LAN Switch Security: What hackers know about your switches

Wed, 03/26/2008 - 21:48 by Olivier Bonaventure

Ethernet is now the default fixed Local Area Network technology. Ethernet LANs are found in all enterprise environments and in more and more home networks. Ethernet was designed in the 1970s, when security was not a concern. Since then, Ethernet has evolved with the introduction of hubs and switches. Many network administrators are aware that hubs are a security concern since they broadcast Ethernet frames, and some of them assume that switches are more secure. Unfortunately, hackers have learned the limitations of Ethernet switches and have developed several tools that can be used to exploit them.

In their new book, Eric Vyncke and Christopher Paggen describe the current state of the art in securing Ethernet switches. They take a practical approach, using different types of Cisco switches and freely available tools to demonstrate the security problems and their solutions. Despite its focus on a single vendor, this book is an interesting reference for system administrators who want to better understand how to secure their Ethernet networks. This is particularly important in environments such as schools, where uncontrolled laptops are often connected.

The first part discusses the basic security problems that affect Ethernet switches, namely the learning bridge process and the implications of the limited size of the MAC table on Ethernet switches. It also discusses configurations to mitigate these problems. Then, the book analyses several protocols and their security implications, namely the spanning tree protocol, 802.1Q VLANs, DHCP, IPv4 ARP and IPv6 Neighbor Discovery, as well as surprising electrical security issues with Power over Ethernet. The second part focusses on techniques that can be used on switches to withstand denial of service attacks, from both a forwarding and a control plane viewpoint. The last part analyses recent techniques that can be used to improve the security of Ethernet switches, such as 802.1X or 802.1AE and access control lists.