Best practices for Virtual LAN security)

The purpose of this article is to fully introduce the rich experience and suggestions accumulated by Cisco engineers over the years to help customers and field engineers correctly configure VLANs on CISCO switches. In addition, this article will explain the main results of the @ stake test through key points and explain the methods to solve the security problem.

Basic security rules

To create a secure exchange network, you must first familiarize yourself with the basic security rules. Note that the basic principles highlighted in SAFE best practices [2] are the cornerstone of any security exchange network design.

If you do not want any device to be damaged, you must strictly control access to the device. Moreover, all network administrators should use all the practical security tools provided on the Cisco platform, including basic configuration of system passwords, IP Access filters, and login checks, and more advanced tools such as RADIUS, TACACS +, Kerberos, SSH, SNMPv3, and IDS (see [3] for details).

More advanced security details must be followed after all basic security rules are met. In the following sections, we will describe VLAN-related issues.

VirtualLAN

L2 switches are devices that can form virtual broadcast domains and separate virtual broadcast domains from each other. These domains are generally called virtual LAN (VLAN ).

VLAN is similar to other concepts in the network field. Traffic is identified by tags or tags. The identifier is very important to the second-level device. Only when the identifier is correct can the port be isolated and the received traffic be correctly forwarded. As will be introduced in later sections, lack of identification is sometimes the cause of security issues and therefore needs to be avoided.

If all groups in the device are closely integrated with the corresponding VLAN tags, the traffic in different domains can be reliably distinguished. This is the basic premise of the VLAN switching architecture.

It is worth noting that Cisco devices use common VLAN marking technologies such as ISL or 802.1Q on physical links (sometimes called trunk lines. Meanwhile, Cisco devices use advanced labeling technology to retain VLAN information internally and use it for traffic forwarding.

At this point, we can conclude that if the vlan id of the group cannot be modified after the packet is sent from the source node, that is, the end-to-end vlan id remains unchanged, the VLAN reliability is equivalent to physical security.

We will discuss this issue in detail below.

Control Panel

Malicious users especially want to access the Management Console of network devices, because once successful, they can easily modify the network configuration as needed.

In a VLAN-based switch, in addition to being directly connected to an out-of-band port, the management CPU can also use one or more VLANs for in-band management. In addition, it can use one or more VLANs to exchange protocol traffic with other network devices.

The basic physical security rules require that network devices be in a controllable (locked) space. The main VLAN security rules require that internal management and protocol traffic be restricted in a controllable environment. This requirement can be achieved through the following tools and best practices:

• Traffic and Protocol ACLs or filters

• QoS tags and priority levels (control protocols are differentiated by corresponding service levels or DSCP values)

• Selectively disable Layer 2 protocols on untrusted ports (for example, disabling DTP on access ports)

• Configure the in-band Management port only on the dedicated VLAN

• Avoid using VLAN 1 to transmit any data traffic

Command example:

Catalyst Operating System (CatOS) software Cisco IOS o Software

UseVLAN 1Precautions

The reason why VLAN 1 becomes a special VLAN is that it requires a layer-2 device to assign its ports, including the Management ports, to the default VLAN. In addition, many L2 protocols, such as CDP, PAgP, and VTP, need to be sent to specific VLANs on the trunk link. For these three reasons, VLAN 1 is selected.

Therefore, if the network is not properly cropped, VLAN 1 may be unwise to include the entire network. When its diameter reaches a certain degree, the risk of instability will rapidly increase. In addition, if you use a VLAN that covers almost the entire network to perform management tasks, the risk of a trusted device will be increased, making it vulnerable to entering VLAN 1 due to misconfiguration or accidental access, or use this unexpected security vulnerability to access untrusted devices of VLAN 1.

To restore the reputation of VLAN 1, a simple general security rule can be implemented: as a security rule, the network administrator should put any VLAN, in particular, VLAN 1 and all ports in this VLAN are not absolutely required to be isolated.

Therefore, for VLAN 1, the above principles can be converted into the following suggestions:

• Use another dedicated VLAN to isolate management traffic from user data and protocol traffic without using VLAN 1;

• Remove all unnecessary trunk lines and access ports (including unconnected and closed ports) in VLAN 1 ).

Likewise, the above rules apply to managing VLAN read operations:

• Do not configure management VLANs (including unconnected and closed ports) on any trunk lines or access ports that are not needed );

• To enhance security, try not to use in-band management instead of out-of-band management (for details about out-of-band management infrastructure, see [3]).

As a design criterion, traffic not required in a specific VLAN must be cut off. For example, to prevent all telnet connections from running only the SSH process, VLAN ACLs and/or IP filters are usually applied to the traffic transmitted in the management VLAN. Additionally, you can apply QoS ACLs to limit the maximum call traffic rate.

If VLAN 1 or a VLAN other than the management VLAN has security issues, use automatic or manual tailoring. Note that configuring VTP or manually tailoring VLANs in a transparent or closed manner is usually the most effective way to enhance VLAN network control.

Command example:

CatOS Cisco IOS software

"It is equally harmful to be totally trusting or not trusting everyone ."

After correct determination and implementation of VLAN 1, the next logical step is to turn attention to another common and equally important best practice in the security environment. This is a general security rule: connect untrusted devices to untrusted ports, connect trusted devices or ports, and disconnect all other ports. This criterion can be converted into the following general recommendations:

• If a port is connected to an "external" device, do not communicate with it. Otherwise, it is likely to fall into the trap of someone and cause adverse effects on itself. Disable CDP, DTP, PAgP, UDLD, and other unnecessary protocols on these ports, and enable portfast/BPDU protection. We can think of this question: why do we have to take the risk of talking to untrusted neighbors?

• Enable root protection to prevent STPS devices that are directly or indirectly connected from affecting the root bridge location.

• If you want to restrict or prevent interactions between unexpected protocols and network-level VLAN configurations, configure VTP domains or disable all VTP. This prevention measure not only limits or prevents administrator errors from being transmitted to the entire network, but also limits or prevents new vswitches with higher VTP versions from accidentally overwriting VLAN configurations of the entire domain.

• By default, only "trusted" ports can be trusted, and all other ports are set as "untrusted" ports to prevent the connected devices from modifying QoS values improperly.

• Disable unused ports and place them in unused VLANs. If you do not establish a connection with a non-VLAN, or do not add a device to a non-VLAN, you can use basic physical or logical barriers to prevent unauthorized access.

Command example:

CatOS Cisco IOS software

Why do we first worry about Layer 2 Security?

To enable independent operations at different layers (only understanding their interfaces), we have established an OSI model. OSI thought: as long as there is a standard interface between different layers, the development of a layer protocol will not affect other layers.

Unfortunately, this means that when a layer is attacked, the security of communication may be compromised because the other layers are unaware of the problem (1 ).

Figure1Structure of OSI model

In this architecture, the system security is equivalent to the security of the weakest link.

The data link layer is as fragile as other layers and may suffer various attacks. Therefore, the switch must be protected by configuration.

VLANWhat types of attacks are possible on the network?

Most attacks on the second layer will cause the device to lose the attacker's tracking capability. In this way, the attacker can perform malicious operations on the forwarding path, modify the configuration, and then attack the network.

The second-level attacks that people often talk about are listed below. They are also the types of attacks recorded by @ stake [1]:

• MAC flood attacks

• 802.1Q and ISL mark attacks

• Dual-encapsulation 802.1Q/nested VLAN attack

• ARP attacks

• Dedicated VLAN attack

• Multicast brute-force attacks

• Extended tree attack

• Random frame stress attack

The following describes these attacks in detail.

MACFlood attacks

Strictly speaking, this attack is not an attack because it only limits the working paths of all switches and bridges. They occupy limited hardware learning tables used to store the source addresses of all the receiving groups. When these tables are full, they cannot forward traffic because they cannot read the traffic, therefore, traffic flooding may occur. However, because the packet flood is limited to the initial VLAN, VLAN redirection is not allowed (as shown in the @ stake Report ).

Malicious users can use this attack to convert the vswitch they connect to into a dummy pseudo-hub, and search for and view all flood traffic. Many programs can be used to execute this task, such as macof, which is part of the dsniff suite [4]. Malicious users can exploit this vulnerability to initiate actual attacks, such as ARP damage attacks (for details, see ARP attacks).

A non-intelligent switch cannot defend against such attacks because it does not check the second-layer identity of the sender. The sender can send fake packets to impersonate devices without limit.

Cisco switches support multiple features to identify and control the identities of connected devices. The security rules of these vswitches are simple: authentication and description are critical to all untrusted devices.

It must be emphasized that port security, 802.1x, and dynamic VLAN can be used to restrict device connections based on the user's login ID and the MAC layer ID of the device.

For example, using port security to prevent MAC flood attacks can be as simple as limiting the number of MAC addresses that each port can use: the device traffic ID will be directly connected to its original port.

802.1QAndISLMark attacks

A flag attack is a malicious attack. using it, users on one VLAN can access another VLAN illegally. For example, if you configure a vswitch port to DTP auto to receive spoofed DTP groups, it becomes a trunk port and may receive traffic destined for any VLAN. Therefore, malicious users can communicate with other VLANs through controlled ports.

Sometimes, even if you only receive common groups, the switch port may violate your original intention, as the omnichannel port (for example, receiving groups from other local VLANs ). This phenomenon is often referred to as "VLAN leakage" (for more information about similar issues, see [5]).

For the first attack, you only need to set the DTP on all untrusted ports (which do not meet the trust condition) to "off" to prevent the attack. To deal with the second attack, you can follow the simple configuration steps described below (for example, the steps described in the next section), or upgrade the software. Fortunately, Cisco Catalyst 2950, Catalyst 3550, Catalyst 4000, and Catalyst 6000 series switches do not need to be upgraded, because the software and hardware running on it can implement appropriate traffic classification and isolation on all ports (as described by @ stake in [1 ).

So why does the report mention local VLAN [5]? We will provide the answer in the following chapter ......

Dual Encapsulation802.1Q/NestedVLANAttack

Although it is inside a vswitch, VLAN numbers and identifiers are expressed in Special extended formats. The purpose is to keep the forwarding path end-to-end VLAN independent without losing any information. Outside the vswitch, the labeling rules are defined by ISL, 802.1Q, and other standards.

ISL is a Cisco proprietary technology and is a compact form of the extended grouping header used in devices. As each group always gets a tag, there is no risk of Logo loss, which improves security.

On the other hand, the IEEE Committee of 802.1Q decided that to achieve downward compatibility, it is best to support local VLANs, that is, VLANs not explicitly associated with any tags on the 802.1Q link. This VLAN is implicitly used for all unlabeled traffic received on the 802.1Q port.

This function is expected by users, because the 802.1Q port can directly communicate with the old port 802.3 by sending and receiving unlabeled traffic. However, in all other cases, this function may be very harmful, because during transmission through the 802.1Q link, the group associated with the local VLAN will lose its flag, for example, its service level (802.1 p bits ).

But for these reasons-loss of identification channels and loss of classification information should avoid using local VLANs, not to mention other causes, as shown in figure 2.

Figure2Double encapsulation attack

Strip and send back

Attacker 802.1q Frame

Vlan a vlan B data includes the trunk vlan B data of local VLAN

Note:Only the local VLANs of the trunk line are the same as those of the attacker.

When a dual-encapsulation 802.1Q group switches from a device with the same VLAN as the local VLAN of the trunk line to the network, the VLAN IDs of these groups cannot be retained end to end, because the 802.1Q trunk line will always modify the group, that is, remove the external tag. After the external tag is deleted, the internal tag becomes the unique VLAN identifier of the group. Therefore, if two different tags are used for dual encapsulation of the group, the traffic can jump between different VLANs.

This situation will be considered as misconfiguration, because the 802.1Q standard does not force users to use local VLANs in such cases. In fact, the proper configuration should always be used to clear the local VLAN from all 802.1Q trunk lines (set it to 802.1q-all-tagged mode to achieve the same effect ). When the local VLAN cannot be cleared,Select unusedVLANLocal as all Trunk LinesVLANAnd cannotVLANFor any other purpose. STP, DTP, and UDLD (see [3]) protocols should be the only legal user of the local VLAN, and their traffic should be completely isolated from all data groups.

ARPAttack

ARP [6] is an old technology. When an arp rfc is generated, all users in the network are considered "friendly", so security is not considered in the ARP function. In this way, anyone can claim to be the owner of an IP address. More accurately, anyone can claim that their MAC address is related to any IP address in a subnet. This is completely feasible because ARP requests or replies contain the second-level identifier (MAC address) and third-level identifier (IP address) of the device, and there is no verification mechanism, the accuracy of these identifiers cannot be verified.

In another instance, a serious security vulnerability occurs because the device identity cannot be identified accurately and reliably. This example also shows that if the lower layers in the OSI model are attacked, the higher layers will directly affect the operations because they do not realize the problem. (ARP is a unique protocol sample that runs in Layer 2, but logically, it is located at the boundary between the data link layer and the network layer in the OSI model .)

@ Stake: the purpose of an ARP attack is to spoof a switch to forward the group to a device in another VLAN by sending an ARP group containing a forged ID. However, in all Cisco devices, VLANs are orthogonal and therefore do not rely on MAC addresses. Therefore, it is impossible to affect the communication mode between ARP and other VLAN devices by modifying the device ID in the ARP group. In fact, as stated in the report, it is impossible to perform any VLAN jump.

On the other hand, using ARP damage or ARP fraud attacks in the same VLAN [7] can effectively fool terminal sites or routers to identify forged device identifiers, this allows malicious users to launch man-in-the-middle (MiM) attacks.

In this case, a chart can provide the best description (see figure 3 ).

Figure3ARP attack

Send free information2.16.0000.000b: MyIPThe address is1.1.1.1, MyMACAddress:000: 00: 00: 00: 00: 0C

PC 1.1.1.2OfARPThe table is attacked. All outgoing traffic will passPC 1.1.1.3And then transparently forward the traffic to the vro.

The method to initiate a MiM attack is to impersonate another device (such as the default gateway) in the ARP packet sent to the attacked device because the recipient does not check these groups, therefore, its ARP table will receive counterfeit information.

There are two ways to prevent such attacks. One is to block the second layer of direct communication between the attacker and the attacked device, and the other is to embed more intelligence into the network, this allows you to check whether the ARP group ID is correct. The first method can be achieved through the Cisco Catalyst dedicated VLAN or the dedicated VLAN edge feature. The second method can be implemented using the new features called ARP checks. This feature was first introduced in CatOS 6500 on Cisco Catalyst 7.5 Supervisor Engine II, it will be provided later in Cisco IOS software of the Cisco Catalyst Switch.

DedicatedVLANAttack

"Dedicated VLAN attack" is a bit inappropriate because it does not correspond to a security vulnerability, but a certain expectation for features. Dedicated VLAN is a layer 2 feature, so traffic should be isolated only on Layer 2. On the other hand, a router belongs to a Layer 3 (L3) device. When it is connected to a dedicated VLAN hybrid port, even if the destination and the origin are in the same subnet, the layer-3 traffic received on the port should also be forwarded to the corresponding destination (@ stake calls this behavior a layer-2 proxy ).

Therefore, although two hosts in two isolated VLANs should communicate with each other through Layer 2 direct communication, they usually use routers as group relay when talking to each other.

Symptom 4 is shown above.

Figure4Layer 2 proxy

Similar to conventional route traffic, you can use the corresponding ACL configuration on the forwarding device to filter groups that use Layer 2 proxy relay.

The following is an example of the Cisco ios acl used to block relay traffic:

Deny subnet/mask

Permit any subnet/mask

Deny any

For more information about VLANs, see [8].

Multicast brute force attack

This attack attempts to launch Layer 2 multicast frame storms by exploiting the potential security vulnerability (read operation: defect) of the vswitch. @ Stake wants to test the status of the Second-layer switch when it quickly receives a large number of second-Layer Multicast frames. The correct response is to limit the traffic to the original VLAN. The incorrect response is to leak the frame to other VLANs.

@ Stake results show that this attack is not effective for Cisco Catalyst switches because all frames are included in the corresponding broadcast domain (this result is not surprising: after all, in all Catalyst switches, broadcast is only a special part of multicast ).

Spanning Tree Protocol

Another attack that attempts to use vswitch vulnerabilities (such as defects) is an STP attack. All Cisco Catalyst switches tested by @ stake support this protocol. By default, STP is enabled, and all ports on the switch can listen to STP messages. @ Stake tries to test whether Cisco PVST (Spanning Tree per VLAN) cannot open more than one VLAN in some cases. Attacks include Snoop STP frames on the line to obtain the ID of the port STP. Next, the attacker will issue STP configuration/topology change approval BPDU, announcing it as a new root bridge with a lower priority.

In this process, the tester inputs the broadcast traffic to check whether VLAN leakage exists. This shows that STP implemented on CISCO switches is very powerful.

Random frame stress attack

This type of attack has many forms, but its main feature is that it contains brute-force attacks randomly distributed in multiple grouping domains, and only keeps the source address and target address unchanged. @ Stake Multiple tests show that no group can successfully skip VLAN.

Dedicated VLANs can better isolate second-level hosts and prevent them from being attacked by unexpected malicious traffic from untrusted devices. In use, you can establish mutual trust as a host group, and divide the second-layer network into multiple subdomains, so that only friendly devices can communicate with each other. For more information about dedicated VLANs, see [8].

Conclusion

Practice has shown that the reliability of VLAN technology is much higher than the expectation of the slander. Only users with misconfiguration or misuse of features can break through its powerful functions.

The most serious mistake users may make is that they do not pay attention to the data link layer in the advanced switching network architecture, especially VLAN. Remember that the security of the OSI model is equivalent to that of the weakest link. Therefore, each layer must be equally valued to ensure the security of the entire structure.

• A method in which a device or algorithm may fail, for example, when a device misoperations and becomes vulnerable to attacks.

Any good network device based on the Cisco Catalyst Switch should include the best practices described in this article so as to effectively protect the second-level security architecture of the network from destruction.

Although some of the security concepts discussed in the previous sections are quite common, it should be noted that this article only targets networks that contain Cisco Catalyst switches. The implementation methods of other switch vendors may vary greatly, as a result, some switches may be more vulnerable to various attacks described in this article.

References

• Study Report: Security VLAN usage: @ stake Security Assessment-November August 2002

Http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf

2. SAFE: Enterprise Security Blueprint, http://www.cisco.com/go/safe/

3. Catalyst 4500, 5000 and 6500 Series Switch configuration and management best practices, http://www.cisco.com/warp/customer/473/103.html

4. dsniff, by Dug Song, http://monkey.org /~ Dugsong/dsniff/

5. VLAN Security Test Report, July 2000, http://www.sans.org/newlook/resources/IDFAQ/vlan.htm

6. Ethernet Address Resolution Protocol, RFC 826, http://www.ietf.org/rfc/rfc0826.txt

7. ARP Spoofing Attacks:

Http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm

8. White Paper: Catalyst 6500 series service supplier features (dedicated VLAN)

Http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/c65sp_wp.htm

9. @ stake, http://www.atstake.com/

Acronyms and definitions

802.1Q	IEEE specification for the standard VLAN labeling Solution
BPDU	Bridge Protocol Data Unit Information exchanged by the switch that runs the Spanning Tree Protocol
CDP	Cisco Discovery Protocol Cisco proprietary protocol used to discover a network topology composed of compatible Devices
DTP	Dynamic relay Protocol Cisco proprietary protocol used for dynamic negotiation of relay parameters (such as status and format)
IEEE	Association of electronic and electrical engineers
ISL	Inter-switch link Cisco private VLAN tag format
LocalVLAN	VLANs not explicitly associated with 802.1Q links
OSI	Open System Interconnection Network Reference Model
PAgP	Port aggregation Protocol Cisco proprietary protocol used for dynamic negotiation of channel parameters (such as the number of ports)
STP	Spanning Tree Protocol Bridge Protocol defined in IEEE 802.1D
UDLD	Unidirectional link Detection Cisco proprietary protocol used to verify the bidirectional nature of physical links
VLAN	Virtual LAN A virtual broadcast domain that contains one or more vswitch ports.
VTP	VLAN relay Protocol Cisco proprietary protocol for distributing VLAN information in a predetermined domain