SWITCH10S07L02.pptx


Protecting Against VLAN Attacks
Minimizing Service Loss and Data Theft
© 2009 Cisco Systems, Inc. All rights reserved.
SWITCH v1.0—7-1
Explaining VLAN Hopping
• An attacking system spoofs itself as a legitimate trunk-negotiating device.
• A trunk link is negotiated dynamically.
• The attacking device then gains access to all VLANs carried by the trunk.
VLAN Hopping with Double Tagging
Double tagging allows a frame to be forwarded to a destination VLAN other than the VLAN of the source.
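The slide does not show what a double-tagged frame looks like on the wire, which is what a defender needs when checking a capture for this technique. The following Python frame parser is an added example written for this transcript; it is not part of the Cisco course material. It walks the stack of 802.1Q tags after the Ethernet addresses and flags the pattern the slide describes: an outer tag carrying the trunk's native VLAN (which the first switch strips) with a second tag underneath naming a different VLAN. The addresses, the native VLAN number and the `build_frame` helper are constructed for the test and are not from the slides; treating 802.1ad (0x88A8) tags like 802.1Q tags is an assumption.

```python
import struct

TPID_8021Q = 0x8100    # 802.1Q customer tag
TPID_8021AD = 0x88A8   # 802.1ad service tag; treated like any other stacked tag here (assumption)
STACKED_TPIDS = (TPID_8021Q, TPID_8021AD)


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into addresses, the stack of VLAN tags and the payload EtherType.

    Tags are returned outermost first as (tpid, pcp, vid) tuples.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame: EtherType missing")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in STACKED_TPIDS:
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated frame: VLAN TCI missing")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((ethertype, tci >> 13, tci & 0x0FFF))  # PCP = top 3 bits, VID = low 12 bits
        offset += 4
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def double_tag_finding(frame: bytes, trunk_native_vlan: int):
    """Return None for an ordinary frame, or a string describing why it looks double-tagged.

    The telling case is an outer tag equal to the trunk's native VLAN (the first switch strips it
    and forwards the rest) with an inner tag that names a different VLAN.
    """
    tags = parse_frame(frame)["tags"]
    if len(tags) < 2:
        return None
    outer_vid, inner_vid = tags[0][2], tags[1][2]
    if outer_vid == trunk_native_vlan and inner_vid != outer_vid:
        return f"outer tag = native VLAN {outer_vid}, inner tag = VLAN {inner_vid}"
    return f"{len(tags)} stacked tags (VIDs {[t[2] for t in tags]})"


def build_frame(dst: bytes, src: bytes, vids, ethertype=0x0800,
                payload=b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed sample frame for offline testing: one 802.1Q tag per VID, outermost first."""
    header = dst + src
    for vid in vids:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


# Constructed sample addresses (not from the slides)
DST = bytes.fromhex("000011114444")
SRC = bytes.fromhex("0000aaaabbbb")
NATIVE_VLAN = 1  # default native VLAN on an 802.1Q trunk; the slide recommends changing it

if __name__ == "__main__":
    for label, vids in (("untagged", []), ("single tag", [20]), ("double tag", [1, 20])):
        frame = build_frame(DST, SRC, vids)
        print(f"{label:11} tags={[t[2] for t in parse_frame(frame)['tags']]} "
              f"finding={double_tag_finding(frame, NATIVE_VLAN)}")
```

Run it over frames pulled from a capture on the trunk side of an access switch; a frame that still carries two tags after the native-VLAN tag should have been stripped is the one worth investigating.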
Mitigating VLAN Hopping
Unused ports
• Shut down all unused ports.
• Configure all unused ports to access mode.
• Configure the access VLAN on all unused ports to an unused VLAN.
• Configure the native trunk VLAN on all unused ports to an unused VLAN.
Trunk ports
• Configure trunk ports with trunk mode on, and disable trunk negotiation.
• Configure the native trunk VLAN on trunk ports to an unused VLAN.
• Configure the allowed VLANs on the trunk ports, and do not include the native VLAN in the allowed list.
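The bullets above are easy to state and easy to miss on one port among hundreds. The following Python audit script is an added example for this transcript, not Cisco course material: it parses the interface stanzas of a saved running-config and reports each interface that violates one of the slide's rules. The embedded configuration is constructed for the test (one trunk left at defaults, one hardened as the slide prescribes, one unused port). Assumptions: a port with `shutdown` is treated as an unused port; an interface with no explicit `switchport mode` (or a `dynamic` mode) is treated as negotiating its trunk with DTP; VLAN 1 is the default native and access VLAN, so leaving it in place counts as a finding; `switchport trunk allowed vlan` is only parsed in the plain list/range form.

```python
# Constructed sample running-config fragment (not from the slides)
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description uplink, left at defaults
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/2
 description uplink, hardened per the slide
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 description unused
 switchport mode access
 switchport access vlan 999
 switchport trunk native vlan 999
 shutdown
!
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [stripped config lines]} from 'interface' stanzas ended by '!'."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def expand_vlan_list(spec: str) -> set:
    """Expand an IOS VLAN list such as '10,20-22' into a set of VLAN IDs (plain form only)."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def audit_interface(lines: list) -> list:
    """Judge one interface against the slide's unused-port and trunk-port rules; return findings."""
    def value(prefix, default=None):
        for line in lines:
            if line.startswith(prefix):
                return line[len(prefix):].strip()
        return default

    findings = []
    mode = value("switchport mode ")                              # None, 'access', 'trunk', 'dynamic ...'
    native = int(value("switchport trunk native vlan ", "1"))     # IOS default native VLAN is 1
    access = int(value("switchport access vlan ", "1"))           # IOS default access VLAN is 1
    allowed = value("switchport trunk allowed vlan ")

    if "shutdown" in lines:                                       # assumption: shut down == unused
        if mode != "access":
            findings.append("unused port not in access mode")
        if access == 1:
            findings.append("unused port left in default access VLAN 1")
        if native == 1:
            findings.append("unused port left with default native VLAN 1")
        return findings

    if mode is None or mode.startswith("dynamic"):
        findings.append("trunk negotiated dynamically (DTP) instead of a fixed mode")
        return findings

    if mode == "trunk":
        if "switchport nonegotiate" not in lines:
            findings.append("trunk negotiation (DTP) not disabled")
        if native == 1:
            findings.append("trunk uses default native VLAN 1")
        if allowed is None:
            findings.append("allowed VLAN list not restricted")
        elif native in expand_vlan_list(allowed):
            findings.append(f"native VLAN {native} is in the allowed list")
    return findings


def audit_config(config: str) -> dict:
    """Map every interface name to its list of findings (empty list = compliant)."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Feed it the output of `show running-config` saved to a file; interfaces with an empty findings list satisfy the slide's checklist, and the hardened stanza for GigabitEthernet1/0/2 doubles as a template for the trunk-port bullets.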
Types of ACLs
Configuring VACLs
• Create an access list.
• Configure an access map.
• Create a VLAN filter.
• Example: Drop all traffic from network 10.1.9.0/24 on VLANs 10 and 20, and drop all traffic to the backup server 0000.1111.4444.
! Step 1: access lists that select the traffic to drop
Switch(config)# access-list 100 permit ip 10.1.9.0 0.0.0.255 any
Switch(config)# mac access-list extended BACKUP_SERVER
Switch(config-ext-macl)# permit any host 0000.1111.4444
Switch(config-ext-macl)# exit
! Step 2: access map; sequences are evaluated in order, first match decides
Switch(config)# vlan access-map XYZ 10
Switch(config-access-map)# match ip address 100
Switch(config-access-map)# action drop
Switch(config-access-map)# vlan access-map XYZ 20
Switch(config-access-map)# match mac address BACKUP_SERVER
Switch(config-access-map)# action drop
! Sequence 30 has no match clause, so it matches everything else; without it the
! implicit drop at the end of the map would discard all remaining traffic
Switch(config-access-map)# vlan access-map XYZ 30
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
! Step 3: attach the map to the VLANs
Switch(config)# vlan filter XYZ vlan-list 10,20
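The part of a VACL that trips people up is the evaluation order: sequences are tried in numeric order, a packet that hits a permit entry of the referenced ACL takes that sequence's action, a sequence without a match clause matches everything, and a packet that matches no sequence is dropped. The following Python model is an added example written for this transcript, not Cisco course material. It encodes the slide's access-list, access-map and VLAN-filter configuration as data and runs constructed sample packets through it, including a run without sequence 30 to show why the final forward clause matters. The sample packet addresses are constructed; treating MAC ACL entries as applying to every frame is a simplification (some Catalyst platforms apply MAC ACLs only to non-IP traffic).

```python
import ipaddress

# Model of the slide's configuration. An ACL entry is (action, source, destination); None stands
# for the keyword "any". "10.1.9.0 0.0.0.255" is the wildcard form of 10.1.9.0/24, which the
# ipaddress module accepts as a host mask.
IP_ACLS = {
    "100": [("permit", ipaddress.ip_network("10.1.9.0/0.0.0.255"), None)],
}
MAC_ACLS = {
    "BACKUP_SERVER": [("permit", None, "0000.1111.4444")],
}
# vlan access-map XYZ: (sequence, match clause, action); a sequence without a match clause
# matches every packet
ACCESS_MAPS = {
    "XYZ": [
        (10, ("ip", "100"), "drop"),
        (20, ("mac", "BACKUP_SERVER"), "drop"),
        (30, None, "forward"),
    ],
}
# vlan filter XYZ vlan-list 10,20
VLAN_FILTERS = [("XYZ", {10, 20})]


def acl_matches(kind: str, name: str, pkt: dict) -> bool:
    """True when the packet hits a permit entry of the named ACL.

    Inside a VACL, 'permit' means 'this traffic is selected for the sequence's action'; a deny
    entry, or falling off the end of the ACL (implicit deny), means the sequence does not match.
    Assumption: MAC entries are checked against every frame.
    """
    for action, src, dst in (IP_ACLS if kind == "ip" else MAC_ACLS)[name]:
        if kind == "ip":
            hit = ((src is None or ipaddress.ip_address(pkt["src_ip"]) in src) and
                   (dst is None or ipaddress.ip_address(pkt["dst_ip"]) in dst))
        else:
            hit = ((src is None or pkt["src_mac"] == src) and
                   (dst is None or pkt["dst_mac"] == dst))
        if hit:
            return action == "permit"
    return False


def access_map_action(sequences: list, pkt: dict) -> str:
    """The first sequence whose match clause selects the packet decides; no match at all means drop."""
    for _seq, match, action in sorted(sequences, key=lambda s: s[0]):
        if match is None or acl_matches(match[0], match[1], pkt):
            return action
    return "drop"  # implicit drop at the end of an access map


def vacl_decision(pkt: dict) -> str:
    """Apply the VLAN filters to a packet dict with keys vlan, src_ip, dst_ip, src_mac, dst_mac."""
    for map_name, vlans in VLAN_FILTERS:
        if pkt["vlan"] in vlans:
            return access_map_action(ACCESS_MAPS[map_name], pkt)
    return "forward"  # no filter attached to this VLAN


def make_packet(vlan, src_ip, dst_mac, dst_ip="10.1.20.5", src_mac="0000.aaaa.bbbb") -> dict:
    """Constructed sample packet (addresses other than the backup server are made up)."""
    return {"vlan": vlan, "src_ip": src_ip, "dst_ip": dst_ip, "src_mac": src_mac, "dst_mac": dst_mac}


SAMPLES = {
    "from 10.1.9.0/24 on VLAN 10": make_packet(10, "10.1.9.7", "0000.2222.3333"),
    "to backup server on VLAN 20": make_packet(20, "10.1.5.3", "0000.1111.4444"),
    "other traffic on VLAN 10": make_packet(10, "10.1.5.3", "0000.2222.3333"),
    "other traffic on VLAN 30": make_packet(30, "10.1.9.7", "0000.1111.4444"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:30} -> {vacl_decision(pkt)}")
    without_seq30 = ACCESS_MAPS["XYZ"][:2]
    print("other traffic, map without sequence 30 ->",
          access_map_action(without_seq30, SAMPLES["other traffic on VLAN 10"]))
```

The last line of the output is the one to remember: without the catch-all forward sequence, the map drops everything that the first two sequences did not select, which is a service-loss outage rather than a security control.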
Summary
• VLAN hopping can allow unauthorized Layer 2 access to another VLAN.
• VLAN hopping can be mitigated by:
– Properly configuring 802.1Q trunks
– Turning off trunk negotiation
• Access lists can be applied to VLANs to limit Layer 2 access.
• VACLs can be configured on Cisco Catalyst switches.