Security & Risks
Chapter 6 — Core Switch Security Hardening Design Guide
Understanding the threat landscape for core switches is a prerequisite for effective hardening. Core switches are high-value targets because they sit at the center of the network and have visibility into all traffic flows. A successful attack on a core switch can result in complete network disruption, data exfiltration, lateral movement to any connected segment, or persistent access through configuration backdoors. The threat model must account for both external attackers who have gained a foothold in the network and insider threats with legitimate access.
This chapter presents the primary threat categories, specific attack vectors, risk ratings, and the hardening controls that mitigate each risk. The risk ratings are based on a combination of likelihood and impact, using a standard 5×5 risk matrix. Controls are mapped to the eight hardening domains defined in Chapter 2, providing a clear link between threats and the specific actions required to address them.
6.1 Threat Categories and Attack Vectors
| Threat Category | Attack Vector | Target | Likelihood | Impact | Risk Rating |
|---|---|---|---|---|---|
| Management Plane Attacks | Brute-force SSH/Telnet; credential stuffing; session hijacking | Management access; configuration | High | Critical | Critical |
| Control Plane Flooding | BGP/OSPF packet flood; ICMP flood; ARP storm targeting CPU | Routing stability; availability | Medium | Critical | High |
| Routing Protocol Attacks | BGP route injection; OSPF neighbor spoofing; route hijacking | Traffic forwarding; routing table | Medium | Critical | High |
| L2 Attacks | ARP spoofing; DHCP starvation; STP topology manipulation; MAC flooding | L2 forwarding; VLAN integrity | High | High | High |
| Configuration Tampering | Unauthorized config change; backdoor account creation; ACL modification | Security policy; access control | Medium | Critical | High |
| Physical Access Attacks | Console port access; USB boot; port insertion; hardware tampering | Full device control | Low | Critical | Medium |
| Supply Chain Attacks | Compromised firmware/software; counterfeit hardware; malicious transceiver | Device integrity; data confidentiality | Low | Critical | Medium |
| Insider Threats | Privileged user abuse; credential sharing; unauthorized config changes | Configuration; data; availability | Medium | High | High |
| Denial of Service | Traffic flooding; control plane exhaustion; resource exhaustion attacks | Availability; forwarding performance | High | High | High |
| Credential Compromise | Password spray; phishing targeting network admins; TACACS+ server compromise | Management access; AAA infrastructure | Medium | Critical | High |
6.2 Management Plane Threat Analysis
The management plane is the highest-value target for attackers because control of the management plane means control of the entire device. Management plane attacks can be divided into two categories: authentication attacks that attempt to gain unauthorized access, and post-authentication attacks that abuse legitimate access to make unauthorized changes. Both categories require distinct countermeasures.
| Attack Type | Description | Primary Control | Detection Method |
|---|---|---|---|
| SSH Brute Force | Repeated login attempts against SSH service | Login rate limiting; source IP allowlist; key-only auth | Failed login threshold alert; AAA accounting |
| Telnet / HTTP Interception | Cleartext protocol credential capture | Disable Telnet and HTTP; enforce SSH/HTTPS only | Protocol usage monitoring; port scan detection |
| Session Hijacking | TCP session hijacking of active management session | SSHv2 with session encryption; session timeout; MFA | Anomalous session behavior; concurrent session alert |
| Unauthorized Config Change | Legitimate credentials used to make unauthorized changes | TACACS+ command authorization; change management; 4-eyes | Config change alert to SIEM; diff-based change detection |
| Backdoor Account Creation | Attacker creates hidden local account for persistent access | Prohibit local accounts (except emergency); AAA-only auth | Local account audit; periodic config review |
| SNMP Community String Exploitation | Default or weak SNMP community strings used for config read/write | Disable SNMPv1/v2c; SNMPv3 AuthPriv only; source IP filter | SNMP access logging; community string audit |
6.3 Control Plane Threat Analysis
Control plane attacks target the routing and switching protocols that determine how traffic is forwarded through the network. These attacks can range from simple flooding attacks that exhaust CPU resources to sophisticated route injection attacks that redirect traffic through attacker-controlled paths. Control Plane Policing (CoPP) is the primary defense mechanism, but routing protocol authentication and prefix filtering are equally important for preventing protocol-level attacks.
| Attack Type | Protocol Affected | Attack Mechanism | Primary Control | Detection |
|---|---|---|---|---|
| BGP Route Injection | BGP | Attacker establishes BGP session and injects false routes | BGP MD5/SHA auth; prefix filtering; RPKI ROV | BGP prefix count anomaly; RPKI invalid alerts |
| OSPF Neighbor Spoofing | OSPF | Rogue router forms OSPF adjacency and injects LSAs | OSPF MD5/SHA auth; passive interfaces; GTSM | Unexpected OSPF neighbor alert; LSA anomaly |
| CPU Exhaustion via Flooding | All protocols | High-rate control packets sent to CPU | CoPP with per-class rate limits; hardware-enforced | CoPP drop counters; CPU utilization alert |
| BFD Session Disruption | BFD | Spoofed BFD packets cause false failure detection | BFD authentication; GTSM on BFD sessions | BFD session flap alert; routing convergence event |
| STP Topology Manipulation | STP/RSTP | Rogue switch sends superior BPDUs to become root | BPDU Guard; Root Guard; BPDU authentication | Root bridge change alert; topology change notification |
| ICMP Redirect Attack | ICMP | ICMP redirects used to redirect traffic through attacker | Disable ICMP redirects on all interfaces | ICMP redirect packet detection; routing anomaly |
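Two of the detections in this table, the unexpected OSPF neighbor alert and the BGP prefix count anomaly, reduce to comparing what the switch reports against a baseline you maintain. The Python below is an added example (not from this guide or any vendor) that does both over constructed inputs: IOS-style `%OSPF-5-ADJCHG` syslog lines checked against an expected-neighbor map per interface, and per-peer accepted-prefix counts checked against a baseline with a tolerance band. The syslog layout, the router IDs, the interface names and the tolerance values are assumptions.

```python
"""Control plane detections for section 6.3 (added example code).

Inputs are constructed below. The OSPF message layout follows the IOS
%OSPF-5-ADJCHG format; the prefix counts stand in for whatever your
collector reads from the BGP neighbor table.
"""
import re

# Constructed adjacency-change messages. The third and fourth lines are the
# rogue cases: an adjacency on an interface that should be passive, and an
# unknown router ID on a known interface.
SAMPLE_OSPF_LOGS = [
    "Mar  1 11:02:10 core-sw1 77: %OSPF-5-ADJCHG: Process 1, Nbr 10.255.0.2 on TenGigabitEthernet1/1 from LOADING to FULL, Loading Done",
    "Mar  1 11:02:11 core-sw1 78: %OSPF-5-ADJCHG: Process 1, Nbr 10.255.0.3 on TenGigabitEthernet1/2 from LOADING to FULL, Loading Done",
    "Mar  1 11:40:03 core-sw1 79: %OSPF-5-ADJCHG: Process 1, Nbr 192.0.2.99 on TenGigabitEthernet1/5 from LOADING to FULL, Loading Done",
    "Mar  1 11:41:30 core-sw1 80: %OSPF-5-ADJCHG: Process 1, Nbr 10.255.0.9 on TenGigabitEthernet1/1 from LOADING to FULL, Loading Done",
    "Mar  1 11:45:00 core-sw1 81: %OSPF-5-ADJCHG: Process 1, Nbr 10.255.0.2 on TenGigabitEthernet1/1 from FULL to DOWN, Neighbor Down: Dead timer expired",
]

# Expected neighbors per interface (constructed). Interfaces not listed
# here are expected to carry no adjacency at all (passive interfaces).
OSPF_BASELINE = {
    "TenGigabitEthernet1/1": {"10.255.0.2"},
    "TenGigabitEthernet1/2": {"10.255.0.3"},
}

# Accepted-prefix counts per BGP peer (constructed): the agreed baseline and
# a later observation in which one peer has grown and one is unknown.
BGP_BASELINE = {"10.255.0.1": 800, "10.255.0.2": 12}
BGP_OBSERVED = {"10.255.0.1": 1100, "10.255.0.2": 15, "10.255.0.3": 3}

ADJCHG_RE = re.compile(
    r"%OSPF-5-ADJCHG: Process (?P<proc>\d+), Nbr (?P<rid>[\d.]+) on "
    r"(?P<intf>\S+) from (?P<old>\w+) to (?P<new>\w+)"
)


def unexpected_ospf_neighbors(lines, baseline):
    """Return (interface, router_id) for every adjacency that reached FULL
    with a router ID not listed for that interface in `baseline`."""
    alerts = []
    seen = set()
    for line in lines:
        m = ADJCHG_RE.search(line)
        if not m or m["new"] != "FULL":
            continue  # only completed adjacencies matter here
        key = (m["intf"], m["rid"])
        if m["rid"] not in baseline.get(m["intf"], set()) and key not in seen:
            seen.add(key)
            alerts.append(key)
    return alerts


def bgp_prefix_anomalies(observed, baseline, tolerance=0.2, min_delta=10):
    """Flag peers absent from `baseline`, and peers whose accepted-prefix
    count moved by more than both `tolerance` (fraction of baseline) and
    `min_delta` prefixes. The absolute floor stops small peers from alerting
    on every single-prefix change."""
    anomalies = []
    for peer, count in observed.items():
        if peer not in baseline:
            anomalies.append((peer, "unknown peer", count))
            continue
        base = baseline[peer]
        delta = count - base
        if abs(delta) > max(min_delta, tolerance * base):
            direction = "increase" if delta > 0 else "decrease"
            anomalies.append((peer, f"prefix {direction}", count))
    return anomalies


if __name__ == "__main__":
    for intf, rid in unexpected_ospf_neighbors(SAMPLE_OSPF_LOGS, OSPF_BASELINE):
        print(f"ALERT unexpected OSPF neighbor {rid} on {intf}")
    for peer, reason, count in bgp_prefix_anomalies(BGP_OBSERVED, BGP_BASELINE):
        print(f"ALERT BGP peer {peer}: {reason} (now {count})")
```

Treating an interface missing from the baseline as "no neighbor expected" is deliberate: it turns the passive-interface control from the table into something you can verify from logs, since any adjacency forming there is a misconfiguration or a rogue router either way. For BGP, a sudden prefix increase from a known peer is the signature of a missing or bypassed prefix filter, so the check pairs with the filtering control rather than replacing it.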
6.4 Risk Mitigation Priority Matrix
The risk mitigation priority matrix maps each identified risk to the hardening domain responsible for its mitigation, the implementation effort required, and the residual risk after controls are applied. This matrix is intended to guide the prioritization of hardening activities when resources are constrained.
| Risk | Hardening Domain | Effort | Residual Risk | Priority |
|---|---|---|---|---|
| Unauthorized management access | Management Plane Hardening | Low | Low | P1 — Immediate |
| Control plane CPU exhaustion | Control Plane Protection (CoPP) | Medium | Low | P1 — Immediate |
| BGP route injection | Routing Protocol Security | Low | Low | P1 — Immediate |
| ARP spoofing / DHCP starvation | Data Plane / L2 Hardening | Low | Low | P2 — Short-term |
| Unauthorized config changes | Configuration Lifecycle Security | Medium | Low | P2 — Short-term |
| Undetected security events | Monitoring & Logging | Medium | Medium | P2 — Short-term |
| Physical access exploitation | Physical Security | Low | Low | P3 — Medium-term |
| Supply chain compromise | Software & Supply Chain Security | High | Medium | P3 — Medium-term |
| HA failover security gap | High Availability Security | Medium | Low | P3 — Medium-term |