LAN Switch Security: What Hackers Know About Your Switches
Product Description
LAN Switch Security: What Hackers Know About Your Switches
A practical guide to hardening Layer 2 devices and stopping campus network attacks
Eric Vyncke, Christopher Paggen, CCIE® No. 2659
Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Cisco® Discovery Protocol [CDP],…
Comments
I really looked forward to reading LAN Switch Security (LSS), simply because it covered layer 2 issues. These days application security, rootkits, and similar topics get all the press, but the foundation of the network is still critical. Unfortunately, LSS disappointed me enough to warrant this three star review. I’m afraid those before me who wrote five star reviews 1) don’t read enough other books or 2) don’t set their expectations high enough.
Let me first say I am not anti-Cisco, nor anti-Cisco-book. For an earlier Cisco Press book I wrote “I really enjoyed reading Cisco Router Firewall Security (CRFS) by Richard Deal. This book delivers just what a technical Cisco book should: discussion of concepts, explanation of command syntax, and practical examples.” LSS, however, is not what I like to see in a Cisco book. It suffers the major flaw found in almost all technical books featuring large numbers of writers (LSS has 2 authors, 4 contributors, 2 tech editors): incoherence and overlapping discussions. Furthermore, many of these contributors do not write clearly. I found large sections to be disjointed and inconsistent. It is clear that no one stepped up to the plate to see if the finished product made any sense from the reader’s perspective.
The second major problem with this book is that older books easily overpower LSS. For example, in March 2006 I gave Hacking Exposed: Cisco Networks (HECN) four stars. HECN covers many of the same topics as LSS, more clearly, with more syntax, and better explanations. Anyone who wants to buy a book about layer 2 security should start with HECN. If you don’t want to buy a book, just download the free 86-page Cisco IOS Switch Security Configuration Guide published by NSA.
If you read HECN or the NSA guide, you’ll be struck by the amount of configuration syntax in those resources. If you glance through LSS you’ll see syntax, but (and this bothered me greatly) not for all the features discussed. For example, LSS ch 16 (Wire Speed Access Control Lists) features sections titled “Working with RACL”, “Working with VACL”, and “Working with PACL”. That’s great — six pages (pp 263-268), with no command syntax! Sure, you can read about using VACLs for traffic capture, but where are the examples? If you tell me they are the same as other examples, I want to see the proof. This is the sort of glaring omission that really frustrated me.
I did like some of LSS. I thought attacks against link aggregation protocols, discussions of control plane policy, and spanning tree protocol were interesting. Adding discussions of ARP spoofing a remote gateway using Yersinia would have been helpful. There’s a decent number of typos (POP != “point of presence”, replace “Ethernet” with “IP” on p 235), but technically the book seemed sound. (One of the authors was kind enough to confirm the p 235 typo; I wanted to be sure I hadn’t missed something important.)
I notice Cisco is publishing a book titled Router Security Strategies: Securing IP Network Traffic Planes in December. Presumably that will be a counterpart to this title, except at layer 3. I hope that new book avoids the mistakes made by LSS.
Rating: 3 / 5
I have been promoting the need to protect access to local network infrastructures (against the insider threat) for so many years that I’m even tired of sending the same message again and again these days, but I do not give up. I never understood why, if we require authentication for each and every technology resource, such as your computer operating system, servers, databases, applications, and even physical facilities, this has not been the case for access to the network. Still today, lots of local networks from big companies and organizations are “free”, that is, if the attacker gets physical access to an Ethernet port (RJ-45 connector) he is in! (the network). This is one of the attacker’s dreams, and we can simply mitigate this threat through the 802.1X protocol. The expansion of wireless networks has helped a lot to promote it, but it still must be applied to most wired networks out there.
802.1X is just one of the multiple additions you can make to your layer 2 security stance in order to protect the local (layer 2) network infrastructure from several attacks. Definitely, you need to stop thinking about IP (layer 3) attacks only, and move one level down. Honestly, one of the layer 2 attacks that works 99% of the time when I’m running an internal penetration test is ARP spoofing or poisoning. I tried to emphasize the impact of this attack and the associated defenses in my first GIAC paper for the Incident Handler (GCIH) certification in 2003, “Real World ARP Spoofing”.
The book covers most of the vulnerabilities, design flaws, and security holes associated with the layer 2 protocols we currently and extensively use on our networks, such as MAC flooding and spoofing attacks, and STP, VLAN, DHCP, ARP, PoE, HSRP, VRRP, CDP, VTP, LAP and even layer-2 IPv6 related attacks. However, and starting with the minimum privilege principle (if you don’t need it, why is it enabled?), the main focus of this book (and especially Part I) is to provide the reader with the knowledge and specific details to detect these attacks and protect the network and network devices (mainly switches) against all these threats. For each protocol and attack it describes the proper settings for a secure implementation.
Part II of the book focuses on Denial of Service (DoS and DDoS) attacks on layer 2 devices and provides an excellent overview of switch architectures, internal implementation details (mainly Cisco focused), the relationships between the Control Plane and the Data Plane, the protocols each layer deals with, and the security implications on the internal operation of switches. If you want to know how your switches really work and the security implications of enabling/disabling certain capabilities, this is the section of the book you must read.
Part III then provides an introduction to more advanced access control options, through multiple ACL types, and layer-2 authentication (802.1X). It’s a good introduction to go deeper into serious layer-2 access control and authentication projects and deployments.
Simplifying the threat, the attackers have a single tool (in fact they have multiple but this is THE tool) to do real damage at layer 2, Yersinia, co-developed by a Spanish security colleague, David. We, as defenders, need to properly design and deploy all the layer 2 technologies and protocols considering the security implications of their presence on the network. Fortunately enough, the countermeasures available to mitigate layer 2 risks are available in some current network devices, mainly switches. BTW, I encourage you to use the attack tools, like Yersinia, to audit your network. Some of the book’s countermeasures are trivial to apply, while some others require very carefully thought-out planning. The book provides the guidance you need to start accomplishing the goal of getting a definitively layer 2 protected network by exposing the complexity, advantages and disadvantages of each solution.
The book is structured in small, easy to read chapters that describe each of the technologies analyzed and its operation, the security issues and attack examples, and the detection and protection mechanisms you need to apply, straight to the most relevant implementation details. It also includes practical examples and describes multiple scenarios where each countermeasure can be applied, as well as the main decision factors to apply it in a given way. If you are busy (and who is not these days?), I recommend you select a layer 2 protocol or technology you are using, select the appropriate chapter (a 30-45 minute read at most), and start planning and applying the related security best practices. You can repeat this chapter selection process every couple of weeks, and in 2-3 months your network will be what I would like to see at all my customers. The book allows network administrators and infosec professionals to independently digest any of the chapters and start protecting the associated technology. Obviously, the main goal should be to apply all the book recommendations to your infrastructure in the short-mid term. Unfortunately, not all the countermeasures mentioned are available in all switches; there is still a lot of work to be done by the vendors to implement them all.
The book opens the doors to a whole set of layer-2 threats, but it is not a complete guide to implementing all the related protections, nor a command documentation book. It is up to the reader to check his switch documentation (Cisco or others) to get the full syntax details and multiple options for each of the countermeasures detailed. If you have managed Cisco devices, you know syntax also changes between IOS/CatOS versions, so I prefer this approach rather than a detailed syntax compendium that may be unusable on my specific IOS/CatOS version.
Even though this is a Cisco Press book, and obviously it is focused on the current solutions available from Cisco, it is fair to admit that Cisco is leading the networking market and includes some of the most advanced layer 2 protection mechanisms in its switches, such as port security, UUFP, root and BPDU guard, BPDU filtering and rate-limiting, VLAN and layer-2 protocols best practices, DHCP snooping, DHCP rate-limiting and validation, IP source guard, DAI (Dynamic ARP Inspection), PoE defenses, HSRP and VRRP strong authentication, 802.1X, and lots of ACL types: RACL, VACL, PACL, etc. Therefore, as this is the way to go, other vendors (if they do not already have these) should provide similar protection capabilities on their layer 2 network devices.
I especially liked how the book ends up (Part IV) covering LinkSec, 802.1AE and 802.1af, future standards that will finally provide confidentiality and integrity at layer 2 at wire speed, similarly to what we have today in wireless networks with 802.11i (WPA and WPA2). Why don’t you start checking if these standards are supported by your endpoints (clients, servers, printers, VoIP phones, etc) and network devices? The sooner we use them, the better.
The only portion missing from the book IMHO is the inclusion of layer 2 QoS protocols, such as 802.1p. Apart from that, chapter 1 is a light intro to security. If you have been in the field for a while, you can directly jump over it. I think it could have been omitted.
Before reading this book, I had extensive previous experience in layer 2 security, switches, layer 2 penetration testing, and layer 2 network security architectures and design, and I really enjoyed the book, especially its practical focus, broad scope on layer 2 issues, the format and examples. If you are a penetration tester, I’m sure you will get a few ideas too for your next challenge, and you can easily apply them as most attack tools are publicly available and included in the latest Backtrack 3 version. Definitely, if you are a network security professional or network administrator in any way, shape or form, this book must be on your shelves.
Full-review: http://radajo.blogspot.com/2008/07/security-book-review-lan-switch.html
Rating: 5 / 5
Some Quotes to give you a taste of why I find this book really great:
“LAN and Ethernet Switches are usually considered as plumbing. They are easy to install and configure, but it is easy to forget about security when things appear to be simple.”
“…can turn a $50,000 Ethernet switch into a $12 off-the-shelf supermarket hub”
This book is written in a way that most levels of knowledge can understand the content. It starts out by explaining the underlying technology in detail to give the reader the background knowledge to understand how attacks can be devastating to switches. Then the authors show, with real life examples, how an attacker can take advantage of your infrastructure. Finally, the best part is the explanation of how to mitigate the attacks. Overall, I found this book to be a great read and it actually has a ROI. The threats that this book explains could be costly to an organization that is blind to them.
You will find many online documents that explain some of the material contained in this book, but I have never seen such a great reference that not only explains the attacks, but shows you the tools available to prove they are indeed threats and shows how to mitigate them with sample configurations.
One of the highlights that caught my eye and I thought everyone would like was that almost all of the Layer 2 attacks are demonstrated – MAC Flooding, VLAN Hopping, DHCP attacks, VTP attacks, CDP attacks, STP attacks, the list keeps on going…
I know that I will be using this book for any switch deployments that I perform; I recommend that any network or security operator/consultant/engineer does the same. Also, anyone out there performing LAN penetration testing must have a copy of this book!
Rating: 5 / 5
Awesome. Horrifying. Fantastic. Scary. Phenomenal. Terrifying. The best book I have read all year. If you thought you didn’t need to worry about layer 2 security, think again!
This is probably the best practical hacking book to come out in several years. It clearly illustrates that the majority of LANs and CANs implemented today are full of configuration issues that can lead to serious exploits. A MANDATORY read for all network administrators.
The book does not cover any new ground, but it does an excellent job of bringing together a lot of information — both theory and practice — into one well written text. It shows the strengths (few) and weaknesses (many) of all the most common L2 protocols and how they can be exploited by anyone with access to any system on your network. It also shows how to lock down Cisco devices to minimize or prevent many of the exploits discussed.
The only complaint I have about the book is the poor editing job that was done, with glaring typos in several places in the book. Many of the typos are laughable (Catalyst Supervisor Engineer), but some leave you scratching your head and having to compare text to graphics to figure out which is correct. While annoying, and something I am sure that will be fixed in a later printing, it does not diminish the tremendous amount of information presented, and the well developed examples and demonstration exploits.
Now, if someone would only publish a generic version of this book that addressed the specific issues and fixes in L2 implementations by other vendors!
Again, a MANDATORY read for all network administrators. Pen testers and security admins should also read this book.
Rating: 5 / 5
I picked up this book a few days after it hit the proverbial shelves. I’ve read it twice since then. The book actually taught me many things that I simply didn’t know. I always knew that Cisco access ports had numerous services enabled on them by default. I disable many of them myself with the interface templates that I’ve built. I didn’t realize that there were this many enabled services.
The book has 2 good chapters on securing both the control-plane and the data-plane including the use of CoPP. One thing that I absolutely love about the control-plane chapter is how they point out the specifics of configuring CoPP on particular hardware platforms, in this case the 6500 and the ME3400. This hits home with me since I admin a number of 7600s. Prior to this I could not find a reference that would help me with my specific platform.
As always my standard gripes about these smaller Cisco Press books apply. The book is only available as a softback which is crap. Cisco Press: we’ll pay the extra $$$ for a book that won’t be dog-eared from day one. Stop skimping out on us! Next, while this book does go into a good amount of detail on almost all sections I personally want more detail. I want Cisco Press to give me 200 pages on securing the control-plane, not 40. I want detailed examples, sample configs, detailed discussion about why you’d implement CoPP in a particular way on one platform or another (7200s vs 7600s vs ISRs) etc. I want all that detail in a one stop shop. I want appendixes with sample interface templates for certain applications (customer-facing, infrastructure, internal user-facing, printers, servers, etc). I’m all about the details. Don’t whet my palate and cut me short; stop teasing me. And as always, give me access to a PDF version of the book. You do it for some Cisco Press books for free. I’m tired of carrying this book to work every day and no I am not going to buy a second copy.
Overall a very good title that all Cisco network people should own. I guarantee you that there are things in here that you do not know.
Rating: 5 / 5