References 143
Chapter 9: Is HSRP Resilient? 145
  HSRP Mechanics 145
  Digging into HSRP 147
  Attacking HSRP 148
  DoS Attack 149
  Man-in-the-Middle Attack 150
  Information Leakage 151
  Mitigating HSRP Attacks 151
  Using Strong Authentication 151
  Relying on Network Infrastructure 153
  Summary 155
  References 155
Chapter 10: Can We Bring VRRP Down? 157
  Discovering VRRP 157
  Diving Deep into VRRP 159
  Risk Analysis for VRRP 161
  Mitigating VRRP Attacks 161
  Using Strong Authentication 162
  Relying on the Network Infrastructure 162
  Summary 163
  References 163
Chapter 11: Information Leaks with Cisco Ancillary Protocols 165
  Cisco Discovery Protocol 165
  Diving Deep into CDP 165
  CDP Risk Analysis 167
  CDP Risk Mitigation 169
  IEEE Link Layer Discovery Protocol 169
  VLAN Trunking Protocol 170
  VTP Risk Analysis 172
  VTP Risk Mitigation 173
  Link Aggregation Protocols 174
  Risk Analysis 176
  Risk Mitigation 177
  Summary 178
  References 178
Part II: How Can a Switch Sustain a Denial of Service Attack? 181
Chapter 12: Introduction to Denial of Service Attacks 183
  How Does a DoS Attack Differ from a DDoS Attack? 183
  Initiating a DDoS Attack 184
  Zombie 184
  Botnet 185
  DoS and DDoS Attacks 186
  Attacking the Infrastructure 186
  Common Flooding Attacks 187
  Mitigating Attacks on Services 187
  Attacking LAN Switches Using DoS and DDoS Attacks 188
  Anatomy of a Switch 188
  Three Planes 189
  Data Plane 189
  Control Plane 190
  Management Plane 190
  Attacking the Switch 190
  Data Plane Attacks 192
  Control Plane Attacks 192
  Management Plane Attacks 193
  Switch Architecture Attacks 193
  Summary 194
  Reference 194
Chapter 13: Control Plane Policing 197
  Which Services Reside on the Control Plane? 198
  Securing the Control Plane on a Switch 198
  Implementing Hardware-Based CoPP 200
  Configuring Hardware-Based CoPP on the Catalyst 6500 200
  Hardware Rate Limiters 201
  Hardware-Based CoPP 203
  Configuring Control Plane Security on the Cisco ME3400 203
  Implementing Software-Based CoPP 206
  Configuring Software-Based CoPP 207
  Mitigating Attacks Using CoPP 211
  Mitigating Attacks on the Catalyst 6500 Switch 211
  Telnet Flooding Without CoPP 211
  Telnet Flooding with CoPP 212
  TTL Expiry Attack 215
  Mitigating Attacks on Cisco ME3400 Series Switches 218
  CDP Flooding 218
  CDP Flooding with L2TP Tunneling 219
  Summary 222
  References 222
Chapter 14: Disabling Control Plane Protocols 225
  Configuring Switches Without Control Plane Protocols 225
  Safely Disabling Control Plane Activities 227
  Disabling STP 227
  Disabling Link Aggregation Protocols 228
  Disabling VTP 228
  Disabling DTP 228
  Disabling Hot Standby Routing Protocol and Virtual Routing Redundancy Protocol 228
  Disabling Management Protocols and Routing Protocols 229
  Using an ACL 230
  Disabling Other Control Plane Activities 232
  Generating ICMP Messages 232
  Controlling CDP, IPv6, and IEEE 802.1X 233
  Using Smartports Macros 234
  Control Plane Activities That Cannot Be Disabled 235
  Best Practices for Control Plane 236
  Summary 236
Chapter 15: Using Switches to Detect a Data Plane DoS 239
  Detecting DoS with NetFlow 239
  Enabling NetFlow on a Catalyst 6500 244
  NetFlow as a Security Tool 246
  Increasing Security with NetFlow Applications 247
  Securing Networks with RMON 249
  Other Techniques That Detect Active Worms 252
  Summary 255
  References 255
Part III: Using Switches to Augment the Network Security 257
Chapter 16: Wire Speed Access Control Lists 259
  ACLs or Firewalls? 260
  State or No State? 261
  Protecting the Infrastructure Using ACLs 261
  RACL, VACL, and PACL: Many Types of ACLs 263
  Working with RACL 264
  Working with VACL 265
  Working with PACL 267
  Technology Behind Fast ACL Lookups 267
  Exploring TCAM 268
  Summary 270
Chapter 17: Identity-Based Networking Services with 802.1X 273
  Foundation 273
  Basic Identity Concepts 274
  Identification 274
  Authentication 274
  Authorization 275
  Discovering Extensible Authentication Protocol 275
  Exploring IEEE 802.1X 277
  802.1X Security 279
  Integration Value-Add of 802.1X 281
  Spanning-Tree Considerations 281
  Trunking Considerations 283
  Information Leaks 283
  Keeping Insiders Honest 285
  Port-Security Integration 285
  DHCP-Snooping Integration 286
  Address Resolution Protocol Inspection Integration 286
  Putting It Together 287
  Working with Multiple Devices 288
  Single-Auth Mode 288
  Multihost Mode 289
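Chapter 3 (the excerpt linked at the top of this page) covers taking over the root bridge and the Root Guard and BPDU Guard countermeasures. The following is an added example, not code from the book or from Cisco: it decodes IEEE 802.1D configuration BPDUs and flags one that advertises a root bridge superior to the one the network is supposed to have, which is the condition Root Guard reacts to on a port where it is enabled. The bridge IDs, MAC addresses, port names and the two captured BPDUs are constructed for the example.

```python
"""Parse IEEE 802.1D configuration BPDUs and flag a root-bridge takeover.

Added example for this page; it is not code from the book. All bridge IDs,
MAC addresses, port names and BPDUs below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

# 802.1D Configuration BPDU (35 bytes, following the 802.2 LLC header):
#   protocol id (2) | version (1) | type (1) | flags (1) | root id (8) |
#   root path cost (4) | bridge id (8) | port id (2) | message age (2) |
#   max age (2) | hello time (2) | forward delay (2)
# Timer fields are carried on the wire in units of 1/256 second.
_CONFIG_BPDU = struct.Struct(">HBBB8sI8sHHHHH")
BPDU_TYPE_CONFIG = 0x00


@dataclass(frozen=True, order=True)
class BridgeId:
    """16-bit priority field (802.1t: 4-bit priority + 12-bit system ID
    extension) followed by the bridge MAC. The lowest ID wins the election,
    so tuple ordering on (priority, mac) is exactly the STP comparison."""
    priority: int
    mac: bytes

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        return cls(int.from_bytes(raw[:2], "big"), raw[2:8])

    def to_bytes(self) -> bytes:
        return self.priority.to_bytes(2, "big") + self.mac


@dataclass(frozen=True)
class ConfigBpdu:
    flags: int
    root_id: BridgeId
    root_path_cost: int
    bridge_id: BridgeId
    port_id: int
    message_age: int
    max_age: int
    hello_time: int
    forward_delay: int


def parse_config_bpdu(payload: bytes) -> ConfigBpdu:
    """Decode a configuration BPDU; anything that is not 802.1D type 0 is rejected."""
    if len(payload) < _CONFIG_BPDU.size:
        raise ValueError("truncated BPDU")
    (proto, _version, btype, flags, root_raw, cost, bridge_raw, port_id,
     msg_age, max_age, hello, fwd) = _CONFIG_BPDU.unpack_from(payload)
    if proto != 0 or btype != BPDU_TYPE_CONFIG:
        raise ValueError(f"not an 802.1D config BPDU (proto={proto}, type=0x{btype:02x})")
    return ConfigBpdu(flags, BridgeId.from_bytes(root_raw), cost,
                      BridgeId.from_bytes(bridge_raw), port_id,
                      msg_age, max_age, hello, fwd)


def build_config_bpdu(root: BridgeId, root_path_cost: int, bridge: BridgeId,
                      port_id: int = 0x8001, max_age: int = 20,
                      hello_time: int = 2, forward_delay: int = 15) -> bytes:
    """Encode a configuration BPDU; used here only to construct the sample frames."""
    return _CONFIG_BPDU.pack(0, 0, BPDU_TYPE_CONFIG, 0, root.to_bytes(),
                             root_path_cost, bridge.to_bytes(), port_id,
                             0, max_age * 256, hello_time * 256, forward_delay * 256)


def is_superior_root(bpdu: ConfigBpdu, expected_root: BridgeId) -> bool:
    """A BPDU whose advertised root is numerically lower than the intended root
    would win the election on every switch that hears it: the takeover."""
    return bpdu.root_id < expected_root


def root_guard(bpdu: ConfigBpdu, expected_root: BridgeId) -> str:
    """Model of Root Guard on a port where it is enabled: a superior BPDU moves
    the port to root-inconsistent instead of re-electing the root."""
    return "root-inconsistent" if is_superior_root(bpdu, expected_root) else "forwarding"


# Constructed topology: the intended root is a distribution switch with
# priority 24576; a downstream access switch relays that root at cost 19.
EXPECTED_ROOT = BridgeId(24576, bytes.fromhex("001122334401"))
ACCESS_SWITCH = BridgeId(32768, bytes.fromhex("001122334402"))
# Constructed attacker: priority 0 and its own MAC, claiming to be root at cost 0.
ATTACKER = BridgeId(0, bytes.fromhex("0a0b0c0d0e0f"))

NORMAL_BPDU = build_config_bpdu(EXPECTED_ROOT, 19, ACCESS_SWITCH)
ATTACK_BPDU = build_config_bpdu(ATTACKER, 0, ATTACKER)


def audit(frames: dict, expected_root: BridgeId) -> dict:
    """Root Guard verdict per port for a batch of BPDUs keyed by ingress port."""
    return {port: root_guard(parse_config_bpdu(raw), expected_root)
            for port, raw in frames.items()}


if __name__ == "__main__":
    verdicts = audit({"Gi1/0/1": NORMAL_BPDU, "Gi1/0/24": ATTACK_BPDU}, EXPECTED_ROOT)
    for port, verdict in verdicts.items():
        print(f"{port}: {verdict}")
```

Root Guard only protects the ports on which it is configured, and only against superior BPDUs; on access ports, where no BPDU should ever arrive, BPDU Guard (which errdisables the port on any BPDU) is the simpler and stronger control. RSTP and MSTP carry a different BPDU (version 2, type 0x02) that this parser rejects rather than misreads.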
About the Authors
Eric Vyncke works as a Distinguished Consulting Engineer for Cisco.
Eric wrote the security section of Networks: Internet, Telephony, Multimedia:
Convergences and Complementarities (Springer-Verlag, 2003), and has a master's
degree in Computer Science Engineering from the University of Liège.
Christophe Paggen is a technical marketing engineer at Cisco focusing
on high-end firewalls. He has a degree in computer science from IESSL in Liège
and a master's in economics from the University of Mons-Hainaut.
Customer Reviews
Jul 9, 2008, Raul Siles: The layer 2 attack and defense masterpiece
The book covers most of the vulnerabilities, design flaws, and security holes associated with the layer 2 protocols we currently and extensively use on our networks, such as MAC flooding and spoofing attacks, and STP, VLAN, DHCP, ARP, PoE, HSRP, VRRP, CDP, VTP, LAP and even layer-2 IPv6 related attacks. However, and starting with the minimum privilege principle (if you don't need it, why is it enabled?), the main focus of this book (and especially Part I) is to provide the reader with the knowledge and specific details to detect these attacks and protect the network and network devices (mainly switches) against all these threats. For each protocol and attack it describes the proper settings for a secure implementation.
Part II of the book focuses on Denial of Service (DoS and DDoS) attacks on layer 2 devices and provides an excellent overview of switch architectures, internal implementation details (mainly Cisco focused), the relationships between the Control Plane and the Data Plane, the protocols each layer deals with, and the security implications on the internal operation of switches. If you want to know how your switches really work and the security implications of enabling/disabling certain capabilities, this is the section of the book you must read.
Part III then provides an introduction to more advanced access control options, through multiple ACL types, and layer-2 authentication (802.1X). It's a good introduction to go deeper into serious layer-2 access control and authentication projects and deployments.
Simplifying the threat, the attackers have a single tool (in fact they have multiple but this is THE tool) to do real damage at layer 2, Yersinia, co-developed by a Spanish security colleague, David. We, as defenders, need to properly design and deploy all the layer 2 technologies and protocols considering the security implications of their presence on the network. Fortunately, the countermeasures to mitigate layer 2 risks are available in some current network devices, mainly switches. BTW, I encourage you to use the attack tools, like Yersinia, to audit your network. Some of the book's countermeasures are trivial to apply, while some others require very careful planning. The book provides the guidance you need to start accomplishing the goal of getting a definitively protected layer 2 network by exposing the complexity, advantages and disadvantages of each solution.
The book is structured in small, easy to read chapters that describe each of the technologies analyzed and their operation, the security issues and attack examples, and the detection and protection mechanisms you need to apply, straight to the most relevant implementation details. It also includes practical examples and describes multiple scenarios where each countermeasure can be applied, as well as the main decision factors to apply it in a given way. If you are busy (and who is not these days?), I recommend you select a layer 2 protocol or technology you are using, select the appropriate chapter (a 30-45 minute read at most), and start planning and applying the related security best practices. You can repeat this chapter selection process every couple of weeks, and in 2-3 months your network will be what I would like to see at all my customers. The book allows network administrators and infosec professionals to independently digest any of the chapters and start protecting the associated technology. Obviously, the main goal should be to apply all the book's recommendations to your infrastructure in the short to mid term. Unfortunately, not all the countermeasures mentioned are available in all switches; there is still a lot of work to be done by the vendors to implement them all.
The book opens the doors to a whole set of layer-2 threats, but it is not a complete guide to implementing all the related protections, nor a command documentation book. It is up to the reader to check his switch documentation (Cisco or others) to get the full syntax details and multiple options for each of the countermeasures detailed. If you have managed Cisco devices, you know the syntax also changes between IOS/CatOS versions, so I prefer this approach rather than a detailed syntax compendium that may be unusable on my specific IOS/CatOS version.
Even though this is a Cisco Press book, and it is obviously focused on the current solutions available from Cisco, it is fair to admit that Cisco is leading the networking market and includes some of the most advanced layer 2 protection mechanisms in its switches, such as port security, UUFP, root and BPDU guard, BPDU filtering and rate-limiting, VLAN and layer-2 protocols best practices, DHCP snooping, DHCP rate-limiting and validation, IP source guard, DAI (Dynamic ARP Inspection), PoE defenses, HSRP and VRRP strong authentication, 802.1X, and lots of ACL types: RACL, VACL, PACL, etc. Therefore, as this is the way to go, other vendors (if they do not already have these) should provide similar protection capabilities on their layer 2 network devices.
I especially liked how the book ends (Part IV) by covering LinkSec, 802.1AE and 802.1af, future standards that will finally provide confidentiality and integrity at layer 2 at wire speed, similar to what we have today in wireless networks with 802.11i (WPA and WPA2). Why don't you start checking if these standards are supported by your endpoints (clients, servers, printers, VoIP phones, etc.) and network devices? The sooner we use them, the better.
The only portion missing from the book IMHO is the inclusion of layer 2 QoS protocols, such as 802.1p. Apart from that, chapter 1 is a light intro to security. If you have been in the field for a while, you can directly jump over it. I think it could have been omitted.
Definitely, if you are a penetration tester, network security professional or network administrator in any way, shape or form, this book must be on your shelf.
Full-review: http://radajo.blogspot.com/2008/07/security-book-review-lan-switch.html