I. Security of the TRUNK interface and VTP Protocol
Security of the TRUNK interface:
A switch port works in one of two states: Access, the state used for ports that connect to user hosts, and Trunk, which is used mainly to carry traffic between members of the same VLAN ID across switches. The Access state is generally called the normal state, the ordinary access port for a host. Trunking is a method of carrying the data of multiple VLANs over a point-to-point link between two devices. Two methods can be used to build an Ethernet trunk: ISL (Inter-Switch Link, a Cisco proprietary protocol) and 802.1Q (an IEEE international standard).
Currently, the common 802.1Q and ISL tagging attacks are implemented using the trunk principle. When trunking is in use, communication between the same VLAN ID across switches can be completed without any command operation, because DTP (Dynamic Trunking Protocol) exists and the following command is in effect by default on all interfaces:
Switch (config-if) # switchport mode dynamic desirable
This command puts every interface into an adaptive state that follows the interface state of the other side: if the other side is Access, the port sets itself to Access; if the other side is Trunk, it sets itself to Trunk. Besides the desirable parameter there is a parameter with a similar function: auto. Both parameters are adaptive; the slight difference lies in whether the port actively sends DTP packets to negotiate the port state with the other side. Desirable actively sends and receives DTP packets and negotiates with the other side, without considering whether the other side's interface is a valid working interface; auto only passively receives DTP packets, so if the other side cannot send DTP messages, data communication will never be completed. In fact the security of the auto parameter is not higher than that of desirable: both produce the same security risk. A VLAN hopping attack usually occurs when the other side sets its own interface to the active adaptive state, so whichever parameter is used the result is the same.
These two parameters are designed to reduce workload and speed up VLAN configuration. However, as networks have developed, this feature has also introduced security risks (for example, VLAN hopping attacks exploit it). To remove this risk, perform the following operations:
Step 1: Enter the following command on all interfaces of the switch:
Switch (config-if) # switchport mode access
This forces all interfaces of the switch into the Access state. The purpose is that an attacker who sets his own interface to Desirable still faces an Access port, so attackers cannot use idle ports on the switch to disguise themselves as trunk ports and launch LAN attacks.
Step 2: Enter:
Switch (config-if) # switchport mode trunk
This command forces the port into the Trunk state regardless of the interface state of the other side. Note: this command is entered only on the real trunk interfaces, so that the state of each interface is unambiguous and controllability is significantly enhanced.
Step 3: Enter the following command on the Trunk interface:
Switch (config-if) # switchport trunk allowed vlan 10, 20, 30
This command defines that the trunk interface allows only the data of VLANs 10, 20 and 30 to pass. If other VLANs exist, their data cannot pass through this trunk interface. Security is achieved through this simple control of the data flow.
After these three commands, the interfaces are considerably more secure. But once they are applied, is the DTP protocol still working? The answer is yes: DTP is still running.
Therefore there is one more command that is strongly recommended when preparing a VLAN:
Switch (config-if) # switchport nonegotiate
Nonegotiate means no negotiation, so this command completely disables the sending and receiving of DTP packets. Once DTP is disabled, the interface state is fixed at Trunk, reaching maximum stability, and an attacker's attempts to probe the port through negotiation are ruled out as far as possible.
In addition, there is a related security problem with 802.1Q trunks: the Native VLAN. Cisco Catalyst series switches have several default VLANs; for Ethernet users the most important is VLAN 1. By default, all Ethernet interfaces of a switch belong to VLAN 1, and when an IP address is configured on a Layer 2 switch, VLAN 1 is used as well.
In the 802.1Q trunking protocol, each 802.1Q-encapsulated interface used as a trunk has a Native VLAN and is assigned a native VLAN ID (default: VLAN 1). 802.1Q does not tag frames belonging to the Native VLAN, and every frame that arrives without a VLAN tag is treated as Native VLAN data. Since VLAN 1 is the default Native VLAN, it is the same on all switches. Therefore the security issues caused by the Native VLAN must be paid attention to in the LAN. To address this risk, you can change the default Native VLAN with the following command:
Switch (config-if) # switchport trunk native vlan 999
This command is entered under an interface encapsulated with 802.1Q. It changes the default Native VLAN to VLAN 999. After it is executed, switches with different Native VLANs cannot communicate with each other, increasing the security of the switches after VLAN division.
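The five recommendations above (force access mode on unused ports, force trunk mode on real trunks, restrict the allowed VLANs, disable DTP with nonegotiate, and move the native VLAN off VLAN 1) are easy to check mechanically. The script below is an added example, not part of the original article or any Cisco tool: it parses the interface stanzas of an IOS-style running-config and reports which recommendation each physical switchport misses. It goes slightly beyond the text by checking all five rules in one pass over a whole config. The sample config is constructed for the demonstration, and the "no explicit mode" finding follows the article's statement that ports default to DTP-negotiable mode.

```python
"""Audit trunk/DTP hardening in a Cisco IOS running-config (added example).

Parses "interface" stanzas and reports, per physical switchport, which of the
article's recommendations are missing. SAMPLE_CONFIG is constructed input.
"""
import re
from typing import Dict, List

# Constructed sample: one port left at DTP defaults, one hardened trunk, one access port, one SVI.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 description unused port, left at defaults
 switchport mode dynamic desirable
!
interface FastEthernet0/2
 description hardened uplink
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/3
 description user host
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [stripped config lines]} for every 'interface' stanza."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith("!") or not line.strip():
            current = None  # '!' or a blank line ends the stanza
        elif current is not None:
            stanzas[current].append(line.strip())
    return stanzas


def audit_port(lines: List[str]) -> List[str]:
    """Findings for one physical switchport, following the article's recommendations."""
    findings: List[str] = []
    mode = None
    for line in lines:
        m = re.match(r"switchport mode (\S+)", line)
        if m:
            mode = m.group(1)  # 'access', 'trunk' or 'dynamic'
    if mode is None:
        findings.append("no explicit 'switchport mode' (default is DTP-negotiable, see article)")
    elif mode == "dynamic":
        findings.append("dynamic mode: port can be negotiated into a trunk via DTP")
    if mode == "trunk":
        if "switchport nonegotiate" not in lines:
            findings.append("trunk still sends/receives DTP: add 'switchport nonegotiate'")
        if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            findings.append("trunk carries all VLANs: restrict with 'switchport trunk allowed vlan'")
        native = 1  # 802.1Q default native VLAN when nothing is configured
        for line in lines:
            m = re.match(r"switchport trunk native vlan (\d+)", line)
            if m:
                native = int(m.group(1))
        if native == 1:
            findings.append("native VLAN is 1 (default): move it with 'switchport trunk native vlan <unused id>'")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every physical Ethernet interface; SVIs such as Vlan1 are skipped."""
    report: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        if not re.match(r"(Fast|Gigabit|TenGigabit)?Ethernet", name):
            continue
        report[name] = audit_port(lines)
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else 'FINDINGS'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against a real config, FastEthernet0/1 is the case the article warns about (a port left negotiable), FastEthernet0/2 passes all checks, and FastEthernet0/3 is a correctly hardened access port. A trunk stanza containing only `switchport mode trunk` produces three findings, which is exactly the gap between Step 2 and the full recommendation.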
Security of VTP Protocol
VTP (VLAN Trunking Protocol) is a protocol used to distribute and synchronize VLAN information across the entire switched network. It works at Layer 2 of the OSI reference model. VTP reduces the manual configuration workload when a switched network is expanded and centrally manages the addition, deletion and renaming of VLANs in the switched network, so that the VLAN configuration stays consistent and mismatches and inconsistent configuration that could cause problems (such as duplicate VLAN names or incorrect VLAN types) are minimized.
A VTP domain consists of one or more interconnected switches that share the same VTP environment. A switch can be configured in only one VTP domain. By default, a Catalyst switch is in a state in which it belongs to no VTP domain, until it receives an advertisement for a VTP domain over a trunk link or is manually configured into one. The VLAN configuration of a single VTP server is transmitted over trunk links to all switches connected in the VTP domain. VTP information is transmitted only over trunk links.
In practice we often need to configure many Cisco switches at once, and VTP is very helpful for completing VLAN deployment quickly. However, VTP has the same kind of problems as DTP when applied: VLAN relay attacks are based on the weaknesses of VTP. Before explaining how to prevent VTP attacks, let us briefly review the principles of VTP:
Switches work in one of three modes in the VTP domain: server mode, client mode and transparent mode. The default is server mode, but VLAN information is advertised only once a management domain name is specified or learned. VTP advertisements are propagated to the entire VTP domain. Generally, VTP advertisements are generated every five minutes or when the VLAN configuration changes. VTP advertisements are transmitted as multicast frames on the manufacturer's default VLAN (VLAN 1). The configuration revision number contained in the VTP advertisement plays a key role: a higher revision number indicates that the advertised VLAN information is newer than the information currently stored.
Before synchronizing VLAN information, a device receiving a VTP advertisement checks several parameters: first, whether the VTP domain name and domain password match those configured on the local switch; then, whether the configuration revision number is higher than its current revision number. If so, the switch synchronizes to the advertised VLAN information, overwriting its own. To reset the current configuration revision number, run the delete vtp command.
Each time the VTP server adjusts VLAN information, it increases the configuration revision number by 1 and issues a VTP advertisement with the new revision number. In VTP transparent mode, however, the switch does not take part in update synchronization, and its configuration revision is always 0.
VTP pruning uses VLAN advertisements to determine when flooding across trunk links is necessary. By default the trunk links in a VTP domain carry the data of all VLANs, but in an enterprise network not every switch has interfaces assigned to every VLAN; VTP pruning increases the available bandwidth by limiting flooded traffic to only the trunk links that need it. Pruning can only be enabled on a VTP server.
After reviewing the basic principles of VTP, let us look at the default VTP configuration on Cisco Catalyst switches:
The default VTP configuration depends on the switch model and software version.
VTP mode: server mode by default.
VTP pruning: disabled on the 2950 and 3550.
VTP version: VTP has version 1 and version 2.
VTP domain name: can be specified directly or learned over a trunk link. By default a switch has no VTP domain name.
VTP password: none.
The default VTP mode is server mode, in which VLAN information can be deleted, added or modified, so security in this mode is very important. Once an attacker gains this capability through a VTP attack, the LAN architecture can be changed at will, causing serious network disruption. Therefore we recommend that, regardless of the number of switches in a domain, only one switch be kept in VTP server mode during VTP deployment; all others should be in VTP client mode.
In addition, to secure the VTP domain, you can set a password on it. All switches in the domain must be configured with the same password for VTP to work normally; a switch that does not know the password, or has the wrong one, cannot learn the VLAN information.
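The acceptance rules above (domain name must match, password must match, revision must be higher, transparent mode never synchronizes) can be made concrete by parsing a VTP summary advertisement and walking through the decision. The code below is an added example, not from the original article or from Cisco. Its field layout is the 72-byte VTP version 1/2 summary advertisement body (version, code, followers, domain length, 32-byte domain name, configuration revision, updater identity, timestamp, MD5 digest). The digest handling is an explicit simplification and an assumption of this example: the real VTP digest covers the password and the VLAN database, whereas `placeholder_digest` only ties a password to the domain and revision so the password check can be shown. All advertisements are constructed in memory.

```python
"""Parse a VTP summary advertisement and apply the article's sync rules (added example).

Wire layout follows the VTP v1/v2 summary advertisement. The MD5 digest is a
placeholder computed by this example, NOT the real VTP digest algorithm.
"""
import hashlib
import struct
from dataclasses import dataclass

# version, code, followers, domain length, domain (32 bytes, zero padded),
# config revision, updater identity (IPv4), update timestamp (12 bytes), MD5 digest
SUMMARY_FMT = ">BBBB32sII12s16s"
CODE_SUMMARY = 0x01  # 0x02 = subset advertisement, 0x03 = advertisement request


@dataclass
class SummaryAdvert:
    version: int
    followers: int
    domain: str
    revision: int
    updater: str
    timestamp: bytes
    digest: bytes


def parse_summary(payload: bytes) -> SummaryAdvert:
    """Decode the fixed 72-byte summary advertisement body."""
    size = struct.calcsize(SUMMARY_FMT)
    if len(payload) < size:
        raise ValueError("short VTP payload")
    ver, code, followers, domlen, dom, rev, updater, ts, digest = struct.unpack(SUMMARY_FMT, payload[:size])
    if code != CODE_SUMMARY:
        raise ValueError(f"not a summary advertisement (code {code:#x})")
    domain = dom[:domlen].decode("ascii", errors="replace")
    updater_ip = ".".join(str(b) for b in struct.pack(">I", updater))
    return SummaryAdvert(ver, followers, domain, rev, updater_ip, ts, digest)


def placeholder_digest(domain: str, revision: int, password: str) -> bytes:
    """Stand-in for the VTP MD5 (assumption: not the real algorithm)."""
    return hashlib.md5(f"{domain}|{revision}|{password}".encode()).digest()


def build_summary(domain: str, revision: int, password: str, updater: str = "10.0.0.1") -> bytes:
    """Constructed advertisement for testing, carrying the placeholder digest."""
    dom = domain.encode("ascii")
    upd = struct.unpack(">I", bytes(int(x) for x in updater.split(".")))[0]
    return struct.pack(SUMMARY_FMT, 2, CODE_SUMMARY, 0, len(dom), dom.ljust(32, b"\0"),
                       revision, upd, b"\0" * 12, placeholder_digest(domain, revision, password))


@dataclass
class SwitchState:
    mode: str       # "server", "client" or "transparent"
    domain: str
    password: str   # "" when no VTP password is configured
    revision: int


def decide(state: SwitchState, payload: bytes) -> str:
    """What the receiving switch does with the advertisement, per the article's rules."""
    adv = parse_summary(payload)
    if state.mode == "transparent":
        return "ignore: transparent mode does not synchronise"
    if adv.domain != state.domain:
        return f"ignore: domain {adv.domain!r} != {state.domain!r}"
    if adv.digest != placeholder_digest(adv.domain, adv.revision, state.password):
        return "ignore: digest mismatch (wrong or missing password)"
    if adv.revision <= state.revision:
        return f"ignore: revision {adv.revision} not newer than {state.revision}"
    # Both server and client mode reach this point: a higher revision wins.
    return f"accept: revision {adv.revision} > {state.revision}, local VLAN database is overwritten"


if __name__ == "__main__":
    local = SwitchState("server", "CORP", "s3cret", 5)
    for pkt in (build_summary("CORP", 9, "s3cret"), build_summary("CORP", 9, "wrong"),
                build_summary("CORP", 5, "s3cret"), build_summary("OTHER", 9, "s3cret")):
        print(decide(local, pkt))
```

The last branch is the point the article makes: a switch in server mode accepts a higher revision from any member of the domain, which is why a single server, client mode everywhere else, and a domain password are recommended. Setting the password turns the otherwise accepted advertisement into the digest-mismatch case.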
II. Security of the Spanning Tree Protocol
STP (Spanning Tree Protocol) is a bridge protocol that uses the Spanning Tree Algorithm (STA) to dynamically identify redundant links and build a spanning-tree topology database. Bridges exchange BPDUs to detect loops in the network, and then eliminate those loops by blocking selected bridge interfaces.
Currently, common Spanning Tree Protocol attacks include:
1. Seizing the root bridge role or impersonating the root bridge. This causes network performance or connectivity problems.
2. Sending forged BPDUs, which consumes switch resources or creates a loop in the network, and can even bring the network down.
For these situations, Cisco's solution is based mainly on the following features:
• Root guard: prevents a switch, or an attacker impersonating one, attached to an access port from becoming the root bridge.
Switch (config-if) # spanning-tree guard root
• BPDU guard: prevents a switch from being connected, accidentally or deliberately by an attacker, to a port that has the PortFast feature; the port is shut down (err-disabled) as soon as a BPDU is received on it.
Switch (config) # spanning-tree portfast bpduguard default
• BPDU filtering: restricts the switch from sending unnecessary BPDUs out of access ports.
Note: do not configure BPDU filtering on ports connected to other switches, otherwise a bridging loop may occur. Be careful when deploying BPDU filtering; it is not a recommended configuration.
Switch (config) # spanning-tree portfast bpdufilter default
Comments and corrections are welcome!
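To make the two guards concrete, the code below is an added example (not from the article or from Cisco): it parses 802.1D configuration BPDUs and classifies each one the way root guard and BPDU guard would, as monitoring logic a defender could run over captured frames. The 35-byte configuration BPDU layout (protocol ID, version, type, flags, root bridge ID, root path cost, sender bridge ID, port ID and four timers in 1/256 s units) is the standard one; the expected root bridge ID, the edge/non-edge port flag and all BPDU bytes are constructed assumptions of the example.

```python
"""Classify 802.1D configuration BPDUs like root guard / BPDU guard (added example).

parse_config_bpdu decodes the standard 35-byte configuration BPDU. classify()
applies: BPDU guard on PortFast (edge) ports, root guard on all other ports.
"""
import struct
from dataclasses import dataclass

# protocol id, version, type, flags, root id (8), root path cost, bridge id (8),
# port id, message age, max age, hello time, forward delay (timers in 1/256 s)
BPDU_FMT = ">HBBB8sI8sHHHHH"
CONFIG_BPDU = 0x00


@dataclass(order=True)
class BridgeId:
    """Bridge ID: 16-bit priority field followed by a 6-byte MAC. Lower wins the root election."""
    priority: int
    mac: bytes

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        return cls(struct.unpack(">H", raw[:2])[0], raw[2:8])

    def to_bytes(self) -> bytes:
        return struct.pack(">H", self.priority) + self.mac

    def __str__(self) -> str:
        return f"{self.priority}/{self.mac.hex(':')}"


@dataclass
class ConfigBpdu:
    root: BridgeId
    root_cost: int
    bridge: BridgeId
    port_id: int


def parse_config_bpdu(raw: bytes) -> ConfigBpdu:
    size = struct.calcsize(BPDU_FMT)
    if len(raw) < size:
        raise ValueError("short BPDU")
    proto, ver, btype, flags, root, cost, bridge, port, *_timers = struct.unpack(BPDU_FMT, raw[:size])
    if proto != 0 or btype != CONFIG_BPDU:
        raise ValueError("not an 802.1D configuration BPDU")
    return ConfigBpdu(BridgeId.from_bytes(root), cost, BridgeId.from_bytes(bridge), port)


def build_config_bpdu(root: BridgeId, cost: int, bridge: BridgeId, port_id: int = 0x8001) -> bytes:
    """Constructed BPDU for testing (max age 20 s, hello 2 s, forward delay 15 s)."""
    return struct.pack(BPDU_FMT, 0, 0, CONFIG_BPDU, 0, root.to_bytes(), cost, bridge.to_bytes(),
                       port_id, 0, 20 * 256, 2 * 256, 15 * 256)


def classify(raw: bytes, expected_root: BridgeId, port_is_edge: bool) -> str:
    """BPDU guard: any BPDU on an edge port is a violation. Root guard: a superior root is blocked."""
    b = parse_config_bpdu(raw)
    if port_is_edge:
        return f"bpduguard: BPDU from {b.bridge} on a PortFast port, err-disable the port"
    if b.root < expected_root:
        return f"rootguard: superior root {b.root} < {expected_root}, port goes root-inconsistent"
    return f"ok: BPDU from {b.bridge} is consistent with root {expected_root}"


if __name__ == "__main__":
    # Constructed topology: legitimate root with priority 4096, a normal downstream switch, and a rogue claim.
    root = BridgeId(4096, bytes.fromhex("0011223344aa"))
    downstream = BridgeId(32768, bytes.fromhex("001122334400"))
    rogue = BridgeId(0, bytes.fromhex("020000000001"))
    print(classify(build_config_bpdu(root, 4, downstream), root, port_is_edge=False))
    print(classify(build_config_bpdu(rogue, 0, rogue), root, port_is_edge=False))
    print(classify(build_config_bpdu(root, 4, downstream), root, port_is_edge=True))
```

The comparison in `classify` is the same ordering STP uses for the root election (priority first, then MAC), so a claim with priority 0 from any MAC beats the real root's 4096 and is what root guard exists to block; on an edge port the content of the BPDU does not matter at all, which is why BPDU guard is the right tool for host-facing PortFast ports.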