Atjaunināt sīkdatņu piekrišanu

E-grāmata: LAN Switch Security: What Hackers Know About Your Switches

4.75/5 (13 ratings by Goodreads)
,
  • Formāts: 360 pages
  • Izdošanas datums: 06-Sep-2007
  • Izdevniecība: Cisco Press
  • Valoda: eng
  • ISBN-13: 9781587054679
Citas grāmatas par šo tēmu:
  • Formāts - PDF+DRM
  • Cena: 38,98 €*
  • * ši ir gala cena, t.i., netiek piemērotas nekādas papildus atlaides
  • Ielikt grozā
  • Pievienot vēlmju sarakstam
  • Šī e-grāmata paredzēta tikai personīgai lietošanai. E-grāmatas nav iespējams atgriezt un nauda par iegādātajām e-grāmatām netiek atmaksāta.
LAN Switch Security: What Hackers Know About Your SwitchesPalielināt
  • Formāts: 360 pages
  • Izdošanas datums: 06-Sep-2007
  • Izdevniecība: Cisco Press
  • Valoda: eng
  • ISBN-13: 9781587054679
Citas grāmatas par šo tēmu:

DRM restrictions

  • Kopēšana (kopēt/ievietot):

    nav atļauts

  • Drukāšana:

    nav atļauts

  • Lietošana:

    Digitālo tiesību pārvaldība (Digital Rights Management (DRM))
    Izdevējs ir piegādājis šo grāmatu šifrētā veidā, kas nozīmē, ka jums ir jāinstalē bezmaksas programmatūra, lai to atbloķētu un lasītu. Lai lasītu šo e-grāmatu, jums ir jāizveido Adobe ID. Vairāk informācijas šeit. E-grāmatu var lasīt un lejupielādēt līdz 6 ierīcēm (vienam lietotājam ar vienu un to pašu Adobe ID).

    Nepieciešamā programmatūra
    Lai lasītu šo e-grāmatu mobilajā ierīcē (tālrunī vai planšetdatorā), jums būs jāinstalē šī bezmaksas lietotne: PocketBook Reader (iOS / Android)

    Lai lejupielādētu un lasītu šo e-grāmatu datorā vai Mac datorā, jums ir nepieciešamid Adobe Digital Editions (šī ir bezmaksas lietotne, kas īpaši izstrādāta e-grāmatām. Tā nav tas pats, kas Adobe Reader, kas, iespējams, jau ir jūsu datorā.)

    Jūs nevarat lasīt šo e-grāmatu, izmantojot Amazon Kindle.

LAN Switch Security: What Hackers Know About Your Switches







A practical guide to hardening Layer 2 devices and stopping campus network attacks







Eric Vyncke

Christopher Paggen, CCIE® No. 2659







Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [ STP], Cisco® Discovery Protocol [ CDP], and so on) and data plane protocols, such as Address Routing Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches. Further, this book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. This book also includes a section on how to use an Ethernet switch to increase the security of a network and prevent future attacks.







Divided into four parts, LAN Switch Security provides you with steps you can take to ensure the integrity of both voice and data traffic traveling over Layer 2 devices. Part I covers vulnerabilities in Layer 2 protocols and how to configure switches to prevent attacks against those vulnerabilities. Part II addresses denial-of-service (DoS) attacks on an Ethernet switch and shows how those attacks can be mitigated. Part III shows how a switch can actually augment the security of a network through the utilization of wirespeed access control list (ACL) processing and IEEE 802.1x for user authentication and authorization. Part IV examines future developments from the LinkSec working group at the IEEE. For all parts, most of the content is vendor independent and is useful for all network architects deploying Ethernet switches.







After reading this book, you will have an in-depth understanding of LAN security and be prepared to plug the security holes that exist in a great number of campus networks.







Eric Vyncke has a masters degree in computer science engineering from the University of Ličge in Belgium. Since 1997, Eric has worked as a Distinguished Consulting Engineer for Cisco, where he is a technical consultant for security covering Europe. His area of expertise for 20 years has been mainly security from Layer 2 to applications. He is also guest professor at Belgian universities for security seminars.







Christopher Paggen, CCIE® No. 2659, obtained a degree in computer science from IESSL in Ličge (Belgium) and a masters degree in economics from University of Mons-Hainaut (UMH) in Belgium. He has been with Cisco since 1996 where he has held various positions in the fields of LAN switching and security, either as pre-sales support, post-sales support, network design engineer, or technical advisor to various engineering teams. Christopher is a frequent speaker at events, such as Networkers, and has filed several U.S. patents in the security area.







Contributing Authors:

Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco.

Steinthor Bjarnason is a consulting engineer for Cisco.

Ken Hook is a switch security solution manager for Cisco.

Rajesh Bhandari is a technical leader and a network security solutions architect for Cisco.











Use port security to protect against CAM attacks



Prevent spanning-tree attacks



Isolate VLANs with proper configuration techniques



Protect against rogue DHCP servers



Block ARP snooping



Prevent IPv6 neighbor discovery and router solicitation exploitation



Identify Power over Ethernet vulnerabilities



Mitigate risks from HSRP and VRPP



Stop information leaks with CDP, PaGP, VTP, CGMP and other Cisco ancillary protocols



Understand and prevent DoS attacks against switches



Enforce simple wirespeed security policies with ACLs



Implement user authentication on a port base with IEEE 802.1x



Use new IEEE protocols to encrypt all Ethernet frames at wirespeed.











This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.







Category: Cisco PressSecurity

Covers: Ethernet Switch Security







 

Papildus informācija

A practical guide to hardening Layer 2 devices and stopping campus network attacks





Learn the truth about how easily hackers can exploit Ethernet switches Explore the various vulnerabilities that exist is most modern LAN switch environments Analyzes potential attacks that can occur targeting Layer 2 devices Learn how to protect Ethernet switches against attack

Popular belief is that Ethernet switches are secure. But the security you see may not be the security you get, with issues ranging from switch implementation, to control plane protocols, to data plane protocols like ARP or DHCP.



 

LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches and helps you secure them. The book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. It also includes a section on how to use an Ethernet switch in order to increase the security of a network and prevent future attacks.

 

Divided into four parts, LAN Switch Security provides you with a practical guide to steps you can take to ensure the integrity of both voice and data traffic that travels over Layer 2 devices. The first part covers multiple protocols, including Spanning Tree Protocol (STP), DHCP, IPv.6, HSRP, and others. The second part addresses denial of services (DoS) attacks on an Ethernet switch and shows how those attacks can be mitigated. The third part presents how a switch can actually augment the security of a network through the utilization of wirespeed ACL processing and IEEE 802.1x for user authentication and authorization. The fourth part of the book examines future developments from the LinkSec working group at the IEEE.

 

This book is the first to delve into LAN security, and it is essential to any comprehensive security plan.

 
Introduction xix
Part I Vulnerabilities and Mitigation Techniques
3(178)
Introduction to Security
5(18)
Security Triad
5(3)
Confidentiality
6(1)
Integrity
7(1)
Availability
8(1)
Reverse Security Triad
8(1)
Risk Management
8(2)
Risk Analysis
9(1)
Risk Control
10(1)
Access Control and Identity Management
10(1)
Cryptography
11(10)
Symmetric Cryptosystems
13(1)
Symmetric Encryption
13(1)
Hashing Functions
13(1)
Hash Message Authentication Code
14(1)
Asymmetric Cryptosystems
15(1)
Confidentiality with Asymmetric Cryptosystems
16(1)
Integrity and Authentication with Asymmetric Cryptosystems
17(1)
Key Distribution and Certificates
18(1)
Attacks Against Cryptosystems
19(2)
Summary
21(1)
References
21(2)
Defeating a Learning Bridge's Forwarding Process
23(20)
Back to Basics: Ethernet Switching 101
23(4)
Ethernet Frame Formats
23(1)
Learning Bridge
24(2)
Consequences of Excessive Flooding
26(1)
Exploiting the Bridging Table: MAC Flooding Attacks
27(7)
Forcing an Excessive Flooding Condition
28(2)
Introducing the macof Tool
30(4)
MAC Flooding Alternative: MAC Spoofing Attacks
34(2)
Not Just Theory
35(1)
Preventing MAC Flooding and Spoofing Attacks
36(4)
Detecting MAC Activity
36(1)
Port Security
37(2)
Unknown Unicast Flooding Protection
39(1)
Summary
40(1)
References
41(2)
Attacking the Spanning Tree Protocol
43(24)
Introducing Spanning Tree Protocol
43(10)
Types of STP
46(1)
Understanding 802.1D and 802.1Q Common STP
46(1)
Understanding 802.1w Rapid STP
46(1)
Understanding 802.1s Multiple STP
47(1)
STP Operation: More Details
47(6)
Let the Games Begin!
53(11)
Attack 1: Taking Over the Root Bridge
55(3)
Root Guard
58(1)
BPDU-Guard
58(2)
Attack 2: DoS Using a Flood of Config BPDUs
60(2)
BPDU-Guard
62(1)
BPDU Filtering
62(1)
Layer 2 PDU Rate Limiter
63(1)
Attack 3: DoS Using a Flood of Config BPDUs
63(1)
Attack 4: Simulating a Dual-Homed Switch
63(1)
Summary
64(1)
References
65(2)
Are VLANS Safe?
67(18)
IEEE 802.1Q Overview
67(9)
Frame Classification
68(1)
Go Native
69(2)
Attack of the 802.1Q Tag Stack
71(5)
Understanding Cisco Dynamic Trunking Protocol
76(4)
Crafting a DTP Attack
76(4)
Countermeasures to DTP Attacks
80(1)
Understanding Cisco VTP
80(2)
VTP Vulnerabilities
81(1)
Summary
82(1)
References
82(3)
Leveraging DHCP Weaknesses
85(20)
DHCP Overview
85(4)
Attacks Against DHCP
89(4)
DHCP Scope Exhaustion: DoS Attack Against DHCP
89(1)
Yensinia
89(1)
Gobbler
90(2)
Hijacking Traffic Using DHCP Rogue Servers
92(1)
Countermeasures to DHCP Exhaustion Attacks
93(7)
Port Security
94(2)
Introducing DHCP Snooping
96(1)
Rate-Limiting DHCP Messages per Port
97(1)
DHCP Message Validation
97(2)
DHCP Snooping with Option 82
99(1)
Tips for Deploying DHCP Snooping
99(1)
Tips for Switches That Do Not Support DHCP Snooping
100(1)
DHCP Snooping Against IP/MAC Spoofing Attacks
100(3)
Summary
103(1)
References
103(2)
Exploiting IPv4 ARP
105(16)
Back to ARP Basics
105(3)
Normal ARP Behavior
105(2)
Gratuitous ARP
107(1)
Risk Analysis for ARP
108(1)
ARP Spoofing Attack
108(4)
Elements of an ARP Spoofing Attack
109(2)
Mounting an ARP Spoofing Attack
111(1)
Mitigating an ARP Spoofing Attack
112(5)
Dynamic ARP Inspection
112(1)
DAI in Cisco IOS
112(3)
DAI in CatOS
115(1)
Protecting the Hosts
115(1)
Intrusion Detection
116(1)
Mitigating Other ARP Vulnerabilities
117(1)
Summary
118(1)
References
118(3)
Exploiting IPv6 Neighbor Discovery and Router Advertisement
121(14)
Introduction to IPv6
121(8)
Motivation for IPv6
121(1)
What Does IPv6 Change?
122(4)
Neighbor Discovery
126(1)
Stateless Configuration with Router Advertisement
127(2)
Analyzing Risk for ND and Stateless Configuration
129(1)
Mitigating ND and RA Attacks
130(1)
In Hosts
130(1)
In Switches
130(1)
Here Comes Secure ND
131(2)
What Is SEND?
131(2)
Implementation
133(1)
Challenges
133(1)
Summary
133(1)
References
133(2)
What About Power over Ethernet?
135(10)
Introduction to PoE
135(4)
How PoE Works
136(1)
Detection Mechanism
136(2)
Powering Mechanism
138(1)
Risk Analysis for PoE
139(1)
Types of Attacks
139(1)
Mitigating Attacks
140(3)
Defending Against Power Gobbling
140(1)
Defending Against Power-Changing Attacks
141(1)
Defending Against Shutdown Attacks
141(1)
Defending Against Burning Attacks
142(1)
Summary
143(1)
References
143(2)
Is HSRP Resilient?
145(12)
HSRP Mechanics
145(3)
Digging into HSRP
147(1)
Attacking HSRP
148(3)
DoS Attack
149(1)
Man-in-the-Middle Attack
150(1)
Information Leakage
151(1)
Mitigating HSRP Attacks
151(4)
Using Strong Authentication
151(2)
Relying on Network Infrastructure
153(2)
Summary
155(1)
References
155(2)
Can We Bring VRRP Down?
157(8)
Discovering VRRP
157(4)
Diving Deep into VRRP
159(2)
Risk Analysis for VRRP
161(1)
Mitigating VRRP Attacks
161(2)
Using Strong Authentication
162(1)
Relying on the Network Infrastructure
162(1)
Summary
163(1)
References
163(2)
Information Leaks with Cisco Ancillary Protocols
165(16)
Cisco Discovery Protocol
165(4)
Diving Deep into CDP
165(2)
CDP Risk Analysis
167(2)
CDP Risk Mitigation
169(1)
IEEE Link Layer Discovery Protocol
169(1)
VLAN Trunking Protocol
170(4)
VTP Risk Analysis
172(1)
VTP Risk Mitigation
173(1)
Link Aggregation Protocols
174(4)
Risk Analysis
176(1)
Risk Mitigation
177(1)
Summary
178(1)
References
178(3)
Part II How Can a Switch Sustain a Denial of Service Attack?
181(76)
Introduction to Denial of Service Attacks
183(14)
How Does a DoS Attack Differ from a DDoS Attack?
183(1)
Initiating a DDoS Attack
184(2)
Zombie
184(1)
Botnet
185(1)
DoS and DDoS Attacks
186(2)
Attacking the Infrastructure
186(1)
Common Flooding Attacks
187(1)
Mitigating Attacks on Services
187(1)
Attacking LAN Switches Using DoS and DDoS Attacks
188(6)
Anatomy of a Switch
188(1)
Three Planes
189(1)
Data Plane
189(1)
Control Plane
190(1)
Management Plane
190(1)
Attacking the Switch
190(2)
Data Plane Attacks
192(1)
Control Plane Attacks
192(1)
Management Plane Attacks
193(1)
Switch Architecture Attacks
193(1)
Summary
194(1)
Reference
194(3)
Control Plane Policing
197(28)
Which Services Reside on the Control Plane?
198(1)
Securing the Control Plane on a Switch
198(2)
Implementing Hardware-Based CoPP
200(6)
Configuring Hardware-Based CoPP on the Catalyst 6500
200(1)
Hardware Rate Limiters
201(2)
Hardware-Based CoPP
203(1)
Configuring Control Plane Security on the Cisco ME3400
203(3)
Implementing Software-Based CoPP
206(5)
Configuring Software-Based CoPP
207(4)
Mitigating Attacks Using CoPP
211(11)
Mitigating Attacks on the Catalyst 6500 Switch
211(1)
Telnet Flooding Without CoPP
211(1)
Telnet Flooding with CoPP
212(3)
TTL Expiry Attack
215(3)
Mitigating Attacks on Cisco ME3400 Series Switches
218(1)
CDP Flooding
218(1)
CDP Flooding with L2TP Tunneling
219(3)
Summary
222(1)
References
222(3)
Disabling Control Plane Protocols
225(14)
Configuring Switches Without Control Plane Protocols
225(11)
Safely Disabling Control Plane Activities
227(1)
Disabling STP
227(1)
Disabling Link Aggregation Protocols
228(1)
Disabling VTP
228(1)
Disabling DTP
228(1)
Disabling Hot Standby Routing Protocol and Virtual Routing Redundancy Protocol
228(1)
Disabling Management Protocols and Routing Protocols
229(1)
Using an ACL
230(2)
Disabling Other Control Plane Activities
232(1)
Generating ICMP Messages
232(1)
Controlling CDP, IPv6, and IEEE
802. 1X
233(1)
Using Smartports Macros
234(1)
Control Plane Activities That Cannot Be Disabled
235(1)
Best Practices for Control Plane
236(1)
Summary
236(3)
Using Switches to Detect a Data Plane DoS
239(18)
Detecting DoS with NetFlow
239(10)
Enabling NetFlow on a Catalyst 6500
244(2)
NetFlow as a Security Tool
246(1)
Increasing Security with NetFlow Applications
247(2)
Securing Networks with RMON
249(3)
Other Techniques That Detect Active Worms
252(3)
Summary
255(1)
References
255(2)
Part III Using Switches to Augment the Network Security
257(46)
Wire Speed Access Control Lists
259(14)
ACLs or Firewalls?
260(1)
State or No State?
261(1)
Protecting the Infrastructure Using ACLs
261(2)
RACL, VACL, and PACL: Many Types of ACLs
263(4)
Working with RACL
264(1)
Working with VACL
265(2)
Working with PACL
267(1)
Technology Behind Fast ACL Lookups
267(3)
Exploring TCAM
268(2)
Summary
270(3)
Identity-Based Networking Services with 802.1X
273(30)
Foundation
273(1)
Basic Identity Concepts
274(1)
Identification
274(1)
Authentication
274(1)
Authorization
275(1)
Discovering Extensible Authentication Protocol
275(2)
Exploring IEEE 802.1X
277(2)
802.1X Security
279(9)
Integration Value-Add of 802.1X
281(1)
Spanning-Tree Considerations
281(2)
Trunking Considerations
283(1)
Information Leaks
283(2)
Keeping Insiders Honest
285(1)
Port-Security Integration
285(1)
DHCP-Snooping Integration
286(1)
Address Resolution Protocol Inspection Integration
286(1)
Putting It Together
287(1)
Working with Multiple Devices
288(1)
Single-Auth Mode
288(1)
Multihost Mode
289(1)
Working with Devices Incapable of 802.1X
289(9)
802.1X Guest-VLAN
290(1)
802.1X Guest-VLAN Timing
291(2)
MAC Authentication Primer
293(1)
MAB Operation
293(5)
Policy Enforcement
298(1)
VLAN Assignment
298(1)
Summary
299(1)
References
300(3)
Part IV What Is Next in LAN Security?
303(20)
IEEE 802.1AE
305(18)
Enterprise Trends and Challenges
305(1)
Matters of Trust
306(1)
Data Plane Traffic
306(1)
Control Plane Traffic
307(1)
Management Traffic
307(1)
Road to Encryption: Brief History of WANs and WLANs
307(2)
Why Not Layer 2?
309(1)
Link Layer Security: IEEE 802.1AE/af
309(8)
Current State: Authentication with 802.1X
310(2)
LinkSec: Extends 802.1X
312(1)
Authentication and Key Distribution
313(1)
Data Confidentiality and Integrity
314(1)
Data Confidentiality (Encryption)
314(1)
Data Integrity
314(1)
Frame Format
314(2)
Encryption Modes
316(1)
Security Landscape: LinkSec's Coexistence with Other Security Technologies
317(1)
Performance and Scalability
318(1)
End-to-End Versus Hop-by-Hop LAN-Based Cryptographic Protection
318(2)
Summary
320(1)
References
321(2)
Appendix Combining IPsec with L2TPv3 for Secure Pseudowire 323(7)
Index 330


 

Eric Vyncke has a masters degree in computer science engineering from the University of Ličge in Belgium. He

worked as a research assistant in the same university before joining Network Research Belgium. At Network

Research Belgium, he was the head of R&D. He then joined Siemens as a project manager for security projects,

including a proxy firewall. Since 1997, he has worked as a distinguished consulting engineer for Cisco as a technical

consultant for security covering Europe. For 20 years, Erics area of expertise has been security from Layer 2 to

the application layer. He is also a guest professor at some Belgian universities for security seminars. Eric is also a

frequent speaker at security events (such as Networkers at Cisco Live and RSA Conference).

Christopher Paggen joined Cisco in 1996 where he has held various positions gravitating around LAN switching

and security technologies. Lately, he has been in charge of defining product requirements for the companys current

and future high-end firewalls. Christopher holds several U.S. patents, one of which pertains to Dynamic ARP

Inspection (DAI). As CCIE No. 2659, Christopher also owns a B.S. in computer science from HEMES (Belgium)

and went on to study economics at UMH (Belgium) for two more years.
Biežāk uzdotie jautājumi par e-grāmatām Biežāk uzdotie jautājumi par e-grāmatām
Permanent link: https://www.kriso.lv/db/97815870546792e.html
Keywords: