Experimental Switch
The main function of this switch is to connect the network interfaces of experimental PCs through VLANs while containing security experiments. The containment has three aspects:
- Experiments should not be able to communicate with networks outside the ReAssure testbed.
- An experiment should not be able to affect other experiments.
- The management interface of the switch should not be accessible to any of the experiments, under any circumstances.
By using a single switch with as many ports as possible, we side-step all the issues of switch-to-switch communication, including trunking (and spoofing of trunks) and vulnerabilities in switch discovery protocols or VLAN database synchronization. This also ensures that the full bandwidth of the switch is available to all experiments and is not restricted by slower trunks.
Our design starts with two VLANs. The first holds all the unassigned interfaces. The second, the management VLAN (there has to be one, unfortunately, and we want it to be different from VLAN 1), has no interfaces and no IP address assigned to it. This base configuration can be obtained either by configuring the switch manually or by using the SOOBML library functions. VLANs are then created dynamically when an experiment starts and destroyed afterwards. This design assumes that interfaces assigned to the unused-interfaces VLAN will in fact remain unused; otherwise, that VLAN may present a path for experiment-to-experiment interference.
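The following is an added example that models the VLAN scheme just described and emits the corresponding Cisco IOS configuration lines; it is not part of the ReAssure project or its SOOBML library. The VLAN numbers (900 for unused interfaces, 901 for management), the GigabitEthernet1/N port naming, and the experiment names are assumptions constructed for illustration. The model enforces the containment rules as invariants: no port is ever in VLAN 1 or in the management VLAN, a port belongs to exactly one experiment at a time, and released ports return to the unused VLAN.

```python
"""Model of the experimental-switch VLAN scheme (added example, not project code).

VLAN numbers, port names and experiment names below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

UNUSED_VLAN = 900   # assumption: every port not in an experiment lives here
MGMT_VLAN = 901     # assumption: management VLAN, never carries a port or an IP
NUM_PORTS = 48      # the 4948 has 48 gigabit ports
PORTS = [f"GigabitEthernet1/{n}" for n in range(1, NUM_PORTS + 1)]


@dataclass
class SwitchModel:
    vlans: Dict[int, str] = field(default_factory=dict)   # vlan id -> name
    access: Dict[str, int] = field(default_factory=dict)  # port -> access vlan
    next_vlan: int = 100                                  # first experiment VLAN id

    def __post_init__(self) -> None:
        self.vlans[UNUSED_VLAN] = "unused"
        self.vlans[MGMT_VLAN] = "management"
        for port in PORTS:
            self.access[port] = UNUSED_VLAN

    def initial_config(self) -> List[str]:
        """IOS lines for the base state: two VLANs, every port an access port in the unused VLAN."""
        lines = [f"vlan {UNUSED_VLAN}", " name unused", f"vlan {MGMT_VLAN}", " name management"]
        for port in PORTS:
            lines += [f"interface {port}", " switchport mode access",
                      f" switchport access vlan {UNUSED_VLAN}"]
        return lines

    def violations(self) -> List[str]:
        """Containment invariants; an empty list means the model is consistent."""
        problems = []
        for port, vid in self.access.items():
            if vid == 1:
                problems.append(f"{port} is in VLAN 1")
            if vid == MGMT_VLAN:
                problems.append(f"{port} is in the management VLAN")
            if vid not in self.vlans:
                problems.append(f"{port} is in undefined VLAN {vid}")
        return problems

    def start_experiment(self, name: str, ports: List[str]) -> List[str]:
        """Allocate a fresh VLAN for an experiment and move only unused ports into it."""
        for port in ports:
            if port not in self.access:
                raise ValueError(f"unknown port {port}")
            if self.access[port] != UNUSED_VLAN:
                raise ValueError(f"{port} already belongs to VLAN {self.access[port]}")
        vid = self.next_vlan
        self.next_vlan += 1
        self.vlans[vid] = name
        lines = [f"vlan {vid}", f" name {name}"]
        for port in ports:
            self.access[port] = vid
            lines += [f"interface {port}", f" switchport access vlan {vid}"]
        if self.violations():
            raise RuntimeError("; ".join(self.violations()))
        return lines

    def stop_experiment(self, vid: int) -> List[str]:
        """Return the experiment's ports to the unused VLAN and delete the VLAN itself."""
        if vid in (UNUSED_VLAN, MGMT_VLAN) or vid not in self.vlans:
            raise ValueError(f"VLAN {vid} is not an experiment VLAN")
        lines = []
        for port, current in self.access.items():
            if current == vid:
                self.access[port] = UNUSED_VLAN
                lines += [f"interface {port}", f" switchport access vlan {UNUSED_VLAN}"]
        del self.vlans[vid]
        lines.append(f"no vlan {vid}")
        return lines


if __name__ == "__main__":
    sw = SwitchModel()
    print("\n".join(sw.initial_config()[:8]))
    print("\n".join(sw.start_experiment("exp-a", PORTS[:2])))
    print("\n".join(sw.stop_experiment(100)))
```

The second check in `start_experiment` is the one that matters for containment: a port can only be claimed from the unused VLAN, so two running experiments can never share a port, and `stop_experiment` always returns ports to the unused VLAN rather than leaving them in a deleted VLAN.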
Why did we choose a model 4948 Cisco switch (specs)?
Because:
- Experienced system administrators reported fewer problems with the Cisco brand
- They have been tested for vulnerabilities
- Their security and performance features (e.g., switch fabric bandwidth) are better documented than those of competitors
- The switch fabric bandwidth is 96 Gbps, which should allow all 48 gigabit interfaces to talk at full speed in full-duplex mode. With a slower fabric, one experiment could steal bandwidth from other experiments.
- We thought that "Ethernet Management interface" in the features list meant that it had a true OOB, dedicated management interface. How sadly mistaken were we. After much frustration and reading of unhelpful documentation, we had to talk with Cisco engineers to discover that the interface is only active during boot, in "ROMmon" mode. It is only an emergency recovery interface, nothing more.
The hardened switch configuration we developed is available here
The experimental switch configuration how-to is available here
