Chapter 1, “Introduction to Security,” introduces security to networking people. Concepts such as confidentiality, integrity, and availability are defined. Encryption mechanisms and other cryptosystems are explained.

Chapter 2, “Defeating a Learning Bridge’s Forwarding Process,” focuses on the IEEE 802.1D bridge’s learning process and on the content-addressable memory (CAM) table that forwards Ethernet frames to their intended destination. This process is vulnerable (an attacker can fill the table with forged source addresses until the switch floods unicast traffic like a hub), and a mitigation technique, called port security, is presented.

Chapter 3, “Attacking the Spanning Tree Protocol,” shows that IEEE 802.1D spanning tree can be attacked, but you can prevent those attacks with features such as bridge protocol data unit (BPDU) guard and root guard.

Chapter 4, “Are VLANs Safe?,” covers IEEE 802.1Q VLAN tags. It dispels the myth that VLANs are isolated with the default configuration: the attack is presented, and a secure configuration is explained so that the isolation becomes real.

Chapter 5, “Leveraging DHCP Weaknesses,” explains some vulnerabilities in DHCP and how to prevent a rogue DHCP server in a network with a feature called DHCP snooping.

Chapter 6, “Exploiting IPv4 ARP,” starts with an explanation of an Address Resolution Protocol (ARP) vulnerability called ARP spoofing. It shows how the binding table built by DHCP snooping can be leveraged with Dynamic ARP Inspection (DAI) to block this attack.

Chapter 7, “Exploiting IPv6 Neighbor Discovery and Router Advertisement,” is more forward thinking because it discusses IPv6’s new auxiliary protocols: neighbor discovery and router advertisement. These protocols have inherent weaknesses that are addressed by a new protocol: Secure Neighbor Discovery (SEND).

Chapter 8, “What About Power over Ethernet?,” describes what Power over Ethernet is and whether vulnerabilities exist in this feature.

Chapter 9, “Is HSRP Resilient?,” talks about the high-availability protocol Hot Standby Router Protocol (HSRP). HSRP’s vulnerabilities are explained and mitigation techniques are presented.
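To make the Chapter 2 problem concrete, here is a small simulation of an IEEE 802.1D learning bridge with a bounded CAM table. It is an added example, not code from the book: it shows the switch learning source MACs per port, an attacker on one port flooding forged source addresses until legitimate entries are evicted and unicast traffic is flooded to every port (including the attacker's), and then the same attack against a port with a port-security limit on learned MACs. The CAM size, the oldest-first eviction policy, the port names, the MAC addresses and the err-disable violation action are constructed assumptions for the simulation.

```python
"""Simulated IEEE 802.1D learning bridge with a bounded CAM table.

Added example, not the book's code.  Demonstrates the CAM table overflow
(MAC flooding) attack and the port-security mitigation.  Table size,
eviction order, port names and addresses are constructed assumptions.
"""
from collections import OrderedDict

FLOOD = "flood"      # frame copied to every port except the ingress port
DROPPED = None       # frame not forwarded at all
BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_A, HOST_B = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"


class Bridge:
    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        # max_macs_per_port: {port: limit}; ports absent from it have no port security
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = OrderedDict()                 # mac -> port, oldest entry first
        self.limits = dict(max_macs_per_port or {})
        self.secure_macs = {p: set() for p in ports}
        self.err_disabled = set()

    def _learn(self, src_mac, in_port):
        """Learn src_mac on in_port; return False if port security rejects it."""
        limit = self.limits.get(in_port)
        if limit is not None:
            secured = self.secure_macs[in_port]
            if src_mac not in secured:
                if len(secured) >= limit:
                    # Violation: modelled on port security's default action, err-disable the port
                    self.err_disabled.add(in_port)
                    return False
                secured.add(src_mac)
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)        # refresh the entry's age
        elif len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)         # full table: evict the oldest entry (assumption)
        self.cam[src_mac] = in_port
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Return the egress port, FLOOD, or DROPPED for one frame."""
        if in_port in self.err_disabled or not self._learn(src_mac, in_port):
            return DROPPED
        out = self.cam.get(dst_mac)
        if out is None:
            return FLOOD                         # unknown unicast or broadcast: flood
        if out == in_port:
            return DROPPED                       # destination sits behind the ingress port: filter
        return out


def run_scenario(attacker_port_limit=None, flood_count=100):
    """Hosts A and B exchange frames, then an attacker on Gi0/3 floods forged
    source MACs.  Returns where A's subsequent unicast to B ends up."""
    limits = {"Gi0/3": attacker_port_limit} if attacker_port_limit else None
    br = Bridge(["Gi0/1", "Gi0/2", "Gi0/3"], cam_capacity=8, max_macs_per_port=limits)
    br.forward(HOST_A, BROADCAST, "Gi0/1")       # A's ARP request: bridge learns A on Gi0/1
    br.forward(HOST_B, HOST_A, "Gi0/2")          # B's reply: bridge learns B on Gi0/2
    forged = [f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}" for i in range(flood_count)]
    for mac in forged:
        br.forward(mac, BROADCAST, "Gi0/3")      # one frame per forged source MAC
    return {
        "a_to_b": br.forward(HOST_A, HOST_B, "Gi0/1"),
        "attacker_port_err_disabled": "Gi0/3" in br.err_disabled,
        "cam_entries": len(br.cam),
    }


if __name__ == "__main__":
    print("no port security :", run_scenario())
    print("port security max 1:", run_scenario(attacker_port_limit=1))
```

Without port security the forged addresses push A and B out of the table, so A's unicast to B becomes unknown-unicast and is flooded, reaching the attacker's port. With a limit of one secure MAC on Gi0/3, the second forged address trips the violation, the port is err-disabled, the table keeps its three legitimate entries and A's frame goes only to Gi0/2.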
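Chapters 5 and 6 describe two features that work together: DHCP snooping builds a table of which MAC/IP pair was leased on which port and VLAN, and DAI uses that table to validate ARP from untrusted ports. The following simulation is an added example, not the book's code, of that pipeline on one switch: server-side DHCP messages arriving on an untrusted port are dropped, a client request whose DHCP client hardware address does not match the frame's source MAC is dropped, an ACK seen on the trusted uplink creates a binding, and ARP from untrusted ports is then checked against the bindings. Packets are plain dicts with a handful of fields rather than real DHCP or ARP encodings, and the port names, VLAN and addresses are constructed.

```python
"""Simulated DHCP snooping binding table feeding Dynamic ARP Inspection (DAI).

Added example, not the book's code.  Packet layouts are simplified dicts
(an assumption), not wire-format DHCP/ARP; ports, VLAN and MACs are made up.
"""
from dataclasses import dataclass

DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}
DHCP_CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks toward the real DHCP server / gateway
        self.pending = {}                   # (vlan, chaddr) -> client port, from DISCOVER/REQUEST
        self.bindings = {}                  # (vlan, mac) -> Binding
        self.drops = []

    def _drop(self, reason):
        self.drops.append(reason)
        return "drop: " + reason

    def dhcp(self, pkt):
        """DHCP snooping: police server messages and record leases as bindings."""
        port, vlan, kind = pkt["port"], pkt["vlan"], pkt["type"]
        untrusted = port not in self.trusted
        if kind in DHCP_SERVER_MSGS and untrusted:
            return self._drop(f"DHCP {kind} from untrusted port {port}")
        if kind in DHCP_CLIENT_MSGS and untrusted and pkt["src_mac"] != pkt["chaddr"]:
            # client hardware address must match the Ethernet source on untrusted ports
            return self._drop(f"chaddr {pkt['chaddr']} != source MAC {pkt['src_mac']} on {port}")
        key = (vlan, pkt["chaddr"])
        if kind in ("DISCOVER", "REQUEST"):
            self.pending[key] = port
        elif kind == "ACK":
            client_port = self.pending.get(key)
            if client_port is not None:
                self.bindings[key] = Binding(pkt["chaddr"], pkt["yiaddr"], vlan, client_port)
        elif kind == "RELEASE":
            bound = self.bindings.get(key)
            if bound is not None and bound.port != port:
                return self._drop(f"RELEASE for {pkt['chaddr']} from wrong port {port}")
            self.bindings.pop(key, None)
        return "forward"

    def arp(self, pkt):
        """DAI: ARP from untrusted ports must match a snooping binding on MAC, IP, VLAN and port."""
        port, vlan = pkt["port"], pkt["vlan"]
        if port in self.trusted:
            return "forward"
        bound = self.bindings.get((vlan, pkt["sender_mac"]))
        if bound is None or bound.ip != pkt["sender_ip"] or bound.port != port:
            return self._drop(f"ARP sender {pkt['sender_mac']}/{pkt['sender_ip']} on {port} has no binding")
        return "forward"


def run_scenario():
    """Constructed traffic: one honest client, one rogue host, one trusted uplink."""
    H1, ROGUE = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:66"
    SERVER, GW = "aa:aa:aa:00:00:fd", "aa:aa:aa:00:00:fe"
    sw = SnoopingSwitch(trusted_ports=["Gi0/24"])
    v = {}
    v["discover"] = sw.dhcp(dict(type="DISCOVER", port="Gi0/1", vlan=10, src_mac=H1, chaddr=H1))
    v["rogue_offer"] = sw.dhcp(dict(type="OFFER", port="Gi0/2", vlan=10, src_mac=ROGUE,
                                    chaddr=H1, yiaddr="10.0.0.99"))
    v["spoofed_discover"] = sw.dhcp(dict(type="DISCOVER", port="Gi0/2", vlan=10, src_mac=ROGUE,
                                         chaddr="de:ad:be:ef:00:01"))
    v["real_ack"] = sw.dhcp(dict(type="ACK", port="Gi0/24", vlan=10, src_mac=SERVER,
                                 chaddr=H1, yiaddr="10.0.0.11"))
    v["h1_arp"] = sw.arp(dict(port="Gi0/1", vlan=10, sender_mac=H1, sender_ip="10.0.0.11"))
    v["gw_arp"] = sw.arp(dict(port="Gi0/24", vlan=10, sender_mac=GW, sender_ip="10.0.0.1"))
    v["spoof_gateway"] = sw.arp(dict(port="Gi0/2", vlan=10, sender_mac=ROGUE, sender_ip="10.0.0.1"))
    v["spoof_h1"] = sw.arp(dict(port="Gi0/2", vlan=10, sender_mac=H1, sender_ip="10.0.0.11"))
    return v


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:18} {verdict}")
```

The two ARP spoofing attempts fail for different reasons: the rogue host claiming the gateway's IP has no binding at all, and the rogue host replaying H1's legitimate MAC/IP pair is caught because the binding says that pair lives on Gi0/1, not Gi0/2. Hosts with static addresses have no DHCP binding and would be dropped by this check too; on real switches that is what ARP ACLs or trusting the port are for.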
Chapter 10, “Can We Bring VRRP Down?,” does the same analysis for the standards-based Virtual Router Redundancy Protocol (VRRP): description, vulnerabilities, and mitigation techniques.

Chapter 11, “Information Leaks with Cisco Ancillary Protocols,” provides information about all ancillary protocols, such as Cisco Discovery Protocol (CDP).

Part II, “How Can a Switch Sustain a Denial of Service Attack?” An in-depth presentation of DoS attacks: how to detect and mitigate them.

Chapter 12, “Introduction to Denial of Service Attacks,” introduces DoS attacks, where they come from, and their net effect on a network.

Chapter 13, “Control Plane Policing,” focuses on the control plane. Because it can be attacked, it must be protected. Control plane policing is shown to be the best technique to achieve that protection.

Chapter 14, “Disabling Control Plane Protocols,” explains what techniques can be used when control plane policing is not available, such as on older switches.

Chapter 15, “Using Switches to Detect a Data Plane DoS,” leverages NetFlow and the Network Analysis Module (NAM) to detect a DoS attack or an aggressively propagating worm in the network. The goal of early detection is to fight the DoS attack before users or customers become aware of it.

Part III, “Using Switches to Augment Network Security.” How to leverage Ethernet switches to actually augment your LAN’s security level.

Chapter 16, “Wire Speed Access Control Lists,” describes where an access control list (ACL) can be used in a switch: at the port level, within a VLAN, or (as usual) on a Layer 3 port. These ACLs enforce a simple security policy at wire speed. The technology behind those ACLs is also explained.

Chapter 17, “Identity-Based Networking Services with 802.1X,” explains how IEEE 802.1X can be effectively used in a switch to implement user authentication on a per-port basis. Some caveats of this protocol are presented, as well as features to work around those limitations.

Part IV, “What Is Next in LAN Security?” How a new IEEE protocol will allow encryption at Layer 2.

Chapter 18, “IEEE 802.1AE,” describes the new IEEE standard (MACsec) that can encrypt all Ethernet frames at wire speed.

Cisco Press, LAN Switch Security: What Hackers Know About Your Switches