LAN Switch Security: What Hackers Know About Your Switches

This book leaps into layer 2 action with a MAC flooding attack. In the next chapter we take aim at Spanning Tree Protocol (STP). Surely this is an intentional decision by the authors to get the reader saying where is the defense?

Chapter 4, is one of my favorites, a security discussion on VLANS including an introductory use of the attack tool, Yersinia ( the swiss army knife of layer 2 attacks). The material is challenging, very technical, but the authors take pains to be as clear as possible.

As the book moves on, with the solid foundation we build, we then consider DHCP, ARP, IPv6 discovery, Power over Ethernet, HSRP, more esoteric protocols. A real jewel is found in part II of the book, I learned so much about how a switch works ( or can be made not to work ). We finish off with Denial of Service, netflow, RMON, and worms. Well, not exactly, great book, you will never think about layer 2 the same way again. You will never think of a switch as a mindless toaster or an appliance that is not significant from a security perspective.

The beginning and the ending of the book is the reason I did not score it five stars, but let me be clear, the middle of the book is more than worth the cost of buying LAN Switch Security and the time it takes to read it. Just start at Chapter 2.

I wish the authors could have skipped chapter 1, the introduction to security. It is such a high level overview that it really does not help. Cisco book do this a lot, may I suggest that the title series manager create a really good introduction to security and just have all the Cisco books link to it. Anyone who has a prayer of understanding the stuff after Chapter 1, already knows all the content in Chapter 1. They also try to cover 802.1X in a chapter, wheeee! Other than those two nits, you have to give this book two thumbs up!
Rating: 4 / 5

LAN Switch Security provides enough information to leverage the most common layer 2 attacks a pentester would be interested in; MAC Flooding, VLAN Hopping, DTP attacks, and CDP Snarfing along with plenty of switching protocol details for the Cisco ninja wannabe.

With the exception of the white paper for the tool Yersinia there isn’t much in the way of resources out there for conducting Layer 2 attacks and certainly nothing written to the technical level of LSS.

The discussion of Layer 2 attacks in the first few chapters of this book are excellent and easily worth the price of the book especially if you are responsible for securing switches or just breaking into and abusing them. Chapter 4’s (“Are VLANS Safe?”) discussion on Dynamic Trunking Protocol is probably the most valuable for pentesters. The chapter covers using Yersinia to (hopefully) turn the port the attacker is connected to into a trunk port. This enables the attacker to see all traffic on all VLANS (pretty handy). In addition to exceptional background material on switching protocols and information on breaking the different switching protocols the book gives us quality information on securing those same protocols to include a good chunk of the IOS commands to implement the recommended changes.

Pros:

-All the chapters using Yersinia for attacks and the overview of Yersinia

-The structure (Technology Overview, Discussion of the Vulnerability, Remediation) of each chapter works well

-Plenty of Cisco IOS command line specifics to get the job done

-Really good overviews of the switching protocols, how to break them, and how to secure them

-Discussion of data planes and control planes

Cons:

-Check out the cons of Richard Bejtlich & Stephen Northcutt…all valid

-No discussion of minimum lab requirements to set up a lab to reproduce the attacks

-I lost interest from part II onward, probably because most of the attacks don’t give you much (if any) in the way of privileges and it got fairly deep into switching protocols I don’t usually deal with and the book seems to drift. I’m not sure what happened but the book doesn’t end as strong as it begins.

-Some repeating of material in different chapters

I gave the book 4 stars mostly due to editing issues, lack of lab guidance to reproduce the attacks,and the fact that I lost interest in the book toward the end. Even though I lost interest toward the end I still recommend this book for anyone interested in breaking Layer 2 or securing it.
Rating: 4 / 5

Vyncke and Paggen delve deep into Layer 2 in “LAN Switch Security”, and with a twist: where the run-of-the-mill switching work mainly discusses how Layer 2 works, this book is exclusively focussed on how it breaks.

They start with straightfoward stuff, e.g. how a bridge learns MAC addresses, and how this process can be frustrated by means of flooding a switch with large numbers of spoofed MAC addresses, or how ARP poisoning can be used to play man-in-the-middle. Quickly, however, they move into more avdanced topics, like manipulating the spanning tree protocol process, VLAN hopping by means of stacking .1q tags, and a variety of indecent tricks to play on a HRSP or VRRP redundant router

setup. And that is but a tiny subset of the range they treat. Other technolgies extensively discussed are DTP, DHCP, IPv6, PoE, CDP, VTP, CoPP, NetFlow, ACLs, .1x, and .1ae. In each case the intriguing angle is “OK, we know how it works, can we learn how it breaks?”.

The text is well enriched with examples, down to IOS CLI examples, and examples of attack tooling like yersinia. These examples are rather Cisco centric, but it is easy to see how the same ideas would apply generically, so that is not a big issue. What I also like it that the authors sometimes take a step back from the bits and bytes, and try to see a bigger picture, e.g. discussing the fundamental differences between data plane attacks and control plane attacks.

For each topic, the authors discuss various alternatives of mitigation, sometimes to the point where it seems rather obvious (“Disable this functionality when you do not need it”, “Do not expose trunk protocols towards end stations”). I feel especialy the later chapters could have benefitted from the scruntity of a professional editor, as the text sometimes drifts away into vagueness. That is a pity, as on the whole, the book is well written.

What got me most excited about “LAN Switch Security” is that, as far as I know, no previous book was ever dedicatedly devoted to breaking Layer 2. Also, for many of the protocols discussed (CDP, VTP, DTP) it is almost impossible to find usefull detailed information in a high-level book, as these protocols are mostly only discussed in the context of certification course material, which the generally interested reader would not so easily read, and with good reason.

In my opinion this book is mandatory reading for two categories of readers. First, the network designer / administrator who is busy on a day-to-day basis designing / administrating a corporate network should read this, so he becomes actutely aware of the tremendous amount of rope they he has in his hands, and how he probably has been hanging himself with it.

Secondly, the IT security architect who has a deep knowledge of how complex systems invariably become insure systems, should read this so he gains a better knowledge of relevant aspects of Layer 2 networking.

As my colleague recently put it: “Layer 2 is big fun”. I could not agree more, and heartily thank Vyncke and Paggen for finally writing the book that fills a void that had existed far too long in this area.

Dr. Jan Joris Vereijken, CISSP
Rating: 5 / 5

LAN Switch Security by Eric Vyncke and Christopher Paggen is a strong introduction to an overview of the types of Layer 2 vulnerabilities and attacks that are possible today. I am impressed that Mr. Paggen assisted on this book, as he is a respected leader within Cisco concerning layer 2, and has had valuable contributions in other works (aka Christophe Paggen).

Chapter 5 shows a detailed DHCP snoop. I enjoyed chapter 6, which discusses different ARP attacks. Chapter 13, concerning control plane policing, gives a good introduction to an area of study that is lacking in documentation.

As other reviewers have mentioned, there are some glaring typos within this book. The intro to MACOF on page 28 I must have read 10 times to understand what their were expressing. Page 173 is weak on discussing VTP attacks and mitigations.

One concern I have with this book is the heavy reliance on a layer 2 attack tool called Yersinia. My issue is more simply because I am such a newbie to UNIX, that I have been unable to install Yersinia properly. While this is admittedly my fault, because I cannot use Yersinia, I am unable to mimic large portions of this book. While the screen shots of the effects of using Yersinia leaves me wanting to mimic the attacks, I am forced to sit on the sidelines.

I must admit that I am rather shocked by Richard Betjlich’s 3 star review of this book and his comment concerning Hacking Exposed Cisco Networks Exposed (HECN). I am of the opposite consideration, and would rather look at LAN Switch Security, first, rather than turn to HECN. This is more because I am so unimpressed with HECN than because of the value of this book (see my Amazon review of HECN). I greatly respect Mr. Betjlich’s view, and his lowly review of this book makes me question my own judgment.

I am still attempting to load Yersinia, and if so, I hope to better be able to utilize the examples in this book. I believe this book gives the best evidence available in a book as to what to look out for in terms of layer 2 vulnerabilities and how to mitigate these risks.

I give this book 4 pings out of 5:

!!!.!
Rating: 4 / 5

Awesome. Horrorifing. Fantastic. Scary. Phenomenal. Terrorifing. The best book I have read all year. If you thought you didn’t need to worry about layer 2 security, think again!

This is probably the best practical hacking book to come out in several years. It clearly illustrates that the majority of LANs and CANs implemented today are full of configuration issues that can lead to serious exploits. A MANDATORY read for all network administrators.

The book does not cover any new ground, but it does an excellent job of bringing together a lot of information — both theory and practice — into one well written text. It shows the strengths (few) and weaknesses (many) of all the most common L2 protocols and how they can be exploited by anyone with access to any system on your network. It also shows how to lock down Cisco devices to minimize or prevent many of the exploits discussed.

The only complaint I have about the book is the poor editing job that was done, with glaring typos in several places in the book. Many of the typos are laughable (Catalyst Supervisor Engineer), but some leave you scratching your head and having to compare text to graphics to figure out which is correct. While annoying, and something I am sure that will be fixed in a later printing, it does not diminish the tremendous amount of information presented, and the well developed examples and demonstration exploits.

Now, if someone would only publish a generic version of this book that addressed the specific issues and fixes in L2 implementations by other vendors!

Again, a MANDATORY read for all network administrators. Pen testers and security admins should also read this book.

Rating: 5 / 5