Cisco Vlan Security White Paper and Cliff Notes
Cisco Security
Vlans
White Paper Link:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
Purpose
The purpose of a VLAN is to tag traffic with an identifier so that it can be distinguished where it came from and where it is going. This way traffic that is not supposed to reach certain devices on the network is not allowed to, and it is isolated in case of a successful attack. Say you have a server VLAN on .2 and a printer VLAN on .3; you wouldn't want someone printing to be able to see any servers in case they spoofed a printer.
Technical note on above topic
It uses 802.1Q tagging and layer 2 switching. Carrying VLANs across a link this way is also known as trunking the network.
VLAN 1 is dedicated to management; do not use it for anything other than managing the switch.
Possible security vulnerabilities and prevention
MAC Flooding Attack
How
Flooding a port with frames carrying many different source MAC addresses.
Prevention
Prevented by allowing only a certain number of MAC addresses on a port; the attack is then contained to the VLAN the attacker's port belongs to. So if that VLAN was not allowed to reach any internal VLANs, it wouldn't compromise any other networks.
802.1Q and ISL Tagging Attack
How
If a port is left in DTP (Dynamic Trunking Protocol) auto mode and receives a fake DTP packet, it might become a trunk port and start accepting traffic destined for any VLAN.
Prevention
Turn off DTP on all non-trusted ports.
Double-Encapsulated 802.1Q/Nested VLAN Attack
How
With regular 802.1Q, because of its backwards compatibility with other devices, untagged packets are allowed through. This can lend itself to attack.
Prevention
Cisco uses ISL, its proprietary tagging, for double-encapsulation tagging, and tags every packet through the switches, making sure a packet cannot be used to hop VLANs.
ARP Attacks
How
Since anyone can spoof the information in an ARP packet (which is sent out to all MACs on the network) by forging an identity, an attacker can get a switch to forward traffic to any VLAN. This can lend itself to man-in-the-middle attacks, but usually only within one VLAN.
Prevention
Cisco uses an algorithm to contain forged MAC addresses within one network, and with ARP inspection it can check that an ARP request is legitimate. Also, by forcing all traffic through Layer 2 switching, no device can directly attack another device without inspection.
Technical
Cisco uses an orthogonal approach for the inspection so an attacker can't spoof and hop VLANs. More info can be found here:
http://en.wikipedia.org/wiki/Orthogonal
Multicast Brute Force Attack
How
This attack tries to exploit switches' potential vulnerabilities against a storm of L2 multicast frames and cause frame leakage.
Prevention
Cisco Catalyst devices prevent this by keeping all frames within their proper broadcast domain.
Spanning-Tree Attack
How
Since STP (Spanning Tree Protocol) is turned on on every port, an attacker could begin sending out STP Configuration/Topology Change Acknowledgement BPDUs announcing that he was the new root bridge with a much lower priority.
Prevention
Cisco devices are tested for these attacks, and the robustness of STP seems to have prevented these types of attacks.
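The prevention points above (MAC limits, no DTP, native VLAN handling, ARP inspection, STP protection) collected into one access-switch configuration, as an added example that is not from the white paper or this post. Interface names, VLAN numbers and the MAC limit are assumed values, and the two commands marked as platform-dependent are not accepted on every Catalyst model.

```cisco
! Added example, not the white paper's or the post's own config.
! Assumed layout: servers in VLAN 10, printers in VLAN 30, VLAN 999 unused.
! Management is kept off VLAN 1 and VLAN 1 is never assigned to a user port.
vlan 10
 name servers
vlan 30
 name printers
vlan 999
 name unused-native

! DHCP snooping builds the binding table that Dynamic ARP Inspection checks
! ARP packets against (the "arp inspection" in the notes).
ip dhcp snooping
ip dhcp snooping vlan 10,30
ip arp inspection vlan 10,30

! User-facing access port: fixed mode, DTP off, MAC limit against flooding,
! and BPDU guard so a host sending BPDUs err-disables its own port.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 30
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable

! Uplink trunk: explicit VLAN list, an unused native VLAN so untagged frames
! land nowhere useful, and DTP off here as well.
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,30
 ip dhcp snooping trust
 ip arp inspection trust

! Platform-dependent: tags the native VLAN on every trunk so a
! double-encapsulated frame keeps its outer tag instead of being stripped.
vlan dot1q tag native
```

The `switchport trunk encapsulation dot1q` line is only needed on models that also support ISL; models that are 802.1Q-only reject it and need it removed.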
Conclusion
Layer 2 switching and VLANs are very important for security because of the protocols used to separate network traffic.