Securing networks with private VLANs and VLAN access control lists (1)

Source: Internet
Author: User

Preface

One of the key factors in a successful network security design is to identify and enforce a proper trust model. The trust model defines who needs to talk to whom and what kind of traffic needs to be exchanged; all other traffic should be denied. Once the trust model has been identified, the security designer must decide how to enforce it. As more critical resources become globally reachable and new forms of network attack appear, the network security infrastructure tends to become more sophisticated, and more products are available to build it. Firewalls, routers, LAN switches, intrusion detection systems, AAA servers and VPNs are some of the technologies and products that can help enforce the model. Each of them plays a particular role within the overall security implementation, and it is essential that the designer understands how these elements can be deployed.

Components used

This document is not limited to specific software and hardware versions.

Background information

Identifying and enforcing a proper trust model seems to be a very basic task, but after several years of supporting security implementations, our experience is that security incidents are often related to poor security design. Usually these design flaws are a direct consequence of not enforcing a proper trust model, sometimes because it was never understood which flows are actually necessary, other times because the technologies involved were not fully understood or were misused.

This document explains in detail how two features available on Catalyst switches, private VLANs (PVLANs) and VLAN access control lists (VACLs), can help enforce a proper trust model in both enterprise and service provider environments.

The importance of enforcing a proper trust model

An immediate consequence of not enforcing a proper trust model is that the overall security implementation becomes less immune to malicious activity. Demilitarized zones (DMZs) are commonly implemented without enforcing the right policies, which makes the work of a potential intruder easier. This section analyzes how DMZs are often implemented and the consequences of a poor design. Later sections explain how to mitigate, or in the best case avoid, these consequences.

Usually, DMZ servers are only supposed to process incoming requests from the Internet and, at most, initiate connections to some back-end servers located on an inside segment or another DMZ segment, such as a database server. At the same time, DMZ servers are not supposed to talk to each other or to initiate any connection to the outside world. This clearly defines the necessary traffic flows in a simple trust model; however, we often see this kind of model not being adequately enforced.

Designers tend to implement DMZs with a common segment for all servers, without any control over the traffic between them; for example, all servers are placed in one VLAN. Since nothing controls traffic within the same VLAN, if one of the servers is compromised, that server can be used as the source of an attack against any other server or host in the same segment. This clearly facilitates the activity of an intruder carrying out port redirection or application-layer attacks.

Typically, firewalls and packet filters are used only to control incoming connections, and nothing is done to restrict connections originated from the DMZ. Some time ago there was a well-known vulnerability in a cgi-bin script that allowed an intruder to start an X terminal session just by sending an HTTP stream; this is traffic that the firewall has to allow. If the intruder was lucky enough, he or she could then use another weakness, typically a buffer overflow, to obtain a root prompt. Most of the time, this kind of problem can be avoided by enforcing a proper trust model: first, the servers should not talk to each other, and second, no connection should be originated from these servers to the outside world.

The same comments apply to many other scenarios, from any ordinary untrusted segment up to the server farms of an application service provider.

PVLANs and VACLs on Catalyst switches can help enforce a proper trust model. PVLANs help by restricting the traffic between hosts in a common segment, while VACLs contribute by providing further control over any traffic flow originated from or destined to a particular segment. These features are discussed in the following sections.

Private VLANs

PVLANs are available on the Catalyst 6000 running CatOS 5.4 or later, and on the Catalyst 4000, 2980G, 2980G-A, 2948G and 4912G running CatOS 6.2 or later.

From our perspective, PVLANs are a Layer 2 (L2) tool that segregates traffic by turning a broadcast segment into something resembling a non-broadcast multi-access segment. Traffic that enters the switch on a promiscuous port (that is, a port capable of forwarding both the primary and the secondary VLANs) can go out on all ports that belong to the same primary VLAN. Traffic that enters the switch on a port mapped to a secondary VLAN (an isolated VLAN, a community VLAN or a two-way community VLAN) can be forwarded only to a promiscuous port or to a port belonging to the same community VLAN. Multiple ports mapped to the same isolated VLAN cannot exchange any traffic with each other.

The following figure illustrates the concept.

Figure 1: Private VLANs

The primary VLAN is shown in blue; the secondary VLANs are shown in red and yellow. Host-1 is connected to a switch port that belongs to the red secondary VLAN. Host-2 is connected to a switch port that belongs to the yellow secondary VLAN.

When a host transmits, its traffic is carried in the secondary VLAN. For example, when Host-2 transmits, its traffic travels on the yellow VLAN. When those hosts receive, the traffic comes from the blue VLAN, which is the primary VLAN.

The ports to which the routers and firewalls are connected are promiscuous ports, because they can forward traffic coming from every secondary VLAN defined in their mapping as well as from the primary VLAN. The port connected to each host can only forward traffic belonging to the primary VLAN and to the secondary VLAN configured on that port.

The drawing represents the private VLANs as different pipes connecting the routers and the hosts: the pipe that bundles all the others is the primary VLAN (blue), and traffic on the blue VLAN flows from the routers to the hosts. The pipes inside the primary VLAN are the secondary VLANs, and the traffic on those pipes flows from the hosts towards the routers.

As the figure shows, a primary VLAN can bundle one or more secondary VLANs.

Earlier in this document we said that PVLANs help enforce a proper trust model simply by ensuring the segregation of hosts within a common segment. Now that we know more about private VLANs, let's see how this applies to our initial DMZ scenario. The servers are not supposed to talk to each other, but they still need to talk to the firewall or router they are connected to. In this case, the servers are connected to isolated ports while the routers and firewalls are attached to promiscuous ports. With this in place, if one of the servers is compromised, the intruder cannot use it as the source of an attack against another server in the same segment. The switch drops such packets at wire speed, without any performance penalty.

Another important point is that this kind of control can only be implemented on an L2 device, because all the servers belong to the same subnet. There is nothing a firewall or router can do, since the servers would try to communicate with each other directly. The other option is to dedicate one firewall port to each server, but this is likely to be too expensive, difficult to implement and not scalable.
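The forwarding rules above can be written down as a small model, which is handy for checking a planned port layout before it is configured on the switch. The following Python is an added example and is not code or configuration from the original document; the VLAN numbers (primary 41, isolated 42, community 43), the port names and the two-firewall layout are assumptions.

```python
"""Model of private VLAN (PVLAN) forwarding at Layer 2.

Added example, not configuration or code from the original document.
Port names, VLAN numbers and the DMZ layout are assumed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

PROMISCUOUS = "promiscuous"   # router/firewall ports: forward the primary and the mapped secondary VLANs
ISOLATED = "isolated"         # host ports that may only talk to promiscuous ports
COMMUNITY = "community"       # host ports that may also talk to ports of the same community VLAN


@dataclass(frozen=True)
class Port:
    name: str
    primary: int                            # primary VLAN the port belongs to
    kind: str                               # PROMISCUOUS, ISOLATED or COMMUNITY
    secondary: Optional[int] = None         # secondary VLAN of a host port
    mapping: FrozenSet[int] = frozenset()   # secondary VLANs a promiscuous port is mapped to


def can_forward(src: Port, dst: Port) -> bool:
    """Return True if a frame received on src may be forwarded out of dst.

    Encodes the rules from the private VLAN section:
      * a frame from a promiscuous port travels on the primary VLAN and reaches
        every other port of that primary VLAN;
      * a frame from a host port travels on its secondary VLAN and reaches a
        promiscuous port only if that port is mapped to the secondary VLAN;
      * a frame from a community port also reaches the other ports of the same
        community VLAN;
      * two isolated ports never exchange frames, even in the same isolated VLAN.
    """
    if src == dst or src.primary != dst.primary:
        return False
    if src.kind == PROMISCUOUS:
        return True
    if dst.kind == PROMISCUOUS:
        return src.secondary in dst.mapping
    if src.kind == COMMUNITY and dst.kind == COMMUNITY:
        return src.secondary == dst.secondary
    return False


def dmz_ports() -> Dict[str, Port]:
    """Assumed DMZ layout: primary VLAN 41, isolated VLAN 42 for the web servers,
    community VLAN 43 for a pair of hosts that are allowed to talk to each other."""
    fw_map = frozenset({42, 43})
    return {
        "fw-out": Port("fw-out", 41, PROMISCUOUS, mapping=fw_map),
        "fw-in": Port("fw-in", 41, PROMISCUOUS, mapping=fw_map),
        "web1": Port("web1", 41, ISOLATED, secondary=42),
        "web2": Port("web2", 41, ISOLATED, secondary=42),
        "app1": Port("app1", 41, COMMUNITY, secondary=43),
        "app2": Port("app2", 41, COMMUNITY, secondary=43),
    }


def reachability(ports: Dict[str, Port]) -> Dict[Tuple[str, str], bool]:
    """Return {(src name, dst name): forwardable} for every ordered pair of distinct ports."""
    return {(a.name, b.name): can_forward(a, b)
            for a in ports.values() for b in ports.values() if a is not b}


if __name__ == "__main__":
    for (a, b), ok in sorted(reachability(dmz_ports()).items()):
        print(f"{a:7s} -> {b:7s} {'forward' if ok else 'drop'}")
```

Running the script prints the full reachability matrix; the two web servers cannot reach each other or the community hosts, but every host can reach both firewall ports and the firewalls can reach everything.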

A later section describes in detail some other typical scenarios in which this feature can be used.

VLAN access control lists

VACLs are available on the Catalyst 6000 series running CatOS 5.3 or later.

VACLs can be configured on a Catalyst 6500 at L2 without the need for a router; only a Policy Feature Card (PFC) is required. They are enforced at wire speed, so there is no performance penalty in configuring VACLs on a Catalyst 6500. Because the VACL lookup is performed in hardware, the forwarding rate remains unchanged regardless of the size of the access list.

VACLs can be mapped separately to the primary VLAN or to a secondary VLAN. A VACL configured on a secondary VLAN filters the traffic originated by the hosts without touching the traffic generated by the routers or firewalls.

By combining VACLs with private VLANs, it is possible to filter traffic based on its direction. For example, if two routers are connected to the same segment as some hosts (servers, say), VACLs can be configured on the secondary VLAN so that only the traffic generated by the hosts is filtered, while the traffic exchanged between the routers is untouched.

VACLs can easily be deployed to enforce the proper trust model. Consider our DMZ case again: the DMZ servers are supposed to serve incoming connections only and are not expected to initiate connections to the outside world. A VACL can be applied to their secondary VLAN to control the traffic leaving these servers. It is critical to note that with VACLs the traffic is dropped in hardware, with no impact on the CPU of either the router or the switch. Even if one of the servers is used as a source in a distributed denial of service (DDoS) attack, the switch drops all the illegitimate traffic at wire speed without any performance penalty. Similar filters could be applied on the router or firewall to which the servers connect, but that usually has severe performance implications.

Known limitations of VACLs and PVLANs

When configuring filtering with VACLs, you should be careful about fragment handling on the PFC, and the configuration should be tuned according to the hardware specifications.

Given the hardware design of the PFC on the Catalyst 6500 Supervisor 1, it is better to deny ICMP fragments explicitly. The reason is that Internet Control Message Protocol (ICMP) fragments and echo-reply packets are treated the same by the hardware, and by default the hardware is programmed to permit fragments. So if you want to stop echo-reply packets from leaving the servers, you have to configure this explicitly with the entry deny icmp any any fragment. The configurations in this document take this into account.

There is a well-known security limitation of PVLANs: a router may forward traffic back out to the same subnet it came from. The router can route traffic across isolated ports, which defeats the purpose of PVLANs. This limitation comes from the fact that PVLANs provide isolation at L2, not at Layer 3 (L3).

This problem is fixed by means of VACLs configured on the primary VLAN. The case studies provide the VACLs that need to be configured on the primary VLAN to drop traffic that originates from the subnet and is routed back into the same subnet.

On some line cards, the configuration of PVLAN port mappings is subject to restrictions: multiple PVLAN mappings have to belong to different port application-specific integrated circuits (ASICs) in order to be configured. Those restrictions are removed on the newer port ASIC, Coil3. Refer to the latest Catalyst switch software configuration documentation for the details.

Case studies

The following sections describe three case studies, which we believe are representative of most implementations, and give details related to the secure deployment of PVLANs and VACLs.

These scenarios are:

Pass-through DMZ

External DMZ

VPN concentrator in parallel with the firewall

Pass-through DMZ

This is one of the most commonly deployed scenarios. In this example, the DMZ is implemented as a transit area between two firewall routers, as shown in Figure 2.

Figure 2: Pass-through DMZ

In this example, the DMZ servers are meant to be accessed by both external and internal users, but they do not need to communicate with each other. In some cases a DMZ server needs to open a connection to an internal host. At the same time, internal clients are supposed to access the Internet without restrictions. A good example is a DMZ with web servers that need to talk to a database server located on the internal network, with internal clients accessing the Internet.

The external firewall is configured to allow incoming connections to the servers located in the DMZ, but usually no filters or restrictions are applied to outgoing traffic, and in particular to traffic originated in the DMZ. As discussed earlier in this document, this potentially facilitates the activity of an attacker for two reasons: first, as soon as one of the DMZ hosts is compromised, all the other DMZ hosts are exposed; second, an attacker can easily exploit an outgoing connection.

Since the DMZ servers do not need to talk to each other, the recommendation is to make sure they are isolated at L2. The server ports are defined as PVLAN isolated ports, while the ports connecting to the two firewalls are defined as promiscuous. Defining a primary VLAN for the firewalls and a secondary VLAN for the DMZ servers achieves this.

VACLs are used to control the traffic originated in the DMZ. This prevents an attacker from opening an illegitimate outgoing connection. Keep in mind that the DMZ servers not only need to reply to traffic belonging to client sessions; they also need some additional services, such as Domain Name System (DNS) and maximum transmission unit (MTU) path discovery. The ACL must therefore allow all the services the DMZ servers need.
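The secondary-VLAN VACL described here, the explicit ICMP fragment entry from the Known limitations section, and the primary-VLAN VACL that drops traffic routed back into the same subnet can be modelled together and checked against sample packets. The following Python is an added example, not the document's own configuration; the DMZ subnet 172.16.65.0/24, the resolver and database addresses, the database port, and the simplified representation of the Supervisor 1 fragment handling are assumptions made for illustration.

```python
"""Model of VACLs for the pass-through DMZ.

Added example, not configuration from the original document.  The DMZ
subnet, the resolver and database addresses, the database port and the
simplified Supervisor 1 fragment handling are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    established: bool = False   # TCP segment with ACK or RST set (part of an existing session)
    fragment: bool = False      # non-initial IP fragment (carries no L4 header)
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access control entry, in the spirit of a CatOS VACL line."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None
    established: bool = False   # like the 'established' keyword
    fragment: bool = False      # like the 'fragment' keyword
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in self.src or ip_address(p.dst) not in self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not p.established:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(acl: List[Ace], p: Packet, sup1_quirk: bool = True) -> str:
    """First-match evaluation of an ordered ACE list; returns "permit" or "deny".

    Fragment-class packets are matched only by entries carrying the 'fragment'
    keyword and, if none matches, are permitted by default (the behaviour the
    text describes).  With sup1_quirk, an ICMP echo-reply (type 0) is placed in
    the fragment class, as the text says the Supervisor 1 PFC does.
    """
    as_fragment = p.fragment or (sup1_quirk and p.proto == "icmp" and p.icmp_type == 0)
    for ace in acl:
        if ace.fragment != as_fragment:
            continue
        if ace.matches(p):
            return ace.action
    return "permit" if as_fragment else "deny"


ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("172.16.65.0/24")        # assumed DMZ subnet
RESOLVER = ip_network("172.16.70.20/32")  # assumed internal DNS server
DATABASE = ip_network("10.20.30.40/32")   # assumed internal database server

# VACL mapped to the secondary VLAN: it sees only traffic originated by the servers.
SERVERS_OUT = [
    Ace("permit", "tcp", DMZ, ANY, established=True),   # replies inside client-initiated sessions
    Ace("deny", "icmp", ANY, ANY, fragment=True),       # the explicit entry the text calls for
    Ace("permit", "udp", DMZ, RESOLVER, dport=53),      # DNS lookups
    Ace("permit", "tcp", DMZ, DATABASE, dport=1521),    # web servers to the internal database (assumed port)
    Ace("deny", "ip", ANY, ANY),                        # nothing else may leave the servers
]
SERVERS_OUT_LOOSE = [a for a in SERVERS_OUT if not a.fragment]  # same list without the fragment entry

# VACL mapped to the primary VLAN: it sees traffic entering from the firewalls/routers.
PRIMARY_IN = [
    Ace("deny", "ip", DMZ, DMZ),      # DMZ-to-DMZ traffic hairpinned through a router
    Ace("permit", "ip", ANY, ANY),    # everything else, including ICMP for path MTU discovery
]


def demo() -> Dict[str, str]:
    """Evaluate a few constructed packets; returns {label: verdict}."""
    server, client, peer = "172.16.65.10", "198.51.100.7", "172.16.65.11"
    return {
        "reply to client": evaluate(SERVERS_OUT, Packet("tcp", server, client, 40000, established=True)),
        "new connection out": evaluate(SERVERS_OUT, Packet("tcp", server, client, 80)),
        "dns lookup": evaluate(SERVERS_OUT, Packet("udp", server, "172.16.70.20", 53)),
        "echo-reply, strict": evaluate(SERVERS_OUT, Packet("icmp", server, client, icmp_type=0)),
        "echo-reply, loose": evaluate(SERVERS_OUT_LOOSE, Packet("icmp", server, client, icmp_type=0)),
        "hairpin via router": evaluate(PRIMARY_IN, Packet("tcp", server, peer, 22)),
        "inbound from internet": evaluate(PRIMARY_IN, Packet("tcp", client, server, 80)),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:24s} {verdict}")
```

The "echo-reply, loose" case is the point of the fragment caveat: with the Supervisor 1 behaviour modelled, a list that ends in deny ip any any still lets the servers' echo replies out unless the fragment entry is present. Path MTU discovery messages travel from the routers towards the servers on the primary VLAN, so the list mapped to the secondary VLAN does not have to permit them; in this model the final permit entry of the primary-VLAN list lets them through.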
