LAN Switch Security
What Hackers Know About Your Switches
Eric Vyncke and Christopher Paggen, CCIE No. 2659
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
LAN Switch Security
What Hackers Know About Your Switches
Eric Vyncke
Christopher Paggen
Copyright© 2008 Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America
First Printing August 2007
Library of Congress Cataloging-in-Publication Data:
Vyncke, Eric.
LAN switch security : what hackers know about your switches / Eric Vyncke, Christopher Paggen.
p. cm.
ISBN 978-1-58705-256-9 (pbk.)
1. Local area networks (Computer networks)--Security measures. 2. Telecommunication--Switching systems--
Security measures. I. Paggen, Chris. II. Title. III. Title: What hackers know about your switches.
TK5105.7.V96 2008
005.8--dc22
2007030673
ISBN-13: 978-1-58705-256-9
ISBN-10: 1-58705-256-3
Warning and Disclaimer
This book provides information about vulnerabilities linked to Ethernet switches and how to prevent or mitigate
attacks against a switch-based network. Every effort has been made to make this book as complete and as accurate
as possible, but no warranty or fitness is implied.
The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Corporate and Government Sales
The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales,
which may include electronic versions and/or custom covers and content particular to your business, training goals,
marketing focus, and branding interests. For more information, please contact
U.S. Corporate and Government Sales 1-800-382-3419 corpsales@pearsontechgroup.com.
For sales outside the United States, please contact
International Sales international@pearsoned.com.
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted
with care and precision, undergoing rigorous development that involves the unique expertise of members from the
professional technical community.
Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could
improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at
feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.
Publisher
Paul Boger
Associate Publisher
Dave Dusthimer
Cisco Representative
Anthony Wolfenden
Cisco Press Program Manager
Jeff Brady
Executive Editor
Brett Bartow
Managing Editor
Patrick Kanouse
Development Editor
Dan Young
Senior Project Editor
San Dee Phillips
Copy Editor
Sheri Cain
Technical Editors
Earl Carter and Hank Mauldin
Editorial Assistant
Vanessa Evans
Designer
Louisa Adair
Composition
Mark Shirar
Indexer
Tim Wright
Proofreader
Paula Lowell
About the Authors
Eric Vyncke has a master’s degree in computer science engineering from the University of Liège in Belgium. He worked as a research assistant at the same university before joining Network Research Belgium, where he was the head of R&D. He then joined Siemens as a project manager for security projects, including a proxy firewall. Since 1997, he has worked as a distinguished consulting engineer for Cisco as a technical consultant for security covering Europe. For 20 years, Eric’s area of expertise has been security from Layer 2 to the application layer. He is also a guest professor at some Belgian universities for security seminars. Eric is also a frequent speaker at security events (such as Networkers at Cisco Live and RSA Conference).
Christopher Paggen joined Cisco in 1996, where he has held various positions gravitating around LAN switching and security technologies. Lately, he has been in charge of defining product requirements for the company’s current and future high-end firewalls. Christopher holds several U.S. patents, one of which pertains to Dynamic ARP Inspection (DAI). CCIE No. 2659, Christopher also holds a B.S. in computer science from HEMES (Belgium) and went on to study economics at UMH (Belgium) for two more years.
About the Contributing Authors
Rajesh Bhandari is a network security solutions architect with Cisco. He is responsible for defining a security architecture that incorporates standards-based techniques for building a secure network as part of Cisco’s Self Defending Network initiative. At Cisco, Rajesh has also served as a technical leader in storage networking and as a software engineer on the Catalyst 6000 platform. Prior to joining Cisco in 1999, Rajesh was a software engineer in optical networking at Nortel Networks. He has a B.S. (mathematics honors) from the University of Victoria, Canada. Rajesh cowrote Chapter 18, “IEEE 802.1AE.”
Steinthor Bjarnason has a degree in computer science from the University of Iceland. Prior to joining Cisco in 2000, he designed and implemented online transaction systems for financial companies worldwide. He is currently a consulting engineer for Cisco, focusing on integrated security solutions and attack prevention. Steinthor is a frequent speaker at events, such as Networkers at Cisco Live. Steinthor wrote Chapter 12, “Introduction to Denial of Service Attacks,” and Chapter 13, “Control Plane Policing.”
Ken Hook, CCNA, CCNP, CISSP, is a cofounder and the original solution manager of Cisco Identity Based Networking Services (IBNS), as well as a former Cisco Content Delivery Networking and Catalyst 6500 product manager. Prior to joining Cisco, Ken spent more than 15 years in the industry in roles ranging from application development and network integration consulting to enterprise-scale project and program management. Today Ken works as a Cisco solution manager for the Cisco integrated switch security services initiatives. Ken cowrote Chapter 18, “IEEE 802.1AE.”
Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco. He is a systems architect and one of the founders of the Cisco Identity Based Networking Services (IBNS) initiative. Jason has authored many Cisco solution guides and often participates in industry forums such as Cisco Networkers. He has been involved with network design and security for 8 years. Jason wrote Chapter 17, “Identity-Based Networking Services with 802.1X.”