The easiest device for an attacker to compromise is an endpoint. While servers, routers and switches are usually given their own locked space, endpoint devices are left everywhere. Every computer is a potential route into the network. A compromised device inside the network is far more dangerous than one outside it: from outside, it is hard for the device to reach anything on the network at all, but once it is inside it is very easy for it to do harm. Within a switched LAN, an ordinary device can see its neighbours and the useful details they advertise. It can identify them from their ARP packets (which reveal the IP and MAC address of every host on the segment), and by tracing the route to a target it can see which router hops separate them, giving a rough sense of where the other device sits in the network. If the switches send CDP or LLDP advertisements, the device also learns exactly which switch and port it is plugged into (e.g. network switch 3, port 4).
For a small activity, a few different scenarios were analyzed.
Within this screenshot, the device's IP address, the gateway's IP address, and other information about the gateway and subnet are shown.
Within this screenshot, about a minute of ARP packets is shown. This allows other devices to be identified (for example laptops, iPhones or other devices), since the vendor prefix of each MAC address hints at what kind of device it is.
Using the information from the screenshots above, an attacker has many possibilities. One of the most glaring, from the tcpdump output, is impersonating another device: names and IP addresses are clearly visible, and an attacker that answers ARP requests for one of those addresses with its own MAC will receive that host's traffic. Checking the host's own addressing first (ip addr for the interface address, ip route for the default gateway) is a prerequisite for the other commands, as that is what identifies where the default gateway is.
Of the scenarios, the one that felt most realistic was Scenario D, as that is something that can very easily happen. A device, when plugged in, could go into a "hunt" mode for the network and then send out a network map when done. An ordinary device can also see a lot within a LAN, definitely enough to map all major connections, and, given time, to work out which devices are trusted or important for keeping the network running.
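The passive mapping described above can be automated from the same ARP capture. The script below is an added example, not part of the lab write-up: it parses the line format produced by `tcpdump -n -e -i <iface> arp`, builds an IP-to-MAC neighbour map, guesses the gateway (the address everybody asks for), tags each MAC with a vendor, and flags the two signatures of ARP spoofing (one IP claimed by two MACs, and unsolicited replies sent to broadcast). The capture lines, addresses and the OUI table are all constructed for illustration; real vendor lookups use the IEEE OUI registry.

```python
"""Build a neighbour map from tcpdump ARP output.

Added example, not part of the lab write-up. It expects the line format of
`tcpdump -n -e arp` (link-layer headers printed, no name resolution). The
capture below, the addresses in it and the OUI table are all constructed for
illustration; real vendor lookups use the IEEE OUI registry.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of what a minute of `tcpdump -n -e arp` looks like.
SAMPLE_CAPTURE = """\
15:02:01.101 3c:22:fb:aa:01:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.10.1 tell 10.0.10.23, length 28
15:02:01.102 00:1a:1e:00:00:01 > 3c:22:fb:aa:01:01, ethertype ARP (0x0806), length 42: Reply 10.0.10.1 is-at 00:1a:1e:00:00:01, length 28
15:02:05.330 f0:18:98:bb:02:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.10.1 tell 10.0.10.41, length 28
15:02:09.004 dc:a6:32:cc:03:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.10.23 tell 10.0.10.77, length 28
15:02:09.005 3c:22:fb:aa:01:01 > dc:a6:32:cc:03:03, ethertype ARP (0x0806), length 42: Reply 10.0.10.23 is-at 3c:22:fb:aa:01:01, length 28
15:02:40.777 de:ad:be:ef:00:99 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 10.0.10.1 is-at de:ad:be:ef:00:99, length 28
"""

# Constructed OUI prefixes (hypothetical vendors); real ones come from the IEEE registry.
OUI_TABLE = {
    "3c:22:fb": "laptop vendor A",
    "f0:18:98": "phone vendor B",
    "dc:a6:32": "single-board computer vendor C",
    "00:1a:1e": "network equipment vendor D",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype ARP \(0x0806\), length \d+: "
    r"(?:Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)"
    r"|Reply (?P<rip>[\d.]+) is-at (?P<rmac>[0-9a-f:]{17})), length \d+$"
)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_arp(capture):
    """One record per ARP packet; both requests and replies reveal a sender's IP/MAC."""
    records = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not ARP, or a line tcpdump formatted differently
        if m["target"]:
            records.append({"ts": m["ts"], "op": "request", "sender_ip": m["sender"],
                            "sender_mac": m["src"], "target_ip": m["target"],
                            "broadcast": m["dst"] == BROADCAST})
        else:
            records.append({"ts": m["ts"], "op": "reply", "sender_ip": m["rip"],
                            "sender_mac": m["rmac"], "target_ip": None,
                            "broadcast": m["dst"] == BROADCAST})
    return records


def neighbour_map(records):
    """IP -> set of MACs that claimed it."""
    seen = defaultdict(set)
    for r in records:
        seen[r["sender_ip"]].add(r["sender_mac"])
    return dict(seen)


def guess_gateway(records):
    """The address everybody asks for is almost always the default gateway;
    confirm it against `ip route` on the capturing host."""
    asked = Counter(r["target_ip"] for r in records if r["op"] == "request")
    return asked.most_common(1)[0][0] if asked else None


def vendor(mac):
    return OUI_TABLE.get(mac[:8].lower(), "unknown vendor")


def summarize(capture):
    recs = parse_arp(capture)
    nmap = neighbour_map(recs)
    return {
        "hosts": {ip: [(mac, vendor(mac)) for mac in sorted(macs)] for ip, macs in nmap.items()},
        "gateway_guess": guess_gateway(recs),
        # one IP answered by two MACs, or an unsolicited reply to broadcast, is the
        # signature of ARP spoofing (or a plain misconfiguration)
        "conflicts": {ip: sorted(macs) for ip, macs in nmap.items() if len(macs) > 1},
        "gratuitous_replies": [r for r in recs if r["op"] == "reply" and r["broadcast"]],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_CAPTURE), indent=2))
```

In the constructed capture the last line is a gratuitous reply in which de:ad:be:ef:00:99 claims the gateway address already answered by 00:1a:1e:00:00:01, which is exactly the impersonation the paragraph above describes; the summary surfaces it under both "conflicts" and "gratuitous_replies".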
Switch Security Controls
By default, a flat, unsecured network allows any device to connect to any other and has no controls against attacks. This setup is best described as "fast and cheap": it is the default, it is easy to set up and needs no special hardware, but it has no security and therefore has to trust every connected device. This is about the least secure network possible; there are so many attack surfaces that simply being connected to a network like this puts your device at risk (which is why free Wi-Fi hotspots cannot be trusted).
Port security is an add-on to physical controls: when you fail to stop something from being plugged in, port security is the backup that limits what that device can do. It restricts which, and how many, MAC addresses a port may learn, and on a violation it can drop the offending frames, log an alarm, or shut the port down. That defeats MAC flooding and casual device swapping, but it does not inspect ARP or DHCP (that is the job of DHCP snooping and DAI) and it does not decide which servers a device may talk to (that is the job of ACLs). It cannot protect against a device that is legitimately allowed on a port at the same trust level, but it can raise alarms as soon as the port starts seeing unexpected addresses.
These are the global settings that apply to all ports. Their primary purpose is to limit traffic bursts similar to MAC flooding (and, in Packet Tracer, probably to stop the simulation falling over). They show that these switches have a threshold after which they start discarding packets rather than queueing excess traffic. Because this is system-wide, every device loses the ability to send more packets than the threshold allows. This rule would be enforced early in the switch's processing path, since partially processing packets and then discarding them would waste resources compared with discarding them on arrival.
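To make concrete what the port-security and flooding thresholds above are defending against, the following is an added example (not part of the lab or of any vendor's code) that models a switch's finite MAC table and a port-security policy in Python. It runs the same MAC-flooding attack three times: with no port security, with a two-address limit in shutdown mode, and with the same limit in restrict mode, and reports whether a legitimate host can still be learned and whether its traffic ends up flooded out of every port. Port names, the table capacity and all addresses are constructed.

```python
"""Port security versus MAC flooding, modelled in Python.

Added example, not part of the lab write-up. A switch's MAC (CAM) table is
finite; an attacker that sources frames from thousands of random MACs fills
it, after which the switch can no longer learn legitimate hosts and floods
their traffic out of every port, where the attacker can sniff it. Port
security caps the MACs a port may learn and applies a violation mode.
The port names, capacities and addresses below are constructed.
"""
import random
from collections import Counter


class Port:
    def __init__(self, name, max_macs=None, violation="shutdown"):
        self.name = name
        self.max_macs = max_macs        # None: port security not configured
        self.violation = violation      # "protect" | "restrict" | "shutdown"
        self.secure_macs = set()        # addresses learned under port security
        self.violations = 0             # "restrict" counts these (and would log them)
        self.err_disabled = False


class Switch:
    def __init__(self, cam_capacity=4096):
        self.cam = {}                   # src MAC -> port name
        self.cam_capacity = cam_capacity

    def ingress(self, port, src_mac):
        """Apply port security, then MAC learning, to one incoming frame."""
        if port.err_disabled:
            return "dropped(err-disabled)"
        if port.max_macs is not None and src_mac not in port.secure_macs:
            if len(port.secure_macs) >= port.max_macs:
                port.violations += 1
                if port.violation == "shutdown":
                    port.err_disabled = True     # stays down until an admin re-enables it
                    return "err-disabled"
                return f"dropped({port.violation})"   # protect: silent; restrict: logged
            port.secure_macs.add(src_mac)
        if src_mac in self.cam:
            return "learned"
        if len(self.cam) >= self.cam_capacity:
            return "not-learned(cam-full)"   # frames to this host will now be flooded
        self.cam[src_mac] = port.name
        return "learned"

    def forward(self, dst_mac):
        """Unicast to a known MAC goes to one port; an unknown one is flooded."""
        return self.cam.get(dst_mac, "flood")


def random_mac(rng):
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def simulate(max_macs=None, violation="shutdown", attack_frames=10000, seed=1):
    """Attacker on Fa0/7 sprays random source MACs; a legitimate host on Fa0/5
    whose entry has aged out then tries to be re-learned (constructed scenario)."""
    rng = random.Random(seed)
    sw = Switch()
    attacker = Port("Fa0/7", max_macs, violation)
    victim = Port("Fa0/5")
    outcomes = Counter(sw.ingress(attacker, random_mac(rng)) for _ in range(attack_frames))
    victim_mac = "3c:22:fb:aa:01:01"
    return {
        "attacker_frames": dict(outcomes),
        "victim_learned": sw.ingress(victim, victim_mac),
        "traffic_to_victim": sw.forward(victim_mac),
        "cam_entries": len(sw.cam),
        "attacker_port_down": attacker.err_disabled,
    }


if __name__ == "__main__":
    for cfg in ({}, {"max_macs": 2, "violation": "shutdown"},
                {"max_macs": 2, "violation": "restrict"}):
        print(cfg or "no port security", simulate(**cfg))
```

Without port security the attacker fills the whole table and the victim's traffic is flooded to every port; with a two-address limit the attacker gets exactly two entries, the port is either shut down or keeps counting violations, and the victim's traffic still goes to Fa0/5 only.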
Task C Mini-Threat Simulation
Based on Scenario A -- The Curious Student Device
A student plugs a personal laptop into an unused Ethernet port in a classroom after school hours.
1. What must the attacker already know or discover?
The attack could come either from a different device on the network attacking the laptop, or from something on the student's laptop attacking other devices on the network. In both cases, the attacker needs to know or discover what other devices are on the network: their IP and MAC addresses, which of them is the gateway, and what they are running.
2. Which device is most directly targeted?
Choose one and explain why:
• Another end device
Another end device on the network would be most directly targeted, as it is likely to have the weakest security of all the devices.
3. What would legitimate users likely notice (if anything)?
The student might notice increased resource usage on their laptop (it heating up), but beyond that it would go undetected.
4. Which of your virtual machines best resembles the attacker’s perspective?
From the attacker's perspective, the regular desktop VM would be most similar, as all of this stems from a student's laptop.
Communication Channels
Allowed Communication
Students -> Students: Students will need to be able to communicate with each other
Students -> Teachers: Students will also need to be able to communicate with teachers
Teachers -> Administration: Teachers should be able to easily talk with admin
Restricted Communication:
Administration -> Servers: Admin should be able to access servers once verified
Students -> Administration: Students should only be able to talk to admin through verified channels
Denied Communication
Students -> Servers: Students should not be able to directly address the servers
Teachers -> Servers: Teachers should only be able to update the gradebook through administration
Where does the switch enforce trust
Trust should increase with VLAN number. The lowest-numbered VLAN (10, students) should get almost no trust, and the teachers' VLAN only a little more. The higher numbers, 30 and 40, should have the most protection, as they hold the most important data. The switch should be strictest wherever the servers are involved, as they store the important information.
Control Layering
Why VLANs alone do not fully secure your design:
VLANs alone do not fully secure the design: an attacking device can still find its way into the high-protection VLAN, either physically (plugging into a port assigned to it) or by finding another route into that part of the network. VLANs also say nothing about what the hosts inside a VLAN do to each other.
Why DHCP Snooping is necessary in addition to VLANs:
Without DHCP snooping, any device can act as a DHCP server. A device that joins VLAN 10 could answer the DHCP requests of the other VLAN 10 hosts with itself as their default gateway (or DNS server) and route their traffic through itself. DHCP is broadcast, so a rogue server in VLAN 10 only reaches VLAN 10 clients: it cannot pull a VLAN 40 device down into VLAN 10, but it can hijack every client in its own VLAN. DHCP snooping marks only the uplink or server port as trusted, drops DHCP server messages arriving on any other port, and builds the IP-to-MAC-to-port binding table that the other controls rely on.
Why Dynamic ARP Inspection (DAI) depends on DHCP Snooping:
DAI depends on DHCP snooping because it validates each ARP packet arriving on an untrusted port against the snooping binding table (IP, MAC, VLAN and port). Without that table, a device could get around ARP inspection simply by claiming the address of a high-trust device such as the gateway, since DAI would have nothing to compare the claim against; and with DAI turned on but no bindings present, the ARP of legitimate hosts would be dropped too.
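The dependency between the two controls is easiest to see by running the three configurations side by side. The model below is an added example, not the lab's configuration or any vendor's code: it implements a switch with a trusted uplink, a DHCP snooping binding table populated from the DHCP ACK, and a DAI check that compares every ARP packet on an untrusted port against that table. The port names, VLAN 10, and all addresses are constructed; the constructed traffic includes a rogue DHCP offer and a spoofed gateway ARP reply.

```python
"""DHCP snooping binding table and Dynamic ARP Inspection, modelled in Python.

Added example, not part of the lab write-up. Port names, VLAN numbers and
addresses are constructed. The switch behaviour follows the usual semantics:
DHCP server messages (OFFER/ACK) are accepted only on trusted ports, leases
handed to clients on untrusted ports populate a binding table, and DAI checks
every ARP packet arriving on an untrusted port against that table.
"""
from dataclasses import dataclass, field


@dataclass
class Frame:
    ingress_port: str
    vlan: int
    src_mac: str            # Ethernet source address
    kind: str               # "dhcp_discover" | "dhcp_offer" | "dhcp_ack" | "arp"
    ip: str = ""            # DHCP: leased address; ARP: sender protocol address
    claimed_mac: str = ""   # DHCP: client MAC in the lease; ARP: sender hardware address


@dataclass
class Switch:
    trusted_ports: set
    dhcp_snooping: bool = True
    dai: bool = True
    pending: dict = field(default_factory=dict)   # (vlan, client mac) -> port of its DISCOVER
    bindings: dict = field(default_factory=dict)  # (vlan, ip) -> (mac, port)
    log: list = field(default_factory=list)

    def handle(self, f):
        """Return 'forward' or 'drop' for one frame and log the reason for drops."""
        if f.kind == "dhcp_discover":
            self.pending[(f.vlan, f.src_mac)] = f.ingress_port
            return "forward"
        if f.kind in ("dhcp_offer", "dhcp_ack"):
            return self._dhcp_server_message(f)
        if f.kind == "arp":
            return self._arp(f)
        return "forward"

    def _dhcp_server_message(self, f):
        if self.dhcp_snooping and f.ingress_port not in self.trusted_ports:
            self.log.append(f"DROP {f.kind} from {f.src_mac} on untrusted {f.ingress_port}")
            return "drop"
        if self.dhcp_snooping and f.kind == "dhcp_ack":
            # The lease confirms which IP belongs to which MAC on which port.
            port = self.pending.get((f.vlan, f.claimed_mac))
            self.bindings[(f.vlan, f.ip)] = (f.claimed_mac, port)
        return "forward"

    def _arp(self, f):
        if not self.dai or f.ingress_port in self.trusted_ports:
            return "forward"
        if f.src_mac != f.claimed_mac:   # frame header and ARP body disagree
            self.log.append(f"DROP ARP on {f.ingress_port}: src-mac mismatch")
            return "drop"
        if self.bindings.get((f.vlan, f.ip)) != (f.claimed_mac, f.ingress_port):
            self.log.append(f"DROP ARP {f.ip} is-at {f.claimed_mac} on {f.ingress_port}: no binding")
            return "drop"
        return "forward"


def lab_scenario(snooping=True, dai=True):
    """Constructed traffic: a student laptop on Fa0/5, a rogue on Fa0/7, uplink Gi0/1."""
    sw = Switch(trusted_ports={"Gi0/1"}, dhcp_snooping=snooping, dai=dai)
    frames = [
        Frame("Fa0/5", 10, "3c:22:fb:aa:01:01", "dhcp_discover"),
        Frame("Gi0/1", 10, "00:1a:1e:00:00:01", "dhcp_ack",
              ip="10.0.10.23", claimed_mac="3c:22:fb:aa:01:01"),
        # rogue DHCP server answering a neighbour with a lease that points at itself
        Frame("Fa0/7", 10, "de:ad:be:ef:00:99", "dhcp_offer",
              ip="10.0.10.50", claimed_mac="f0:18:98:bb:02:02"),
        # honest ARP from the laptop
        Frame("Fa0/5", 10, "3c:22:fb:aa:01:01", "arp",
              ip="10.0.10.23", claimed_mac="3c:22:fb:aa:01:01"),
        # rogue claims the gateway's address
        Frame("Fa0/7", 10, "de:ad:be:ef:00:99", "arp",
              ip="10.0.10.1", claimed_mac="de:ad:be:ef:00:99"),
        # real gateway on the trusted uplink is never inspected
        Frame("Gi0/1", 10, "00:1a:1e:00:00:01", "arp",
              ip="10.0.10.1", claimed_mac="00:1a:1e:00:00:01"),
    ]
    return [sw.handle(f) for f in frames], sw


if __name__ == "__main__":
    for cfg in ((True, True), (False, True), (False, False)):
        verdicts, sw = lab_scenario(*cfg)
        print(f"snooping={cfg[0]} dai={cfg[1]}: {verdicts}")
        for line in sw.log:
            print("   ", line)
```

With both controls on, the rogue offer and the spoofed gateway reply are dropped and the laptop's own ARP passes. With snooping off but DAI on, the binding table is empty, so the rogue offer is forwarded and the laptop's legitimate ARP is dropped along with the spoof: DAI without its table is not a usable control, which is why the two are always deployed together.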
Why ACLs are still needed after segmentation:
ACLs build on top of VLAN segmentation to let specific important traffic through, or to block things that VLANs cannot. Segmentation only decides who shares a broadcast domain; the router between VLANs still forwards everything unless an ACL says otherwise. For example, an ACL can allow students to reach administration, but only on the specific port used for email.
Control Interaction and Dependency
Protecting a switch requires more than one security measure. It requires several, most of which rely on each other. For example, VLAN segmentation says nothing about who is speaking inside a VLAN, so it needs DHCP snooping to verify where addresses come from; without that, any device could hand out addresses or impersonate the gateway within its VLAN. DHCP snooping also serves as a risk mitigator in conjunction with DAI, which needs the snooping binding table to verify that each ARP packet is genuine. Even after segmentation and these protections, for maximum mitigation ACLs should be put in place between the VLANs. These allow devices to communicate, but under strict rules.