3.1.3  Switches

A switch is a network device that, like a router, forwards packets between LAN segments; it provides a subset of a router's functionality at a lower price. The simplest switches operate at the data link layer (OSI Layer 2) and base their forwarding decisions on physical device addresses (for example, the destination MAC address) rather than on the network-level routing rules, keyed on IP network addresses, that full routers apply.

Switches are useful in controlling access to network packets traveling on a wire. Since switches avoid making a packet sent by one host available to all other hosts on the switch (unlike hubs), the potential for sniffing is greatly reduced.

Switches

Switches, like routers, forward traffic to the network connections as required.

Switches work at the data-link layer, using MAC addresses, rather than at the network layer used by routers.

Unlike hubs, they do not automatically make a packet sent by a host on the switch available to all other hosts connected to that switch. Only the network links and nodes directly involved in the conversation see the packet, so opportunities for packet-sniffing are reduced.


Of course, a caveat to this is that switches have been designed primarily to enhance network performance, not network security.

Security Issues with Switches

It is possible to barrage some switches with an excessive amount of traffic from unused MAC addresses, causing the switch to overflow its MAC address table and reconfigure itself into working just like a hub. Once the switch is in hub mode, traffic is no longer restricted and sniffing is once again possible.

With other switches, frames are always forwarded to all ports, and the switch processor is relied upon to explicitly tell every port except the correct one to drop the frame. If the switch is under heavy processing load (say, from handling bad packets), the processor may not get around to telling the other ports to drop the frames, and the frames are sent out on all ports, as with a hub. [272]

Another way to sniff switched traffic is to use spoofed ARP packets to misinform the switch of the MAC addresses for the hosts whose traffic you wish to sniff. [273]
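As an added illustration (not part of the CertiGuide text), the following Python model of a learning switch shows why filling the MAC address table makes the switch flood frames like a hub, and how a per-port address limit of the kind managed switches offer as port security contains it. The switch model, port numbers, MAC addresses, table capacity and eviction policy are all constructed for the example.

```python
from collections import OrderedDict

class LearningSwitch:
    """Toy model of a Layer-2 learning switch (added example, not from the guide).
    `table` maps MAC -> port and is bounded by `capacity`, like a real MAC table.
    `max_macs_per_port` is an assumed port-security style limit; None disables it."""

    def __init__(self, ports, capacity=4, max_macs_per_port=None):
        self.ports = set(ports)
        self.capacity = capacity
        self.max_macs_per_port = max_macs_per_port
        self.table = OrderedDict()   # MAC -> port, oldest entry first
        self.disabled = set()        # ports shut down after a port-security violation

    def _learn(self, src, in_port):
        """Record src on in_port; return False if the port limit rejects it."""
        if src in self.table:
            self.table.move_to_end(src)
            self.table[src] = in_port
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.table.values() if p == in_port)
            if on_port >= self.max_macs_per_port:
                self.disabled.add(in_port)   # violation: err-disable the port
                return False
        if len(self.table) >= self.capacity:
            self.table.popitem(last=False)   # table full: evict the oldest entry
        self.table[src] = in_port
        return True

    def forward(self, src, dst, in_port):
        """Return the set of ports the frame is sent out on."""
        if in_port in self.disabled or not self._learn(src, in_port):
            return set()
        out = self.table.get(dst)
        if out is None:                      # unknown destination: flood like a hub
            return self.ports - {in_port}
        return {out} - {in_port}

def simulate_flood(port_limit):
    """A (port 1) talks to B (port 2); port 3 then sends frames from 10 bogus
    source MACs (constructed). Returns the ports A's next frame to B reaches."""
    sw = LearningSwitch(ports=[1, 2, 3], capacity=4, max_macs_per_port=port_limit)
    sw.forward("aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", 1)   # A learned; B unknown -> flood
    sw.forward("bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01", 2)   # B learned; unicast from now on
    for i in range(10):
        sw.forward(f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff", 3)
    return sw.forward("aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", 1)
```

Without a port limit the bogus addresses evict A and B, so A's frame is flooded to port 3 as well; with a limit of one address per port, port 3 is disabled after its second address and A's frame still reaches only port 2.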

Switches can be targets for attackers, who can gain access to administrative features of managed switches by using default passwords, or sniffing switch passwords sent in clear text via SNMP or telnet.

As with routers, improper configuration can be an issue limiting the effectiveness of a switch as a traffic isolation device. Also, as with all hardware, it’s important to watch for security-related firmware updates and install them when available.


__________________

[272] Turner, Aaron D., Network Insecurity with Switches, http://synfin.net/docs/switch_security.html

[273] Switching and VLAN Security FAQ, http://www.fefe.de/switch

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.