Cisco Security Vlans

Purpose

The purpose of a vlan is to tag traffic with an identifier so that it can be distinguished where it came from and where it is going. This way, traffic that is not supposed to talk to certain devices on the network is not allowed to, and it is isolated in case of a successful attack. Let's say you have a server vlan on .2 and a printer vlan on .3; you wouldn't want someone printing to be able to see any servers in case they spoofed a printer.

Technical note on above topic

It uses 802.1q and layer 2 switching. This is also known as trunking the network. Vlan 1 is dedicated to management; do not use it for anything other than managing the switch.

Possible security vulnerabilities and prevention

MAC Flooding Attack
How: Flooding a port with multiple mac addresses.
Prevention: Prevented by allowing only a certain number of mac addresses on a port, and the attack is contained to the vlan the attacker's traffic came from. So if that vlan was not allowed onto any internal vlans, it wouldn't compromise any other networks.

802.1Q and ISL Tagging Attack
How: If DTP (Dynamic Trunking Protocol) is set to auto and the port were to receive a fake DTP packet, it might become a trunk port and might start accepting traffic destined for any VLAN.
Prevention: Turn off DTP on all non-trusted ports.

Double-Encapsulated 802.1Q/Nested VLAN Attack
How: With regular 802.1Q, because of its backwards compatibility with other devices, it allows untagged packets through. This can lend itself to attack.
Prevention: Cisco uses ISL proprietary tagging for double encapsulation tagging and tags every packet through the switches, making sure it can get through without an attack, and hop vlans if needed.

ARP Attacks
How: Since anyone can spoof the information in an arp (sending information out to all the macs on the network), by forging the identity it can get a switch to forward traffic to any vlan. This can lend itself to man in the middle attacks, but usually only within one vlan.
Prevention: Cisco uses an algorithm to contain the mac addresses that are forged within one network, and with arp inspection it can check to make sure it is a legal arp request. Also, by forcing all traffic through Layer 2 switching, no device could directly attack another device without inspection.
Technical: Cisco uses orthogonal for the inspection so it can't spoof and hop vlans. More info found here: http://en.wikipedia.org/wiki/Orthogonal

Multicast Brute Force Attack
How: This attack tries to exploit switches' potential vulnerabilities against a storm of L2 multicast frames and cause frame leakage.
Prevention: Cisco Catalyst devices prevent this by keeping all frames within their proper broadcast domain.

Spanning-Tree Attack
How: Since STP (spanning tree protocol) is turned on on every port, an attacker would begin sending out STP Configuration/Topology Change Acknowledgement BPDUs announcing that he was the new root bridge with a much lower priority.
Prevention: Cisco devices are tested for these attacks and the robustness of STP seems to have prevented these types of attacks.

Conclusion

Layer 2 switching and vlans are very important for security because of the protocols used to separate network traffic.
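Cisco IOS configuration for the preventions listed above, added here as an example and not taken from the original post: a MAC-address cap per port, DTP disabled, an unused native VLAN on the trunk, Dynamic ARP Inspection backed by DHCP snooping, BPDU Guard and multicast storm control, with the weak default-style port shown first so the difference is visible. Interface names, the VLAN numbers (server vlan as 2, printer vlan as 3, native vlan 999), the MAC cap of 2 and the 10% storm threshold are assumed values.

```cisco
! Added example (not from the original post): hardening an access port and a trunk
! against the attacks listed above. Interface names, VLAN ids and thresholds are assumed.
!
! Weak (default-style) access port: DTP negotiates, any number of MACs is learned
interface GigabitEthernet1/0/10
 switchport mode dynamic desirable
!
! Hardened access port for the printer VLAN (".3" in the text; VLAN 3 here)
interface GigabitEthernet1/0/10
 description printer port
 switchport mode access
 switchport access vlan 3
 ! Tagging attack: disable DTP so this port can never negotiate into a trunk
 switchport nonegotiate
 ! MAC flooding: limit learned addresses, drop and log anything beyond the cap
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! Spanning-tree attack: edge port; err-disable if any BPDU arrives
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Multicast storm: cap multicast at 10% of port bandwidth
 storm-control multicast level 10
!
! Hardened trunk (uplink): static trunk, unused native VLAN, explicit VLAN list (no VLAN 1)
interface GigabitEthernet1/0/48
 description uplink
 switchport mode trunk
 switchport nonegotiate
 ! Double-tag attack: native VLAN is one no host uses
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,3
 ! ARP inspection and DHCP snooping trust only the uplink
 ip dhcp snooping trust
 ip arp inspection trust
!
! Global: Dynamic ARP Inspection checks ARP replies against DHCP snooping bindings
ip dhcp snooping
ip dhcp snooping vlan 2,3
ip arp inspection vlan 2,3
ip arp inspection validate src-mac dst-mac ip
! Tag native-VLAN frames on trunks too (platform dependent), closing the untagged path
vlan dot1q tag native
```

Check the result with `show port-security interface`, `show interfaces trunk` and `show ip arp inspection` to confirm the limits, the static trunk state and the inspected VLANs took effect.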
Tags: vlan, security, cisco. Posted by Paul Ezhaya on Sunday, April 27 2008