© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1
Minimizing Service Loss and Data Theft
Protecting Against VLAN Attacks
Explaining VLAN Hopping
An attacking system spoofs itself as a legitimate trunk negotiating device.
A trunk link is negotiated dynamically.
An attacking device gains access on all VLANs carried by the trunk.
VLAN Hopping with Double Tagging
Double tagging allows a frame to be forwarded to a destination VLAN other than the VLAN of the source.
Mitigating VLAN Hopping
Unused ports
– Shut down all unused ports.
– Configure all unused ports to access mode.
– Configure an access VLAN on all unused ports to an unused VLAN.
– Configure a native trunk VLAN on all unused ports to an unused VLAN.
Trunk ports
– Configure a trunk port with trunk mode on, and disable trunk negotiation.
– Configure a native trunk VLAN on trunk ports to an unused VLAN.
– Configure the allowed VLANs on the trunk ports, and do not allow a native VLAN.
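As an added example (not Cisco's or the presentation's code), the following audits an IOS-style running-config excerpt against the trunk-port items of the checklist above: DTP still negotiable, native VLAN in use, and native VLAN present in the allowed list. The sample config, interface names, and the USED_VLANS set are constructed for the example, and a port with no switchport mode line is assumed to sit in the default dynamic (DTP) mode.

```python
import re
# Constructed sample running-config (not from the page); names and VLAN numbers are hypothetical.
SAMPLE_CONFIG = """interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
interface GigabitEthernet0/2
 switchport mode dynamic desirable
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20
interface GigabitEthernet0/4
 shutdown
"""
USED_VLANS = {1, 10, 20, 30}  # VLANs carrying production traffic (assumption)

def parse_interfaces(config):
    """Map each 'interface X' stanza to its stripped, non-empty config lines."""
    stanzas = [s.splitlines() for s in re.split(r"(?m)^interface ", config)[1:]]
    return {s[0]: [l.strip() for l in s[1:] if l.strip()] for s in stanzas}

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,10-12,20' into {1, 10, 11, 12, 20}."""
    out = set()
    for lo, _, hi in (p.partition("-") for p in spec.split(",")):
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit_trunk_hardening(config, used_vlans=USED_VLANS):
    """Return {interface: [findings]} for live ports that violate the checklist."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue  # unused port already shut down: nothing left to negotiate
        issues = []
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), "dynamic")
        if mode == "dynamic" or (mode == "trunk" and "switchport nonegotiate" not in lines):
            issues.append("DTP still active: set mode access or trunk and add 'switchport nonegotiate'")
        if mode == "trunk":
            native = next((int(l.split()[-1]) for l in lines if "trunk native vlan" in l), 1)
            if native in used_vlans:
                issues.append(f"native VLAN {native} carries traffic: move it to an unused VLAN")
            allowed = next((l.split()[-1] for l in lines if "trunk allowed vlan" in l), "1-4094")
            if native in expand_vlans(allowed):
                issues.append(f"native VLAN {native} is in the allowed list: remove it")
        if issues:
            findings[name] = issues
    return findings
```

Feed it the output of `show running-config` to get a per-port list of the checklist items still open; a shut port is skipped, and a port without a switchport mode line is reported as negotiable.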
Types of ACLs
Configuring VACLs
– Create an access list.
– Configure an access map.
– Create a VLAN filter.
Example: Drop all traffic from network 10.1.9.0/24 on VLAN 10 and 20, and drop all traffic to backup server 0000.1111.4444.
switch(config)# access-list 100 permit ip 10.1.9.0 0.0.0.255 any
switch(config)# mac access-list extended BACKUP_SERVER
switch(config-ext-mac)# permit any host 0000.1111.4444
switch(config)# vlan access-map XYZ 10
switch(config-map)# match ip address 100
switch(config-map)# action drop
switch(config-map)# vlan access-map XYZ 20
switch(config-map)# match mac address BACKUP_SERVER
switch(config-map)# action drop
switch(config-map)# vlan access-map XYZ 30
switch(config-map)# action forward
switch(config)# vlan filter XYZ vlan-list 10,20
Summary
VLAN hopping can allow Layer 2 unauthorized access to another VLAN.
VLAN hopping can be mitigated by:
– Properly configuring 802.1Q trunks
– Turning off trunk negotiation
Access lists can be applied to VLANs to limit Layer 2 access.
VACLs can be configured on Cisco Catalyst switches.