Average Reviews:
(More customer reviews)I really looked forward to reading LAN Switch Security (LSS), simply because it covered layer 2 issues. These days application security, rootkits, and similar topics get all the press, but the foundation of the network is still critical. Unfortunately, LSS disappointed me enough to warrant this three star review. I'm afraid those before me who wrote five star reviews 1) don't read enough other books or 2) don't set their expectations high enough.
Let me first say I am not anti-Cisco, nor anti-Cisco-book. For an earlier Cisco Press book I wrote "I really enjoyed reading Cisco Router Firewall Security (CRFS) by Richard Deal. This book delivers just what a technical Cisco book should: discussion of concepts, explanation of command syntax, and practical examples." LSS, however, is not what I like to see in a Cisco book. It suffers the major flaw found in almost all technical books featuring large numbers of writers (LSS has 2 authors, 4 contributors, 2 tech editors): incoherence and overlapping discussions. Furthermore, many of these contributors do not write clearly. I found large sections to be disjointed and inconsistent. It is clear that no one stepped up to the plate to see if the finished product made any sense from the reader's perspective.
The second major problem with this book is that older books easily overpower LSS. For example, in March 2006 I gave Hacking Exposed: Cisco Networks (HECN) four stars. HECN covers many of the same topics as LSS, more clearly, with more syntax, and better explanations. Anyone who wants to buy a book about layer 2 security should start with HECN. If you don't want to buy a book, just download the free 86-page Cisco IOS Switch Security Configuration Guide published by NSA.
If you read HECN or the NSA guide, you'll be struck by the amount of configuration syntax in those resources. If you glance through LSS you'll see syntax, but (and this bothered me greatly) not for all the features discussed. For example, LSS ch 16 (Wire Speed Access Control Lists) features sections titled "Working with RACL", "Working with VACL", and "Working with PACL". That's great -- six pages (pp 263-268), with no command syntax! Sure, you can read about using VACLs for traffic capture, but where are the examples? If you tell me they are the same as other examples, I want to see the proof. This is the sort of glaring omission that really frustrated me.
I did like some of LSS. I thought attacks against link aggregation protocols, discussions of control plane policy, and spanning tree protocol were interesting. Adding discussions of ARP spoofing a remote gateway using Yersinia would have been helpful. There's a decent number of typos (POP != "point of presence", replace "Ethernet" with "IP" on p 235), but technically the book seemed sound. (One of the authors was kind enough to confirm the p 235 typo; I wanted to be sure I hadn't missed something important.)
I notice Cisco is publishing a book titled Router Security Strategies: Securing IP Network Traffic Planes in December. Presumably that will be a counterpart to this title, except at layer 3. I hope that new book avoids the mistakes made by LSS.
Click Here to see more reviews about: LAN Switch Security: What Hackers Know About Your Switches
LAN Switch Security: What Hackers Know About Your SwitchesA practical guide to hardening Layer 2 devices and stopping campus network attacksEric VynckeChristopher Paggen, CCIE® No. 2659Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Cisco® Discovery Protocol [CDP], and so on) and data plane protocols, such as Address Routing Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches. Further, this book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. This book also includes a section on how to use an Ethernet switch to increase the security of a network and prevent future attacks.Divided into four parts, LAN Switch Security provides you with steps you can take to ensure the integrity of both voice and data traffic traveling over Layer 2 devices. Part I covers vulnerabilities in Layer 2 protocols and how to configure switches to prevent attacks against those vulnerabilities. Part II addresses denial-of-service (DoS) attacks on an Ethernet switch and shows how those attacks can be mitigated. Part III shows how a switch can actually augment the security of a network through the utilization of wirespeed access control list (ACL) processing and IEEE 802.1x for user authentication and authorization. Part IV examines future developments from the LinkSec working group at the IEEE. For all parts, most of the content is vendor independent and is useful for all network architects deploying Ethernet switches.After reading this book, you will have an in-depth understanding of LAN security and be prepared to plug the security holes that exist in a great number of campus networks. Eric Vyncke has a master's degree in computer science engineering from the University of Liège in Belgium. Since 1997, Eric has worked as a Distinguished Consulting Engineer for Cisco, where he is a technical consultant for security covering Europe. His area of expertise for 20 years has been mainly security from Layer 2 to applications. He is also guest professor at Belgian universities for security seminars. Christopher Paggen, CCIE® No. 2659, obtained a degree in computer science from IESSL in Liège (Belgium) and a master's degree in economics from University of Mons-Hainaut (UMH) in Belgium. He has been with Cisco since 1996 where he has held various positions in the fields of LAN switching and security, either as pre-sales support, post-sales support, network design engineer, or technical advisor to various engineering teams. Christopher is a frequent speaker at events, such as Networkers, and has filed several U.S. patents in the security area.Contributing Authors:Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco.Steinthor Bjarnason is a consulting engineer for Cisco.Ken Hook is a switch security solution manager for Cisco.Rajesh Bhandari is a technical leader and a network security solutions architect for Cisco.Use port security to protect against CAM attacksPrevent spanning-tree attacks Isolate VLANs with proper configuration techniquesProtect against rogue DHCP serversBlock ARP snoopingPrevent IPv6 neighbor discovery and router solicitation exploitationIdentify Power over Ethernet vulnerabilitiesMitigate risks from HSRP and VRPPStop information leaks with CDP, PaGP, VTP, CGMP and other Cisco ancillary protocolsUnderstand and prevent DoS attacks against switchesEnforce simple wirespeed security policies with ACLsImplement user authentication on a port base with IEEE 802.1xUse new IEEE protocols to encrypt all Ethernet frames at wirespeed.This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.Category: Cisco Press—SecurityCovers: Ethernet Switch Security$60.00 USA / $69.00 CANLAN Switch Security: What Hackers Know About Your SwitchesA practical guide to hardening Layer 2 devices and stopping campus network attacksEric VynckeChristopher Paggen, CCIE® No. 2659Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Cisco® Discovery Protocol [CDP], and so on) and data plane protocols, such as Address Routing Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches. Further, this book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. This book also includes a section on how to use an Ethernet switch to increase the security of a network and prevent future attacks.Divided into four parts, LAN Switch Security provides you with steps you can take to ensure the integrity of both voice and data traffic traveling over Layer 2 devices. Part I covers vulnerabilities in Layer 2 protocols and how to configure switches to prevent attacks against those vulnerabilities. Part II addresses denial-of-service (DoS) attacks on an Ethernet switch and shows how those attacks can be mitigated. Part III shows how a switch can actually augment the security of a network through the utilization of wirespeed access control list (ACL) processing and IEEE 802.1x for user authentication and authorization. Part IV examines future developments from the LinkSec working group at the IEEE. For all parts, most of the content is vendor independent and is useful for all network architects deploying Ethernet switches.After reading this book, you will have an in-depth understanding of LAN security and be prepared to plug the security holes that exist in a great number of campus networks. Eric Vyncke has a master's degree in computer science engineering from the University of Liège in Belgium. Since 1997, Eric has worked as a Distinguished Consulting Engineer for Cisco, where he is a technical consultant for security covering Europe. His area of expertise for 20 years has been mainly security from Layer 2 to applications. He is also guest professor at Belgian universities for security seminars. Christopher Paggen, CCIE® No. 2659, obtained a degree in computer science from IESSL in Liège (Belgium) and a master's degree in economics from University of Mons-Hainaut (UMH) in Belgium. He has been with Cisco since 1996 where he has held various positions in the fields of LAN switching and security, either as pre-sales support, post-sales support, network design engineer, or technical advisor to various engineering teams. Christopher is a frequent speaker at events, such as Networkers, and has filed several U.S. patents in the security area.Contributing Authors:Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco.Steinthor Bjarnason is a consulting engineer for Cisco.Ken Hook is a switch security solution manager for Cisco.Rajesh Bhandari is a technical leader and a network security solutions architect for Cisco.Use port security to protect against CAM attacksPrevent spanning-tree attacks Isolate VLANs with proper configuration techniquesProtect against rogue DHCP serversBlock ARP snoopingPrevent IPv6 neighbor discovery and router solicitation exploitationIdentify Power over Ethernet vulnerabilitiesMitigate risks from HSRP and VRPP...
Click here for more information about LAN Switch Security: What Hackers Know About Your Switches
No comments:
Post a Comment