Mastering Cybersecurity Day 03: Network Device Security (Switches)

Welcome to Vigilantes Cyber Aquilae! Today, we’re diving deep into the world of network switches—those unassuming yet vital devices that form the backbone of every network infrastructure. While routers often get more attention due to their role in connecting different networks, switches are just as critical because they manage the flow of data within a Local Area Network (LAN), ensuring efficient communication between devices like computers, servers, printers, and more.

In this newsletter, we’ll explore how switches work, delve into types of switches, discuss security configurations, examine common vulnerabilities, and present best practices for hardening switch security.

What Is a Switch, and How Is It Used?

A switch is a network device that operates primarily at Layer 2 (Data Link Layer) of the OSI model. Its job is to forward data frames between devices within the same network using MAC addresses. Unlike routers, which send data across different networks based on IP addresses, switches focus on interconnecting devices within a single LAN and only direct data to the intended recipient. This targeted approach enhances both efficiency and security, reducing the risk of unauthorized access or eavesdropping, unlike legacy hubs that broadcast data to all devices on a network.

Switches are essential in both home networks (though less frequently used) and especially in larger enterprise settings where dozens, or even hundreds, of devices need to communicate efficiently. Managed switches, which offer advanced features like Quality of Service (QoS) and VLAN support, are particularly important in business environments, allowing network administrators to segment traffic and ensure performance optimization for critical services like voice or video applications.

How Switches Work

Switches are equipped with multiple Ethernet ports, allowing devices to connect via cables. Once a device is connected, the switch learns its MAC address and stores it in its CAM table. This way, when data is sent to a specific device, the switch knows which port to forward the traffic through. This is called unicast forwarding, making switches much more efficient than hubs, which indiscriminately send traffic to all ports.

However, if the switch doesn’t know the destination address, or if the traffic is broadcast or multicast, it will temporarily flood the packet across all ports until it learns where to send it. Spanning Tree Protocol (STP) is often implemented to prevent network loops, which could otherwise create network-wide disruptions.

Key Functions of a Switch:

1. Packet Forwarding: Switches use MAC addresses to determine which port to forward incoming data packets to. They maintain a Content Addressable Memory (CAM) table that maps MAC addresses to specific switch ports.
2. Traffic Segmentation: Unlike hubs that broadcast all data to all devices, switches intelligently direct data only to the intended port, improving efficiency and security.
3. Broadcast Control: Switches prevent unnecessary data from flooding the network by limiting broadcasts to specific segments, which prevents broadcast storms that can disrupt operations(
4. VLAN Support: With Virtual LANs, switches can create segmented networks within a single physical LAN, isolating sensitive data from general traffic.

Types of Network Switches

Network switches come in various configurations and offer different levels of functionality depending on the network requirements:

1. Unmanaged Switches: Simple, plug-and-play devices. Lack advanced configuration options. Typically used in small office or home networks for basic connectivity.
2. Managed Switches: Provide features like VLAN segmentation, Quality of Service (QoS), and port security. Ideal for medium to large networks where granular control and security are essential. Managed switches are further divided into Fully Managed (with complex configurations) and Smart Managed (offering a balance between features and simplicity.
3. Layer 2 vs. Layer 3 Switches: Layer 2 switches operate at the data link layer and rely on MAC addresses for forwarding decisions. Layer 3 switches combine switching and routing capabilities, making them suitable for larger networks that require inter-VLAN routing.
4. PoE Switches (Power over Ethernet): Deliver power along with data over a single Ethernet cable. Often used for IP cameras, VoIP phones, and wireless access points where separate power sources are unavailable.

How Network Switches Operate: The CAM Table

When a switch is powered on, it enters learning mode, during which it builds a CAM (Content Addressable Memory) table. This table maps MAC addresses to the specific ports that devices are connected to. For example, if a laptop is connected to port 3 and a printer to port 5, the CAM table will look like this:

If a packet arrives for the printer, the switch checks its CAM table, sees that the printer is connected to port 5, and forwards the packet accordingly. This targeted forwarding mechanism minimizes unnecessary traffic, ensuring that only the intended recipient receives the data.

Key Security Features of Managed Switches

Managed switches provide a range of security features that enable fine-tuned control over network traffic. These include:

Port Security:

·        Limits the number of MAC addresses on a port.

·        Prevents MAC flooding attacks, where an attacker overwhelms the switch’s CAM table to force it into "fail-open mode," causing it to behave like a hub.

Dynamic ARP Inspection (DAI):

·        Protects against ARP spoofing, where attackers send falsified ARP messages to intercept traffic.

·        Ensures that only valid ARP packets are relayed based on trusted MAC-to-IP mappings.

DHCP Snooping:

·        Monitors and controls DHCP messages to prevent rogue DHCP servers from assigning unauthorized IP addresses.

·        Filters DHCP packets based on predefined security policies

Access Control Lists (ACLs):

·        Implement rules to permit or deny specific traffic based on IP, MAC addresses, or port numbers.

·        Can be used to restrict access to critical systems or segment traffic based on security policies.

Best Practices for Securing and Configuring Switches

• Enable Port Security Port security restricts which devices can connect to a switch port by limiting access based on MAC addresses. For instance, a port can be configured to accept a single, pre-approved MAC address. If another device tries to connect, the port can be disabled or placed into an alert state. This prevents unauthorized devices from gaining access to the network.

Command Example:

• VLAN Segmentation Use Virtual Local Area Networks (VLANs) to segment traffic and reduce the attack surface. For example, isolate critical servers from user devices to minimize lateral movement in case of a breach. VLAN segmentation ensures that even if a switch is compromised, the attacker’s ability to move across the network is restricted.

Fun Fact: Studies show that VLAN segmentation can reduce the impact of network breaches by up to 75% when properly configured.

Example: Configure separate VLANs for critical servers, administrative systems, and general employee devices.

• Disable Unused Ports Any unused ports on a switch should be disabled to prevent unauthorized access. This simple step prevents someone from plugging into an empty port and gaining network access.

Command Example:

•  Implement Spanning Tree Protocol (STP) STP helps prevent network loops by disabling redundant paths in a LAN. Network loops can cause severe disruptions, overwhelming your switch and bringing down the entire network. By enabling STP, you ensure that switches can detect loops and prevent them.

Command Example:

• Use SSH Instead of Telnet Always use Secure Shell (SSH) instead of Telnet for remote management of switches. Telnet transmits data in plaintext, making it easy for attackers to intercept credentials. SSH, on the other hand, encrypts the session, ensuring that your management traffic is secure.

• Enable 802.1X AuthenticationIEEE 802.1X is a network access control protocol that authenticates devices attempting to connect to the network. This ensures only trusted devices are allowed on the network, significantly reducing the risk of unauthorized access. Fact: According to Cisco, implementing 802.1X on switches can reduce unauthorized network access by over 80%.

Vulnerabilities in Switches

Switches are powerful, but they are also vulnerable to various attacks if not properly secured. Here are some common threats:

• MAC Flooding Attacks: Attackers can flood a switch with fake MAC addresses, forcing it to enter "fail-open mode" and behave like a hub, allowing them to capture network traffic.

Mitigation: Configure port security to limit the number of allowed MAC addresses on a port.

• VLAN Hopping: Attackers can exploit misconfigured VLANs to gain unauthorized access to traffic on other VLANs.

Mitigation: Disable dynamic trunking and manually configure trunk ports.

• DHCP Snooping Attacks: Malicious actors may set up a rogue DHCP server on the network, tricking devices into connecting through it and intercepting data.

Mitigation: Enable DHCP snooping on the switch to block rogue DHCP traffic.

Command Example:

• ARP Spoofing: Attackers send falsified ARP messages, allowing them to intercept data meant for other devices.

Mitigation: Enable Dynamic ARP Inspection (DAI) to prevent ARP spoofing.

Command Example:

Monitoring and Maintenance

1. Use SNMP (Simple Network Management Protocol): Managed switches support SNMP, which allows you to monitor switch performance, detect anomalies, and ensure smooth network operation.
2. Apply Regular Firmware Updates: Outdated switch firmware can have known vulnerabilities. Regularly applying updates from manufacturers ensures your devices remain protected.
3. Configure Syslog: Syslog logging allows you to monitor events and potential security threats on your switches in real-time. This is invaluable for detecting issues like port scans or unauthorized access attempts.

Case Study: The Target Breach

In the 2013 Target data breach, attackers gained access to Target’s network by compromising a third-party vendor’s credentials. They then moved laterally through the network, eventually gaining access to the POS systems. A properly configured network segmentation with VLANs would have contained the attack and prevented access to sensitive areas.

 Final Thoughts

Switches are the silent workhorses of your network, efficiently directing traffic and ensuring smooth communication between devices. Proper configuration and regular maintenance are key to ensuring that switches remain secure, resilient, and functional in a business-critical environment. From port security to VLAN segmentation, each step taken to secure a switch helps build a robust cybersecurity posture.

Have you had any experiences configuring or securing switches?

Let’s discuss and share insights in the comments below! Together, we can bolster our understanding and defense against the ever-evolving landscape of cyber threats.