How Network Switches Help Strengthen Threat Protection

Igor Girkin, information security systems architect at Garda, shares insights on network protection.

The reason I decided to write about this topic was an incredible event during a recent presentation. For several years, I’ve been talking about the Garda NDR product (I’ve spoken about NTA/NDR more than a hundred times). At that seminar, I, as usual, emphasized to the audience the need to use NDR analytics for lateral traffic (basically, traffic within a VLAN), since there are often no other network security tools in this segment. And suddenly, a remark from the audience: "Can we use private VLAN to limit lateral traffic and thus reduce the severity of the problem?" The thunderbolt in the clear sky was not the acquisition of new knowledge (I know private VLAN both theoretically and practically)—what was unexpected was that for the first time in a long time, someone had remembered that network switches have built-in mechanisms for ensuring information security.

Previously, the only requirement from a network device was this: to transmit packets quickly and without loss. Those days are now in the past. A modern switch is an important element of the security perimeter, located on the first line of defense. By using it only for traffic switching, you miss a powerful tool for countering threats.

In this article, I will discuss the built-in protection mechanisms in modern L2/L3 switches and how to properly apply them for network security.

“Iron” Network Protection

The key element inside switches is a specialized ASIC chip for packet processing, allowing necessary traffic manipulations without reducing transmission speed. Global chip manufacturers have long turned their ASICs from simple forwarding engines into complex security processors. Hardware acceleration of switches is the key to ensuring that information security functions don’t "eat up" all the performance.

Next, I will break down the main functions built into the switch that help ensure network security without burdening the network.

Access Control Lists (ACL), or access lists. This is not about simple filters. Modern chips allow the use of

Port security. This feature limits the learning of new MAC addresses on a switch port and prevents turning a switch into a tool for traffic interception by attackers, thus reducing the risk of Man-in-the-Middle (MitM) attacks. Typically, the configuration of this feature involves specifying the maximum allowed number of MAC addresses on a port that the switch will store in its internal forwarding table. Usually, the limit is set to two MAC addresses, since in most cases, no more than two devices are likely to be connected to a user port or an access port (a rare setup today, where a computer is connected through an IP phone to a switch).

DHCP Snooping, Dynamic ARP Inspection, and IP Source Guard — these are the "holy trinity" in combating attacks at L2/L3. DHCP Snooping builds a "white" list of trusted IP address leases by analyzing DHCP requests and responses. Dynamic ARP Inspection checks ARP responses against this table, and IP Source Guard filters traffic with spoofed IP addresses. This reduces the risk of ARP/DHCP spoofing and MitM attacks. These features, under similar (but slightly different) names, are available from all manufacturers and prevent the emergence of unauthorized DHCP servers on the network, which may unintentionally appear on servers or user computers due to the installation of a new operating system.

Private VLAN/MUX VLAN. This feature limits lateral traffic between ports of one or more switches within a single broadcast domain. This reduces the risks associated with the reconnaissance and spread of threats. Like the previous mechanisms, this feature is available in nearly any switch, regardless of the manufacturer. However, there are nuances. First, not all devices in the manufacturer's product line may support it. Second, isolation of direct port interactions may only work within a single switch. This is certainly inconvenient, but not critical. In both cases, NDR-class solutions can help, which effectively analyze horizontal (lateral) traffic and can detect direct interactions between user computers.

IEEE 802.1X — provides extended authentication and client authorization on the switch port (the basis of the Zero Trust architecture). This security standard ensures authentication of wired and wireless devices before granting network access. This approach helps prevent unauthorized access by blocking the switch port until authentication is confirmed via a RADIUS server. Credential verification uses protocols from the EAP family (including PEAP, EAP-TLS). Support for the standard is implemented by the vast majority of equipment vendors, but its presence in a specific device model must be taken into account. In addition, there are nuances related to 802.1X extensions from specific vendors for connecting devices that do not support EAP protocols.

BPDUGuard, BPDUFilter, RootGuard and

Control Plane Policy (CoPP) and Storm Control — mechanisms for hardware rate-limiting of broadcast, multicast, and unknown unicast traffic. These functions help minimize the risks of DDoS/DoS attacks by protecting the device control plane and preventing overload of communication channels. On one hand, they prevent targeted attacks; on the other, they serve as protection against mistakes by personnel that could trigger a broadcast storm. These mechanisms are supported by most equipment vendors, but their availability and functionality may vary depending on the switch model.

Hardware is not a panacea, or why a switch needs help

After all, the goal of this article is not to present the switch as the sole means of protection, but to demonstrate that we are walking on a precious ore without realizing it. And it only takes a scrape of the ground with the tip of a boot for a sparkling, far from unnecessary, gemstone to appear in our "crown" of information security. However, to properly handle this find, it is important to understand the limitations of the aforementioned mechanisms:

  • Content blindness. Due to its architecture, a switch sees headers, not data. Therefore, you shouldn’t expect the device to distinguish a legitimate HTTP request from a web application exploit or to detect a virus in a transmitted file.

  • Static security rules. Most ACLs and policies cannot automatically adapt to new threats, so manual configuration is required here.

  • Lack of context. A switch knows nothing about the business logic of applications or fresh IoCs from Threat Intelligence.

  • Limited scope of responsibility. The device only protects the segment of the network it resides in.

The hardware features of a switch provide the necessary basic level of protection, without which all other measures would drown in a stream of unfiltered traffic. However, it is only the foundation, not the whole building. Therefore, for more comprehensive protection, it is important to configure the switch to mitigate L2/L3 threats by enabling the features listed in the article, delegate content and context analysis to an NDR system, and entrust investigation and response to a SIEM platform.

Finally — it’s also important not to forget the critical role of a switch in forwarding a copy of traffic (SPAN/RSPAN/ERSPAN/port mirror) and telemetry (NetFlow, IPFIX, jFlow, NetStream). Support for these protocols turns the network into a sensor, allowing you to see who is communicating with whom, which protocols are in use, and where anomalies begin. These are the "eyes" for monitoring systems.

Comments

    Also read