Popular VLAN attacks and how to avoid them


Chris Partsenidis
05.23.2005





What you will learn from this tip: How to secure a VLAN from popular attacks such as the VLAN hopping attack and Address Resolution Protocol attack.

Configuring three or more switches to support a VLAN and partition a network is a fairly simple and straightforward process; ensuring that the VLAN can withstand an attack is a different story. To secure a VLAN, you first need to know what to protect it from. Here are a few of the most popular attacks against VLANs, the ways you can fight them and, in some cases, how to minimize their effect.

VLAN hopping attacks

The basic VLAN hopping attack is based on the Dynamic Trunking Protocol and, in some cases, the trunking encapsulation protocol (802.1q or ISL). The Dynamic Trunking Protocol is used for negotiating trunking on a link between two switches or devices and the type of trunking encapsulation to be used.

Trunk negotiation can be enabled on a switch interface by entering the following command at the interface level (the dynamic keyword takes either auto or desirable):

Switch(config-if)#switchport mode dynamic {auto | desirable}

While this feature might ease the process of configuring switches, it hides a serious weakness for your VLAN. A station attached to such a port can pose as a switch by speaking DTP and 802.1q encapsulation, negotiate a trunk link with the switch and thereby gain access to every VLAN carried on that trunk.

Thankfully, this vulnerability has been fixed in Cisco's newer IOS releases. To avoid possible VLAN hopping attacks, do not use the dynamic modes at the interface level; configure each link explicitly as either a trunk or an access port.
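As an added example (not part of the original tip), the following script audits a saved running-config for ports that can still negotiate a trunk: ports in a dynamic mode, ports with no switchport mode at all, and fixed access or trunk ports that have not been given switchport nonegotiate and therefore still send DTP frames. The configuration excerpt, interface names and addresses are constructed for illustration.

```python
# Constructed running-config excerpt (not from any real device): one port left
# in DTP "dynamic desirable" mode, one trunk that still speaks DTP, one SVI,
# and one correctly hardened access port.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode dynamic desirable
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
"""

def parse_interfaces(config):
    """Return {interface name: [indented config lines]} from a running-config."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or a top-level command ends the stanza
    return stanzas

def audit_dtp(config):
    """Return (interface, reason) for every switchport that can still talk DTP."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("switchport") for l in lines):
            continue  # routed port or SVI: nothing to negotiate
        mode = next((l for l in lines if l.startswith("switchport mode ")), None)
        # Explicit dynamic mode, or no mode at all (many Catalyst models default
        # to dynamic auto/desirable), lets an attached station negotiate a trunk.
        if mode is None or "dynamic" in mode:
            findings.append((name, "DTP allowed: " + (mode or "switchport mode unset")))
        # A fixed access/trunk port still sends DTP frames unless told not to.
        elif "switchport nonegotiate" not in lines:
            findings.append((name, "sends DTP; add 'switchport nonegotiate'"))
    return findings
```

Run it against the output of show running-config from each access switch and treat every finding as a port to be set to a fixed mode with nonegotiate.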

Address Resolution Protocol attacks

The Address Resolution Protocol (ARP) attack is popular in the underground world. Freely available tools can bypass the switch's normal behaviour of forwarding a unicast frame only to the port of its destination, which is what otherwise prevents the rest of the stations from 'listening' to a conversation between two nodes.

With ARP attacks, the intruder first obtains IP addresses and other details about the network he plans to attack, and then uses that information to carry out the attack. He floods the network switches with ARP broadcasts, announcing that all IP addresses, or a range of them, belong to his station, thereby forcing the data packets and conversations for those addresses to pass through him while he sniffs the data.

You can avoid this problem by using the port-security feature available on most high-end Catalyst switches such as the 4000, 4500, 5000 and 6500 series.

Once the port-security feature is enabled on a port, you are able to specify the number of MAC addresses or the specific MAC address allowed to connect through the port.

The command required to enable this security feature on a CatOS switch (replace <mod/port> with the module and port number) is:

Switch> (enable) set port security <mod/port> enable

Static ARP entries should be used for critical routers and hosts such as servers.

Lastly, intrusion-detection systems can track and report multiple ARP broadcasts resulting from such attacks.
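To give that detection idea a concrete shape, here is an added example (not part of the original tip) that checks a stream of observed ARP messages for the two symptoms of the attack described above: one IP address claimed by more than one MAC, and one MAC claiming many addresses within a short window. The records, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed ARP message records (sender IP, sender MAC, seconds since start);
# not captured from any real network. ...:aa is the legitimate gateway, while
# ...:ff is a station answering for the gateway and for a range of hosts.
ARP_MESSAGES = [
    ("192.0.2.1",  "00:00:5e:00:53:aa", 0.0),
    ("192.0.2.20", "00:00:5e:00:53:14", 0.5),
    ("192.0.2.1",  "00:00:5e:00:53:ff", 1.0),  # second MAC claiming the gateway
    ("192.0.2.21", "00:00:5e:00:53:ff", 1.1),
    ("192.0.2.22", "00:00:5e:00:53:ff", 1.2),
    ("192.0.2.23", "00:00:5e:00:53:ff", 1.3),
    ("192.0.2.1",  "00:00:5e:00:53:aa", 2.0),
]

def detect_arp_anomalies(messages, max_ips_per_mac=3, window=5.0):
    """Return one alert per anomaly, in the order each was first observed.

    ip_conflict: an IP answered for by more than one MAC (cache poisoning).
    mac_claims_many_ips: one MAC answering for more than max_ips_per_mac
    addresses within `window` seconds (the flood that maps a range to one host).
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(dict)  # mac -> {ip: time first claimed}
    alerts, seen = [], set()
    for ip, mac, ts in messages:
        ip_to_macs[ip].add(mac)
        if len(ip_to_macs[ip]) > 1 and ("ip_conflict", ip) not in seen:
            seen.add(("ip_conflict", ip))
            alerts.append(("ip_conflict", ip, sorted(ip_to_macs[ip])))
        mac_to_ips[mac].setdefault(ip, ts)
        recent = sorted(i for i, t in mac_to_ips[mac].items() if ts - t <= window)
        if len(recent) > max_ips_per_mac and ("mac_claims_many_ips", mac) not in seen:
            seen.add(("mac_claims_many_ips", mac))
            alerts.append(("mac_claims_many_ips", mac, recent))
    return alerts
```

Tune max_ips_per_mac and window to the network: a router or a host running several virtual machines legitimately answers for more than one address, so the thresholds should sit above that baseline.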

VLAN Trunking Protocol attack

The VLAN Trunking Protocol (VTP) is a proprietary Cisco protocol designed to simplify administration by automatically propagating VLAN information to all switches in the network.

Its setup involves a VTP server, a switch placed in VTP server mode, that is in charge of propagating all VLAN information. All other switches are configured as VTP clients, which listen for announcements about any VLAN changes made on the VTP server.

The VTP attack involves a station sending VTP messages through the network, advertising that there are no VLANs on the network. Thus, all client VTP switches erase their valid VLAN information databases.

The same thing may happen if a switch that is configured as a VTP server and carries a higher VTP configuration revision than the existing server is plugged into the network. In that case, all switches overwrite their valid information with the database obtained from the 'new' VTP server.

Thankfully, there are ways to protect a VLAN from this situation. Either disable VTP altogether (not advised for a large network with more than five switches) or use MD5 authentication for all VTP messages, so that client switches discard any VTP message whose password does not match.

The commands used to set the VTP password for your VTP domain are:

Switch#vlan database
Switch(vlan)#vtp domain <domain name>
Switch(vlan)#vtp password <password>
Switch(vlan)#apply
Switch(vlan)#exit


MORE INFORMATION:

Chris Partsenidis is the founder and senior editor of www.Firewall.cx, a Web site dedicated to network security and protocol analysis. If you wish to read up more on VLAN technologies and their associated protocols, you can refer to www.Firewall.cx where the topic is extensively covered. Chris has a bachelor's degree in Electrical Technology and holds the following IT certifications: Cisco CCNA, Novell CNA (3,4,5), Linux LCP, D-Link Engineer, Microsoft MCP, CompTIA A+ & Network+. You can contact Chris via www.Firewall.cx.
