Customer comments on this selection.
 The layer 2 attack and defense master piece
I have been promoting the need to protect access to local network infrastructures (against the insider threat) for so many years that I'm even tired of sending the same message again and again these days, but I do not give up. I never understood why if we require authentication to each and every technology resource, such as your computer operating system, servers, databases, applications, and even physical facilities, why this has not been the case to access the network. Still today, lots of local networks from big companies and organizations are "free", that is, if the attacker gets physical access to an Ethernet port (RJ-45 connector) he is in! (the network). This is one of the attacker's dreams, and we can simply mitigate this threat through the 802.1X protocol. The expansion of wireless networks has helped a lot to promote it, but still it must be applied to most wired networks out there.
br /
br /802.1X is just one of the multiple additions you can make to your layer 2 security stance in order to protect the local (layer 2) network infrastructure from several attacks. Definitely, you need to stop thinking about IP (layer 3) attacks only, and move one level down. Honestly, one of the layer 2 attacks that works 99% of the times I'm running an internal penetration test is ARP spoofing or poisoning. I tried to emphasize the impact of this attack and the associated defenses on my first GIAC paper for the Incident Handler (GCIH) certification in 2003, "Real World ARP Spoofing".
br /
br /The book covers most of the vulnerabilities, design flaws, and security holes associated to the layer 2 protocols we currently and extensively use on our networks, such as MAC flooding and spoofing attacks, and STP, VLAN, DHCP, ARP, PoE, HSRP, VRRP, CDP, VTP, LAP and even layer-2 IPv6 related attacks. However, and starting with the minimum privilege principle (if you don't need it, why it is enabled?), the main focus of this book (and specially Part I) is to provide the reader with the knowledge and specific details to detect these attacks and protect the network and network devices (mainly switches) against all these threats. For each protocol and attack it describes the proper settings for a secure implementation.
br /
br /Parts II of the book focuses on Denial of Service (DoS and DDoS) attacks on layer 2 devices and provide an excellent overview of switches architectures, internal implementation details (mainly Cisco focused), the relationships between the Control Plane and the Data Plane, the protocols each layer deals with, and the security implications on the internal operation of switches. If you want to know how your switches really work and the security implications of enabling/disabling certain capabilities, this is the section of the book you must read.
br /
br /Part III then provides an introduction to more advanced access control options, through multiple ACL types, and layer-2 authentication (802.1X). It's a good introduction to go deeper into serious layer-2 access control and authentication projects and deployments.
br /
br /Simplifying the threat, the attackers have a single tool (in fact they have multiple but this is THE tool) to do real damage at layer 2, Yersinia, co-develop by a Spanish security colleague, David. We, as defenders, need to properly design and deploy all the layer 2 technologies and protocols considering the security implications of its presence on the network. Fortunately enough, the countermeasures available to mitigate layer 2 risks are available in some current network devices, mainly switches. BTW, I encourage you to use the attack tools, like Yersinia, to audit your network. Some of the book countermeasures are trivial to apply, while some others require a very carefully thought-out planning. The book provides the guidance you need to start accomplishing the goal of getting a definitive layer 2 protected network by exposing the complexity, advantages and disadvantages of each solution.
br /
br /The book is structured in small, easy to read, chapters that describe each of the technologies analyzed and its operation, the security issues and attack examples, and the detection and protection mechanisms you need to apply, straight to the most relevant implementation details. It also includes practical examples and describes multiple scenarios where each countermeasure can be applied, as well as the main decision factors to apply it in a given way. If you are busy (and who is not these days?), I recommend you to select a layer 2 protocol or technology you are using, select the appropriate chapter (a 30-45 minutes read at most), and start planning and applying the related security best practices. You can repeat this chapter selection process every couple of weeks, and in 2-3 months your network will be what I would like to see on all my customers. The book allows network administrators and infosec professionals to independently digest any of the chapters and start protecting the associated technology. Obviously, the main goal should be to apply all the book recommendations to your infrastructure in the short-mid term. Unfortunately, not all the countermeasures mentioned are available in all switches; there is still lot of work to be done by the vendors to implement all them.
br /
br /The book opens the doors to a whole set of layer-2 threats, but it is not a complete guide to implement all the related protections, neither a command documentation book. It is up to the reader to check his switch documentation (Cisco or others) to get the full syntax details and multiple options for each of the countermeasures detailed. If you have managed Cisco devices, you know syntax also changes between IOS/CatOS versions, so I prefer this approach rather than a detailed syntax compendium that may be unusable on my specific IOS/CatOS version.
br /
br /Even this is a Cisco Press book, and obviously it is focused on the current solutions available from Cisco, it is fair to admit that Cisco is leading the networking market and includes some of the most advanced layer 2 protection mechanisms in its switches, such as port security, UUFP, root and BPDU guard, BPDU filtering and rate-limiting, VLAN and layer-2 protocols best practices, DHCP snooping, DHCP rate-limiting and validation, IP source guard, DAI (Dynamic ARP Inspection), PoE defenses, HSRP and VRRP strong authentication, 802.1X, and lots of ACLs types: . RACL, VACL, PACLs, etc. Therefore, as this is the way to go, other vendors (if they do not already have these) should provide similar protection capabilities on their layer 2 network devices.
br /
br /I specially liked how the book ends up (Part IV) covering LinkSec, 802.1AE and 802.1af, future standards that will finally provide confidentiality and integrity at layer 2 at wire-speeds, similarly to what be have today in wireless networks with 802.11i (WPA and WPA2). Why don't you start checking if these standards are supported by your endpoint (client, servers, printers, VoIP phones, etc) and network devices? The sooner we use it, the better.
br /
br /The only portion missing on the book IMHO is the inclusion of layer 2 QoS protocols, such as 802.1p. Apart from that, chapter 1 is a light intro to security. If you have been in the field for a while, you can directly jump over it. I think it could have been omitted.
br /
br /Before reading this book, I had an extensive previous experience on layer 2 security, switches, layer 2 penetration testing, and layer 2 network security architectures and design, and I really enjoyed the book, specially its practical focus, broad scope on layer 2 issues, the format and examples. If you are a penetration tester, I'm sure you will get a few ideas too for your next challenge, and you can easily apply them as most attack tools are publicly available and included on the latest Backtrack 3 version. Definitely, if you are a network security professional or network administrator in any way, shape or form, this book must be in your shelves.
br /
br /Full-review: http://radajo.blogspot.com/2008/07/security-book-review-lan-switch.html
 Should Be Required Reading For Pentesters
LAN Switch Security provides enough information to leverage the most common layer 2 attacks a pentester would be interested in; MAC Flooding, VLAN Hopping, DTP attacks, and CDP Snarfing along with plenty of switching protocol details for the Cisco ninja wannabe.
br /
br /With the exception of the white paper for the tool Yersinia there isn't much in the way of resources out there for conducting Layer 2 attacks and certainly nothing written to the technical level of LSS.
br /
br /The discussion of Layer 2 attacks in the first few chapters of this book are excellent and easily worth the price of the book especially if you are responsible for securing switches or just breaking into and abusing them. Chapter 4's ("Are VLANS Safe?") discussion on Dynamic Trunking Protocol is probably the most valuable for pentesters. The chapter covers using Yersinia to (hopefully) turn the port the attacker is connected to into a trunk port. This enables the attacker to see all traffic on all VLANS (pretty handy). In addition to exceptional background material on switching protocols and information on breaking the different switching protocols the book gives us quality information on securing those same protocols to include a good chunk of the IOS commands to implement the recommended changes.
br /
br /Pros:
br /-All the chapters using Yersinia for attacks and the overview of Yersinia
br /-The structure (Technology Overview, Discussion of the Vulnerability, Remediation) of each chapter works well
br /-Plenty of Cisco IOS command line specifics to get the job done
br /-Really good overviews of the switching protocols, how to break them, and how to secure them
br /-Discussion of data planes and control planes
br /
br /Cons:
br /-Check out the cons of Richard Bejtlich Stephen Northcutt...all valid
br /-No discussion of minimum lab requirements to set up a lab to reproduce the attacks
br /-I lost interest from part II onward, probably because most of the attacks don't give you much (if any) in the way of privileges and it got fairly deep into switching protocols I don't usually deal with and the book seems to drift. I'm not sure what happened but the book doesn't end as strong as it begins.
br /-Some repeating of material in different chapters
br /
br /I gave the book 4 stars mostly due to editing issues, lack of lab guidance to reproduce the attacks,and the fact that I lost interest in the book toward the end. Even though I lost interest toward the end I still recommend this book for anyone interested in breaking Layer 2 or securing it.
Good switching book
This is a thin book, its about an inch thick. I like the way the book is layed out. First there is an overview of the technology, then the vulnerability is discussed, then a recommendation is made to correct the problem. I think the authors make excellent explanitions of the technologies without a lot of code and command line examples.
br /
br /I think the detailed explanitions of the technologies are insiteful for experts as well as understandable and helpful for thoughs new to the field. This book is not going to give exaustive commandline text output. It does help explain each subject using meaningful words.
A truly needed book
This book leaps into layer 2 action with a MAC flooding attack. In the next chapter we take aim at Spanning Tree Protocol (STP). Surely this is an intentional decision by the authors to get the reader saying where is the defense?
br /
br /Chapter 4, is one of my favorites, a security discussion on VLANS including an introductory use of the attack tool, Yersinia ( the swiss army knife of layer 2 attacks). The material is challenging, very technical, but the authors take pains to be as clear as possible.
br /
br /As the book moves on, with the solid foundation we build, we then consider DHCP, ARP, IPv6 discovery, Power over Ethernet, HSRP, more esoteric protocols. A real jewel is found in part II of the book, I learned so much about how a switch works ( or can be made not to work ). We finish off with Denial of Service, netflow, RMON, and worms. Well, not exactly, great book, you will never think about layer 2 the same way again. You will never think of a switch as a mindless toaster or an appliance that is not significant from a security perspective.
br /
br /The beginning and the ending of the book is the reason I did not score it five stars, but let me be clear, the middle of the book is more than worth the cost of buying LAN Switch Security and the time it takes to read it. Just start at Chapter 2.
br /
br /I wish the authors could have skipped chapter 1, the introduction to security. It is such a high level overview that it really does not help. Cisco book do this a lot, may I suggest that the title series manager create a really good introduction to security and just have all the Cisco books link to it. Anyone who has a prayer of understanding the stuff after Chapter 1, already knows all the content in Chapter 1. They also try to cover 802.1X in a chapter, wheeee! Other than those two nits, you have to give this book two thumbs up!
Fills a void that had existed far too long
Vyncke and Paggen delve deep into Layer 2 in "LAN Switch Security", and with a twist: where the run-of-the-mill switching work mainly discusses how Layer 2 works, this book is exclusively focussed on how it breaks.
br /
br /They start with straightfoward stuff, e.g. how a bridge learns MAC addresses, and how this process can be frustrated by means of flooding a switch with large numbers of spoofed MAC addresses, or how ARP poisoning can be used to play man-in-the-middle. Quickly, however, they move into more avdanced topics, like manipulating the spanning tree protocol process, VLAN hopping by means of stacking .1q tags, and a variety of indecent tricks to play on a HRSP or VRRP redundant router
br /setup. And that is but a tiny subset of the range they treat. Other technolgies extensively discussed are DTP, DHCP, IPv6, PoE, CDP, VTP, CoPP, NetFlow, ACLs, .1x, and .1ae. In each case the intriguing angle is "OK, we know how it works, can we learn how it breaks?".
br /
br /The text is well enriched with examples, down to IOS CLI examples, and examples of attack tooling like yersinia. These examples are rather Cisco centric, but it is easy to see how the same ideas would apply generically, so that is not a big issue. What I also like it that the authors sometimes take a step back from the bits and bytes, and try to see a bigger picture, e.g. discussing the fundamental differences between data plane attacks and control plane attacks.
br /
br /For each topic, the authors discuss various alternatives of mitigation, sometimes to the point where it seems rather obvious ("Disable this functionality when you do not need it", "Do not expose trunk protocols towards end stations"). I feel especialy the later chapters could have benefitted from the scruntity of a professional editor, as the text sometimes drifts away into vagueness. That is a pity, as on the whole, the book is well written.
br /
br /What got me most excited about "LAN Switch Security" is that, as far as I know, no previous book was ever dedicatedly devoted to breaking Layer 2. Also, for many of the protocols discussed (CDP, VTP, DTP) it is almost impossible to find usefull detailed information in a high-level book, as these protocols are mostly only discussed in the context of certification course material, which the generally interested reader would not so easily read, and with good reason.
br /
br /In my opinion this book is mandatory reading for two categories of readers. First, the network designer / administrator who is busy on a day-to-day basis designing / administrating a corporate network should read this, so he becomes actutely aware of the tremendous amount of rope they he has in his hands, and how he probably has been hanging himself with it.
br /
br /Secondly, the IT security architect who has a deep knowledge of how complex systems invariably become insure systems, should read this so he gains a better knowledge of relevant aspects of Layer 2 networking.
br /
br /As my colleague recently put it: "Layer 2 is big fun". I could not agree more, and heartily thank Vyncke and Paggen for finally writing the book that fills a void that had existed far too long in this area.
br /
br /Dr. Jan Joris Vereijken, CISSP
|
