A switch is not designed as a security device; it is designed to improve network performance. If you want to make a switch part of the security mechanism, first make sure that the switch is configured correctly, and second, the switch manufacturer must have fully understood and fully implemented the relevant standards in the switch software. If you have strict network security requirements, do not use shared switches; use dedicated switches to ensure network security. If a switch must be shared between untrusted networks and trusted users, the result can only be a security disaster.
VLANs do make it possible to isolate network services that share the same switch or even a group of switches. However, when switch designers added this isolation feature to their products, security was not the concern: VLANs were meant to restrict and filter broadcast traffic. Unfortunately, VLANs rely on software and configuration mechanisms rather than hardware to accomplish this task.
In recent years, some firewalls have become VLAN-aware devices, which means that rules based on packet tags can be written to direct a packet to a specific VLAN. A VLAN-aware firewall also adds a lot of flexible rules for website hosting. The problem is that the tags on which the firewall depends were not designed with security in mind. Devices outside the switch can also generate tags, and those tags can easily be attached to packets to fool the firewall.
How does a VLAN work? What security advantages does a VLAN offer? And if we decide to use VLANs as part of a security system, how can we avoid VLAN vulnerabilities as far as possible?
Partition Function
The term "switch" was first used to describe a device that exchanges network traffic between network interfaces called "ports". More recently, the LAN switch has come to be called a "bridge", and even the IEEE standards related to switches now inevitably use the term "bridge".
A bridge connects different segments of the same LAN, where LAN means a local network that does not need routing. The bridge software examines the MAC addresses in received packets to determine which network device is connected to which port. Initially, the bridge sends every received packet out of every port. After a while, the bridge learns how to send packets to the correct network interface by building a spanning tree and a table: the spanning tree algorithm selects the correct network interfaces and avoids loops, and the table maps MAC addresses to ports. By sending packets only to the correct network interface, the bridge reduces network traffic. A bridge can be thought of as a highway connecting two different roads, where only the traffic that needs to pass between the two roads uses the highway.
Although the bridge reduces network traffic so that the network runs more efficiently, it still has to send broadcast packets to all ports. In any LAN, a broadcast message is delivered to all systems in the LAN. ARP (Address Resolution Protocol) is an example of broadcast traffic.
As the number of ports grew and more management software was added, bridge devices became more and more capable. A new function was introduced: the bridge can be partitioned into multiple virtual bridges. When partitioned in this way, broadcast traffic is confined to the ports belonging to the virtual bridge, that is, to the corresponding VLAN, rather than being sent to all ports.
Limiting broadcasts to a VLAN does not by itself prevent a system in one VLAN from reaching a system that is connected to the same bridge but belongs to a different VLAN. Remember, however, that ARP broadcasts are used to obtain the MAC address corresponding to a specific IP address, and without the MAC address, machines in the same network cannot communicate with each other.
The Cisco website describes two scenarios in which packets can pass between VLANs on the same switch. In the first, two systems establish a TCP/IP connection in the same VLAN, and then the switch is reconfigured so that one system's port belongs to another VLAN. Communication continues because both parties have the other's MAC address in their ARP cache, and the bridge already knows which port the target MAC address leads to. In the second, someone manually creates a static ARP entry for the system in the other VLAN that he wants to reach. This requires him to know the MAC address of the target system, which may require direct physical access to it.
The problems described in both cases can be mitigated by switch software that discards the forwarding information a packet would need to cross VLANs. On Cisco's high-end switches, each VLAN has its own separate spanning tree. Other switches either have similar features or can be configured to filter bridging information by VLAN membership.
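The following toy model is an added illustration, not Cisco's or any vendor's code. It shows the VLAN-partitioned learning bridge described above: broadcasts are flooded only within a VLAN, and the first Cisco scenario (a port moved to another VLAN while the hosts' ARP caches are still warm) is replayed with and without the bridge forgetting what it learned through the moved port. Port numbers, VLAN ids and MAC addresses are constructed.

```python
# Toy model of a VLAN-partitioned learning bridge. This is an added
# illustration, not vendor code; ports, VLAN ids and MACs are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanBridge:
    """Learns source MACs per (VLAN, MAC) and floods only within a VLAN."""

    def __init__(self, port_vlan, flush_on_move=True):
        self.port_vlan = dict(port_vlan)    # port -> VLAN id (access ports)
        self.flush_on_move = flush_on_move  # forget entries when a port moves VLAN
        self.table = {}                     # (vlan, mac) -> port, learned

    def receive(self, in_port, src, dst):
        """Return the list of ports a frame arriving on in_port is sent out of."""
        vlan = self.port_vlan[in_port]
        self.table[(vlan, src)] = in_port   # learning: remember where src lives
        out = self.table.get((vlan, dst))
        if dst != BROADCAST and out is not None:
            return [] if out == in_port else [out]      # known unicast
        # Broadcast or unknown unicast: flood, but only to this VLAN's ports.
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != in_port)

    def move_port(self, port, vlan):
        """Reassign a port to another VLAN, as in the first Cisco scenario."""
        self.port_vlan[port] = vlan
        if self.flush_on_move:
            # Drop everything learned via this port so stale entries cannot
            # steer unicast frames from the old VLAN into the new one.
            self.table = {k: p for k, p in self.table.items() if p != port}


def port_move_scenario(flush_on_move):
    """Hosts A (port 1) and B (port 2) talk in VLAN 10; port 2 then moves to VLAN 20.

    A's ARP cache still holds B's MAC, so A keeps sending unicast frames to B.
    Returns the ports that receive such a frame after the move.
    """
    br = VlanBridge({1: 10, 2: 10, 3: 20}, flush_on_move)
    br.receive(1, "aa:aa:aa:aa:aa:01", BROADCAST)            # A's ARP request
    br.receive(2, "bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01")  # B's ARP reply
    br.move_port(2, 20)
    return br.receive(1, "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02")
```

With `flush_on_move=False` the stale table entry still delivers A's frame to port 2 across the VLAN boundary; with flushing, the frame is flooded only to VLAN 10 ports and B never sees it.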
Link Aggregation
Multiple switches can share the same VLANs through a configuration mechanism and tags on the packets exchanged between switches. You can configure one of a switch's ports as a link port (a trunk) that carries packets for any VLAN across the link. When packets are transmitted between switches, each packet is tagged according to the 802.1Q protocol, an IEEE standard for packets transmitted between bridges. The receiving switch removes the tag and sends the packet to the correct port, or to the correct VLAN when the packet is a broadcast.
This four-byte 802.1Q tag is inserted into the Ethernet header immediately after the source address. The first two bytes contain 81 00, the 802.1Q tag protocol type. The last two bytes contain a priority, a flag bit, and a 12-bit VID (VLAN Identifier). The VID ranges from 0 to 4095, with 0 and 4095 reserved. The default VID is 1, which is also the default for switch ports not explicitly assigned to a VLAN.
By default, Cisco switches are configured for link aggregation: if a port finds that another switch is connected to it, it can negotiate a link. The default link port belongs to VLAN 1, which is called the native VLAN of the port. The administrator can assign the link port's native VLAN to any VLAN.
You can configure the link port so that packets cannot pass between VLANs by setting the native VLAN of the link port to a VID that no other VLAN uses. Remember that the default native VLAN of the link port is VID 1. Set the native VLAN of the link port to 1001, or to any value the switch allows that is not used by any other VLAN.
Firewalls and VLANs
Knowing how switches share VLAN information, you can more accurately evaluate firewalls that support VLANs. Such firewalls receive 802.1Q-tagged packets from VLAN-capable switches, and the firewall uses the tags when evaluating its security rules. Although we have discussed only Ethernet so far, 802.1Q tags also apply to other types of networks, such as ATM and FDDI.
802.1Q tags do not provide authentication. They are just a way for a switch to mark a packet as coming from a specific VLAN. VLAN tags can be forged, just as IP addresses have been forged for many years. Recent Linux kernels support operating in VLAN-aware mode and can generate any VLAN tag the local system administrator chooses.
The key to using 802.1Q tags for security is to design the network so that the switch's link port connects directly to the firewall interface on which the VLAN-tag-based security checks are performed. If any other path can reach that firewall interface, the chance of forged VLAN tags increases. The switch itself must be configured correctly: link ports used for link aggregation must be configured explicitly and assigned a non-default native VID.
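The following is an added example, not code from the article or from any firewall product. It parses the 802.1Q tag described above (81 00 type, 3-bit priority, flag bit, 12-bit VID) and applies the defensive policy the text implies for a VLAN-aware firewall: because the tag authenticates nothing, a tagged frame is accepted only when it arrives on the interface wired to the switch link port, carries a non-reserved VID, and names a VLAN that link is configured to carry. Interface names and VIDs in the test are constructed.

```python
import struct

TPID_8021Q = 0x8100        # tag protocol identifier: the "81 00" bytes
RESERVED_VIDS = {0, 4095}  # VID values the standard reserves


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet II frame, inserting an 802.1Q tag after the source MAC."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)   # 3-bit priority, flag bit 0, 12-bit VID
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, tag, ethertype, payload); tag is None when untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    tag, off = None, 14
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])   # tag control info, real type
        tag = {"pcp": tci >> 13, "flag": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        off = 18
    return dst, src, tag, etype, frame[off:]


def classify(frame, in_iface, trunk_iface, trunk_vids):
    """Decide how a VLAN-aware firewall treats a frame before rule matching.

    Only the interface wired to the switch link port may deliver tagged frames;
    a tag arriving anywhere else, a reserved VID, or a VID the link does not
    carry is rejected rather than trusted (the tag authenticates nothing).
    """
    _, _, tag, _, _ = parse_frame(frame)
    if tag is None:
        return "untagged"
    if in_iface != trunk_iface:
        return "drop: tagged frame on non-link interface %s" % in_iface
    if tag["vid"] in RESERVED_VIDS:
        return "drop: reserved VID %d" % tag["vid"]
    if tag["vid"] not in trunk_vids:
        return "drop: VID %d not carried by the link" % tag["vid"]
    return "vlan %d" % tag["vid"]
```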
Any discussion of switches reaches the same conclusion about administrative access to the switch. Switches are managed the same way as other network devices: Telnet, HTTP, and SNMP. Disable unused management channels and add access control to those that are used. When an attacker comes from outside the network, the firewall can control access to the switch. When the attacker is inside the network, or is authorized to access an internal system from which the attack is launched, the firewall is powerless.
Related Articles
- Cisco IOS exposed VLAN relay protocol security vulnerability
- Virtual LAN technology, VLAN management and testing
- Layer-3 switching and VLAN settings improve data efficiency