Knowing the Enemy: Defending Against Hacker Attacks with VLAN Technology (1)

Source: Internet
Author: User
Keywords: attacks, hackers, defenses, VLANs
Why use a VLAN?

A VLAN divides users logically, so that users in different VLANs cannot communicate with each other directly. The technology is easy to deploy and saves money. However, as VLANs are used more and more widely, the security management problems that come with them become more and more serious. VLAN technology gives network security a management-based strategy: we can choose different VLAN partitioning methods according to the characteristics of the enterprise's network management. Although this gives the network a certain degree of protection, security always coexists with danger. Faced with attacks that hide behind the VLAN itself, what effective preventive measures can be taken? In this article we introduce the hacker's attack methods against a network managed with VLAN technology, and the defensive measures we can take against them.

I. Common VLAN attacks

The VLAN attacks commonly seen today are the following.

1. 802.1Q and ISL tag attacks

A tag attack is a malicious attack that lets a user on one VLAN illegally access another VLAN. For example, if a switch port is configured as DTP (Dynamic Trunking Protocol) "auto" and receives a forged DTP packet, it becomes a trunk port and may then receive traffic for any VLAN. As a result, a malicious user can communicate with other VLANs through the port under their control. Sometimes, even on receiving a normal packet, a switch port may behave contrary to its configured intent and act like a full trunk port (for example, accepting packets for a VLAN other than its own); this is often called "VLAN leakage." This attack can be prevented simply by setting DTP to "off" on all untrusted ports (ports that do not meet the trust conditions).
The software and hardware of the Cisco Catalyst 2950, Catalyst 3550, Catalyst 4000 and Catalyst 6000 series switches can also apply appropriate traffic classification and isolation on all ports.

2. Double-encapsulated 802.1Q / nested VLAN attacks

Inside a switch, VLAN numbers and identities are represented in a special extended format so that the forwarding path is kept end to end without losing any information. Outside the switch, the tagging rules are defined by standards such as ISL or 802.1Q. ISL, a Cisco proprietary technology, is a compact form of the extended packet header used inside the device; every packet carries a tag, there is no risk of losing its identity, and security is therefore improved. On the other hand, the IEEE 802.1Q committee decided that, for backward compatibility, it was best to support a native VLAN, that is, a VLAN that is explicitly not associated with any tag on an 802.1Q link. This VLAN is implicitly used to receive all untagged traffic on an 802.1Q port. The feature is one that users want, because it lets an 802.1Q port connect directly to an old 802.3 port by sending and receiving untagged traffic. In all other cases, however, the feature can be very harmful, because packets belonging to the native VLAN lose their tag, and with it their class of service (the 802.1p bits), when transmitted over an 802.1Q link. For these two reasons alone, loss of identity and loss of classification information, you should avoid using the native VLAN, to say nothing of the other reasons, as shown in Figure 1.

[Figure 1: Double-encapsulation attack. The attacker's 802.1Q frame is tagged for VLAN A and carries VLAN B data inside it; the trunk strips the outer VLAN A tag and passes on the VLAN B data. Note: this only works when the trunk's native VLAN is the same as the attacker's VLAN.]
When a double-encapsulated 802.1Q packet enters the network from a device that happens to be in the same VLAN as the trunk's native VLAN, the packet's VLAN identity is not preserved end to end, because an 802.1Q trunk always modifies the packet by stripping off its outer tag. Once the outer tag is removed, the inner tag becomes the packet's only VLAN identifier. So if a packet is double-encapsulated with two different tags, traffic can hop between VLANs. This should be regarded as a misconfiguration, because the 802.1Q standard does not force users to use the native VLAN in these situations. In fact, the proper configuration, which should always be used, is to clear the native VLAN from all 802.1Q trunks (setting them to 802.1q-all-tagged mode achieves exactly the same effect). Where the native VLAN cannot be cleared, an unused VLAN should be chosen as the native VLAN of all trunks, and that VLAN must not be used for any other purpose. Protocols such as STP, DTP and UDLD should be the only legitimate users of the native VLAN, and their traffic should be completely isolated from all data packets.

3. VLAN hopping attacks

A virtual LAN (VLAN) is a way of segmenting a broadcast domain. VLANs are also often used to give the network additional security, because a computer on one VLAN cannot talk to users on another VLAN without explicit access. However, a VLAN by itself is not enough to protect the environment: with a VLAN hopping attack, a malicious hacker can jump from one VLAN to another even without authorization. VLAN hopping relies on the Dynamic Trunking Protocol (DTP). When two switches are interconnected, DTP can negotiate between them to decide whether they want to form an 802.1Q trunk; the negotiation is done by checking the configuration state of the ports.
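To make the stripping step of the double-encapsulation attack in section 2 concrete, here is an added example (not from the original article) in Python that parses stacked 802.1Q tags on an Ethernet frame and models what an 802.1Q trunk does with the outer tag: with the default untagged native VLAN the inner tag surfaces on the far side of the trunk, while tagging the native VLAN or moving it to an unused VLAN ID, as recommended above, keeps the frame in the sender's own VLAN. The frame bytes and MAC addresses are constructed sample data, and `trunk_egress` is a simplified model of switch behaviour rather than real switch code.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag


def parse_vlan_tags(frame: bytes) -> list:
    """Return the VLAN IDs of all stacked 802.1Q tags on a frame, outermost first."""
    vids, offset = [], 12     # tags follow the 6-byte destination and source MACs
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack("!HH", frame[offset:offset + 4])
        if tpid != TPID_8021Q:
            break
        vids.append(tci & 0x0FFF)   # TCI = 3-bit PCP, 1-bit DEI, 12-bit VLAN ID
        offset += 4
    return vids


def is_double_tagged(frame: bytes) -> bool:
    """Detection check: a frame from an end host should never carry two tags."""
    return len(parse_vlan_tags(frame)) > 1


def trunk_egress(frame: bytes, native_vid: int, tag_native: bool = False) -> bytes:
    """Simplified model of an 802.1Q trunk sending a frame: a frame whose outer tag
    is the native VLAN goes out untagged unless native-VLAN tagging is enabled."""
    vids = parse_vlan_tags(frame)
    if vids and vids[0] == native_vid and not tag_native:
        return frame[:12] + frame[16:]   # drop the 4-byte outer tag
    return frame


def vlan_seen_by_peer(frame: bytes, native_vid: int) -> int:
    """The switch at the far end classifies by the first tag present, else native."""
    vids = parse_vlan_tags(frame)
    return vids[0] if vids else native_vid


def sample_frame(vids, ethertype: int = 0x0800) -> bytes:
    """Constructed test frame (dummy MACs, zero payload) carrying the given tag stack."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid)    # PCP=0, DEI=0
    return hdr + struct.pack("!H", ethertype) + bytes(46)


if __name__ == "__main__":
    f = sample_frame([1, 20])   # outer tag = default native VLAN 1, inner tag = VLAN 20
    print("tags:", parse_vlan_tags(f), "double-tagged:", is_double_tagged(f))
    print("untagged native 1 ->", vlan_seen_by_peer(trunk_egress(f, 1), 1))
    print("tagged native 1   ->", vlan_seen_by_peer(trunk_egress(f, 1, True), 1))
    print("unused native 999 ->", vlan_seen_by_peer(trunk_egress(f, 999), 999))
```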
VLAN hopping makes full use of DTP: the hacker's computer poses as another switch and sends a forged DTP negotiation message announcing that it wants to be a trunk. The real switch receives this DTP message and concludes that it should enable 802.1Q trunking; once trunking is enabled, the traffic of all VLANs is sent to the hacker's computer. After the trunk is established, the hacker can go on to sniff the traffic, and can also choose which VLAN to send attack traffic to by adding an 802.1Q tag to the frame.

4. VTP attacks

The VLAN Trunking Protocol (VTP) is a management protocol that reduces the amount of configuration in a switched environment. In VTP, a switch can be a VTP server, a VTP client or VTP transparent; here we focus on VTP servers and VTP clients. Every time a user changes the configuration of a switch working in VTP server mode, whether adding, modifying or removing a VLAN, the VTP configuration revision number increases by 1, and VTP clients automatically synchronize with the VTP server once they see a configuration revision number higher than their own. A malicious hacker can use VTP to remove all VLANs on the network (except the default VLAN), so that they end up in the same VLAN as every other user. The users may still be on different network segments, so the hacker would need to change their IP address to get onto the same segment as the host they want to attack. A malicious hacker exploits VTP by connecting to the switch and establishing a trunk between their own computer and the switch. The hacker can then send VTP messages with a configuration revision number higher than the current VTP server's, which causes all switches to synchronize with the hacker's computer and remove all non-default VLANs from their VLAN databases.
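The DTP, native-VLAN and VTP weaknesses in sections 1 to 4 all come down to switch settings, so here is an added example (not from the article) in Python that audits an IOS-style configuration excerpt for them. Both configurations are constructed samples: WEAK shows the exposed settings, and HARDENED applies the fixes discussed above plus the standard VTP mitigations (transparent mode and a VTP password, which this page does not detail); when a port has no explicit `switchport mode`, the audit assumes the IOS default of `dynamic auto`.

```python
# Constructed sample configs (not from a real device): WEAK is exposed, HARDENED is fixed.
WEAK = """vtp mode server
interface GigabitEthernet0/1
 switchport mode dynamic auto
interface GigabitEthernet0/24
 switchport mode trunk
"""
HARDENED = """vtp mode transparent
vtp password EXAMPLE-PLACEHOLDER
vlan dot1q tag native
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
"""


def parse_config(text):
    # Split an IOS-style config into global lines and {interface name: [its lines]}.
    global_lines, interfaces, current = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return (scope, issue) pairs for the VLAN weaknesses described in the article."""
    g, ifs = parse_config(text)
    findings = []
    if "vtp mode server" in g and not any(l.startswith("vtp password") for l in g):
        findings.append(("global", "VTP server with no VTP password"))
    for name, lines in ifs.items():
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode")), "auto")  # assumed default
        if mode in ("auto", "desirable"):
            findings.append((name, "DTP enabled: dynamic port can be negotiated into a trunk"))
        elif "switchport nonegotiate" not in lines:
            findings.append((name, "DTP still active: add switchport nonegotiate"))
        if mode == "trunk":
            native = next((int(l.split()[-1]) for l in lines if l.startswith("switchport trunk native vlan")), 1)
            if native == 1 and "vlan dot1q tag native" not in g:
                findings.append((name, "trunk keeps default native VLAN 1 untagged"))
    return findings
```

Running `audit(WEAK)` reports four findings (one per weakness, two on the trunk port) and `audit(HARDENED)` reports none.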
With so many attacks, it is easy to see how fragile our VLANs are. Fortunately, however, these unexpected behaviours and security problems arise when a switch is configured incorrectly or improperly. So next we will tell you the key points to pay attention to when configuring a switch.

Contents of the full article: page 1, common VLAN attacks; page 2, security of trunk interfaces; page 3, security of the VTP protocol; page 4, a VLAN security configuration case.
