The Precautions for the Use of VLAN - Assignment Example

Summary
The paper 'The Precautions for the Use of VLAN' presents the virtual LAN, which is a way to logically segment the ports on a switch so that each group of ports acts as an isolated, virtual broadcast domain or network. VLANs are widely used to isolate traffic on the network…
VLAN Network Security: A Review of the Literature

A VLAN, or virtual LAN, is a way to logically segment the ports on a switch so that each group of ports acts as an isolated, virtual broadcast domain or network. VLANs are widely used to isolate traffic and to keep hosts in one segment from reaching data in another, and by containing broadcast traffic they also support availability designs. However, many researchers agree that VLANs are vulnerable to attack if they are not configured properly, and they have drawn different conclusions in addressing the following questions:

1. What are the precautions for the use of VLAN 1?
2. Why is Layer 2 security important?
3. What are the possible attacks in a VLAN-based network, and how are they mitigated?

This review of the literature on VLAN network security focuses on these three questions.

What are the precautions for the use of VLAN 1?

All ports on a switch that supports VLANs are initially members of the default VLAN, which is VLAN 1. Although VLAN 1 simplifies installation of the switch considerably, it also makes the network vulnerable to unauthorized access, since every port that nobody has configured is already in the same broadcast domain as everything else left there (Liska, 2003). To improve security, Liska (2003) suggested that the default VLAN should be removed and each port on the switch added to the appropriate VLAN; empty ports should be configured with no VLAN (on switches where an access port must always belong to some VLAN, the equivalent is to shut the port down and assign it to an unused VLAN). If the switch does not allow the default VLAN to be removed, the active ports should at least all be moved to other VLANs. Liska (2003) further emphasized that the port connected to the upstream switch or router should be removed from the default VLAN: that port is a trunk tagged with all of the VLANs, so if an attacker can determine which VLAN is the default one on the trunk, it can provide a gateway to all of the traffic on the network.

Why is Layer 2 security important?
The OSI model is a layered model in which a communication protocol divides its functionality into a series of layers. Each layer provides services to the layer above it and requires services from the layer below it, but otherwise each layer is isolated from the others and performs its own subset of functions independently. Although this independence provides interoperability and interconnectivity, it also creates a security risk: if one layer is compromised, the other layers remain unaware of it (Wong & Yeung, 2009). The Data Link Layer (Layer 2) is especially critical because all the upper layers rely on it to carry their data across the physical link; if this layer is compromised, the entire communication session built on top of it is compromised. It is therefore extremely important to secure this layer and to take appropriate measures to mitigate attacks against it (Wong & Yeung, 2009).

Figure 1: OSI Model (Cisco Systems, Inc., 2006)

Rufi (2007) recommended the following precautions to mitigate the effects of attacks on Layer 2:

1. Rather than clear-text management protocols such as Telnet or SNMPv1, use SSH or an out-of-band management network to manage switches.
2. Restrict access to management ports and interfaces through IP permit lists (access lists).
3. SNMPv1 and SNMPv2c authenticate with a clear-text community string, so they provide at most adequate security for read-only access; read-write access should be enabled only with SNMPv3 in its authenticated and encrypted mode.
4. Even when SNMPv3 is the management protocol, entities on untrusted networks should not be able to reach the management interfaces or the management VLAN of the switches at all.
5. Enable logging and review the logs periodically; a sequential history of events is what allows a security incident to be understood in depth and the switch configuration to be strengthened afterwards.

What are the possible attacks in a VLAN-based network and their mitigation?
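The precautions in the two sections above (moving ports off VLAN 1, shutting unused ports, keeping the default VLAN off the uplink trunk, and Rufi's management-plane rules) can be turned into a mechanical review of a switch's running configuration. The following is an added example written for this review, not code from any of the cited works. It pattern-matches a constructed Cisco-IOS-style configuration; the command spellings and the defaults it assumes (a port with no `switchport access vlan` line is in VLAN 1, a trunk with no `native vlan` or `allowed vlan` line carries VLAN 1 untagged, a port with no `switchport mode` line is an access port) are assumptions of the example, and the set of unused ports is assumed to come from a separate port inventory.

```python
"""Audit a switch configuration for the VLAN 1 and management-plane
precautions discussed above.  Added example; the configuration below is
constructed, and the parsing assumes Cisco-IOS-style syntax (an assumption,
not something the cited works provide)."""

# Constructed sample running-config: two access ports left in VLAN 1 (one of
# them unpatched), one trunk still carrying VLAN 1 untagged, one good trunk,
# a read-write SNMPv2c community and Telnet still allowed on the vty lines.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/4
 switchport mode access
!
interface GigabitEthernet0/23
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20
!
snmp-server community public RO
snmp-server community private RW
snmp-server group NETOPS v3 priv
line vty 0 4
 transport input telnet ssh
!
"""


def parse_blocks(config):
    """Split IOS-style text into (header, [indented sub-lines]) blocks.
    Top-level one-liners such as snmp-server commands get an empty body."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            body.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def _value(body, prefix, default):
    """Last word of the first sub-line starting with `prefix`, else default."""
    return next((l.split()[-1] for l in body if l.startswith(prefix)), default)


def audit(config, unused_ports=()):
    """Return a list of (config object, finding) pairs.  `unused_ports` is
    assumed to come from an inventory of ports with nothing patched in."""
    findings = []
    for header, body in parse_blocks(config):
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            shut = "shutdown" in body
            mode = _value(body, "switchport mode ", "access")  # assumed default
            if mode == "access":
                vlan = int(_value(body, "switchport access vlan ", "1"))
                if vlan == 1 and not shut:
                    findings.append((name, "access port still in default VLAN 1"))
                if name in unused_ports and not shut:
                    findings.append((name, "unused port is not shut down"))
            elif mode == "trunk":
                native = int(_value(body, "switchport trunk native vlan ", "1"))
                allowed = _value(body, "switchport trunk allowed vlan ", "all")
                if native == 1:
                    findings.append((name, "trunk native (untagged) VLAN is 1"))
                # plain comma lists only; VLAN ranges such as 1-5 are not expanded
                if allowed == "all" or "1" in allowed.split(","):
                    findings.append((name, "trunk carries VLAN 1"))
        elif header.startswith("line vty"):
            transport = next((l for l in body if l.startswith("transport input ")),
                             "transport input all")
            if transport.split()[2:] not in (["ssh"], ["none"]):
                findings.append((header, "clear-text Telnet permitted: " + transport))
            if not any(l.startswith("access-class ") for l in body):
                findings.append((header, "no access-class (IP permit list) on vty"))
        elif header.startswith("snmp-server community "):
            parts = header.split()
            if len(parts) > 3 and parts[3].upper() == "RW":
                findings.append((header, "read-write SNMPv1/v2c community; use SNMPv3"))
    return findings


if __name__ == "__main__":
    for obj, finding in audit(SAMPLE_CONFIG, unused_ports={"GigabitEthernet0/4"}):
        print(f"{obj}: {finding}")
```

On the sample the audit reports eight findings: GigabitEthernet0/2 and 0/4 are still in VLAN 1, 0/4 is also unpatched but live, the core uplink carries VLAN 1 and uses it as the untagged native VLAN, the `private` community grants read-write access over SNMPv2c, and the vty lines accept Telnet with no access-class. The distribution uplink, with native VLAN 99 and an explicit allowed list, passes.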
VLAN-based networks are vulnerable to a variety of attacks, many of which can be launched by anyone with LAN access, from outside the switch itself. According to Boyles (2010), VLAN attacks are usually characterized as VLAN hopping, because the attacker gains access by 'hopping' from one VLAN to another within the switch. The three attacks below are the ones most often discussed in the literature reviewed.

1. MAC Flooding Attacks

Unlike hubs, switches read the destination MAC address of a frame and forward it only to the appropriate outgoing port, which makes it difficult for sniffer programs to intercept the communication between two hosts. To know which port a destination is on, a switch keeps a Content Addressable Memory (CAM) table that records the source MAC address seen on each port. The CAM table of every switch has a limited size, and once it is full the switch can no longer learn new addresses; frames to any destination it has not learned are flooded out of every port, just as a hub would send them (Wong & Yeung, 2009). In a MAC flooding attack, the attacker generates frames with large numbers of bogus source MAC addresses to fill the CAM table, so that the switch falls back to flooding and a sniffer on the attacker's port can intercept traffic easily, as illustrated in Figure 2, where host X is the attacker (Wong & Yeung, 2009). The attack takes little effort because tools such as macof, part of the dsniff suite, can generate thousands of MAC entries on a switch in a few seconds (Wong & Yeung, 2009).

Figure 2: MAC flooding attack (Wong & Yeung, 2009)

Mitigation: To mitigate MAC flooding, the administrator should use port security to limit the number of MAC addresses that may be learned on a switch port, or to specify exactly which MAC addresses may use a particular port. On a violation, the port should be shut down (placed in the error-disabled state), either until an administrator re-enables it or for a configured recovery period.
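The CAM-table overflow and the port-security response described above, as an added example that is not part of the original paper: a minimal learning switch with a deliberately tiny table is flooded from one port, after which two legitimate hosts exchange a frame and its reply. Port names, MAC addresses and the table size are constructed; the violation behaviour modelled (error-disabling the port and dropping the offending frame) follows the shutdown option the text describes.

```python
"""Simulate a switch CAM table under a MAC-flooding attack, with and without
port security.  Added example, not from the cited works; the switch model,
table size, port names and MAC addresses are all constructed."""


class Switch:
    """Minimal learning switch: forwards on the CAM table and floods unknown
    destinations.  port_security maps a port to the maximum number of source
    MACs it may learn; exceeding it error-disables the port."""

    def __init__(self, ports, cam_size, port_security=None):
        self.ports = list(ports)
        self.cam_size = cam_size            # constructed, tiny so the overflow is visible
        self.cam = {}                       # mac -> port
        self.port_security = dict(port_security or {})
        self.learned = {p: set() for p in ports}
        self.errdisabled = set()

    def _learn(self, src, port):
        limit = self.port_security.get(port)
        if (limit is not None and src not in self.learned[port]
                and len(self.learned[port]) >= limit):
            self.errdisabled.add(port)     # port-security violation: shut the port
            return
        if src not in self.cam and len(self.cam) >= self.cam_size:
            return                         # table full: nothing new can be learned
        self.cam[src] = port
        self.learned[port].add(src)

    def forward(self, src, dst, in_port):
        """Return the set of egress ports for one frame."""
        if in_port in self.errdisabled:
            return set()
        self._learn(src, in_port)
        if in_port in self.errdisabled:
            return set()                   # the frame that caused the violation is dropped
        if dst in self.cam and self.cam[dst] != in_port:
            return {self.cam[dst]}
        # unknown destination: flood out of every other live port, like a hub
        return set(self.ports) - {in_port} - self.errdisabled


def flooding_scenario(port_security=None):
    """Attacker on fa0/3 floods bogus source MACs (macof-style); afterwards the
    legitimate hosts A (fa0/1) and B (fa0/2) exchange a request and a reply.
    Returns the egress ports of B's reply and the set of error-disabled ports."""
    sw = Switch(["fa0/1", "fa0/2", "fa0/3"], cam_size=8, port_security=port_security)
    for i in range(20):
        sw.forward(f"02:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff", "fa0/3")
    sw.forward("aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "fa0/1")            # A -> B
    reply = sw.forward("bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01", "fa0/2")    # B -> A
    return reply, sw.errdisabled


if __name__ == "__main__":
    print("no port security:            ", flooding_scenario())
    print("port security max 2 on fa0/3:", flooding_scenario({"fa0/3": 2}))
```

Without port security the attacker's twenty bogus addresses fill the eight-entry table first, A and B can never be learned, and B's reply is flooded to both fa0/1 and the attacker's fa0/3. With a limit of two addresses on fa0/3 the third bogus frame error-disables that port, the legitimate hosts are learned normally, and the reply goes only to fa0/1.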
2. ARP Spoofing

On an Ethernet/IP network, a sending host can address a frame to a destination host only if it knows both the destination's IP address and its MAC address. To obtain the MAC address, the sender broadcasts an ARP (Address Resolution Protocol) Request to every machine on the segment, and only the machine that owns the requested IP address sends back an ARP Reply, unicast directly to the sender (Wong & Yeung, 2009). Operating systems cache resolved addresses for a short period to reduce the number of ARP requests: a sender checks its cache before issuing a request and, if the IP-MAC mapping is already there, uses the cached MAC address without asking again. The weakness is that whenever a host receives an ARP Reply it updates its cache with the new mapping, even when it never sent the corresponding request (Wong & Yeung, 2009). An attacker can therefore poison the ARP cache of other hosts with forged IP-MAC mappings simply by sending ARP Reply packets carrying false information, causing traffic to be redirected from the correct destination to one of the attacker's choosing. This process is called ARP spoofing (or ARP cache poisoning), and it enables further attacks such as denial of service, broadcasting (mapping an IP address to the broadcast MAC so that its traffic is seen by every host) and man-in-the-middle interception (Wong & Yeung, 2009).

As identified by Wong & Yeung (2009), the attack has some significant limitations. It only works within a single broadcast domain, so it cannot redirect traffic between hosts on different subnets. To sniff the traffic between two hosts, the attacker must poison both of them and forward the traffic in both directions on to its correct destination, otherwise the connection simply breaks. To do that, the attacker must already know the IP-MAC mappings of the hosts before poisoning their caches. Finally, ARP poisoning only updates an existing record in the cache; it does not create a new one.
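The poisoning sequence described above, together with the cache-update policies that the mitigation discussion which follows relies on (static entries, accepting unsolicited replies only after the existing entry has expired) and an ARPWatch-style change monitor, as an added example that is not part of the original paper. The IP and MAC addresses, the 60-second TTL, the timings and the observed reply list are all constructed; the rule that an unsolicited reply never creates a new entry follows the limitation Wong & Yeung describe.

```python
"""Model a host's ARP cache under the behaviours discussed here: the naive
rule (any reply for a cached IP overwrites the entry), static entries, and
the expire-only rule, plus an ARPWatch-style change monitor.  Added example,
not from the cited works; addresses, TTL and timings are constructed."""

GATEWAY = "10.0.0.1"
GW_MAC = "00:11:22:33:44:01"        # constructed legitimate gateway MAC
ATTACKER_MAC = "de:ad:be:ef:00:99"  # constructed attacker MAC


class ArpCache:
    """policy='naive': an ARP reply for a known IP always overwrites it.
    policy='expire_only': an unsolicited reply is applied only once the
    existing entry is older than ttl seconds.  Static entries never change."""

    def __init__(self, policy="naive", ttl=60):
        self.policy, self.ttl = policy, ttl
        self.entries = {}  # ip -> [mac, learned_at, is_static]

    def set_static(self, ip, mac):
        self.entries[ip] = [mac, 0, True]

    def on_reply(self, ip, mac, now, solicited=False):
        """Apply one ARP reply; return True if the cache changed."""
        cur = self.entries.get(ip)
        if cur is None and not solicited:
            return False       # poisoning only updates existing records (Wong & Yeung)
        if cur is not None:
            if cur[2]:
                return False   # static mapping is never overwritten
            if self.policy == "expire_only" and not solicited and now - cur[1] < self.ttl:
                return False   # entry still fresh: unsolicited reply ignored
        self.entries[ip] = [mac, now, False]
        return True

    def resolve(self, ip):
        return self.entries[ip][0] if ip in self.entries else None


def poisoning_scenario(policy):
    """Victim resolves the gateway at t=0; the attacker forges a reply at t=10
    and again at t=100, after the 60 s TTL.  Returns the MAC the victim would
    use for the gateway after each forged reply."""
    cache = ArpCache(policy=policy, ttl=60)
    cache.on_reply(GATEWAY, GW_MAC, now=0, solicited=True)   # answer to the victim's own request
    cache.on_reply(GATEWAY, ATTACKER_MAC, now=10)            # unsolicited forged reply
    after_first = cache.resolve(GATEWAY)
    cache.on_reply(GATEWAY, ATTACKER_MAC, now=100)           # forged reply after expiry
    return after_first, cache.resolve(GATEWAY)


def arpwatch(replies):
    """ARPWatch-style monitor over observed (time, ip, mac) replies; returns an
    alert line for every IP whose MAC changes."""
    seen, alerts = {}, []
    for t, ip, mac in replies:
        if ip in seen and seen[ip] != mac:
            alerts.append(f"t={t}: {ip} changed {seen[ip]} -> {mac}")
        seen[ip] = mac
    return alerts


# Constructed capture: gateway answers, another host answers, the attacker
# spoofs the gateway, then the real gateway answers again (a "flip flop").
OBSERVED_REPLIES = [
    (0, GATEWAY, GW_MAC),
    (5, "10.0.0.7", "00:11:22:33:44:07"),
    (10, GATEWAY, ATTACKER_MAC),
    (12, GATEWAY, GW_MAC),
]

if __name__ == "__main__":
    print("naive:      ", poisoning_scenario("naive"))
    print("expire_only:", poisoning_scenario("expire_only"))
    for line in arpwatch(OBSERVED_REPLIES):
        print(line)
```

Under the naive policy the first forged reply already redirects the gateway to the attacker. Under the expire-only policy the reply at t=10 is ignored, but the one at t=100 succeeds, which is exactly the window the text describes: the attacker now has to beat the legitimate host to the refresh rather than poison at will. The monitor raises two alerts on the constructed capture, one for the forged change and one when the real gateway reasserts itself.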
Figure 3: ARP spoofing (Wong & Yeung, 2009)

Mitigation: Wong & Yeung (2009) describe several ways to limit the effect of this attack.

Static entries: if the ARP cache holds only static, non-changing IP-MAC mappings for the hosts that matter (the default gateway, servers), the host ignores any spoofed reply for those addresses. This does not scale to large or DHCP-based networks, so in practice it is reserved for the few mappings that matter most.

Monitoring: tools such as ARPWatch record the IP-MAC mappings seen on the network and alert the administrator when a mapping changes unexpectedly. This detects poisoning rather than preventing it.

Expiry-only updates: the host accepts an ARP reply and updates an existing entry only after that entry has expired, that is, after its timeout period has lapsed. This makes spoofing harder because the attacker must deliver a forged reply faster than the legitimate host does at the moment the entry expires, rather than at any time of the attacker's choosing.

3. STP Attacks

The Spanning-Tree Protocol (STP) protects the Data Link Layer against broadcast storms by maintaining a loop-free path when redundant links are used for high availability. The election of a root bridge is central to how STP works: every switch advertises its bridge ID, made up of a configurable priority and its MAC address, in Bridge Protocol Data Units (BPDUs) that are exchanged among all participating switches, and the switch with the lowest bridge ID (the lowest priority, with the MAC address breaking ties) becomes the root. A network administrator can deliberately make a particular switch the root by lowering its priority by hand. Besides electing a root bridge, each non-root switch determines its root port, the port with the lowest path cost to the root bridge (Boyles, 2010). When STP starts, ports first pass through the listening state, in which they process BPDUs to determine the root bridge; once the root is elected, the learning state follows, in which the switch populates its MAC address table, and the ports are finally placed in either blocking or forwarding mode (Boyles, 2010).
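The root election just described, extended to the rogue-bridge scenario and the BPDU Guard and Root Guard responses that the rest of this section discusses, as an added example that is not part of the original paper. The bridge priorities, MAC addresses and port names are constructed; the guard behaviour modelled (any BPDU error-disables a BPDU Guard port, a superior BPDU puts a Root Guard port into the root-inconsistent state) is the behaviour the text attributes to the two features.

```python
"""Model the STP root election and the BPDU Guard / Root Guard responses to
a rogue bridge.  Added example, not from the cited works; bridge priorities,
MAC addresses and port names are constructed."""


def bridge_id(priority, mac):
    """STP compares bridge IDs as (priority, MAC); the lowest wins."""
    return (priority, mac)


def elect_root(bridges):
    """bridges: name -> (priority, mac).  Returns the name of the root bridge."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


class Port:
    def __init__(self, name, bpdu_guard=False, root_guard=False):
        self.name, self.bpdu_guard, self.root_guard = name, bpdu_guard, root_guard
        self.state = "forwarding"


def receive_bpdu(port, claimed_root_id, current_root_id):
    """Apply a received BPDU advertising claimed_root_id on `port`, given the
    root the switch currently knows.  Returns the port's resulting state."""
    if port.bpdu_guard:
        port.state = "err-disabled"        # any BPDU on a host-facing port shuts it
    elif port.root_guard and claimed_root_id < current_root_id:
        port.state = "root-inconsistent"   # superior BPDU blocked; topology unchanged
    return port.state


def rogue_scenario(root_guard=False):
    """Switch 3 is the intended root; the attacker's Switch 4 (priority 0)
    plugs into Switch 2 and Switch 3.  Returns (root before, root after,
    states of the two ports the rogue is attached to)."""
    bridges = {"Switch1": (32768, "00:00:00:00:00:01"),
               "Switch2": (32768, "00:00:00:00:00:02"),
               "Switch3": (4096, "00:00:00:00:00:03")}
    root_before = elect_root(bridges)
    rogue = (0, "00:00:00:00:00:04")
    edges = [Port("Switch2:Gi0/5", root_guard=root_guard),
             Port("Switch3:Gi0/5", root_guard=root_guard)]
    current = bridge_id(*bridges[root_before])
    states = [receive_bpdu(p, bridge_id(*rogue), current) for p in edges]
    if all(s == "forwarding" for s in states):
        bridges["Switch4"] = rogue      # rogue BPDUs accepted: it joins the election
    return root_before, elect_root(bridges), states


if __name__ == "__main__":
    print("unprotected:", rogue_scenario())
    print("root guard: ", rogue_scenario(root_guard=True))
    host_port = Port("Switch2:Gi0/7", bpdu_guard=True)
    print("host port receiving a BPDU:",
          receive_bpdu(host_port, (0, "00:00:00:00:00:04"), (4096, "00:00:00:00:00:03")))
```

Without the guards the rogue's priority-0 BPDUs are accepted and Switch 4 wins the election. With Root Guard on the two ports it is attached to, both move to root-inconsistent, the rogue never enters the election and Switch 3 stays root; a BPDU Guard port facing a host is error-disabled by the first BPDU it sees, whatever that BPDU claims.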
Figure 4 illustrates a typical switched network running STP, with three interconnected switches. Assume Switch 3 is the root bridge and that the host PC, connected to Switch 2, is sending traffic to the server; the preferred path, following the spanning tree, runs through Switch 1 (Boyles, 2010).

Figure 4: Typical switch network with STP (Boyles, 2010)

In an STP attack, an attacker introduces a rogue switch connected to two or more switches in the internetwork so that traffic flows through the rogue switch, where it can be captured and analyzed. Figure 5 illustrates the attack: the attacker has connected a rogue switch (Switch 4) to both Switch 2 and Switch 3, has set its bridge priority lower than that of Switch 3, and has exchanged BPDUs with the other bridges. Because the other switches accept the superior BPDUs, Switch 4 wins the root election and the preferred path to the root now passes through Switch 4 instead of Switch 3, so the attacker can intercept the traffic destined for the server (Boyles, 2010).

Figure 5: Rogue switch in the network (Boyles, 2010)

Mitigation: Wong & Yeung (2009) describe two STP enhancements, both created by Cisco, that administrators can enable on individual switch ports to defend against this attack. BPDU Guard is enabled on ports that face end hosts: if any BPDU arrives on such a port, the switch immediately places the port in the error-disabled state, so a device behind it can exchange normal data frames but can never influence the active STP topology. Root Guard is enabled on ports that should never become root ports: when a Root Guard port receives a superior BPDU (one that would make the sender the new root), the port is moved to the root-inconsistent state and stops passing traffic until the superior BPDUs cease, leaving the existing root bridge in place.

References

Boyles, T. (2010). CCNA Security Study Guide: Exam 640-553. Indiana: John Wiley and Sons.
Cisco Systems, Inc. (2006). Virtual LAN Security Best Practices. Retrieved June 13, 2010, from http://conft.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.htm
Liska, A. (2003). The Practice of Network Security: Deployment Strategies for Production Environments. New Jersey: Prentice Hall PTR.
Rufi, A. W. (2007). Network Security 1 and 2 Companion Guide. India: Dorling Kindersley.
Wong, A., & Yeung, A. (2009). Network Infrastructure Security. New York: Springer.