4

I'm trying to figure out what makes a "top brand" switch better than a "cheap unknown brand" one with the same features.

I often see security thrown in the mix, but really can't understand how this is relevant, so I'm trying to figure out if it is.

The way I see it, most (all?) L2 switches just get some data that they have to pass to specific devices, no L3 stuff, no look up, just Alice has MAC X and is on port Y, I need to pass Z from port W to Y.

Now, besides CAM overflow and web interface exploits (I'm leaving VLAN hopping and other similar exploits out because they won't hack the switch itself), what could possibly go wrong? It looks like the Linux kernel used in most switches is ancient, but apparently it doesn't get exposed to anything, as it only runs the web UI/shell (the ASIC does everything?).

Am I missing something here?

Dgm

2 Answers

2

Attack Surface:

  • Management
  • Traffic Isolation (VLAN)
  • Traffic Monitoring / Sniffing
  • Actual Traffic Passing / extra services

Management

Look at the management interfaces. A cheap switch example is a home router. Yes, it does more than switching, but the bugs are in the management interfaces. The same goes for even the "top" tier Cisco devices. Most of the CVEs are around baked-in credentials, problems with the management, or problems with the implementation of complex protocols.

Traffic Isolation

Many L2 switches will set up VLANs, which should be isolated networks, and often we depend on this isolation for security. If you are using an L2 switch in this mode, then a compromise of the management or of the VLAN tagging that allows you to hop VLANs is your biggest worry.

If you're not segmenting traffic by VLANs, I'd argue the security of the switch really doesn't matter.

Traffic Monitoring / sniffing

Take the next level. You can set up a SPAN port and monitor all traffic from all other ports. I personally assume any traffic that leaves my device will be monitored, so I focus on transit encryption. And in today's WiFi world, it's pretty typical for many devices to sniff your traffic. Maybe not a strong threat.

Actual Traffic Passing and extra services

What's left is actual traffic passing. These are the bugs that the NSA used to hack firewalls from the public internet. They find bugs in traffic that isn't simply passed from port to port: spanning tree, VLAN logic, and the like. This is where the remaining attack surface lies. Examples:

  1. Cisco CDP DoS
  2. vulnerability in the Simple Network Management Protocol (SNMP) running on certain models of Cisco Catalyst Switches
Jonathan
  • So it looks like the only ways to hack a switch (the brick itself, not the network) are hacking the management interface or finding a backdoor. Even if my switch ran MS-DOS it would be pretty hard to hack if I put management on a separate VLAN, right? – Dgm Jun 02 '18 at 02:16
  • Yes. The management interface has the largest attack surface followed by bugs in extraneous services like STP, SNMP, CDP, and whatever other traffic management services running. – Jonathan Jun 02 '18 at 14:28
1

Actually, the biggest holes are various services that are enabled by default and must be deliberately disabled or secured before deployment. Like *STP, which should never be enabled on customer ports (you need to enable BPDU protections), various topology detection protocols (Cisco Discovery Protocol, LLDP), misconfigured management protocols (CFM, OAM), or - if you ask about taking over the switch itself - SNMP, which is usually enabled with public and private ro/rw communities (v2) and has no trusted ports set up by default (meaning all the ports are trusted, no restrictions at all).

Tomasz Pala
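As an added example (not from either answer, nor any vendor's tooling), here is a small config audit for the default-on services both answers point at: SNMP `public`/`private` communities with no source ACL, CDP left running, and access ports without BPDU guard. The IOS-style syntax is assumed and the two config fragments are constructed for illustration.

```python
import re
# Constructed IOS-style config fragments for illustration only (not from any real device).
WEAK_CONFIG = """
cdp run
snmp-server community public RO
snmp-server community private RW
interface GigabitEthernet0/1
 switchport mode access
"""
HARDENED_CONFIG = """
no cdp run
access-list 10 permit 192.0.2.10
snmp-server community s3cr3tR0 RO 10
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree bpduguard enable
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces

def audit_switch_config(config):
    """Return finding strings for default-on services and weak settings."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    for l in lines:
        # SNMP: well-known community strings, or a community not bound to a source ACL.
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", l)
        if m:
            name, mode, acl = m.groups()
            if name.lower() in ("public", "private"):
                findings.append(f"SNMP default community '{name}' ({mode})")
            if acl is None:
                findings.append(f"SNMP community '{name}' reachable from any source (no ACL)")
    if "no cdp run" not in lines:  # CDP is on by default and advertises topology on every port
        findings.append("CDP enabled globally")
    for name, sub in parse_interfaces(config).items():
        # Access ports should drop BPDUs so an attached host cannot join the STP topology.
        if "switchport mode access" in sub and "spanning-tree bpduguard enable" not in sub:
            findings.append(f"{name}: access port without BPDU guard")
    return findings
```

Running `audit_switch_config(WEAK_CONFIG)` returns six findings, while the hardened fragment returns none; a real audit would extend the same pattern to LLDP, SNMPv2 in general, and the management VLAN the question asks about.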