Super detailed! Introduction to Ethernet switch security features

Today I will talk to you about the security functions of Ethernet switches.

As the most common device in a LAN, the switch faces significant security threats. Some of them target weaknesses in switch management, where the attacker tries to take control of the switch itself. Others target the switch's forwarding functions, where the attacker tries to disrupt normal operation and thereby corrupt or even steal data.

Attacks against switches mainly fall into the following categories:

  • Switch configuration/management attacks
  • MAC flood attack
  • DHCP spoofing attack
  • MAC and IP spoofing attacks
  • ARP spoofing
  • VLAN Hopping Attack
  • STP Attack
  • VTP Attack


Switch access security

To prevent the switch from being discovered or controlled by attackers, basic security must be configured on it:

  • Use a strong password
  • Use ACLs to restrict management access
  • Configure a system warning banner
  • Disable unnecessary services
  • Disable CDP
  • Enable system logging
  • Use SSH instead of Telnet
  • Disable SNMP or use SNMPv3
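The checklist above applied to a Cisco IOS access switch, as an added example that is not part of the original article. The hostname, domain, management subnet 192.0.2.0/24, syslog collector 192.0.2.10, user and group names, and every CHANGE-ME password are constructed placeholders; the syntax of some commands varies slightly between IOS versions and platforms.

```cisco
! Added example: management-plane hardening on a Cisco IOS switch.
! Hostname, addresses, names and passwords are constructed placeholders.
hostname access-sw-1
ip domain-name example.net
!
! Strong credentials: hashed enable secret and a local admin user,
! no plaintext passwords in the configuration.
enable secret CHANGE-ME-enable-pass
username netadmin privilege 15 secret CHANGE-ME-admin-pass
service password-encryption
!
! Only the management subnet may open a session to the switch;
! everything else is denied and logged.
ip access-list standard MGMT-ACCESS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! System warning banner shown before the login prompt.
banner login ^
Authorized access only. All activity may be monitored and recorded.
^
!
! SSH instead of Telnet: generate a host key, require SSHv2, and bind
! the management ACL to the virtual terminal lines.
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 15
 login local
 transport input ssh
 access-class MGMT-ACCESS in
 exec-timeout 10 0
!
! Disable unnecessary services and CDP.
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
no ip finger
no cdp run
!
! Timestamped system log sent to a central collector.
service timestamps log datetime msec
logging host 192.0.2.10
logging trap informational
!
! SNMPv3 with authentication and privacy; no v1/v2c community strings.
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha CHANGE-ME-auth-pass priv aes 128 CHANGE-ME-priv-pass
```

After applying it, confirm that Telnet is refused with `show line vty 0 15` (transport input should read ssh only), that the ACL is attached with `show running-config | section line vty`, and that `show cdp` reports CDP as not enabled. If a neighbouring device still needs discovery on one uplink, keep `no cdp run` and enable it per interface with `cdp enable` on that port only.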

Switch port security

The switch relies on its MAC address table to forward frames. If the destination MAC address is not in the table, the switch forwards the frame out of every port except the one it arrived on (flooding). However, the MAC address table has limited capacity.

MAC flooding attacks exploit this limitation by bombarding the switch with forged source MAC addresses until the MAC address table is full. The switch then enters a mode called "fail-open" and behaves like a hub, flooding frames to every machine on the network.

As a result, the attacker can see all frames sent to any host that has no entry in the MAC address table. To prevent MAC flooding, configure the port security feature, which limits the number of valid MAC addresses allowed on a port and defines the action the port takes when a violation occurs: shutdown (close the port), protect, or restrict (limit).
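Port security on a single access port, as an added example in Cisco IOS syntax that is not from the original article. The interface name, VLAN and the pinned MAC address 0011.2233.4455 are constructed placeholders.

```cisco
! Added example: port security on a user-facing access port.
! Interface, VLAN and MAC address are constructed placeholders.
interface GigabitEthernet0/5
 description User access port
 switchport mode access
 switchport access vlan 10
 ! Enable port security and cap the number of source MACs the port may learn.
 switchport port-security
 switchport port-security maximum 2
 ! Learn the first MACs dynamically and keep them in the running config,
 ! so a reload does not start the port from an empty table.
 switchport port-security mac-address sticky
 ! Optionally pin one known device explicitly (counts toward the maximum).
 switchport port-security mac-address 0011.2233.4455
 ! Age out inactive dynamic entries so a replaced device does not
 ! trip a violation forever.
 switchport port-security aging time 60
 switchport port-security aging type inactivity
 ! Action when a third source MAC appears on the port:
 !   shutdown - err-disable the port and log (default)
 !   protect  - silently drop frames from unknown MACs
 !   restrict - drop them, increment the violation counter and log
 switchport port-security violation restrict
!
! If you choose shutdown, let the port recover automatically after
! 5 minutes instead of requiring a manual shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

`show port-security interface GigabitEthernet0/5` shows the configured maximum, the current count and the violation counter; `show port-security address` lists the learned and sticky addresses. Restrict is usually the better choice for user ports because the violation is visible in syslog and SNMP traps without taking the port down, which is what a flooding host would like to achieve anyway.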

DHCP Snooping

When DHCP snooping is enabled on the switch, it listens to DHCP messages and extracts and records the IP address and MAC address carried in received DHCP Request or DHCP Ack messages.

In addition, DHCP snooping allows each physical port to be set as trusted or untrusted. A trusted port receives and forwards DHCP Offer messages normally, while an untrusted port discards any DHCP Offer messages it receives.

In this way, the switch blocks rogue DHCP servers and ensures that clients obtain their IP addresses only from the legitimate DHCP server.

  • The main function of DHCP snooping is to isolate rogue DHCP servers by configuring untrusted ports.
  • It works together with the switch's DAI feature to stop the spread of ARP-based malware.
  • It builds and maintains the DHCP snooping binding table. The table is populated from the IP and MAC addresses in DHCP ACK packets, or entries can be added manually. This table is the basis for DAI (Dynamic ARP Inspection) and IP Source Guard; these two related technologies use it to decide whether an IP or MAC address is legitimate and to restrict which users may connect to the network.
  • Trusted and untrusted ports isolate rogue DHCP servers: trusted ports forward DHCP packets normally, while untrusted ports discard, instead of forwarding, any DHCP Offer and DHCP ACK responses received from a server.

DAI

Dynamic ARP Inspection (DAI) prevents ARP spoofing by ensuring that the access switch only passes "legitimate" ARP requests and replies.

DAI builds on DHCP snooping. DHCP snooping maintains the binding table, which records each IP address and MAC address pair and associates it with a specific switch port. DAI checks the ARP requests and replies (active and passive ARP) received on all untrusted ports to ensure that a reply comes from the real owner of the MAC address.

The switch decides whether the sender is the real owner by comparing the DHCP binding information recorded for the port with the IP address in the ARP reply. Illegal ARP packets are discarded rather than forwarded.

DAI is configured per VLAN; for the interfaces in that VLAN it can be enabled or disabled individually. An ARP packet received on a trusted interface is not checked.

An ARP packet received on an untrusted interface is forwarded only if its binding information is verified as legitimate. This is why DHCP snooping is essential for DAI.

DAI operates dynamically and requires no configuration changes on the connected client hosts. For servers that do not use DHCP, individual machines can be covered by adding static DHCP binding entries or ARP access-lists.

In addition, DAI can limit the rate of ARP request messages on a port. Once the ARP rate exceeds the preset threshold, the port is shut down immediately. This prevents the use of network scanning tools and also blocks malware or attacks characterized by large numbers of ARP messages.
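The DHCP snooping and DAI sections above combined into one Cisco IOS configuration, as an added example that is not from the original article; it also enables IP Source Guard, which the snooping section mentions as the other consumer of the binding table. VLAN 10, the uplink GigabitEthernet0/24, the user port range, the static host 192.0.2.60 / 0011.2233.ccdd and the ACL name are constructed placeholders.

```cisco
! Added example: DHCP snooping, Dynamic ARP Inspection and IP Source Guard
! on a Cisco IOS access switch. VLAN, interfaces, addresses and names are
! constructed placeholders.
!
! --- DHCP snooping: build the IP / MAC / VLAN / port binding table ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Do not insert option 82 unless the upstream relay expects it;
! some relays drop requests that carry it.
no ip dhcp snooping information option
! Persist bindings so DAI has a populated table right after a reload.
ip dhcp snooping database flash:dhcp-snoop.db
!
! Uplink towards the legitimate DHCP server: trusted for snooping and DAI,
! so Offer/Ack from the server and ARP from the gateway pass unchecked.
interface GigabitEthernet0/24
 description Uplink to distribution / DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
! User ports stay untrusted (the default): DHCP Offer/Ack arriving here
! is dropped, ARP is validated against the binding table, and both are
! rate limited so a flooding host err-disables its own port.
interface range GigabitEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! IP Source Guard: drop IP packets whose source address has no binding.
 ip verify source
!
! --- Dynamic ARP Inspection ---
ip arp inspection vlan 10
! Also check that the sender MAC in the ARP body matches the Ethernet
! header and that addresses are not bogus (0.0.0.0, broadcast, multicast).
ip arp inspection validate src-mac dst-mac ip
!
! Hosts with static addresses have no DHCP lease and therefore no
! snooping binding; an ARP ACL vouches for them. Without the "static"
! keyword, ARP that matches no ACL entry still falls back to the
! binding table instead of being dropped.
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.60 mac host 0011.2233.ccdd
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Recover err-disabled ports automatically after a rate-limit violation.
errdisable recovery cause arp-inspection
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
```

Verify with `show ip dhcp snooping` (VLANs, trusted ports, option 82 state), `show ip dhcp snooping binding` (the table DAI and IP Source Guard consult), `show ip arp inspection vlan 10` and `show ip arp inspection statistics` (forwarded versus dropped ARP per VLAN). A static-address server that is not in the ARP ACL will show up in those drop counters before users notice anything, so check the statistics after enabling DAI on a VLAN with long-lived servers. A static binding can alternatively be entered from privileged EXEC with `ip dhcp snooping binding <mac> vlan <id> <ip> interface <intf> expiry <seconds>`, but unlike the ARP ACL it is not part of the saved configuration.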
