What you will learn from this tip: How to secure a VLAN from popular attacks such as the VLAN hopping attack and Address Resolution Protocol attack.
VLAN hopping attacks
The basic VLAN hopping attack is based on the Dynamic Trunking Protocol and, in some cases, the trunking encapsulation protocol (802.1q or ISL). The Dynamic Trunking Protocol is used for negotiating trunking on a link between two switches or devices and the type of trunking encapsulation to be used.
Trunk negotiation can be enabled on a switch interface by entering the following command at the interface level:
Switch(config-if)#switchport mode dynamic {auto | desirable}
While this feature might ease the process of configuring switches, it hides a serious weakness for your VLAN. A station can pose as a switch by speaking DTP with 802.1q encapsulation, thereby negotiating a trunk link with the switch and becoming a member of all VLANs.
Thankfully, this vulnerability has been fixed in Cisco's newer IOS releases. To avoid possible VLAN hopping attacks, do not use the dynamic modes at the interface level; configure each link explicitly as either a trunk or an access port.
Address Resolution Protocol attacks
The Address Resolution Protocol (ARP) attack is popular in the underground world. Available tools can bypass the switch's normal unicast forwarding behaviour, which delivers a frame only to the port where the destination MAC address was learned and so prevents the rest of the hosts from 'listening' to the conversation between two nodes.
With ARP attacks, the intruder first obtains IP addresses and other details about the network he plans to attack, and then uses that information to launch the attack. The intruder floods the network switches with ARP broadcasts, telling the network that all, or a range, of IP addresses belong to him, thereby forcing all data packets and conversations to pass through him while he sniffs the data.
You can avoid this problem by using the 'port-security' command, available on most high-end Catalyst switches such as the 4000, 4500, 5000 and 6500 series.
Once the port-security feature is enabled on a port, you are able to specify the number of MAC addresses or the specific MAC address allowed to connect through the port.
The command required to enable this security feature is:
Switch(config)#set port security <mod/port> enable
Static ARP entries should be used for critical routers or hosts such as servers.
Lastly, intrusion-detection systems can track and report the bursts of ARP broadcasts that such attacks produce.
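The two interface-level controls above (no dynamic trunk negotiation, port-security on access ports) are easy to audit across a saved running-config. The script below is an added example, not part of the original tip; it parses a constructed IOS-style config (the interface names and lines are made up for illustration) and flags interfaces that still negotiate trunking via DTP or lack port-security. It also flags trunk ports that lack `switchport nonegotiate`, since a port set to `switchport mode trunk` still sends DTP frames unless negotiation is disabled.

```python
# Constructed sample running-config for illustration; not from the article.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
!
interface GigabitEthernet1/0/23
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk encapsulation dot1q
!
"""

def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each 'interface' stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":            # stanza terminator in IOS config output
            current = None
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces

def audit(config):
    """Return a list of (interface, finding) pairs for the weaknesses the tip describes."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        # No explicit mode (Catalyst default is dynamic) or a dynamic mode: DTP can negotiate a trunk.
        if mode is None or mode == "dynamic":
            findings.append((name, "DTP negotiation possible: set 'switchport mode access' or 'trunk'"))
        # A static trunk still exchanges DTP frames until negotiation is switched off.
        elif mode == "trunk" and "switchport nonegotiate" not in lines:
            findings.append((name, "trunk still sends DTP: add 'switchport nonegotiate'"))
        # Access port with no MAC-address limit at all.
        elif mode == "access" and "switchport port-security" not in lines:
            findings.append((name, "access port without port-security: unlimited MACs per port"))
    return findings

if __name__ == "__main__":
    for iface, msg in audit(SAMPLE_CONFIG):
        print(f"{iface}: {msg}")
```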
VLAN Trunking Protocol attack
The VLAN Trunking Protocol (VTP) is a proprietary Cisco protocol designed to make life easy by automatically propagating VLAN information to all switches in the network.
Its setup involves a VTP server, which is simply a switch placed in charge of propagating all VLAN information. All other switches are configured as VTP clients, which listen for announcements of any VLAN changes made on the VTP server.
The VTP attack involves a station sending VTP messages through the network advertising that there are no VLANs on the network. As a result, all VTP client switches erase their valid VLAN databases.
The same thing can happen when a switch configured as a VTP server, and carrying a higher VTP configuration revision number than the existing VTP server, is plugged into the network. In this case, all switches overwrite their valid information with that obtained from the 'new' VTP server.
Thankfully, there are ways to protect a VLAN from this situation. Either disable VTP altogether (not advised for a large network with more than five switches) or use MD5 authentication for all VTP messages, so that client switches do not process any VTP message whose password does not match.
The commands used to set the VTP password for your VTP Domain are:
Chris Partsenidis is the founder and senior editor of www.Firewall.cx, a Web site dedicated to network security and protocol analysis. If you wish to read up more on VLAN technologies and their associated protocols, you can refer to www.Firewall.cx where the topic is extensively covered. Chris has a bachelor's degree in Electrical Technology and holds the following IT certifications: Cisco CCNA, Novell CNA (3,4,5), Linux LCP, D-Link Engineer, Microsoft MCP, CompTIA A+ & Network+. You can contact Chris via www.Firewall.cx.
This was first published in May 2005