作者:Eric Vyncke, Christopher Paggen
出版日期:September 16, 2007
出版社:Cisco Press
页数:360
ISBN:ISBN-10: 1587052563 ISBN-13: 978-1587052569
文件格式:PDF
Product Description
LAN Switch Security: What Hackers Know About Your Switches
A practical guide to hardening Layer 2 devices and stopping campus network attacks
Eric Vyncke
Christopher Paggen, CCIE® No. 2659
Contrary to popular belief, Ethernetswitches are not inherently secure. Security vulnerabilities inEthernet switches are multiple: from the switch implementation, tocontrol plane protocols (Spanning Tree Protocol , Cisco® DiscoveryProtocol , and so on) and data plane protocols, such as AddressRouting Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP).LAN Switch Security explains all the vulnerabilities in a networkinfrastructure related to Ethernet switches. Further, this book showsyou how to configure a switch to prevent or to mitigate attacks basedon those vulnerabilities. This book also includes a section on how touse an Ethernet switch to increase the security of a network andprevent future attacks.
Divided into four parts, LAN SwitchSecurity provides you with steps you can take to ensure the integrityof both voice and data traffic traveling over Layer 2 devices. Part Icovers vulnerabilities in Layer 2 protocols and how to configureswitches to prevent attacks against those vulnerabilities. Part IIaddresses denial-of-service (DoS) attacks on an Ethernet switch andshows how those attacks can be mitigated. Part III shows how a switchcan actually augment the security of a network through the utilizationof wirespeed access control list (ACL) processing and IEEE 802.1x foruser authentication and authorization. Part IV examines futuredevelopments from the LinkSec working group at the IEEE. For all parts,most of the content is vendor independent and is useful for all networkarchitects deploying Ethernet switches.
After reading this book, you will have anin-depth understanding of LAN security and be prepared to plug thesecurity holes that exist in a great number of campus networks.
Eric Vyncke has a master’s degree incomputer science engineering from the University of Liège in Belgium.Since 1997, Eric has worked as a Distinguished Consulting Engineer forCisco, where he is a technical consultant for security covering Europe.His area of expertise for 20 years has been mainly security from Layer2 to applications. He is also guest professor at Belgian universitiesfor security seminars.
Christopher Paggen, CCIE® No. 2659,obtained a degree in computer science from IESSL in Liège (Belgium) anda master’s degree in economics from University of Mons-Hainaut (UMH) inBelgium. He has been with Cisco since 1996 where he has held variouspositions in the fields of LAN switching and security, either aspre-sales support, post-sales support, network design engineer, ortechnical advisor to various engineering teams. Christopher is afrequent speaker at events, such as Networkers, and has filed severalU.S. patents in the security area.
Contributing Authors:
Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco.
Steinthor Bjarnason is a consulting engineer for Cisco.
Ken Hook is a switch security solution manager for Cisco.
Rajesh Bhandari is a technical leader and a network security solutions architect for Cisco.
Use port security to protect against CAM attacks
Prevent spanning-tree attacks
Isolate VLANs with proper configuration techniques
Protect against rogue DHCP servers
Block ARP snooping
Prevent IPv6 neighbor discovery and router solicitation exploitation
Identify Power over Ethernet vulnerabilities
Mitigate risks from HSRP and VRPP
Stop information leaks with CDP, PaGP, VTP, CGMP and other Cisco ancillary protocols
Understand and prevent DoS attacks against switches
Enforce simple wirespeed security policies with ACLs
Implement user authentication on a port base with IEEE 802.1x
Use new IEEE protocols to encrypt all Ethernet frames at wirespeed.