Document: LAN Switch Security What Hackers Know About Your Switches docx


Document information

[...]... Attacking LAN Switches Using DoS and DDoS Attacks; Anatomy of a Switch; Three Planes; Data Plane; Control Plane; Management Plane; Attacking the Switch; Data Plane Attacks; Control Plane Attacks; Management Plane Attacks; Switch Architecture Attacks; Summary; Reference; Chapter 13 Control Plane Policing; Which Services Reside on the Control Plane?; Securing...

control plane (which is the plane where routing and management protocols are running). Because it can be attacked, it must be protected. Control plane policing is shown to be the best technique to achieve protection.
• Chapter 14, “Disabling Control Plane Protocols,” explains what techniques can be used when control plane policing is not available, such as on old switches.
• Chapter 15, “Using Switches...

Introduction. LAN and Ethernet switches are usually considered as plumbing. They are easy to install and configure, but it is easy to forget about security when things appear to be simple. Multiple vulnerabilities exist in Ethernet switches. Attack tools to exploit them started to appear a couple of years ago (for example, the well-known dsniff package). By using those attack tools, a hacker can defeat the security...

Detect a Data Plane DoS,” leverages NetFlow and Network Analysis Module (NAM) to detect a DoS attack or an aggressively propagating worm in the network. The goal of early detection is to better fight the DoS attack even before the users or customers become aware of it. Part III, “Using Switches to Augment Network Security.” How to leverage Ethernet switches to actually augment your LAN's security level...

Devices Incapable of 802.1X; 802.1X Guest-VLAN; 802.1X Guest-VLAN Timing; MAC Authentication Primer; MAB Operation; Policy Enforcement; VLAN Assignment; Summary; References; Part IV What Is Next in LAN Security?; Chapter 18 IEEE 802.1AE; Enterprise Trends and Challenges; Matters of Trust; Data Plane Traffic; Control Plane Traffic; Management Traffic; Road...

Control Plane Activities; Generating ICMP Messages; Controlling CDP, IPv6, and IEEE 802.1X; Using Smartports Macros; Control Plane Activities That Cannot Be Disabled; Best Practices for Control Plane; Summary; Chapter 15 Using Switches to Detect a Data Plane DoS; Detecting DoS with NetFlow; Enabling NetFlow on a Catalyst 6500; NetFlow as a Security Tool; Increasing Security...

Flooding with CoPP; TTL Expiry Attack; Mitigating Attacks on Cisco ME3400 Series Switches; CDP Flooding; CDP Flooding with L2TP Tunneling; Summary; References; Chapter 14 Disabling Control Plane Protocols; Configuring Switches Without Control Plane Protocols; Safely Disabling Control Plane Activities; Disabling STP; Disabling Link Aggregation Protocols; Disabling...

with information to cause a denial of services. On the other hand, Ethernet switches and specific protocols and features can augment the security posture of a LAN environment with user identification, wire speed security policy enforcement, Layer 2 encryption, and so on. Goals and Methods. When talking about vulnerabilities in a switch-based network, the approach is first to describe the protocol, to list...

Motivation for IPv6; What Does IPv6 Change?; Neighbor Discovery; Stateless Configuration with Router Advertisement; Analyzing Risk for ND and Stateless Configuration; Mitigating ND and RA Attacks; In Hosts; In Switches; Here Comes Secure ND; What Is SEND?; Implementation; Challenges; Summary; References; Chapter 8 What About Power over Ethernet?...

Hop-by-Hop LAN-Based Cryptographic Protection; Summary; References; Appendix; Index; Combining IPsec with L2TPv3 for Secure Pseudowire

Icons Used in This Book: PC, Terminal, File Server, Laptop, Router, Multilayer Switch, Network Cloud, Authentication Service (AS), Line: Ethernet, Firewall, Web Server, Catalyst Switch, Line: Serial, Pipe, Route/Switch Processor w/ Si, ATM Switch, Line: Switched

Press LAN Switch Security What Hackers Know About Your Switches, Eric Vyncke and Christopher Paggen, CCIE No. 2659

LAN Switch Security What Hackers Know About.

Congress Cataloging-in-Publication Data: Vyncke, Eric. LAN switch security : what hackers know about your switches / Eric Vyncke, Christopher Paggen. p. cm.

Date posted: 16/01/2014, 21:20

Table of contents

  • LAN Switch Security

    • Contents

    • Introduction

    • Part I: Vulnerabilities and Mitigation Techniques

      • Chapter 1 Introduction to Security

        • Security Triad

        • Risk Management

        • Access Control and Identity Management

        • Cryptography

        • Summary

        • References

      • Chapter 2 Defeating a Learning Bridge’s Forwarding Process

        • Back to Basics: Ethernet Switching 101

        • Exploiting the Bridging Table: MAC Flooding Attacks

        • MAC Flooding Alternative: MAC Spoofing Attacks

        • Preventing MAC Flooding and Spoofing Attacks

        • Summary

        • References

      • Chapter 3 Attacking the Spanning Tree Protocol

        • Introducing Spanning Tree Protocol

        • Let the Games Begin!

        • Summary

        • References

      • Chapter 4 Are VLANS Safe?

        • IEEE 802.1Q Overview

        • Understanding Cisco Dynamic Trunking Protocol
