CCIE Must Know: Overview of VLAN Attacks
VLAN stands for Virtual Local Area Network. A VLAN is a logical group of devices and users that is not restricted by physical location; members can be grouped by function, department, application and similar criteria, and they communicate as if they were on the same network segment, hence the name "virtual" LAN. Compared with traditional LAN technology, VLANs are more flexible and offer the following advantages: lower management overhead when network devices are moved, added or changed; control over broadcast activity; and improved network security.
VLAN attacks are attacks that target the VLAN technology itself. How can effective preventive measures be taken against these attack methods?
1. 802.1Q and ISL tagging attacks:
A tagging attack is a malicious attack that lets a user on one VLAN illegally access another VLAN. For example, if a switch port is configured as DTP (Dynamic Trunking Protocol) auto and receives forged DTP packets, it becomes a trunk port and may then receive traffic for any VLAN. As a result, a malicious user can communicate with other VLANs through the compromised port.
To counter this kind of attack, simply set DTP (Dynamic Trunking Protocol) to off on all untrusted ports.
2. Double-encapsulated 802.1Q / nested VLAN attack:
Inside a switch, VLAN numbers and identifiers are expressed in a special extended format so that the forwarding path stays independent of the end-to-end VLAN without losing any information. Outside the switch, the tagging rules are specified by standards such as ISL or 802.1Q. ISL is a Cisco-proprietary technology and is a compact form of the extended header used inside the device. Every packet always carries a tag, with no risk of losing the identifier, which improves security.
The IEEE 802.1Q committee decided that, for backward compatibility, it was best to support a native VLAN, that is, a VLAN that is not explicitly associated with any tag on an 802.1Q link. This VLAN is used implicitly to receive all untagged traffic on an 802.1Q port. The feature is desirable because it lets an 802.1Q port talk directly to a legacy 802.3 port by sending and receiving untagged traffic. In all other cases, however, it can be very harmful, because packets belonging to the native VLAN lose their tag when transmitted over an 802.1Q link.
For this reason, an unused VLAN should be chosen as the native VLAN of all trunks, and that VLAN must not be used for any other purpose. Protocols such as STP, DTP and UDLD should be the only legitimate users of the native VLAN, and their traffic should be completely isolated from all data packets.
3. VLAN hopping attack
VLAN hopping is a network attack in which an end system sends packets to, or receives packets from, a VLAN that the administrator has not allowed it to access. It is carried out either by tagging the attack traffic with a specific VLAN ID (VID) or by negotiating a trunk link in order to send and receive the desired VLAN traffic. Attackers can use switch spoofing or double tagging to implement VLAN hopping.
A VLAN hopping attack is a malicious device attempting to reach a VLAN other than the one it is configured for. There are two forms of VLAN hopping attack.
One form stems from the default configuration of Catalyst switch ports. The trunking protocol (DTP) in auto mode is enabled by default on Cisco Catalyst switch ports, so an interface becomes a trunk port after receiving a DTP frame.
The second form of VLAN hopping works even when trunking is disabled on the switch interface. In this attack the attacker sends a frame carrying two 802.1Q tags. It requires that the victim be connected to a switch other than the one the attacker is connected to. A further requirement is that the VLAN shared by the two switches be the same as the VLAN of the switch port the attacker is connected to, or the same as the native VLAN of the trunk port between that switch and the attacked VLAN.
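The native-VLAN condition above is something a defender can check for on captured trunk traffic. The following is an added example, not code from the original article: a small Python inspector that walks an Ethernet frame's 802.1Q tag stack and flags frames whose outer tag equals the trunk's native VLAN while a second tag sits beneath it (the shape of the double-encapsulation attack). The native VLAN value and the sample frames are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100   # EtherType that announces an 802.1Q tag
NATIVE_VLAN = 1       # assumed native VLAN of the inspected trunk (constructed)


def parse_vlan_tags(frame: bytes):
    """Walk the 802.1Q tag stack that follows the 12 bytes of MAC addresses.
    Returns (tags, ethertype, payload); tags is a list of (vid, pcp) tuples,
    outermost first. Raises ValueError on a truncated frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tags = []
    offset = 12
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype != TPID_8021Q:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append((tci & 0x0FFF, tci >> 13))  # VID: low 12 bits, PCP: top 3
        offset += 4
    return tags, ethertype, frame[offset + 2:]


def classify(frame: bytes, native_vlan: int = NATIVE_VLAN) -> str:
    """Flag a frame whose outer tag is the native VLAN and that carries a
    second tag underneath: the first hop strips the outer tag and forwards
    the inner one, which is what the double-encapsulation attack relies on."""
    tags, _, _ = parse_vlan_tags(frame)
    if len(tags) >= 2 and tags[0][0] == native_vlan:
        return "suspicious-double-tag"
    if len(tags) >= 2:
        return "nested-tags"   # stacked tags where no Q-in-Q is expected
    return "ok"


def build_frame(vids, payload: bytes = b"\x00" * 8) -> bytes:
    """Construct a sample Ethernet frame with the given stack of 802.1Q VIDs."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")   # constructed locally administered MAC
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", 0x0800) + payload
```

Running `classify(build_frame([NATIVE_VLAN, 20]))` returns `"suspicious-double-tag"`, while a single-tagged or untagged frame returns `"ok"`.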
To prevent VLAN hopping attacks in the network, all switch ports and their parameters should be configured deliberately when trunk ports are established:
1. Configure all unused ports as access ports so that these links cannot negotiate trunking.
2. Put all unused ports in the shutdown state and assign them to a single dedicated VLAN. This VLAN is used exclusively for unused ports and therefore carries no user data traffic.