LAN Switch Security: What Hackers Know About Your Switches...

• Cover Type: Paperback with 360 pages
• Published by: Cisco Press
• Edition: 1st Edition September 16, 2007
• Written in: English
• ISBN 10 Number: 1587052563
• ISBN 13 Number: 978-1587052569
• Book Dimensions: 9.2 x 7.6 x 0.7 inches
• Weighs: 1.2 pounds

LAN Switch Security: What Hackers Know About Your Switches

A practical guide to hardening Layer 2 devices and stopping campus network attacks

Eric Vyncke

Christopher Paggen, CCIE® No. 2659

Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Cisco® Discovery Protocol [CDP], and so on) and data plane protocols, such as Address Routing Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches. Further, this book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. This book also includes a section on how to use an Ethernet switch to increase the security of a network and prevent future attacks.

Divided into four parts, LAN Switch Security provides you with steps you can take to ensure the integrity of both voice and data traffic traveling over Layer 2 devices. Part I covers vulnerabilities in Layer 2 protocols and how to configure switches to prevent attacks against those vulnerabilities. Part II addresses denial-of-service (DoS) attacks on an Ethernet switch and shows how those attacks can be mitigated. Part III shows how a switch can actually augment the security of a network through the utilization of wirespeed access control list (ACL) processing and IEEE 802.1x for user authentication and authorization. Part IV looks at future developments from the LinkSec working group at the IEEE. For all parts, most of the content is vendor independent and is useful for all network architects deploying Ethernet switches.

After reading this book, you will have an in-depth understanding of LAN security and be prepared to plug the security holes that exist in a great number of campus networks.

Eric Vyncke has a master’s degree in computer science engineering from the University of Liège in Belgium. Since 1997, Eric has worked as a Distinguished Consulting Engineer for Cisco, where he is a technical consultant for security covering Europe. His area of expertise for twenty years has been mainly security from Layer 2 to applications. He is also guest professor at Belgian universities for security seminars.

Christopher Paggen, CCIE® No. 2659, obtained a degree in computer science from IESSL in Liège (Belgium) and a master’s degree in economics from University of Mons-Hainaut (UMH) in Belgium. He has been with Cisco since 1996 where he has held various positions in the fields of LAN switching and security, either as pre-sales support, post-sales support, network design engineer, or technical advisor to various engineering teams. Christopher is a frequent speaker at events, such as Networkers, and has filed several U.S. patents in the security area.

Contributing Authors:

Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco.

Steinthor Bjarnason is a consulting engineer for Cisco.

Ken Hook is a switch security solution manager for Cisco.

Rajesh Bhandari is a technical leader and a network security solutions architect for Cisco.

• Use port security to protect against CAM attacks

• Prevent spanning-tree attacks

• Isolate VLANs with proper configuration techniques

• Protect against rogue DHCP servers

• Block ARP snooping

• Prevent IPv6 neighbor discovery and router solicitation exploitation

• Identify Power over Ethernet vulnerabilities

• Mitigate risks from HSRP and VRPP

• Stop information leaks with CDP, PaGP, VTP, CGMP and other Cisco ancillary protocols

• Understand and prevent DoS attacks against switches

• Enforce simple wirespeed security policies with ACLs

• Implement user authentication on a port base with IEEE 802.1x

• Use new IEEE protocols to encrypt all Ethernet frames at wirespeed.

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Category: Cisco Press—Security

Covers: Ethernet Switch Security

$60.00 USA / $69.00 CAN

LAN Switch Security: What Hackers Know About Your Switches

A practical guide to hardening Layer 2 devices and stopping campus network attacks

Eric Vyncke

Christopher Paggen, CCIE® No. 2659

Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Cisco® Discovery Protocol [CDP], and so on) and data plane protocols, such as Address Routing Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches. Further, this book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. This book also includes a section on how to use an Ethernet switch to increase the security of a network and prevent future attacks.

Divided into four parts, LAN Switch Security provides you with steps you can take to ensure the integrity of both voice and data traffic traveling over Layer 2 devices. Part I covers vulnerabilities in Layer 2 protocols and how to configure switches to prevent attacks against those vulnerabilities. Part II addresses denial-of-service (DoS) attacks on an Ethernet switch and shows how those attacks can be mitigated. Part III shows how a switch can actually augment the security of a network through the utilization of wirespeed access control list (ACL) processing and IEEE 802.1x for user authentication and authorization. Part IV looks at future developments from the LinkSec working group at the IEEE. For all parts, most of the content is vendor independent and is useful for all network architects deploying Ethernet switches.

After reading this book, you will have an in-depth understanding of LAN security and be prepared to plug the security holes that exist in a great number of campus networks.

Eric Vyncke has a master’s degree in computer science engineering from the University of Liège in Belgium. Since 1997, Eric has worked as a Distinguished Consulting Engineer for Cisco, where he is a technical consultant for security covering Europe. His area of expertise for twenty years has been mainly security from Layer 2 to applications. He is also guest professor at Belgian universities for security seminars.

Christopher Paggen, CCIE® No. 2659, obtained a degree in computer science from IESSL in Liège (Belgium) and a master’s degree in economics from University of Mons-Hainaut (UMH) in Belgium. He has been with Cisco since 1996 where he has held various positions in the fields of LAN switching and security, either as pre-sales support, post-sales support, network design engineer, or technical advisor to various engineering teams. Christopher is a frequent speaker at events, such as Networkers, and has filed several U.S. patents in the security area.

Contributing Authors:

Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco.

Steinthor Bjarnason is a consulting engineer for Cisco.

Ken Hook is a switch security solution manager for Cisco.

Rajesh Bhandari is a technical leader and a network security solutions architect for Cisco.

• Use port security to protect against CAM attacks

• Prevent spanning-tree attacks

• Isolate VLANs with proper configuration techniques

• Protect against rogue DHCP servers

• Block ARP snooping

• Prevent IPv6 neighbor discovery and router solicitation exploitation

• Identify Power over Ethernet vulnerabilities

• Mitigate risks from HSRP and VRPP
  
  About The Author
  

   

  Eric Vyncke has a master’s degree in computer science engineering from the University of Liège in Belgium. He

  worked as a research assistant in the same university before joining Network Research Belgium. At Network

  Research Belgium, he was the head of R&D. He then joined Siemens as a project manager for security projects,

  including a proxy firewall. Since 1997, he has worked as a distinguished consulting engineer for Cisco as a technical

  consultant for security covering Europe. For twenty years, Eric’s area of expertise has been security from Layer 2 to

  the application layer. He is also a guest professor at some Belgian universities for security seminars. Eric is also a

  frequent speaker at security events (such as Networkers at Cisco Live and RSA Conference).

  Christopher Paggen joined Cisco in 1996 where he has held various positions gravitating around LAN switching

  and security technologies. Lately, he has been in charge of defining product requirements for the company’s current

  and future high-end firewalls. Christopher holds several U.S. patents, one of which pertains to Dynamic ARP

  Inspection (DAI). As CCIE No. 2659, Christopher also owns a B.S. in computer science from HEMES (Belgium)

  and went on to study economics at UMH (Belgium) for two more years.
  
  Reader Reviews
  LAN Switch Security by Eric Vyncke and Christopher Paggen is a strong introduction to an overview of the types of Layer 2 vulnerabilities and attacks that are possible today. I am impressed that Mr. Paggen assisted on this book, as he is a respected leader within Cisco concerning layer 2, and has had valuable contributions in other works (aka Christophe Paggen). Chapter 5 shows a detailed DHCP snoop. I enjoyed chapter 6, which discusses different ARP attacks. Chapter 13, concerning control plane policing, gives a good introduction to an area of study that is lacking in documentation. As other reviewers have mentioned, there are some glaring typos within this book. The intro to MACOF on page 28 I must have read ten times to understand what their were expressing. Page 173 is weak on discussing VTP attacks and mitigations. One concern I have with this book is the heavy reliance on a layer 2 attack tool called Yersinia. My issue is more simply because I am such a newbie to UNIX, that I have been unable to install Yersinia properly. While this is admittedly my fault, because I cannot use Yersinia, I am unable to mimic large portions of this book. While the screen shots of the effects of using Yersinia leaves me wanting to mimic the attacks, I am forced to sit on the sidelines. I must admit that I am rather shocked by Richard Betjlich's 3 star review of this book and hisconcerning Hacking Exposed Cisco Networks Exposed (HECN). I am of the opposite consideration, and would rather look at LAN Switch Security, first, rather than turn to HECN. This is more because I am so unimpressed with HECN than because of the value of this book (see my Amazon review of HECN). I greatly respect Mr. Betjlich's view, and his lowly review of this book makes me question my own judgment. I am still attempting to load Yersinia, and if so, I hope to better be able to utilize the examples in this book. I believe this book gives the best evidence available in a book as to what to look out for in terms of layer 2 vulnerabilities and how to mitigate these risks. I give this book 4 pings out of 5: !!!.!