Wednesday, August 12, 2009

Module 8: Minimizing Service Loss and Data Theft in a Campus Network Part 2

8.2 Protecting Against VLAN Attacks
8.2.1 Explaining VLAN Hopping

VLAN hopping is a network attack whereby an end system sends packets to, or collects packets from, a VLAN that should not be accessible to that end system. This is accomplished by tagging the invasive traffic with a specific VLAN ID or by negotiating a trunk link to send or receive traffic on penetrated VLANs. VLAN hopping can be accomplished by switch spoofing or double tagging.


In a switch spoofing attack, the network attacker configures a system to spoof itself as a switch by performing Inter-Switch Link (ISL) or 802.1Q trunking, along with Dynamic Trunking Protocol (DTP) negotiations, to establish a trunk connection to the switch. Any switch port configured as DTP auto may become a trunk port when a DTP packet generated by the attacking device is received, and thereby accept traffic destined for any VLAN supported on that trunk. The malicious device can then send packets to, or collect packets from, any VLAN carried on the negotiated trunk.

Figure describes the switch spoofing sequence of events.

Another method of VLAN hopping is for a workstation to generate frames with two 802.1Q headers to get the switch to forward the frames onto a VLAN that would be inaccessible to the attacker through legitimate means.

If the double-tagged frame has a multicast, broadcast, or unknown destination, the switch that receives the frame floods this frame out all ports attached to the same VLAN (VLAN 10) as the attacker’s port native VLAN. The switch would strip the first VLAN tag before forwarding, provided this tag matched the native VLAN of the port it was received on. Any access port on this first switch assigned to VLAN 10 would receive the frame with the second VLAN tag. If a trunk port has the same native VLAN (VLAN 10), the switch would not re-tag the frame and it would arrive at the next switch with only the second VLAN tag. The second switch would then believe the frame originated from a different VLAN (VLAN 20) and thus flood it out to all ports active in this second VLAN. Also the second switch would forward the frame on any additional trunks that were active with the second VLAN.

If the trunk port on the first switch was assigned a different native VLAN than the attacker’s port, the frame would simply be flooded to all active ports in VLAN 10 on both switches (no VLAN hopping). The reason is that the first switch would tag the 802.1Q frame with the attacker’s port VLAN prior to sending it across the trunk.

Figure describes the double-tagging method of VLAN hopping.


8.2.2 Mitigating VLAN Hopping

The measures to defend the network from VLAN hopping consist of a series of best practices for all switch ports and a set of parameters to follow when establishing a trunk port:

  • Configure all unused ports as access ports so that trunking cannot be negotiated across those links.

  • Place all unused ports in the shutdown state and associate with a VLAN designated only for unused ports, carrying no user data traffic.

  • When establishing a trunk link, configure the following:

    • Make the native VLAN different from any data VLANs

    • Set trunking as “on,” rather than negotiated

    • Specify the VLAN range to be carried on the trunk
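The rules above are easy to state and easy to drift from on a switch with hundreds of ports, so a useful defensive habit is to audit the running-config against them. The script below is an added example and not part of the course material; it parses a constructed IOS-style running-config and reports every port that still allows DTP negotiation, every trunk whose native VLAN is also a data VLAN or that lacks an allowed-VLAN list, and every shut-down port that is not parked in a VLAN reserved for unused ports. The IOS commands it looks for (`switchport mode access`/`trunk`, `switchport nonegotiate`, `switchport trunk native vlan`, `switchport trunk allowed vlan`, `shutdown`) are standard Catalyst commands assumed here because the page's figure is not reproduced; the parking VLAN number 999 is a constructed value.

```python
"""Audit an IOS-style running-config for the VLAN hopping mitigations above.

Added example (not from the course page). SAMPLE_CONFIG is constructed for
illustration; the commands checked for are standard Catalyst IOS commands
assumed here because the page's figure is not reproduced.
"""
import re

PARKING_VLAN = 999  # constructed: VLAN reserved for unused ports, carries no user data

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20-22
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport mode dynamic auto
!
interface FastEthernet0/3
 switchport access vlan 999
 switchport mode access
 shutdown
"""


def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} for every interface stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.strip() == "!":
            current = None
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22' into {10, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def data_vlans(interfaces):
    """VLANs that carry user traffic: access VLANs of live ports plus trunk allowed lists."""
    vlans = set()
    for lines in interfaces.values():
        if "shutdown" in lines:
            continue  # a parked port does not make its VLAN a data VLAN
        for line in lines:
            m = re.match(r"switchport access vlan (\d+)$", line)
            if m:
                vlans.add(int(m.group(1)))
            m = re.match(r"switchport trunk allowed vlan ([\d,-]+)$", line)
            if m:
                vlans |= expand_vlan_list(m.group(1))
    return vlans - {PARKING_VLAN}


def audit(config):
    """Return (interface, finding) pairs for ports that violate the mitigation rules."""
    interfaces = parse_interfaces(config)
    data = data_vlans(interfaces)
    findings = []
    for name, lines in interfaces.items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        access_vlan = next((int(l.split()[-1]) for l in lines
                            if l.startswith("switchport access vlan ")), 1)
        if "shutdown" in lines:
            # Unused port: must be parked in a VLAN that carries no user data
            if access_vlan != PARKING_VLAN:
                findings.append((name, f"shut-down port sits in VLAN {access_vlan}, not the parking VLAN"))
        elif mode == "trunk":
            native = next((int(l.split()[-1]) for l in lines
                           if l.startswith("switchport trunk native vlan ")), 1)
            if native in data:
                findings.append((name, f"native VLAN {native} is also a data VLAN"))
            if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
                findings.append((name, "no allowed-VLAN list; trunk carries every VLAN"))
            if "switchport nonegotiate" not in lines:
                findings.append((name, "DTP still enabled; add 'switchport nonegotiate'"))
        elif mode != "access":
            # dynamic auto/desirable (or no mode at all) lets a peer negotiate a trunk
            findings.append((name, "trunk can be negotiated via DTP; set 'switchport mode access'"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

On the constructed config, GigabitEthernet0/2 and the two access ports pass, GigabitEthernet0/1 draws all three trunk findings, and FastEthernet0/2 is flagged because `dynamic auto` is exactly the state the switch spoofing attack above relies on.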

Note:
The configuration commands in Figure do not work on access ports that support VoIP because they will be configured as trunk ports. However, on all other access ports, it is best practice to apply these commands to mitigate VLAN hopping.


8.2.3 VLAN Access Control Lists


Cisco multilayer switches support three types of ACLs:

  • Router access control list (RACL): Applied to Layer 3 interfaces such as SVI or L3 routed ports. It controls the access of routed traffic between VLANs. RACLs are applied on interfaces for specific directions (inbound or outbound). You can apply one access list in each direction. To improve performance in Cisco Catalyst multilayer switches, RACLs are supported in ternary content addressable memory (TCAM).

  • Port access control list (PACL): Applied on a Layer 2 switch port, trunk port, or EtherChannel port. PACLs perform access control on traffic entering a Layer 2 interface. With PACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. When you apply a PACL to a trunk port, it filters traffic on all VLANs present on the trunk port.

  • VLAN access control list (VACL): Supported in software on Cisco multilayer switches. VACLs filter on Layer 2 or Layer 3 parameters within a VLAN. Unlike RACLs, VACLs are not defined by direction (input or output).

Catalyst switches support four ACL lookups per packet: input and output security ACL, and input and output Quality of Service (QoS) ACL.

Catalyst switches use two methods of performing a merge: order independent and order dependent. With order-independent merge, ACLs are transformed from a series of order-dependent actions to a set of order-independent masks and patterns. The resulting access control entry (ACE) can be very large. The merge is processor and memory intensive.

An order-dependent merge is a recent improvement on some Catalyst switches in which ACLs retain their order-dependent aspect. The computation is much faster and is less processor intensive.

RACLs are supported in hardware through IP standard ACLs and IP extended ACLs, with permit and deny actions. ACL processing is an intrinsic part of the packet forwarding process. ACL entries are programmed in hardware. Lookups occur in the pipeline whether ACLs are configured or not. With RACLs, access list statistics and logging are not supported.

8.2.4 Configuring VACLs


VACLs (also called VLAN access maps in Cisco IOS software) apply to all traffic on the VLAN. You can configure VACLs for IP and MAC-layer traffic.

VACLs follow route-map conventions in which map sequences are checked in order.

When a matching permit ACE is encountered, the switch takes the action. When a matching deny ACE is encountered, the switch checks the next ACL in the sequence or checks the next sequence.

Three VACL actions are permitted:

  • Permit (with capture, Catalyst 6500 only)

  • Redirect (Catalyst 6500 only)

  • Deny (with logging, Catalyst 6500 only)

Two features are supported only on the Cisco Catalyst 6500:

  • VACL capture: Forwarded packets are captured on capture ports. The capture option is only on permit ACEs. The capture port can be an IDS monitor port or any Ethernet port. The capture port must be in an output VLAN for Layer 3 switched traffic.

  • VACL redirect: Matching packets are redirected to specified ports. You can configure up to five redirect ports. Redirect ports must be in a VLAN where the VACL is applied.

The VACL capture option copies traffic to specified capture ports. VACL ACEs installed in hardware are merged with RACLs and other features.

Figure lists the commands used to configure VACLs. Figure describes the steps used to configure VACLs.

Figure shows a sample configuration.

The above configuration does not allow any host using a source IP address from 10.1.0.0 through 10.1.255.255 to send frames across this switch. If the switch receives a frame sourced from this range of IP addresses, it is dropped. It does not matter which VLAN the frame originates from or whether the frame is destined for the same originating VLAN. Frames with any other source are allowed to forward.
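The sample configuration itself is in a figure that is not reproduced here, and the match semantics in 8.2.4 are the part people get wrong: a permit ACE in the referenced ACL means "this sequence matches, apply its action", a deny ACE means "move on to the next ACL or the next sequence", and a packet that matches no sequence is dropped. The following is an added example, not the page's or Cisco's code: a small model of that evaluation run over a constructed VACL configuration that reproduces the behaviour described above (drop anything sourced from 10.1.0.0/16, forward everything else). The access-map name `BLOCK-10-1` and ACL number 100 are constructed.

```python
"""Model IOS VLAN access-map evaluation (route-map style sequence walk).

Added example, not from the course page. VACL_CONFIG is a constructed
configuration that drops frames sourced from 10.1.0.0/16 on every VLAN and
forwards the rest; the map name and ACL number are made up.
"""
import ipaddress

VACL_CONFIG = """\
access-list 100 permit ip 10.1.0.0 0.0.255.255 any
!
vlan access-map BLOCK-10-1 10
 match ip address 100
 action drop
vlan access-map BLOCK-10-1 20
 action forward
!
vlan filter BLOCK-10-1 vlan-list 1-4094
"""


def _parse_addr(tokens):
    """Consume 'any' or 'A.B.C.D W.W.W.W'; return (address, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), tokens[2:])


def parse_config(text):
    """Return (acls, maps, filters) from a minimal IOS-style VACL configuration."""
    acls, maps, filters, current = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        tok = line.split()
        if tok[0] == "access-list":
            # access-list <num> permit|deny ip <src> <src-wild>|any <dst> <dst-wild>|any
            src, swild, rest = _parse_addr(tok[4:])
            dst, dwild, _ = _parse_addr(rest)
            acls.setdefault(tok[1], []).append((tok[2], src, swild, dst, dwild))
        elif tok[:2] == ["vlan", "access-map"]:
            current = {"acls": [], "action": "forward"}  # IOS default action is forward
            maps.setdefault(tok[2], []).append((int(tok[3]), current))
        elif tok[:3] == ["match", "ip", "address"] and current is not None:
            current["acls"].extend(tok[3:])
        elif tok[0] == "action" and current is not None:
            current["action"] = tok[1]
        elif tok[:2] == ["vlan", "filter"]:
            filters[tok[2]] = tok[4]
    for seqs in maps.values():
        seqs.sort(key=lambda s: s[0])  # sequences are checked in numeric order
    return acls, maps, filters


def _ace_matches(ace, src, dst):
    """Wildcard-mask comparison of source and destination, as an IOS ACE does it."""
    _, a_src, s_wild, a_dst, d_wild = ace
    s_mask, d_mask = ~s_wild & 0xFFFFFFFF, ~d_wild & 0xFFFFFFFF
    return (src & s_mask) == (a_src & s_mask) and (dst & d_mask) == (a_dst & d_mask)


def evaluate(acls, sequences, src_ip, dst_ip):
    """Walk the map sequences; the first sequence whose ACL *permits* the packet wins."""
    src, dst = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for _, seq in sequences:
        if not seq["acls"]:
            return seq["action"]  # no match clause: the sequence matches everything
        for acl_id in seq["acls"]:
            for ace in acls.get(acl_id, []):
                if _ace_matches(ace, src, dst):
                    if ace[0] == "permit":
                        return seq["action"]  # permit ACE: apply this sequence's action
                    break  # deny ACE: this ACL does not match; try the next ACL
    return "drop"  # no sequence matched: implicit drop


if __name__ == "__main__":
    acls, maps, filters = parse_config(VACL_CONFIG)
    for src, dst in [("10.1.5.5", "10.2.0.1"), ("10.2.0.1", "10.1.5.5")]:
        print(src, "->", dst, evaluate(acls, maps["BLOCK-10-1"], src, dst))
```

Dropping sequence 20 from the constructed map turns the policy from "drop 10.1.0.0/16" into "drop everything", which is why a VACL that only lists what to deny always needs a trailing unconditional forward sequence.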

Note:
You may also specify MAC address filtering within a VLAN using VACL configurations.



8.2.5 Private VLANs and Protected Ports


Internet service providers (ISPs) often have devices from multiple clients, as well as their own servers, on a single Demilitarized Zone (DMZ) segment or VLAN. As security issues proliferate, it becomes necessary to provide traffic isolation between devices, even though they may exist on the same Layer 3 segment and VLAN. Catalyst 6500/4500/3750/3560 switches implement private VLANs to keep some switch ports shared and some isolated, although all ports exist on the same VLAN. The 2960 supports “protected ports,” which is functionally similar to PVLANs on a per-switch basis.

The traditional solution to address these ISP requirements is to provide one VLAN per customer, with each VLAN having its own IP subnet. A Layer 3 device then provides interconnectivity between VLANs and Internet destinations.

These are the challenges with this traditional solution:

  • Supporting a separate VLAN per customer may require a high number of interfaces on service provider network devices.

  • Spanning tree becomes more complicated with many VLAN iterations.

  • Network address space must be divided into many subnets, which wastes space and increases management complexity.

  • Multiple ACL applications are required to maintain security on multiple VLANs, resulting in increased management complexity.

PVLANs and protected ports provide Layer 2 isolation between ports within the same VLAN. This isolation eliminates the need for a separate VLAN and IP subnet per customer.

A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Traffic cannot be forwarded between protected ports at Layer 2; all traffic passing between protected ports must be forwarded through a Layer 3 device. The forwarding behavior between a protected port and a non-protected port is not affected and proceeds normally.

The example in Figure shows how to configure Fast Ethernet 0/1 interface as a protected port and verify the configuration.

PVLANs are supported on Catalyst 3560, 3750, 4500 and 6500 switches.

A port in a PVLAN can be one of three types:

  • Isolated: Has complete Layer 2 separation from other ports within the same PVLAN, except for the promiscuous port. PVLANs block all traffic to isolated ports, except the traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.

  • Promiscuous: Communicates with all ports within the PVLAN, including the community and isolated ports. The default gateway for the segment would likely be hosted on a promiscuous port, given that all devices in the PVLAN need to communicate with that port.

  • Community: Community ports communicate among themselves and with their promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities, and from isolated ports within their PVLAN.

Note:
Because trunks can support the VLANs carrying traffic between isolated, community, and promiscuous ports, isolated and community port traffic might enter or leave the switch through a trunk interface.

PVLAN ports are associated with a set of supporting VLANs that are used to create the PVLAN structure. A PVLAN uses VLANs in three ways:

  • As a primary VLAN: Carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same primary VLAN.

  • As an isolated VLAN: Carries traffic from isolated ports to a promiscuous port.

  • As a community VLAN: Carries traffic between community ports and to promiscuous ports. You can configure multiple community VLANs in a PVLAN.

Isolated and community VLANs are called secondary VLANs. You can extend PVLANs across multiple devices by trunking the primary, isolated, and community VLANs to other devices that support PVLANs.

Note:
A promiscuous port can service only one primary VLAN. A promiscuous port can service one isolated or many community VLANs.

With a promiscuous port, you can connect a wide range of devices as access points to a PVLAN. For example, you can connect a promiscuous port to the server port to connect an isolated VLAN or a number of community VLANs to the server. A load balancer may be used to load-balance the servers present in the isolated or community VLANs, or you can use a promiscuous port to monitor or back up all the PVLAN servers from an administration workstation.


8.2.6 Configuring PVLANs


To configure a PVLAN on an IOS-based Catalyst 3560, 3750, 4500, or 6500, follow these steps:

Step 1 Set VTP mode to transparent.

Step 2 Create the secondary VLANs.

Note:
Isolated and community VLANs are secondary VLANs.

Step 3 Create the primary VLAN.

Step 4 Associate the secondary VLAN with the primary VLAN. Only one isolated VLAN can be mapped to a primary VLAN, but more than one community VLAN can be mapped to a primary VLAN.

Step 5 Configure an interface as an isolated or community port.

Step 6 Associate the isolated port or community port with the primary-secondary VLAN pair.

Step 7 Configure an interface as a promiscuous port.

Step 8 Map the promiscuous port to the primary-secondary VLAN pair.
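Steps 2 through 8 produce a set of VLAN and interface stanzas whose consistency the switch only partly checks for you (for instance, a host port whose secondary VLAN was never associated with its primary simply never comes up). As an added example, not the course's own code, the script below parses a constructed PVLAN configuration written with the commands from this section (`private-vlan primary|isolated|community`, `private-vlan association`, `switchport mode private-vlan host|promiscuous`, `switchport private-vlan host-association`, `switchport private-vlan mapping`), validates the constraints stated in Step 4 and in the notes above, and then answers the question that matters for isolation: which pairs of ports can exchange frames at Layer 2. Primary VLAN 202 and isolated VLAN 200 are the page's values; community VLAN 300 and the interface numbers are constructed.

```python
"""Validate a PVLAN configuration and compute Layer 2 reachability between its ports.

Added example, not from the course page. PVLAN_CONFIG is constructed: primary 202
and isolated 200 follow the page's examples, community VLAN 300 and the
interfaces are made up.
"""

PVLAN_CONFIG = """\
vlan 202
 private-vlan primary
 private-vlan association 200,300
vlan 200
 private-vlan isolated
vlan 300
 private-vlan community
!
interface FastEthernet5/2
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 202 200,300
interface FastEthernet5/1
 switchport mode private-vlan host
 switchport private-vlan host-association 202 200
interface FastEthernet5/3
 switchport mode private-vlan host
 switchport private-vlan host-association 202 200
interface FastEthernet5/4
 switchport mode private-vlan host
 switchport private-vlan host-association 202 300
interface FastEthernet5/5
 switchport mode private-vlan host
 switchport private-vlan host-association 202 300
"""


def parse_pvlan_config(text):
    """Return (vlans, ports): VLAN id -> type/associations, port name -> mode/primary/secondaries."""
    vlans, ports, cur_vlan, cur_port = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            cur_vlan = cur_port = None
            continue
        tok = line.split()
        if tok[0] == "vlan":
            cur_vlan = vlans.setdefault(int(tok[1]), {"type": "normal", "assoc": set()})
            cur_port = None
        elif tok[0] == "interface":
            cur_port = ports.setdefault(tok[1], {"mode": None, "primary": None, "secondaries": set()})
            cur_vlan = None
        elif tok[:2] == ["private-vlan", "association"] and cur_vlan is not None:
            cur_vlan["assoc"] |= {int(v) for v in tok[2].split(",")}
        elif tok[0] == "private-vlan" and cur_vlan is not None:
            cur_vlan["type"] = tok[1]  # primary | isolated | community
        elif tok[:3] == ["switchport", "mode", "private-vlan"] and cur_port is not None:
            cur_port["mode"] = tok[3]  # host | promiscuous
        elif tok[:2] == ["switchport", "private-vlan"] and cur_port is not None:
            # host-association <primary> <secondary>  or  mapping <primary> <secondary_list>
            cur_port["primary"] = int(tok[3])
            cur_port["secondaries"] = {int(v) for v in tok[4].split(",")}
    return vlans, ports


def validate(vlans, ports):
    """Check the constraints from Step 4 and the notes: one isolated VLAN per primary, etc."""
    problems = []
    for vid, v in vlans.items():
        if v["type"] != "primary":
            continue
        isolated = sorted(s for s in v["assoc"] if vlans.get(s, {}).get("type") == "isolated")
        if len(isolated) > 1:
            problems.append(f"VLAN {vid}: more than one isolated VLAN associated {isolated}")
        for s in v["assoc"]:
            if vlans.get(s, {}).get("type") not in ("isolated", "community"):
                problems.append(f"VLAN {vid}: associated VLAN {s} is not a secondary VLAN")
    for name, p in ports.items():
        prim = vlans.get(p["primary"], {})
        if prim.get("type") != "primary":
            problems.append(f"{name}: VLAN {p['primary']} is not a primary VLAN")
            continue
        for s in p["secondaries"]:
            if s not in prim["assoc"]:
                problems.append(f"{name}: secondary VLAN {s} is not associated with primary {p['primary']}")
        if p["mode"] == "host" and len(p["secondaries"]) != 1:
            problems.append(f"{name}: a host port needs exactly one secondary VLAN")
    return problems


def can_forward(ports, vlans, a, b):
    """Layer 2 reachability between two PVLAN ports on the same switch."""
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False
    if "promiscuous" in (pa["mode"], pb["mode"]):
        # A promiscuous port reaches every secondary VLAN it is mapped to and other promiscuous ports
        prom, other = (pa, pb) if pa["mode"] == "promiscuous" else (pb, pa)
        return other["mode"] == "promiscuous" or other["secondaries"] <= prom["secondaries"]
    # Two host ports only talk if they share a *community* VLAN; isolated ports never talk
    (sa,), (sb,) = pa["secondaries"], pb["secondaries"]
    return sa == sb and vlans[sa]["type"] == "community"


if __name__ == "__main__":
    vlans, ports = parse_pvlan_config(PVLAN_CONFIG)
    print("problems:", validate(vlans, ports) or "none")
    names = sorted(ports)
    for a in names:
        print(a, [b for b in names if b != a and can_forward(ports, vlans, a, b)])
```

The reachability matrix is the thing to compare against intent: the two isolated hosts on FastEthernet5/1 and 5/3 should reach only the promiscuous port, the community pair on 5/4 and 5/5 should reach each other and the promiscuous port, and nothing else. Changing VLAN 300 to `private-vlan isolated` in the constructed text makes `validate` report the second isolated VLAN that Step 4 forbids.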

Use these commands to configure a VLAN as a PVLAN:

Switch(config)#vlan vlan_ID
Switch(config-vlan)#[no] private-vlan {isolated | primary}

The following example shows how to configure VLAN202 as a primary VLAN and verify the configuration:

Switch#configure terminal
Switch(config)#vlan 202
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#end
Switch#show vlan private-vlan type

Primary Secondary Type Interfaces
------- --------- ----------------- ------------
202 primary

This example shows how to configure VLAN 200 as an isolated VLAN and verify the configuration:

Switch#configure terminal
Switch(config)#vlan 200
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#end
Switch#show vlan private-vlan type

Primary Secondary Type Interfaces
------- --------- ----------------- ------------
202 primary
200 isolated

To associate secondary VLANs with a primary VLAN, perform this procedure:

Switch(config)#vlan primary_vlan_ID
Switch(config-vlan)#[no] private-vlan association {secondary_vlan_list | add secondary_vlan_list | remove secondary_vlan_list}

When you associate secondary VLANs with a primary VLAN, note the following:

  • The secondary_vlan_list parameter contains only one isolated VLAN ID.

  • Use the remove keyword with the secondary_vlan_list parameter to clear the association between the secondary and primary VLANs. The list can contain only one VLAN.

  • Use the no keyword to clear all associations with the primary VLAN.

  • The command does not take effect until you exit VLAN configuration mode.

To configure a Layer 2 interface as a PVLAN promiscuous port, perform this procedure:

Switch(config)#interface {fastethernet | gigabitethernet} slot/port
Switch(config-if)#switchport mode private-vlan {host | promiscuous}
Switch(config-if)#[no] switchport private-vlan mapping primary_vlan_ID {secondary_vlan_list | add secondary_vlan_list | remove secondary_vlan_list}

When you configure a Layer 2 interface as a PVLAN promiscuous port, note the following:

  • The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single PVLAN ID or a hyphenated range of PVLAN IDs.

  • Enter a secondary_vlan_list or use the add keyword with a secondary_vlan_list to map the secondary VLANs to the PVLAN promiscuous port.

  • Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary VLANs and the PVLAN promiscuous port.

  • Use the no keyword to clear all mappings with the PVLAN promiscuous port.

This example shows how to configure interface FastEthernet 5/2 as a PVLAN promiscuous port, map it to a PVLAN, and verify the configuration:

Switch#configure terminal
Switch(config)#interface fastethernet 5/2
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 202 440
Switch(config-if)#end
Switch#show interfaces fastethernet 5/2 switchport
Name: Fa5/2
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative private-vlan host-association: none ((Inactive))

Administrative private-vlan mapping: 202 (VLAN0202) 440 (VLAN0440)

Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled

To configure a Layer 2 interface as a PVLAN host port, perform this procedure:

Switch(config)#interface {fastethernet | gigabitethernet} slot/port
Switch(config-if)#switchport mode private-vlan {host | promiscuous}
Switch(config-if)#[no] switchport private-vlan host-association primary_vlan_ID secondary_vlan_ID

This example shows how to configure interface FastEthernet 5/1 as a PVLAN host port and verify the configuration:

Switch#configure terminal
Switch(config)#interface fastethernet 5/1
Switch(config-if)#switchport mode private-vlan host
Switch(config-if)#switchport private-vlan host-association 202 440
Switch(config-if)#end
Switch#show interfaces fastethernet 5/1 switchport
Name: Fa5/1
Switchport: Enabled

Administrative Mode: private-vlan host
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Administrative private-vlan host-association: 202 (VLAN0202)
Administrative private-vlan mapping: none

Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled

To permit routing of secondary VLAN ingress traffic, perform this procedure:

Switch(config)#interface vlan primary_vlan_ID
Switch(config-if)#[no] private-vlan mapping primary_vlan_ID {secondary_vlan_list | add secondary_vlan_list | remove secondary_vlan_list}

When you permit routing on the secondary VLAN ingress traffic, note the following:

  • Enter a value for the secondary_vlan_list parameter or use the add keyword with the secondary_vlan_list parameter to map the secondary VLANs to the primary VLAN.

  • Use the remove keyword with the secondary_vlan_list parameter to clear the mapping between secondary VLANs and the primary VLAN.

  • Use the no keyword to clear all mappings with the PVLAN promiscuous port.

This example shows how to permit routing of secondary VLAN ingress traffic from PVLAN440 and verify the configuration:

Switch#configure terminal
Switch(config)#interface vlan 202
Switch(config-if)#private-vlan mapping add 440
Switch(config-if)#end
Switch#show interfaces private-vlan mapping
Interface Secondary VLAN Type
--------- --------- -----------------
vlan202 440 isolated



