
August security CCIE new book: LAN Switch Security: What Hackers Know About Your Switches

Posted 2007-8-28 09:43:24
August security new book: LAN Switch Security: What Hackers Know About Your Switches
English edition: download from the attachment, thanks for your support

New book introduction:
Product Description: This is the eBook version of the printed book.

LAN Switch Security: What Hackers Know About Your Switches

A practical guide to hardening Layer 2 devices and stopping campus network attacks

Eric Vyncke
Christopher Paggen, CCIE® No. 2659


The book is in the attachment below:

Cisco.Press.LAN.Switch.Security.Sep.2007.eBook-BBL.rar

2.67 MB, downloads: 36514

Posted 2007-8-28 10:02:06
Description:
Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Cisco® Discovery Protocol [CDP], and so on) and data plane protocols, such as Address Resolution Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches. Further, this book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. This book also includes a section on how to use an Ethernet switch to increase the security of a network and prevent future attacks.

Divided into four parts, LAN Switch Security provides you with steps you can take to ensure the integrity of both voice and data traffic traveling over Layer 2 devices. Part I covers vulnerabilities in Layer 2 protocols and how to configure switches to prevent attacks against those vulnerabilities. Part II addresses denial-of-service (DoS) attacks on an Ethernet switch and shows how those attacks can be mitigated. Part III shows how a switch can actually augment the security of a network through the utilization of wirespeed access control list (ACL) processing and IEEE 802.1x for user authentication and authorization. Part IV examines future developments from the LinkSec working group at the IEEE. For all parts, most of the content is vendor independent and is useful for all network architects deploying Ethernet switches.

After reading this book, you will have an in-depth understanding of LAN security and be prepared to plug the security holes that exist in a great number of campus networks.

Eric Vyncke has a master’s degree in computer science engineering from the University of Liège in Belgium. Since 1997, Eric has worked as a Distinguished Consulting Engineer for Cisco, where he is a technical consultant for security covering Europe. His area of expertise for 20 years has been mainly security from Layer 2 to applications. He is also guest professor at Belgian universities for security seminars.

Christopher Paggen, CCIE® No. 2659, obtained a degree in computer science from IESSL in Liège (Belgium) and a master’s degree in economics from University of Mons-Hainaut (UMH) in Belgium. He has been with Cisco since 1996 where he has held various positions in the fields of LAN switching and security, either as pre-sales support, post-sales support, network design engineer, or technical advisor to various engineering teams. Christopher is a frequent speaker at events, such as Networkers, and has filed several U.S. patents in the security area.

Contributing Authors:
Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco.
Steinthor Bjarnason is a consulting engineer for Cisco.
Ken Hook is a switch security solution manager for Cisco.
Rajesh Bhandari is a technical leader and a network security solutions architect for Cisco.



  • Use port security to protect against CAM attacks
  • Prevent spanning-tree attacks
  • Isolate VLANs with proper configuration techniques
  • Protect against rogue DHCP servers
  • Block ARP snooping
  • Prevent IPv6 neighbor discovery and router solicitation exploitation
  • Identify Power over Ethernet vulnerabilities
  • Mitigate risks from HSRP and VRRP
  • Stop information leaks with CDP, PAgP, VTP, CGMP and other Cisco ancillary protocols
  • Understand and prevent DoS attacks against switches
  • Enforce simple wirespeed security policies with ACLs
  • Implement user authentication on a port base with IEEE 802.1x
  • Use new IEEE protocols to encrypt all Ethernet frames at wirespeed.

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Category: Cisco Press—Security
Covers: Ethernet Switch Security

$60.00 USA / $69.00 CAN
Contents at a Glance
Introduction
Part I Vulnerabilities and Mitigation Techniques
Chapter 1 Introduction to Security
Chapter 2 Defeating a Learning Bridge's Forwarding Process
Chapter 3 Attacking the Spanning Tree Protocol
Chapter 4 Are VLANS Safe?
Chapter 5 Leveraging DHCP Weaknesses
Chapter 6 Exploiting IPv4 ARP
Chapter 7 Exploiting IPv6 Neighbor Discovery and Router Advertisement
Chapter 8 What About Power over Ethernet?
Chapter 9 Is HSRP Resilient?
Chapter 10 Can We Bring VRRP Down?
Chapter 11 Information Leaks with Cisco Ancillary Protocols
Part II How Can a Switch Sustain a Denial of Service Attack?
Chapter 12 Introduction to Denial of Service Attacks
Chapter 13 Control Plane Policing
Chapter 14 Disabling Control Plane Protocols
Chapter 15 Using Switches to Detect a Data Plane DoS
Part III Using Switches to Augment the Network Security
Chapter 16 Wire Speed Access Control Lists
Chapter 17 Identity-Based Networking Services with 802.1X
Part IV What Is Next in LAN Security?
Chapter 18 IEEE 802.1AE
Appendix Combining IPsec with L2TPv3 for Secure Pseudowire
Index

Contents
Introduction
Part I Vulnerabilities and Mitigation Techniques
Chapter 1 Introduction to Security
Security Triad
Confidentiality
Integrity
Availability
Reverse Security Triad
Risk Management
Risk Analysis
Risk Control
Access Control and Identity Management
Cryptography
Symmetric Cryptosystems
Symmetric Encryption
Hashing Functions
Hash Message Authentication Code
Asymmetric Cryptosystems
Confidentiality with Asymmetric Cryptosystems
Integrity and Authentication with Asymmetric Cryptosystems
Key Distribution and Certificates
Attacks Against Cryptosystems
Summary
References
Chapter 2 Defeating a Learning Bridge's Forwarding Process
Back to Basics: Ethernet Switching 101
Ethernet Frame Formats
Learning Bridge
Consequences of Excessive Flooding
Exploiting the Bridging Table: MAC Flooding Attacks
Forcing an Excessive Flooding Condition
Introducing the macof Tool
MAC Flooding Alternative: MAC Spoofing Attacks
Not Just Theory
Preventing MAC Flooding and Spoofing Attacks
Detecting MAC Activity
Port Security
Unknown Unicast Flooding Protection
Summary
References
Chapter 3 Attacking the Spanning Tree Protocol
Introducing Spanning Tree Protocol
Types of STP
Understanding 802.1D and 802.1Q Common STP
Understanding 802.1w Rapid STP
Understanding 802.1s Multiple STP
STP Operation: More Details
Let the Games Begin!
Attack 1: Taking Over the Root Bridge
Root Guard
BPDU-Guard
Attack 2: DoS Using a Flood of Config BPDUs
BPDU-Guard
BPDU Filtering
Layer 2 PDU Rate Limiter
Attack 3: DoS Using a Flood of Config BPDUs
Attack 4: Simulating a Dual-Homed Switch
Summary
References
Chapter 4 Are VLANS Safe?
IEEE 802.1Q Overview
Frame Classification
Go Native
Attack of the 802.1Q Tag Stack
Understanding Cisco Dynamic Trunking Protocol
Crafting a DTP Attack
Countermeasures to DTP Attacks
Understanding Cisco VTP
VTP Vulnerabilities
Summary
References
Chapter 5 Leveraging DHCP Weaknesses
DHCP Overview
Attacks Against DHCP
DHCP Scope Exhaustion: DoS Attack Against DHCP
Yersinia
Gobbler
Hijacking Traffic Using DHCP Rogue Servers
Countermeasures to DHCP Exhaustion Attacks
Port Security
Introducing DHCP Snooping
Rate-Limiting DHCP Messages per Port
DHCP Message Validation
DHCP Snooping with Option 82
Tips for Deploying DHCP Snooping
Tips for Switches That Do Not Support DHCP
DHCP Snooping Against IP/MAC Spoofing Attacks
Summary
References
Chapter 6 Exploiting IPv4 ARP
Back to ARP Basics
Normal ARP Behavior
Gratuitous ARP
Risk Analysis for ARP
ARP Spoofing Attack
Elements of an ARP Spoofing Attack
Mounting an ARP Spoofing Attack
Mitigating an ARP Spoofing Attack
Dynamic ARP Inspection
DAI in Cisco IOS
DAI in CatOS
Protecting the Hosts
Intrusion Detection
Mitigating Other ARP Vulnerabilities
Summary
References
Chapter 7 Exploiting IPv6 Neighbor Discovery and Router Advertisement
Introduction to IPv6
Motivation for IPv6
What Does IPv6 Change?
Neighbor Discovery
Stateless Configuration with Router Advertisement
Analyzing Risk for ND and Stateless Configuration
Mitigating ND and RA Attacks
In Hosts
In Switches
Here Comes Secure ND
What Is SEND?
Implementation
Challenges
Summary
References
Chapter 8 What About Power over Ethernet?
Introduction to PoE
How PoE Works
Detection Mechanism
Powering Mechanism
Risk Analysis for PoE
Types of Attacks
Mitigating Attacks
Defending Against Power Gobbling
Defending Against Power-Changing Attacks
Defending Against Shutdown Attacks
Defending Against Burning Attacks
Summary
References
Chapter 9 Is HSRP Resilient?
HSRP Mechanics
Digging into HSRP
Attacking HSRP
DoS Attack
Man-in-the-Middle Attack
Information Leakage
Mitigating HSRP Attacks
Using Strong Authentication
Chapter 10 Can We Bring VRRP Down?
Summary
References
Chapter 11 Information Leaks with Cisco Ancillary Protocols
Cisco Discovery Protocol
Diving Deep into CDP
CDP Risk Analysis
CDP Risk Mitigation
IEEE Link Layer Discovery Protocol
VLAN Trunking Protocol
VTP Risk Analysis
VTP Risk Mitigation
Link Aggregation Protocols
Risk Analysis
Risk Mitigation
Summary
References
Part II How Can a Switch Sustain a Denial of Service Attack?
Chapter 12 Introduction to Denial of Service Attacks
How Does a DoS Attack Differ from a DDoS Attack?
Initiating a DDoS Attack
Zombie
Botnet
DoS and DDoS Attacks
Attacking the Infrastructure
Common Flooding Attacks
Mitigating Attacks on Services
Attacking LAN Switches Using DoS and DDoS Attacks
Anatomy of a Switch
Three Planes
Data Plane
Control Plane
Management Plane
Attacking the Switch
Data Plane Attacks
Control Plane Attacks
Management Plane Attacks
Reference
Chapter 13 Control Plane Policing
Which Services Reside on the Control Plane?
Securing the Control Plane on a Switch
Implementing Hardware-Based CoPP
Configuring Hardware-Based CoPP on the Catalyst
Hardware Rate Limiters
Hardware-Based CoPP
Configuring Control Plane Security on the Cisco
Implementing Software-Based CoPP
Configuring Software-Based CoPP
Mitigating Attacks Using CoPP
Mitigating Attacks on the Catalyst 6500 Switch
Telnet Flooding Without CoPP
Telnet Flooding with CoPP
TTL Expiry Attack
Mitigating Attacks on Cisco ME3400 Series Switches
CDP Flooding
CDP Flooding with L2TP Tunneling
Summary
References
Chapter 14 Disabling Control Plane Protocols
Configuring Switches Without Control Plane Protocols
Safely Disabling Control Plane Activities
Disabling STP
Disabling Link Aggregation Protocols
Disabling VTP
Disabling DTP
Disabling Hot Standby Routing Protocol and Virtual Router Redundancy Protocol
Disabling Management Protocols and Routing
Using an ACL
Disabling Other Control Plane Activities
Generating ICMP Messages
Controlling CDP, IPv6, and IEEE 802.1X
Using Smartports Macros
Control Plane Activities That Cannot Be Disabled
Best Practices for Control Plane
Summary
Chapter 15 Using Switches to Detect a Data Plane DoS
Detecting DoS with NetFlow
Enabling NetFlow on a Catalyst 6500
NetFlow as a Security Tool
Increasing Security with NetFlow Applications
Securing Networks with RMON
Other Techniques That Detect Active Worms
Summary
References
Part III Using Switches to Augment the Network Security
Chapter 16 Wire Speed Access Control Lists
ACLs or Firewalls?
State or No State?
Protecting the Infrastructure Using ACLs
RACL, VACL, and PACL: Many Types of ACLs
Working with RACL
Working with VACL
Working with PACL
Technology Behind Fast ACL Lookups
Exploring TCAM
Summary
Chapter 17 Identity-Based Networking Services with 802.1X
Foundation
Basic Identity Concepts
Identification
Authentication
Authorization
Discovering Extensible Authentication Protocol
Exploring IEEE 802.1X
802.1X Security
Integration Value-Add of 802.1X
Spanning-Tree Considerations
Trunking Considerations
Information Leaks
Keeping Insiders Honest
Port-Security Integration
Working with Devices Incapable of 802.1X
802.1X Guest-VLAN
802.1X Guest-VLAN Timing
MAC Authentication Primer
MAB Operation
Policy Enforcement
VLAN Assignment
Summary
References
Part IV What Is Next in LAN Security?
Chapter 18 IEEE 802.1AE
Enterprise Trends and Challenges
Matters of Trust
Data Plane Traffic
Control Plane Traffic
Management Traffic
Road to Encryption: Brief History of WANs and WLANs
Why Not Layer 2?
Link Layer Security: IEEE 802.1AE/af
Current State: Authentication with 802.1X
LinkSec: Extends 802.1X
Authentication and Key Distribution
Data Confidentiality and Integrity
Data Confidentiality (Encryption)
Data Integrity
Frame Format
Encryption Modes
Security Landscape: LinkSec's Coexistence with Other Security Technologies
Performance and Scalability
End-to-End Versus Hop-by-Hop LAN-Based Cryptographic Protection
Summary
References
Appendix Combining IPsec with L2TPv3 for Secure Pseudowire
Posted 2007-9-19 14:24:42
A bit late to this, but I'll grab a copy first, thanks!
Posted 2007-10-8 05:28:33
定了定了阿拉开机动力发觉得了非撒娇地方
Posted 2007-11-1 21:32:37

hehe

Thanks, I need to read this.
Posted 2008-3-3 16:37:28
A good book, must download~~~
Posted 2008-6-18 09:41:35
My first time here!
First time receiving such a big gift, tks for sharing...
Posted 2008-7-30 20:49:03
斤斤计较离开看看;