Chapter 12: Spanning Tree, VLANs, EAP-LEAP, and CDP

OVERVIEW

In the preceding parts of the book, we concentrated on attacking specific Cisco devices as well as possible outcomes from such attacks. Now we shift our attention to attacking a network as a whole which in plain language amounts to hacking a protocol rather than hacking a box . Plenty of network protocols (including IP itself) have known design flaws that may allow a network takeover. Here we will try to be as specific as possible while examining the security of common Cisco proprietary protocols and supporting applications, or at least protocols that employ Cisco routers and switches in the majority of cases. Such protocols include 802.1q and 802.1d. While both 802.1q and 802.1d are open Internet Engineering Task Force (IETF) standards supported by all intelligent Layer 2 devices, the abundance of Cisco Catalyst switches in the real world means that in most cases, the Catalysts either allow these attacks to happen (if not secured properly) or stop them (by Cisco proprietary countermeasures being applied).

These standards examples are used intentionally. We tend to start examining lower Open System Interconnection (OSI) model layers first and gradually move to the higher ones. The reason for this is stealth. Layer 2 attacks are not detected by the majority of modern intrusion detection system (IDS) appliances (TippingPoint IPS being an exception we are well aware of). Discovering and understanding such attacks requires good knowledge of data link protocols operation, which usually belongs in the realm of the network designer or engineernot the security system administrator or security consultant. Very often, a corporate network is designed by experienced professionals from an external installer or integrator company and left in the hands of an in-house IT team, whose members may not know much about bridging and switching. New switches may be added or current switches removed from the network without consulting its architects , which can lead to all kinds of problems, security and otherwise . The threat of Layer 2 attacks is grossly underestimated. Thus, even though similar results can be achieved with Address Resolution Protocol (ARP) spoofing or CAM table flooding, manipulating traffic a layer below, where possible, is definitely worth considering. No one stops the attacker from combining such attacks with "good old ARP tricks," and even networks that are well-protected against ARP manipulation can fall to these "hits below." The exploitations we discuss here belong in the realm of local attacks. As we've repeated many times in this book, you must never underestimate the local attacker. However, the attacker may not be so local after allbackdoors and wireless hacking allow remote crackers to employ these methods to extend their control over a network into which they have managed to sneak . In addition, some of the network-centric attacks described in the next chapter, such as attacks against Generic Routing Encapsulation (GRE) or virtual private networks (VPNs), can be launched remotely.