If you don't even know how to attack and defend a switch, what's the point of being a network engineer?

Why should we care about switch security?

The diagram (not reproduced here) plots network equipment (firewalls, routers, switches) on the vertical axis against the network model (border and DMZ, core and distribution layer, access layer) on the horizontal axis. It mainly shows that firewalls, routers and switches are generally placed at the border/DMZ, the core and distribution layer, and the access layer respectively.

Among these devices, why are switches the least secure?

  • First, firewalls and routers are usually installed in the core equipment room, where physical security is strongest (non-administrative staff generally cannot enter the core equipment room).
  • Second, access switches are scattered across the building and provide connectivity to end users, so non-administrative staff can easily reach an access-layer switch.

Possible attack forms and defense measures at the switch level:

The many forms of attack can be roughly divided into four categories:

  • MAC Layer Attacks
  • VLAN Attacks
  • Spoofing Attacks
  • Switch Device Attacks

1. VLAN Hopping Attack

Using a negotiated trunk or double 802.1Q tagging (abusing the native VLAN) to sniff or attack traffic in other VLANs.

Countermeasures:

  • Put idle ports into access mode (trunking off), or simply shut them down;
  • Change the trunk's native VLAN so that it is not the same as any user VLAN.
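The two countermeasures above, written out as an added Cisco IOS configuration example (this is not configuration from the original article; the interface names and VLAN numbers are assumptions: Gi0/1-9 are user ports, Gi0/10-20 are idle, Gi0/24 is the uplink trunk, VLAN 666 is an unused black-hole VLAN and VLAN 999 is the new native VLAN):

```cisco
! Idle ports: force access mode, disable DTP negotiation,
! park them in a VLAN that is routed nowhere, and shut them down
interface range GigabitEthernet0/10 - 20
 switchport mode access
 switchport access vlan 666
 switchport nonegotiate
 shutdown
!
! User ports: access mode with DTP off, so a host cannot negotiate a trunk
interface range GigabitEthernet0/1 - 9
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Uplink: an explicit allowed-VLAN list and a native VLAN that no user port belongs to,
! so a double-tagged frame from VLAN 10 cannot be forwarded untagged onto the trunk.
! On platforms that also support ISL (e.g. older 3560/3750) add:
!   switchport trunk encapsulation dot1q
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Optional hardening: tag the native VLAN as well, so untagged frames on the trunk are dropped
vlan dot1q tag native
```

After applying it, `show interfaces trunk` should list only Gi0/24 with native VLAN 999, and `show interfaces status` should show the idle ports as disabled.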

2. STP Spoofing Attack

Altering the spanning-tree topology by forging BPDUs.

Countermeasures:

(1) Configure BPDU Guard on the (access) interfaces connected to hosts or routers. Such interfaces should never receive BPDUs; if one does, the interface is placed in the error-disable state.

Interface command: spanning-tree bpduguard enable

(2) Alternatively, configure Root Guard on the same interfaces. Such interfaces may receive BPDUs, but if a superior BPDU arrives the interface is placed in the error-disable state, so the root bridge cannot be changed.

Interface command: spanning-tree guard root

3. MAC Spoofing Attack

Stealing another host's MAC address to forge traffic, or to gain illegitimate network access and steal information.

Countermeasures:

  • Port security: define the legal MAC addresses allowed on a physical port, discard traffic from any other MAC address, and optionally err-disable the interface.
  • Statically add CAM entries (binding MAC address, port and VLAN together).

4. CAM/MAC Flood Attack

By continuously sending frames with forged source MAC addresses, the attacker fills the switch's CAM table with junk entries in a short time. Real MAC addresses are evicted, known unicast becomes unknown unicast and is flooded out of every port, so the data can be sniffed.

Countermeasures:

Port security, limiting the maximum number of MAC addresses a port may learn.
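An access-port template that combines the countermeasures of sections 2, 3 and 4 (BPDU Guard / Root Guard, a MAC limit, and a static MAC binding), as an added Cisco IOS example rather than configuration from the original article. Interface names, VLAN and the MAC address 0011.2233.4455 are assumptions: Gi0/1-9 are ordinary user ports, Gi0/10 connects a fixed device such as a printer, and Gi0/11 connects a small downstream switch that must never become root.

```cisco
! Ordinary user ports
interface range GigabitEthernet0/1 - 9
 switchport mode access
 switchport access vlan 10
 ! end-host port: PortFast plus BPDU Guard; any BPDU received here err-disables the port
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! port security: at most 2 addresses (a PC behind an IP phone), learned once and kept ("sticky");
 ! a third address is dropped and logged (restrict) instead of taking the port down
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Fixed device: exactly one statically bound MAC, any other source MAC shuts the port down
interface GigabitEthernet0/10
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! Downstream switch: it is allowed to send BPDUs, but a superior BPDU must not move the root
interface GigabitEthernet0/11
 switchport mode access
 switchport access vlan 10
 spanning-tree guard root
!
! Let err-disabled ports recover after 5 minutes instead of requiring a manual shut / no shut
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

`show port-security interface GigabitEthernet0/1` shows the learned addresses and the violation counter; `show spanning-tree inconsistentports` lists any port that Root Guard has blocked. Note that `violation restrict` never err-disables a port, so the recovery cause only matters for ports configured with `violation shutdown`.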

5. DHCP Server Spoofing Attack

A rogue DHCP server answers clients before the legitimate one, hands out a fake gateway address, and steers client traffic through the "man in the middle" for sniffing.

Countermeasures:

Configure DHCP Snooping on the Layer 3 switch to monitor DHCP messages and drop address-assignment messages coming from unauthorized DHCP servers.

6. DHCP Starvation (Address Pool Exhaustion)

Constantly changing the MAC address and sending forged DHCP requests exhausts the DHCP server's address pool in a short time, so legitimate users can no longer obtain IP addresses.

Countermeasures:

  • Port security is used here too: limiting the maximum number of MAC addresses a port may learn stops an attacker from forging DHCP requests by cycling MAC addresses.
  • If the attacker changes only the CHADDR field while keeping the source MAC, configure DHCP rate limiting on the DHCP-Snooping-enabled switch: set a threshold that matches the rate of normal address requests, and block and isolate any port whose request rate exceeds that threshold.
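The DHCP Snooping and rate-limit configuration described in sections 5 and 6, as an added Cisco IOS example (not configuration from the original article). Assumptions: user VLANs 10 and 20, Gi0/24 is the only uplink toward the legitimate DHCP server, Gi0/1-9 are untrusted user ports, and no DHCP relay depends on Option 82.

```cisco
! Enable snooping globally and on the VLANs to watch
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Without a relay agent, do not insert Option 82 (some DHCP servers drop packets carrying it)
no ip dhcp snooping information option
! On untrusted ports, also check that the CHADDR matches the frame's source MAC (default on, stated explicitly)
ip dhcp snooping verify mac-address
!
! Only the uplink toward the real server is trusted: OFFER/ACK arriving on any other port is dropped,
! which is what defeats the rogue server
interface GigabitEthernet0/24
 ip dhcp snooping trust
!
! Untrusted user ports: 15 DHCP packets per second is far more than a host legitimately needs;
! exceeding it err-disables the port (this is the defence against CHADDR-only starvation)
interface range GigabitEthernet0/1 - 9
 ip dhcp snooping limit rate 15
!
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Persist the binding table so DAI / IP Source Guard do not start empty after a reload
ip dhcp snooping database flash:dhcp-snoop.db
```

`show ip dhcp snooping` confirms the trusted ports and rate limits, and `show ip dhcp snooping binding` lists the MAC / IP / VLAN / port bindings that the following ARP and IP checks rely on.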

7. ARP Spoofing

Sending forged ARP replies to redirect client traffic to the "man in the middle", thereby sniffing the data.

Countermeasures:

  • Using the legal address binding table recorded by DHCP Snooping (addresses obtained normally through DHCP appear in this table), Dynamic ARP Inspection (DAI) checks whether the contents of each ARP reply are legitimate and discards illegal ARP replies.
  • Statically add ARP entries (IP-to-MAC bindings), so that no ARP request is needed.

8. IP Address Spoofing

Stealing an IP address to access the network illegitimately, or to send attack traffic while impersonating someone else.

Countermeasures:

  • Using the legal address binding table recorded by DHCP Snooping, IP Source Guard checks whether the source IP address is legitimate and discards traffic from illegal IP addresses.
  • Use an interface-based ACL that permits only traffic from valid IP addresses on the relevant interface (and denies illegal IP addresses).
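The DAI and IP Source Guard configuration of sections 7 and 8, as an added Cisco IOS example (not the article's own). It assumes DHCP Snooping is already enabled on VLANs 10 and 20 (the two prerequisite lines are repeated at the top), that Gi0/24 is the uplink, Gi0/1-9 are user ports, and that one statically addressed host (10.0.10.50 / 0011.2233.4455 on Gi0/10, both made-up values) has no DHCP lease and therefore needs manual entries.

```cisco
! Prerequisite: DAI and IP Source Guard consult the DHCP snooping binding table
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! DAI: validate ARP packets on these VLANs against the binding table
ip arp inspection vlan 10,20
! Also drop ARP packets whose Ethernet header and ARP body disagree
ip arp inspection validate src-mac dst-mac ip
!
! Only the uplink is trusted; user ports stay untrusted (the default)
interface GigabitEthernet0/24
 ip arp inspection trust
!
! Untrusted ports: cap ARP at 15 packets/s; a flood of replies err-disables the port.
! IP Source Guard drops frames whose source IP is not in the binding table for that port.
interface range GigabitEthernet0/1 - 9
 ip arp inspection limit rate 15
 ip verify source
!
! Statically addressed host: whitelist its IP/MAC pair for DAI with an ARP ACL ...
arp access-list STATIC-HOSTS
 permit ip host 10.0.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
! ... and add the same pair to the binding table so IP Source Guard accepts it too
ip source binding 0011.2233.4455 vlan 10 10.0.10.50 interface GigabitEthernet0/10
interface GigabitEthernet0/10
 ip verify source
!
errdisable recovery cause arp-inspection
```

`show ip arp inspection statistics vlan 10` shows forwarded versus dropped ARP packets, and `show ip verify source` lists which ports are filtering and on which IP/MAC they permit. If port security is also enabled on a port, `ip verify source port-security` extends the check to the source MAC as well.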

9. Attacks on the Switch Itself

Intercepting CDP messages (plain text) reveals the switch's management address, after which its password can be brute-forced; intercepting Telnet sessions (plain text) reveals passwords directly. Once management access to the switch is obtained, the attacker can do whatever they want.

Countermeasures:

  • Disable CDP on interfaces that do not need it.
  • Important devices should avoid Telnet as far as possible and use the encrypted SSH protocol for management logins instead. Since SSH v1 has well-known security weaknesses, v2 is recommended.
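The management-plane hardening of section 9 as an added Cisco IOS example (not configuration from the original article). The hostname, domain name, management subnet 10.255.0.0/24, the account name and the interface ranges are assumptions; the password is a placeholder.

```cisco
hostname ACC-SW01
ip domain-name corp.example
! The RSA key pair is generated in privileged EXEC mode, not in config mode:
!   crypto key generate rsa modulus 2048
ip ssh version 2
!
! Local account for illustration only; in production point the vty lines at AAA (RADIUS/TACACS+)
username netadmin privilege 15 secret <REPLACE-WITH-STRONG-PASSWORD>
! Slow down password guessing: 5 failures within 60 s blocks logins for 120 s
login block-for 120 attempts 5 within 60
!
! Only the management subnet may open a session, and only over SSH (Telnet is no longer accepted)
ip access-list standard MGMT-ONLY
 permit 10.255.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 login local
 exec-timeout 10 0
!
! CDP stays on for the uplink (Gi0/24, useful with managed neighbours) but is off on every user-facing port
interface range GigabitEthernet0/1 - 20
 no cdp enable
! On a switch with no CDP dependency at all (e.g. no IP phones), disable it globally instead:
!   no cdp run
```

`show ip ssh` should report version 2, `show cdp interface` should list only the uplink, and a Telnet attempt to the management address should now be refused.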
