An Introduction to the Security Functions of Ethernet Switches

Jackson Anderson

Switches

As the most common device in a LAN, the switch faces serious security threats. Some of these threats target weaknesses in switch management, where the attacker tries to take control of the switch; others target the switch's forwarding functions, where the attacker tries to disrupt its normal operation in order to corrupt or even steal data.

Attacks against switches fall into the following categories:

1. Attacks on switch configuration/management;

2. MAC flooding attacks;

3. DHCP spoofing attacks;

4. MAC and IP spoofing attacks;

5. ARP spoofing attacks;

6. VLAN hop attacks;

7. STP attacks;

8. VTP attacks.

1 Access Security of Switches

To prevent the switch from being discovered or taken over by an attacker, a basic security configuration must be applied to it, which includes:

1. Using a strong password that meets the password policy;

2. Using ACLs to restrict administrative access;

3. Configuring a login warning banner;

4. Disabling unnecessary services;

5. Disabling CDP;

6. Enabling system logging;

7. Using SSH instead of Telnet;

8. Turning off SNMP, or using SNMPv3 only.
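The following Cisco IOS configuration is an added example, not part of the original article, that applies the eight items above to a single switch. The hostname, the domain name, the management subnet 10.0.0.0/24, the syslog server 10.0.0.50, the SNMPv3 group and user names, and every password placeholder are assumed values.

```text
! Added example: IOS hardening for the eight items above.
! Names, addresses and passwords are assumptions for illustration.
hostname SW1
ip domain-name example.local
!
! 1. Strong passwords, stored as hashes rather than in clear text
enable secret <STRONG-ENABLE-PASSWORD>
username admin privilege 15 secret <STRONG-ADMIN-PASSWORD>
service password-encryption
!
! 2. ACL that limits management access to the assumed admin subnet
ip access-list standard MGMT-ACCESS
 permit 10.0.0.0 0.0.0.255
 deny any log
!
! 3. Login warning banner (no welcome wording, no platform details)
banner login ^
Authorized use only. Activity on this device is monitored and logged.
^
!
! 4. Disable services that are not needed on an access switch
no ip http server
no ip http secure-server
no ip finger
no service pad
no ip source-route
!
! 5. Disable CDP globally (re-enable per interface only where a neighbor requires it)
no cdp run
!
! 6. System logging to the assumed syslog server, with timestamps
service timestamps log datetime msec localtime
logging buffered 32768
logging host 10.0.0.50
logging trap informational
!
! 7. SSH instead of Telnet: generate a host key, require SSHv2, accept only SSH on the VTY lines
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 15
 access-class MGMT-ACCESS in
 transport input ssh
 login local
 exec-timeout 5 0
!
! 8. SNMP: remove v1/v2c community strings; use v3 with authentication and encryption.
!    If SNMP is not needed at all, "no snmp-server" disables the agent entirely.
no snmp-server community public
no snmp-server community private
snmp-server group NMS-GROUP v3 priv
snmp-server user nms-user NMS-GROUP v3 auth sha <AUTH-PASSWORD> priv aes 128 <PRIV-PASSWORD>
```

The ACL is applied with access-class on the VTY lines rather than on an interface, so it restricts who may open a management session regardless of which VLAN interface the connection arrives on; the deny any log entry makes rejected attempts visible in the syslog feed configured in item 6.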

2 Port Security of Switches

The switch relies on its MAC address table to forward frames. If the destination MAC address is not in the table, the switch forwards the frame out of every port except the one it arrived on (flooding). The MAC address table, however, has a limited size. A MAC flooding attack exploits this limit by sending the switch a stream of frames with forged source MAC addresses until the table is full. The switch then enters a fail-open mode and starts to behave like a hub, sending frames to every port on the network.

As a result, the attacker can see frames destined for any host that no longer has an entry in the MAC address table. To prevent MAC flooding attacks, configure the port security feature: limit the number of valid MAC addresses allowed on each port and define the action the port takes when a violation occurs (shut down the port, drop the offending frames silently, or drop them and record the violation).
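As an added example that is not part of the original article, the Cisco IOS configuration below enables port security on one access port with the violation action set to "restrict"; the interface name, VLAN number and the limit of two addresses are assumed values.

```text
! Added example: port security on a user-facing access port.
! Interface, VLAN and the address limit are assumptions.
interface GigabitEthernet0/5
 description user access port
 switchport mode access
 switchport access vlan 10
 ! enable port security and allow at most 2 source MAC addresses (e.g. a PC behind an IP phone)
 switchport port-security
 switchport port-security maximum 2
 ! "sticky": the first addresses seen are learned and written into the running configuration
 ! (save the configuration afterwards so they survive a reload)
 switchport port-security mac-address sticky
 ! "restrict": frames from additional source addresses are dropped, the violation counter is
 ! incremented and a syslog message / SNMP trap is generated.
 ! Alternatives: "protect" (drop silently) and "shutdown" (err-disable the port; the default).
 switchport port-security violation restrict
!
! optional: automatically recover ports that were err-disabled by "violation shutdown"
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! verification (exec mode)
show port-security interface GigabitEthernet0/5
show port-security address
```

With this configuration a flooding attempt on GigabitEthernet0/5 can fill at most two entries in the switch's MAC address table, so the table cannot be driven into the fail-open state from that port; the violation counter shown by show port-security interface is the indicator that such frames were seen.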

3 DHCP Snooping — Anti DHCP Spoofing

When DHCP Snooping is enabled, the switch listens to DHCP messages and extracts and records the IP address and MAC address information from the DHCP Request and DHCP Ack messages it receives. In addition, DHCP Snooping allows each physical port to be set as trusted or untrusted.

A trusted port receives and forwards DHCP Offer messages normally, while an untrusted port discards any DHCP Offer message it receives. In this way the switch blocks rogue DHCP servers and ensures that clients obtain their IP addresses only from the legitimate DHCP server.

  • The main function of DHCP Snooping is to isolate rogue DHCP servers by configuring the ports facing them as untrusted.
  • It cooperates with the switch's DAI feature to stop the spread of ARP-spoofing malware.
  • It creates and maintains a DHCP Snooping binding table. The table is populated from the IP and MAC addresses in DHCP Ack packets, and entries can also be specified manually. This table is the basis for DAI (Dynamic ARP Inspection) and IP Source Guard; these two related technologies use it to decide whether an IP or MAC address is legitimate and to restrict which users may connect to the network.
  • The rogue DHCP server is isolated by defining trusted and untrusted ports. A trusted port forwards DHCP packets normally; an untrusted port drops any DHCP Offer or DHCP Ack (server-side messages) it receives instead of forwarding them.
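The Cisco IOS configuration below is an added example, not part of the original article, that ties the points above together: DHCP Snooping with one trusted uplink, Dynamic ARP Inspection and IP Source Guard driven by the same binding table, and one manually specified binding. VLAN 10, the interface numbers, the database file name, and the MAC and IP address in the static binding are assumed values constructed for the example.

```text
! Added example: DHCP Snooping, DAI and IP Source Guard on one access switch.
! VLAN, interfaces, file name and the static binding are assumptions.
ip dhcp snooping
ip dhcp snooping vlan 10
! keep the binding table across reloads (file name assumed)
ip dhcp snooping database flash:dhcp-snooping.db
!
! uplink toward the legitimate DHCP server: trusted, so Offer and Ack messages are forwarded
interface GigabitEthernet0/24
 description uplink to legitimate DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
! user-facing ports stay untrusted (the default): server-side messages arriving here are dropped,
! and client requests are rate-limited so one host cannot exhaust the DHCP scope
interface range GigabitEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ! IP Source Guard: only source IP addresses present in the binding table may transmit on the port
 ip verify source
!
! Dynamic ARP Inspection validates ARP packets on VLAN 10 against the same binding table
ip arp inspection vlan 10
!
! manual binding for a host with a static address (MAC and IP constructed for the example)
ip source binding 0000.1111.2222 vlan 10 10.0.10.50 interface GigabitEthernet0/7
!
! verification (exec mode)
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip verify source
```

The order matters in practice: enable DHCP Snooping and mark the uplink trusted before turning on IP Source Guard or DAI, otherwise hosts that obtained their addresses before the binding table existed will have their traffic dropped until they renew their leases or receive a manual binding like the one shown.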

spoto.net
