Here's a simplified version:
---
**Switch Features for Network Security**
1. **Virtual LAN (VLAN)**
- VLANs group computers by switch ports, not location.
- Each switch port can belong to only one VLAN.
- VLANs can be set up on one or multiple switches.
- Trunk ports connect switches, carrying traffic for all VLANs.
- VLANs create separate broadcast domains, improving network management and security.
- Inter-VLAN communication requires a router or Layer 3 switch.
2. **MAC Filtering/Port Security**
- Limits which devices can connect to a switch port using their MAC addresses.
- MAC addresses can be manually set or learned automatically.
- Ports can be configured to allow one or multiple devices.
- Unauthorized devices are blocked or the port is shut down.
3. **Port Authentication (802.1X)**
- Only authenticated devices can connect to the LAN.
- Uses usernames, passwords, smart cards, etc., for authentication.
- Involves a supplicant (device), an authenticator (switch), and an authentication server.
- Uses EAP for flexible authentication methods and RADIUS for communication between the
switch and authentication server.
**Switch Security Considerations**
- **VLANs**:
- Help organize and manage devices.
- Control broadcast traffic and enhance security.
- Require routers for inter-VLAN communication and external data routing.
- **MAC Filtering**:
- Controls device access but is hard to manage and can be spoofed.
- 802.1X provides better security by requiring device/user authentication.
- **Air-gapped Networks**:
- Isolate critical systems physically from networks for enhanced security.
- Used in sensitive environments but are challenging to manage.
4. **Spanning Tree Protocol (STP)**
- Prevents switching loops by ensuring only one active path between switches.
- Provides redundancy and automatically recovers from failures.
- Assigns roles and states to switch ports for optimal, loop-free paths.
---
This version distills the key points, focusing on the main concepts and benefits of each feature.
FULL NOTES
Switch Attacks 00:00-00:31
Threat actors look for any opening they can find, and network switches are no exception. Insider
attacks take advantage of anything accessible, and attackers can exploit switches to gain valuable
information. It's important for you to know that all network information flows through switches and
routers, including such things as authentication information and data. Attackers can use a variety of
switch attack methods to gather valuable information that they can use later to exploit the network.
Common Switch Attacks 00:31-00:47
In this lesson, we'll go over the following attack methods: MAC flooding, ARP spoofing, VLAN
hopping, STP manipulation, double tagging, and MAC spoofing in regard to Layer 2 switches.
Remember, Layer 2 switches understand Ethernet frames at the OSI Data Link layer.
MAC Flooding 00:47-02:05
The first attack to examine is MAC flooding. Switches maintain MAC address tables, sometimes
called Content Addressable Memory tables, or CAM tables, to track which workstation is attached to
which port. Switches learn which workstation is connected to each port, and that information is stored
in the MAC address table and used when switches forward information.
For example, let's say that Workstation A wants to send information to Workstation D. The frame has
a source address ending in As, and the destination address is the address ending with Ds. When A
sends the information, the switch examines the destination address and sends the data out port 1 to
its destination. Workstations B and C aren't involved, so they never see the information.
Suppose an attacker wants to see all data passing through this switch. Considering that a switch's
normal operation only sends data to the intended recipient, the attacker would only be able to see data
destined for his or her workstation, which is very unlikely. But the attacker can flood the switch with
fake MAC address information and fill up the MAC address table. Once the switch can no longer
store any more MAC addresses, the switch enters a fail-open mode and behaves the same as a
network hub or Layer 1 device. This means that any packet coming in now goes out to all switch ports.
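To make the fail-open behaviour concrete, here is an added simulation (not part of the original lesson) of a switch with a deliberately tiny CAM table: workstation A on port 1 talks to workstation D on port 4 while a station on port 3 keeps the table saturated with fresh source MACs, and a simple detector flags any port that introduces an unusual number of new source addresses in one interval. The capacity, aging interval, port numbers and MAC addresses are constructed assumptions, not values from any real switch.

```python
# Added illustration: a Layer 2 switch with a bounded MAC address (CAM) table.
# Capacity, aging interval, port numbers and MAC addresses are constructed
# assumptions for the demo, not values taken from any real switch.

PORTS = [1, 2, 3, 4]
BROADCAST = "ff:ff:ff:ff:ff:ff"
AGING_TICKS = 5          # an entry not refreshed within this many ticks is aged out


class Switch:
    def __init__(self, capacity):
        self.capacity = capacity
        self.cam = {}        # source MAC -> (port, tick last seen)
        self.seen = []       # (tick, port, source MAC) for every frame; input for the detector

    def _age_out(self, now):
        for mac in [m for m, (_, t) in self.cam.items() if now - t > AGING_TICKS]:
            del self.cam[mac]

    def forward(self, src, dst, in_port, now):
        """Learn the source MAC, then return the egress port list for the frame."""
        self._age_out(now)
        self.seen.append((now, in_port, src))
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = (in_port, now)
        # otherwise the table is full and the station stays unknown to the switch
        entry = self.cam.get(dst)
        if dst == BROADCAST or entry is None:
            # broadcast or unknown unicast: flood out every port except the ingress one
            return [p for p in PORTS if p != in_port]
        return [entry[0]]


STATION_A = "00:00:00:00:00:aa"   # workstation A on port 1
STATION_D = "00:00:00:00:00:dd"   # workstation D on port 4


def run_scenario(flood, capacity=8, frames_per_tick=20):
    """A talks to D; when flood=True a station on port 3 keeps the CAM table saturated."""
    sw = Switch(capacity)
    sw.forward(STATION_A, BROADCAST, 1, now=0)
    sw.forward(STATION_D, BROADCAST, 4, now=0)
    counter = 0
    for tick in range(1, 13):
        if flood:
            for _ in range(frames_per_tick):
                counter += 1
                fake = "02:00:00:%02x:%02x:%02x" % (
                    (counter >> 16) & 0xff, (counter >> 8) & 0xff, counter & 0xff)
                sw.forward(fake, BROADCAST, 3, now=tick)
    # at tick 12 D answers A (which should refresh D's entry), then A sends D a unicast frame
    sw.forward(STATION_D, STATION_A, 4, now=12)
    egress = sw.forward(STATION_A, STATION_D, 1, now=12)
    return egress, sw


def suspicious_ports(sw, max_new_macs_per_tick=5):
    """Detector: ports that introduced more than N distinct source MACs within one tick."""
    per_tick_port = {}
    for tick, port, mac in sw.seen:
        per_tick_port.setdefault((tick, port), set()).add(mac)
    return {port for (_, port), macs in per_tick_port.items()
            if len(macs) > max_new_macs_per_tick}


if __name__ == "__main__":
    for flood in (False, True):
        egress, sw = run_scenario(flood)
        print(f"flood={flood}: A->D leaves on ports {egress}, flagged ports {suspicious_ports(sw)}")
```

Without the flood the unicast from A leaves only on port 4; with the flood D can never be re-learned once its entry ages out, so the same frame is flooded to ports 2, 3 and 4 and the station on port 3 sees it. The per-port count of new source MACs is the same signal that port security (a maximum number of MACs per port) and switch logging act on.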
The next switch attack is called ARP spoofing, also known as ARP poisoning.
ARP Spoofing 02:05-03:00
But let's first talk about Address Resolution Protocol, or ARP, which works similarly to DNS. DNS
resolves a fully qualified domain name into an IP address, while ARP associates a device's MAC
address with the IP address assigned to that same device. To aid in this process, a switch creates
and stores an ARP table in memory for easy lookup.
Knowing this, an attacker sends commands to the switch to overwrite the contents of its ARP table
by replacing a good, known MAC address in the table with the MAC address of the attacker's device.
This is ARP spoofing, or ARP poisoning. As a result, data that was intended for the legitimate
device is now sent to the attacker's device. In many cases, the attacker captures the data and sends
it on to its rightful owner. Another attack method you should know about is VLAN hopping. VLANs
are used to separate traffic into sections that function like separate networks.
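As an added example (not from the lesson), here is the passive check an ARP monitor performs: it keeps the IP-to-MAC associations it has seen, raises a higher-severity alert when the default gateway's address suddenly answers from a different MAC, flags a single MAC that claims several IP addresses, and shows the stricter alternative of validating every reply against a trusted binding table. The IP addresses, MACs, the gateway address and the binding table are constructed assumptions.

```python
# Added illustration of a passive ARP monitor. The IP addresses, MAC addresses,
# the "gateway" address and the trusted bindings are constructed assumptions.

GATEWAY_IP = "192.168.1.1"

# Constructed stream of ARP replies seen on the segment, as (seq, sender IP, sender MAC).
ARP_REPLIES = [
    (1, "192.168.1.1",  "00:11:22:33:44:01"),   # real default gateway
    (2, "192.168.1.10", "00:11:22:33:44:10"),
    (3, "192.168.1.20", "00:11:22:33:44:20"),
    (4, "192.168.1.1",  "00:11:22:33:44:20"),   # gateway IP now answered by .20's MAC
    (5, "192.168.1.10", "00:11:22:33:44:20"),   # .10's IP as well
]

# Constructed trusted bindings, e.g. from DHCP leases or a static inventory (assumption).
TRUSTED_BINDINGS = {
    "192.168.1.1":  "00:11:22:33:44:01",
    "192.168.1.10": "00:11:22:33:44:10",
    "192.168.1.20": "00:11:22:33:44:20",
}


def audit_arp(replies, gateway_ip=GATEWAY_IP):
    """Flag IP->MAC changes (higher severity for the gateway) and MACs claiming several IPs."""
    ip_to_mac, mac_to_ips, alerts = {}, {}, []
    for seq, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((seq, severity, f"{ip} changed from {previous} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips.setdefault(mac, set()).add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((seq, "MEDIUM", f"{mac} now claims {sorted(mac_to_ips[mac])}"))
    return alerts


def reject_untrusted(replies, bindings=TRUSTED_BINDINGS):
    """Validation against a trusted binding table: return the replies that would be dropped."""
    return [(seq, ip, mac) for seq, ip, mac in replies if bindings.get(ip) != mac]


if __name__ == "__main__":
    for alert in audit_arp(ARP_REPLIES):
        print(alert)
    print("rejected:", reject_untrusted(ARP_REPLIES))
```

The first three replies are quiet; reply 4 produces a HIGH alert because the gateway's address moved, and replies 4 and 5 are the ones a binding-table check would drop. The switch itself does nothing here, which is the point the lesson makes: the monitor or a validation feature has to supply the check the switch lacks.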
VLAN Hopping 03:00-03:26
This is often done to allow different VLANs to carry different types of traffic, such as data, voice,
or surveillance information. Since each VLAN is its own network, a device on one VLAN can't
communicate with a device on another VLAN without a router. There are a couple of techniques
attackers can use to take advantage of this VLAN separation.
The first is VLAN spoofing. VLAN spoofing takes advantage of a switch that's using its default
settings, which allows for dynamic trunk negotiation.
VLAN Spoofing 03:26-05:11
Depending on the switch, this default setting is known as dynamic auto or dynamic desirable. This
means that if you have a switch connected to the original switch, the ports connecting the two are
automatically configured as a trunk connection.
A trunk connection allows data from one switch to pass to another. A spoofing attack takes
advantage of this by fooling the switch into thinking the attacker is connected using a trunk line.
Although there are several ways to carry out a spoofing attack, such as adding a new switch, we'll
look at how someone could accomplish a spoofing attack with just one switch.
Our switch here is configured with two VLANs, VLAN 10 and VLAN 20, each with several
computers connected to it. Our attacker, a disgruntled employee, is connected to VLAN 10 and
wants to steal sensitive information from the company's chief executive officer. But as mentioned,
VLAN 10 is a separate network from VLAN 20. So as-is, the attacker can't access the CEO's
computer.
By using a tool like Yersinia, our disgruntled employee can send the switch a packet that tells the
switch the port he or she is using is really connected to another network switch. This is done using a
Dynamic Trunking Protocol frame, or DTP frame. Since the switch is configured to auto-negotiate for
a trunk line, it assumes the attacker really is a switch and opens his or her port as a trunk line. With
the attacker's port now configured this way, he or she can easily capture packets from the CEO's
computer. Keep in mind that the best way to protect your network from this type of attack is to
disable the switch's auto-negotiation setting for all ports except those to which an authorized switch
is attached.
Another method attackers use is called double tagging. This VLAN hopping technique is used when
the attacker's computer is on one VLAN switch, and the target computer is on a VLAN attached to a
separate switch.
Double Tagging 05:11-06:40
In addition, the switches must be configured to use what's called native VLANs.
When a packet is sent to a switch, it includes what's known as a VLAN tag. This tag's purpose is to
indicate which switch should process the frame. For example, you'll notice that both users are on
VLAN 10. If User A wants to send data to User B, the frame would include the VLAN tag indicating
that the frame was intended for VLAN 10. When the data reaches the switch, the VLAN tag is
removed and the packet is sent to its rightful destination.
Double tagging is accomplished by manipulating the frame being sent to include two VLAN tags:
one for VLAN 10 and one for Switch 2's VLAN, VLAN 20. When this type of frame is received by
VLAN 10's switch, the first VLAN tag is removed. But seeing that the second VLAN tag is referencing
VLAN 20, the frame is forwarded to that switch.
Then, as it normally would, this switch strips off the second VLAN tag and sends the frame to the
victim's VLAN, successfully hopping from one VLAN to another. To prevent double tagging, it's
important to make sure that your switches aren't configured to use native VLANs. This is because
trunk ports configured with a native VLAN won't apply their own VLAN tag when sending these
frames, which lets the attacker's inner-tagged frame continue on as I just described.
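The tag handling described above, as an added example that is not part of the original lesson: a small 802.1Q frame builder and parser, the trunk-egress rule that pops the outer tag only when it equals an untagged native VLAN, and the resulting VLAN the far side assigns. It shows why tagging the native VLAN (or moving it to an unused VLAN) stops the frame from crossing. The MAC addresses, the VLAN numbers 10 and 20 from the lesson, and the native-VLAN choices are constructed assumptions.

```python
import struct

# Added illustration of 802.1Q tag stacking. The MAC addresses, VLAN numbers and the
# trunk's native VLAN are constructed assumptions matching the lesson's VLAN 10/20 example.

TPID_8021Q = 0x8100


def build_frame(dst, src, vids, ethertype=0x0800, payload=b"\x00" * 4):
    """Constructed Ethernet frame carrying zero or more stacked 802.1Q tags (PCP=0, DEI=0)."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (list of VIDs outermost first, inner EtherType, payload offset)."""
    offset, vids = 12, []
    while struct.unpack_from("!H", frame, offset)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)
        offset += 4
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    return vids, ethertype, offset + 2


def trunk_egress(frame, native_vlan, tag_native):
    """What the first switch puts on the trunk: frames in the native VLAN leave untagged
    unless the switch is configured to tag the native VLAN, so only the outer tag is popped."""
    vids, _, _ = parse_tags(frame)
    if vids and vids[0] == native_vlan and not tag_native:
        return frame[:12] + frame[16:]
    return frame


def delivered_vlan(frame, trunk_native_vlan):
    """Which VLAN the second switch assigns the frame to on trunk ingress."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else trunk_native_vlan


def hop_result(native_vlan, tag_native):
    """A station in VLAN 10 sends a frame tagged 10 (outer) and 20 (inner); return the VLAN
    the far switch delivers it in."""
    station_frame = build_frame("00:00:00:00:00:20", "00:00:00:00:00:10", [10, 20])
    on_wire = trunk_egress(station_frame, native_vlan, tag_native)
    return delivered_vlan(on_wire, native_vlan)


def is_double_tagged(frame):
    """Detection hook: more than one 802.1Q tag arriving on an access port is suspicious."""
    return len(parse_tags(frame)[0]) > 1
```

With the native VLAN set to 10 and left untagged, the frame reaches VLAN 20; with native-VLAN tagging enabled, or with the native VLAN moved to an unused number such as 999, the outer tag survives and the frame stays in VLAN 10. The parser doubles as a check you can run over captured frames from access ports.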
Another common switch attack is known as a Spanning Tree Protocol, or STP, manipulation attack.
STP Manipulation 06:40-08:59
STP is normally configured on a network with several switches. The primary purpose is to prevent
switching loops. Often, whether intentional or not, there are several paths data can take to get from
its source to its destination. STP dynamically turns off certain switch ports to ensure that data can't
get stuck hopping from switch to switch without ever reaching its intended target.
While STP configuration is beyond the scope of this lesson, it's important to understand that a single
switch is designated as the root bridge. The root bridge is the reference point from which the
optimized data paths are calculated. This is necessary because switches often connect to other
switches to form redundant connections to ensure communications continue even if a switch or port
fails. The root bridge is used to pass data from switch to switch since all switches that participate in
the tree know where the root bridge is located.
So the root bridge is responsible for calculating the spanning tree from topology changes advertised
by non-root bridges. If an attacker can become the root bridge, he or she is then able to see a
variety of frames that they normally wouldn't see. To perpetrate this attack, the attacker inserts their
switch into the tree and manipulates it to appoint his or her switch as the root bridge. By doing this,
he or she can use a sniffer to collect data traversing the network. An attacker accomplishes this
manipulation by sending bridge ID frames, or BID frames, with a lower ID than that currently being
used by the legitimate root bridge.
There are several steps you can take to mitigate this type of attack. First, make sure that attackers
can't easily guess which bridge ID number is being used by the legitimate root bridge. Most switches
have a default root bridge ID, so ensure that your bridge ID is considerably lower than the default one.
If your switch supports it, a second option is to set up Bridge Protocol Data Units Guard, or BPDU
Guard. This feature allows an interface to put itself into blocking state when it receives a BPDU
packet meant to change the root bridge switch. Your third option is to enable Root Guard on the
ports not being used as trunk lines. This keeps ports in their assigned roles. If one of these ports
receives a BPDU frame, a system error is logged and that port is blocked, thwarting the attacker's
attempt to change the root bridge.
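As an added example (not the lesson's material), the following models the election rule and the two guards just listed: a bridge ID compares by priority and then by MAC address, the lowest wins, and a bridge with no guards adopts any superior BPDU, whereas BPDU Guard err-disables an access port on any BPDU and Root Guard blocks the port only when a superior BPDU arrives. The priorities, MAC addresses, port numbers and the status strings are constructed assumptions.

```python
# Added illustration of the STP root election rule and of the two guard features the
# lesson names. Bridge priorities, MAC addresses and port numbers are constructed assumptions.

DEFAULT_PRIORITY = 32768     # common factory default priority; lower values win the election


def bridge_id(priority, mac):
    """A bridge ID compares by priority first, then by MAC address; the lowest wins."""
    return (priority, mac.lower())


class Bridge:
    def __init__(self, priority, mac, guards=None):
        self.my_id = bridge_id(priority, mac)
        self.root_id = self.my_id            # every bridge starts out believing it is root
        self.guards = guards or {}           # port -> "bpdu-guard" or "root-guard"
        self.blocked_ports = set()
        self.log = []

    def receive_bpdu(self, port, advertised_root):
        if port in self.blocked_ports:
            return "dropped"
        guard = self.guards.get(port)
        if guard == "bpdu-guard":
            # an access port should never see a BPDU at all: shut it down and log
            self.blocked_ports.add(port)
            self.log.append(f"port {port}: BPDU received, port err-disabled (BPDU Guard)")
            return "err-disabled"
        if advertised_root < self.root_id:
            if guard == "root-guard":
                # superior BPDU where no root may appear: block the port, keep the current root
                self.blocked_ports.add(port)
                self.log.append(
                    f"port {port}: superior BPDU from {advertised_root}, root-inconsistent (Root Guard)")
                return "root-inconsistent"
            self.root_id = advertised_root
            return "root changed"
        return "inferior, ignored"


def rogue_root_attempt(guards):
    """The legitimate root uses a lowered priority; a rogue bridge on access port 5
    advertises an even lower ID. Returns (outcome, legitimate root kept?, log)."""
    legit_root = bridge_id(4096, "00:00:00:00:00:01")
    rogue = bridge_id(0, "00:00:00:00:00:99")
    sw = Bridge(DEFAULT_PRIORITY, "00:00:00:00:00:02", guards)
    sw.receive_bpdu(1, legit_root)          # port 1 is the uplink towards the real root
    outcome = sw.receive_bpdu(5, rogue)
    return outcome, sw.root_id == legit_root, sw.log
```

Lowering your own root's priority helps only against a rogue that keeps the default; a rogue can advertise priority 0, which is why the two guard features on non-trunk ports are the mitigations that actually hold, and why the logged message from Root Guard is worth alerting on.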
The last common switch attack to discuss is known as MAC spoofing.
MAC Spoofing 08:59-10:55
MAC spoofing is the process of sending out data from a computer using a MAC address that's
different from the MAC address physically hard-coded on a network interface card, or NIC. Although
you can't physically change your MAC address, there are tools like Windows Network and Sharing
Center in Control Panel, SMAC for Windows, and others that can make an operating system believe
that the NIC has a different MAC address. There are several reasons attackers may use this method
to attack a network, such as to defeat switch port security.
For example, in some networks, part of a switch's security is the creation of a whitelist of MAC
addresses. Only devices with a MAC address in the whitelist can be processed through that switch.
If an attacker can use a network sniffer to find a MAC address that's being used by a legitimate host
attached to the switch, he or she can change their MAC address to a valid one on the whitelist. Then
they've successfully gained access to the switch and any data being transmitted through it.
An attacker could use MAC spoofing to change their MAC address to mimic a targeted system as
well. For example, once an attacker has assumed a valid computer's MAC address, he or she could
send the switch a MAC update command, changing the MAC address table. Now, the switch sends
any data that was destined for the target system to the attacker's system. The important thing to
know here is that since it's controlled on the attacker's computer, there really isn't a way to prevent
MAC spoofing. If this becomes an issue, you'll need to use techniques at the Application level of the
OSI model.
As we end this lesson, you've probably noticed that for any of these attacks to work, the attacker
must have physical network access. So physical security is a must! One thing to keep in mind is that
for every offense, there's a defense. Administrators can make configuration settings that help to
avoid some of these attacks or, at least, notify them something strange is going on.
That's it for this lesson. In this lesson, we examined several methods attackers utilize to exploit
switch configuration weaknesses, such as the ones shown here.
Summary 10:55-11:09
With each of these attacks, one of the primary goals is to collect information that can be used to
exploit vulnerabilities at a later time.
This lesson covers the following topics:
● Common switch attacks
● Switch hardening
● Implementing secure protocols
Common Switch Attacks
The following describes common attacks that are perpetrated against switches.

**MAC flooding**
MAC flooding overloads the switch's MAC forwarding table to make the switch function like a hub. MAC flooding is performed using the following method:
1. The attacker floods the switch with packets, each containing a different source MAC address.
2. The flood of packets fills up the forwarding table and consumes so much of the memory in the switch that it causes the switch to enter a state called fail open mode. In fail open mode, all incoming packets are broadcast out to all ports (as with a hub), instead of to the designated port (as a switch normally does).
3. The attacker then captures all the traffic with a protocol analyzer/sniffer.

**ARP spoofing/poisoning**
ARP spoofing/poisoning associates the attacker's MAC address with the IP address of the victim's device.
● When computers send an ARP request for the MAC address of a known IP address, the attacker's system responds with its MAC address.
● The source device sends frames to the attacker's MAC address instead of the correct device.
● Switches are indirectly involved in the attack because they do not verify the MAC address/IP address association.
● A default gateway is a prime target because local traffic goes through a default gateway to get to non-local destinations such as the internet.
● When the attacker's system MAC address receives packets intended for the default gateway, the attacker can:
  ○ Forward the packets to the actual default gateway (passive sniffing).
  ○ Modify data in the packets before forwarding it (man-in-the-middle).

**MAC spoofing**
MAC spoofing is changing the source MAC address on frames. The attacker's system sends frames with the spoofed MAC address. The switch reads the source address contained in the frames and associates the MAC address with the port where the attacker is connected. MAC spoofing can be used to:
● Bypass 802.1x port-based security.
● Bypass wireless MAC filtering.
● Hide the identity of the attacker's computer or to impersonate another device on the network.
● Impersonate a device on the network to capture frames addressed to that device.
● Impersonate a valid device on the network to gain network access. For example, to gain access when the switch is using the MAC address to allow or deny a network connection.

**Dynamic Trunking Protocol (DTP)**
Switches have the ability to automatically detect trunk ports and negotiate the trunking protocol used between devices. The Dynamic Trunking Protocol is not secure and allows unauthorized devices to possibly modify configuration information. You should disable the DTP services on the switch's end user (access) ports before implementing the switch configuration into the network.
Switch Hardening
Examples of changes designed to improve the security of switches from the default
settings include the following:
● Change Default Credentials, which are well documented and pose a significant
security risk.
● Disable Unnecessary Services and Interfaces on a switch or router. Not every
service or interface is needed. For example, services like HTTP or Telnet should
be avoided.
● Use Secure Management Protocols such as SSH instead of Telnet or HTTPS
instead of HTTP.
● Implement Access Control Lists (ACLs) to restrict access to the switch to only
required devices and networks.
● Enable Logging and Monitoring to help identify issues like repeated login failures,
configuration changes, and many others.
● Configure Port Security to limit the devices that can connect to a switch port and
prevent unauthorized access.
● Enforce Strong Password Policies to reduce the risk of password attacks.
● Physically Secure Equipment, for example by keeping devices in a locked room, to
prevent unauthorized physical access.
Implementing Secure Protocols
Organizations usually follow formal processes when selecting secure protocols to
ensure comprehensive documentation and well-informed decision-making. These
processes include assessing risks, reviewing policies, and evaluating the security
features of different protocols. Organizations may also consult with technical experts or
vendors for recommendations. The outcomes of these processes are documented,
which is useful for audits and compliance reviews. Additionally, these process outcomes
will typically impact security baselines and configuration management systems.
Selecting protocols, assigning ports, setting transport methods, and other security
considerations all require careful thought. The first step requires evaluating the data
type used and its sensitivity level. Organizations should select secure protocols like
HTTPS, SSH, and SFTP/FTPS for transmitting sensitive or private data. Configuring
TCP ports depends on the protocol, as standard ports are associated with specific
protocols (HTTP commonly uses port 80, HTTPS uses port 443). While default protocol
ports can be changed, doing so may complicate configuration and cause potential
accessibility issues.
However, many administrators choose to change standard default ports as a method
to obscure them. TCP (Transmission Control Protocol) and UDP (User Datagram
Protocol) are two principal transport methods. TCP is connection-oriented and provides
reliability, ordering, and error-checking, making it suitable for applications requiring high
levels of reliability. UDP is connectionless, making it faster than TCP and more suitable
for real-time applications like video streaming, telephony, and gaming, where occasional
packet loss is less impactful.
When selecting secure protocols, administrators and analysts must consider suitable
encryption levels, authentication methods, existing firewalls or other security equipment,
and other factors which may impact the operation of the systems and software they are
intended to protect. Ultimately, protocol selection requires an optimum balance among
security, maintainability, performance, and cost.
Hardening a Switch 00:00-00:27
In this demonstration we'll look at various methods to harden a managed switch. In this
case we're using a Cisco Small Business Managed Switch and are logged into the
management interface using Internet Explorer. We're authenticated as the Admin User
so we can make changes. In this demonstration we'll look at port security, management
access, and access control using access control lists, ACLs.
Configure Port Settings 00:27-02:07
To begin, let's look at port security. When hardening a switch, one of the first things we
want to do is shut down any unused ports. Click on Configure Port Settings, which
will take us directly to the Port Settings page under Port Management.
On this page we can select one of the unused ports. You'll notice we have several ports
here that are either down and unused, or up and used. The ones that are unused are
currently down. We want to make sure they're administratively down, meaning they
have to be turned on before they can be used. Let's take a look at Port Two. It's down.
Let's scroll to the bottom of the page and click Edit. On this page you'll notice that
the Administrative Status of this port is actually up, even though it's operationally down.
This means there's nothing plugged into it. To make sure that this port remains down
and is not used without permission, we'll set the Administrative Status as Down.
Click Apply, Close.
To set all other unused ports as Administratively Down, we'll select Port Two then click
Copy Settings. In the Copy Settings window we can list all the ports that we want to be
down. In this case, we'll type Three, Six, and Eight through 28. Go ahead and click
Apply. All of those ports are now administratively down.
Let's look at Port Three for confirmation. Select Port Three and click Edit. You'll notice
on this page that the status is Administratively Down. So, the status that we copied from
Port Two went to the rest of the ports. Click Close.
By setting the ports that we're not using to Administratively Down, those ports will come
up in a down state each time the switch starts up. At the end we'll make sure that we
save our Configuration File to the Startup Configuration.
Enable Port Security 02:07-04:13
Next, we also want to enable port security. To do that, we'll open the Security Tab and
click on Port Security. Under this tab we can configure the locking mechanism for
each of these ports. We'll click on Port One and select Edit.
On this page you'll notice that we can lock the port, meaning we're going to only allow
certain MAC addresses to pass traffic through this port. A Classic Lock means that
the first device you connect to that port will be remembered and allowed to pass
traffic through this port. You can also select Limited Dynamic Lock, which gives
you a variable number from one to 256. Let's change this to four.
Now, if you connect a hub to a specific port on the switch and connect four devices to
that, you can allow all four of those devices to talk through that port. No additional
devices would be allowed to pass traffic.
We'll go ahead and select the Classic Lock. That will give us one device, and the
device will be locked in. If you try to connect a device that is not supposed to be
on that port, the Action on Violation determines what happens. The default is to
discard the packet. If you connect any other device to the port, the traffic will be ignored.
You can also forward the traffic, or you can shut down the port. That's a little drastic for
our purposes. However, if you're extremely cautious about your security and you don't
want anybody connecting a device you don't know about, being able to shut down the
port is one of the most secure things that you can do.
We'll go ahead and select Discard if it's a device that we aren't sure about. If somebody
plugs in a device that's not locked in you can also trap the MAC addresses of the
offending device. We've enabled locking for Port One, as well as the classic lock. We're
going to discard the frames of any other devices that come onto that port. We'll go
ahead and click Apply, Close.
Once again, we can take the settings that we've created for Port One and apply them to
the rest of the ports. Scroll down to the bottom and select Copy Settings. In this case,
we'll select all of the ports, or Two through 28, and click Apply. You'll see that the
settings that we've created for port security now apply to all 28 ports.
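To show what those port-security settings do to traffic, here is an added model (not the switch's own code and not part of the demo) of one secured port: Classic Lock remembers the first device only, Limited Dynamic Lock allows up to the configured number, and the Action on Violation decides whether an extra device is discarded, forwarded without being learned, or causes the port to shut down. The device MAC addresses and the hub-with-five-devices scenario are constructed assumptions.

```python
# Added illustration of the port-security options the demo walks through (Classic Lock,
# Limited Dynamic Lock, and the Discard / Forward / Shutdown violation actions). The
# device MACs are constructed; the behaviour is a simplified model, not the switch's code.

ACTIONS = ("discard", "forward", "shutdown")


class SecuredPort:
    def __init__(self, lock="classic", max_macs=1, action="discard"):
        if lock not in ("classic", "limited-dynamic") or action not in ACTIONS:
            raise ValueError("unsupported lock mode or violation action")
        self.max_macs = 1 if lock == "classic" else max_macs
        self.action = action
        self.allowed = []          # learned MACs, in the order they were locked in
        self.shut_down = False
        self.traps = []            # offending MACs reported, as the GUI's trap option does

    def ingress(self, src_mac):
        """Return 'forward' or 'discard' for a frame, updating port state on violations."""
        if self.shut_down:
            return "discard"
        if src_mac in self.allowed:
            return "forward"
        if len(self.allowed) < self.max_macs:
            self.allowed.append(src_mac)   # lock the device in
            return "forward"
        # violation: an unknown device beyond the permitted count
        self.traps.append(src_mac)
        if self.action == "shutdown":
            self.shut_down = True
            return "discard"
        return "forward" if self.action == "forward" else "discard"


def hub_with_five_devices(lock, max_macs, action):
    """Five devices behind a hub send one frame each, then the first device sends again.
    Returns (per-frame decisions, MACs that were trapped)."""
    port = SecuredPort(lock, max_macs, action)
    devices = [f"00:00:00:00:00:{n:02x}" for n in range(1, 6)]
    results = [port.ingress(mac) for mac in devices]
    results.append(port.ingress(devices[0]))
    return results, port.traps
```

With Limited Dynamic Lock set to four and Discard, the fifth device is dropped and trapped while the first four keep working; with Shutdown the fifth device takes the whole port down, including for the legitimate devices, which is the trade-off the demo calls drastic.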
Management Access 04:13-06:17
The next piece that we would like to cover is management access. We'll go to
Management Access Method (under “security”) and click Access Profiles. In this
case, the only profile that's on the machine is the Console Profile, which is the default.
We're going to add a new access profile, so click Add. We'll call this access profile
Management. In this Management Profile the very first rule, or Rule One that we want to
have will deny all management. We'll go ahead and select Deny and specify all different
management methods, and apply it to all interfaces. That will be our first and main rule.
We'll go ahead and click Apply, Close.
Now that we've created our Management Profile, we can select Profile Rules. It can
seem a little confusing that you create a Management Profile then add a rule to it. We'll
go ahead and select our Management Profile, and add another rule. It looks very similar
to the page we just used.
For Rule Number Two, we want to allow HTTP access. We want to select all
interfaces, but we also only want to allow traffic from a specific workstation or IP
address. We'll specify that 192.168.1.200 will be the only workstation allowed to
access this port. We'll also input the network mask by typing 255.255.255.0.
Alternatively, we can use the prefix length and use the prefix instead. We'll go ahead
and click Apply, Close.
We now have a management access rule that denies all traffic, and one access rule
which allows us to access the HTTP interface from one specific workstation. But, we're
not done yet.
We need to go back to Access Profiles and set the Active Profile. Right now, we
don't have an active management profile. Go ahead and select Management. This
denies all types of management interfaces with this switch, except for the HTTP access
from the one workstation that we have selected.
We're not going to click Apply this time. If we do, we'll probably be locked out of the
switch, and we want to make sure that we have access to complete this demo.
Firmware Updates 06:17-07:01
Let's go to the next section, and look at firmware updates. Under Administration, File
Management we can select Upgrade, Backup Firmware. Part of hardening the device or
a computer of any kind is to make sure you have the latest software and patches. You
can use browse to select the latest firmware and download it.
In this particular switch, you have to select the Active Image once you've loaded the
firmware. You can select Image One or the new image, Image Two, and apply it. Next
you'll need to reboot the switch. Once you do that the switch will come back with the
latest and greatest software and the best enhancements. This allows you to have the
best possible security for this switch. Upgrading firmware for the switch as well as
applying patches to any computer is a key element to hardening the switch.
Access Control using ACLs 07:01-10:23
The last aspect of hardening the switch is access control using the ACLs. Let's select
Access Control. On this switch, we have various methods of access control. We can
use a MAC based ACL. We can use an IPV4 based ACL. And we can also use an IPV6
based ACL. We'll set up a MAC based ACL.
In this case, we don't have an access control list, so we'll go ahead and create one. We
want to make sure that nobody can attach game consoles or connect any game to our
switch. Type Games as the name of our ACL. Click Apply, Close.
We have the ACL, but to put access control entries, ACE, into this access control list,
we need to click the MAC Based ACE Table. It has a slightly different interface, but let's
click Add to add an entry to this page.
For our first access control entry, Entry One, we're going to select Deny. We'll select
Any for the Destination MAC address. Under Source MAC Address, we're going to
select User Defined and put in the address, one of the game consoles, or the prefix of
the MAC address, which is used for all devices of the same manufacturer. We'll go
ahead and enter 00041F followed by six ones. Under Source MAC Wildcard Mask we'll
enter six zeroes followed by six ones.
This says that we only care about the first six digits of the MAC Address. This is
preventing any device from the same manufacturer from being connected. We'll go
ahead and click Apply.
That creates our first entry into the Access Control List Entry Table. We'll add one more
just for demonstration purposes. We'll go ahead and create Priority Two.
Once again, we're going to select Deny, and specify the Destination MAC Address as
Any. We're going to specify the Source MAC Address value as 005042 followed by six
ones. We'll do the same Source MAC Wildcard Mask, or six zeroes followed by six
ones. Click Apply, Close to create our access control entries.
We could add more for any of the game console types that are out there, or any other
device that we want to prohibit from using our network.
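As an added example of how the entries just created are evaluated (not the switch's code and not part of the demo), the following implements the wildcard-mask comparison, where a one bit in the mask means "don't care", and walks an ACL in priority order. The two prefixes 00041F and 005042 with the 000000FFFFFF mask are the values typed in the demo; the sample source addresses and the default action applied when no entry matches are constructed assumptions, so check what your switch's implicit final rule is.

```python
# Added illustration of how a MAC-based ACE with a wildcard mask is evaluated. The two
# OUI prefixes (00041F and 005042) and the mask are the ones typed in the demo; the frame
# source addresses and the default action are constructed assumptions.


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)


def mac_matches(mac, pattern, wildcard):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care' for that bit."""
    care = ~mac_to_int(wildcard) & 0xFFFFFFFFFFFF
    return (mac_to_int(mac) & care) == (mac_to_int(pattern) & care)


# The demo's ACL "Games": (priority, action, source MAC value, source wildcard mask)
GAMES_ACL = [
    (1, "deny", "00:04:1F:11:11:11", "00:00:00:FF:FF:FF"),
    (2, "deny", "00:50:42:11:11:11", "00:00:00:FF:FF:FF"),
]


def evaluate_acl(acl, src_mac, default_action="permit"):
    """First matching ACE in priority order decides. default_action applies when nothing
    matches (an assumption for this example; confirm the switch's implicit final rule)."""
    for priority, action, value, wildcard in sorted(acl):
        if mac_matches(src_mac, value, wildcard):
            return action, priority
    return default_action, None


def classify_sources(acl, sources, default_action="permit"):
    """Decision for each source address: {mac: (action, matching priority or None)}."""
    return {mac: evaluate_acl(acl, mac, default_action) for mac in sources}


# Constructed sample frames: two console-like OUIs and one ordinary workstation
SAMPLE_SOURCES = ["00:04:1f:aa:bb:cc", "00:50:42:00:00:01", "00:11:22:33:44:55"]

if __name__ == "__main__":
    for mac, decision in classify_sources(GAMES_ACL, SAMPLE_SOURCES).items():
        print(mac, decision)
```

Only the first six hex digits (the manufacturer prefix) take part in the comparison, so any address from those two OUIs is denied regardless of the remaining digits, which is exactly what the mask of six zeroes followed by six ones expresses.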
We can also add anything we want to allow on the network. Now that we've created the
MAC Based ACL Table, and have created the entries in that table, we need to make
sure that the ports have a binding to that table. We'll go ahead and click on ACL
Binding. Select Port One, scroll down, and click Edit. We want to apply this MAC based
ACL, so we'll select that and then select Games, which we just created. If there were
additional ones, we could choose from them as well. We'll go ahead and click Apply,
Close.
Just as we've done in the previous portions of this demonstration, we'll select Port One,
the GE One interface, and click on Copy Settings. We'll enter two through 28 and click
Apply. That gave us a successful binding of the Games ACL to all of the ports in our
interface.
One final thing that you will always want to do when you've made configuration changes
to your switch is to save the Running Configuration to the Startup Configuration. On this
switch, simply click Save at the top. It will blink when there have been changes. Select
Running Configuration as the Source File Name. And set the Destination File Name as
Startup Configuration, then click Apply.
Summary 10:23-10:35
In this demonstration we've examined the idea of port security. We've looked at
management access to our switch. And we've also looked at restricting certain traffic to
the switch using ACLs.