In the last article, I described how trunks work. By default, trunk ports carry all VLANs and pass traffic for multiple VLANs over the same physical link between switches. VLANs simplify network administration and maintenance.
They also improve network performance, but they come with weaknesses that attackers can exploit, and it is essential to understand them. So in this lesson we will discuss VLAN attacks, the weaknesses behind them, and how to protect VLANs from VLAN attacks.
Switch Spoofing VLAN Attacks
Switch spoofing is a VLAN attack that takes advantage of an incorrectly configured trunk port. VLAN hopping allows traffic from one VLAN to be seen by another VLAN.
The attacker takes advantage of the default switchport mode, which is dynamic auto. The attacker configures a device to spoof itself as a switch. It tricks the switch into believing that another switch is trying to form a trunk, so the attacker gains access to all of the VLANs allowed on the trunk port. The figure below illustrates the switch spoofing/VLAN hopping attack.
How to Protect Against Switch Spoofing Attacks
We can prevent a switch spoofing attack by turning off trunking on all ports except those that specifically require trunking. It is also essential to disable DTP and enable trunking manually.
The following are the steps for protecting a switch from spoofing attacks. Configure all switches in the network as shown below. Configure all access ports as access ports and disable DTP everywhere.
Switch1(config)#interface range fastethernet 0/1 - 20
Switch1(config-if-range)#switchport mode access
Switch1(config-if-range)#switchport nonegotiate
Configure all trunk ports as trunk ports and disable DTP on them.
Switch1(config)#interface range gigabitethernet 0/20 - 23
Switch1(config-if-range)#switchport mode trunk
Switch1(config-if-range)#switchport nonegotiate
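Configuring the ports is only half the job; on a large estate you also want to find the ports that were missed. The following Python script is an added example, not code from the original article: it parses the interface stanzas of a `show running-config` text and flags any port that could still negotiate a trunk over DTP, i.e. one without an explicit `switchport mode access` or `switchport mode trunk`, or without `switchport nonegotiate`. The configuration text is constructed for the demonstration and mixes compliant and non-compliant ports.

```python
import re

# Constructed sample of the interface section of `show running-config`
# (not taken from the article); it mixes compliant and non-compliant ports.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport mode dynamic auto
!
interface FastEthernet0/3
 description left at factory default, no switchport mode line
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
!
"""


def parse_interfaces(config_text):
    """Return {interface_name: [stripped config lines]} for every 'interface' stanza."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("!"):
            current = None                      # '!' ends the stanza
        elif current is not None and line.strip():
            interfaces[current].append(line.strip())
    return interfaces


def audit_dtp(config_text):
    """Flag ports that can still form a trunk through DTP negotiation.

    A port is reported when it has no explicit access/trunk mode (the Cisco
    default, dynamic auto, is then in effect) or when it lacks
    'switchport nonegotiate'. Returns {interface: [findings]}.
    """
    findings = {}
    for name, lines in parse_interfaces(config_text).items():
        problems = []
        mode = None
        for line in lines:
            match = re.match(r"switchport mode (\S+)", line)
            if match:
                mode = match.group(1)
        if mode not in ("access", "trunk"):
            problems.append("mode is %s (DTP negotiation possible)"
                            % (mode or "default dynamic auto"))
        if "switchport nonegotiate" not in lines:
            problems.append("missing 'switchport nonegotiate'")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for interface, problems in audit_dtp(SAMPLE_CONFIG).items():
        print(interface)
        for problem in problems:
            print("  -", problem)
```

Run against the sample, the audit reports FastEthernet0/2 (explicit dynamic mode), FastEthernet0/3 (no mode line at all, so the default applies) and GigabitEthernet0/2 (trunk, but DTP still enabled); the two fully hardened ports produce no findings.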
Double-Tagging VLAN Attacks
Double-tagging VLAN attacks are also known as double-encapsulated VLAN hopping attacks. In this type of attack, the attacker takes advantage of the way the switch hardware operates.
A double-tagging attack is only possible when the attacker has physical connectivity to an interface that belongs to the native VLAN of the trunk port. A double-tagging attack is a unidirectional attack. Thwarting this type of attack is not as simple as stopping basic VLAN hopping attacks.
Many switches perform only one level of 802.1Q tagging and untagging. In this type of attack, the attacker modifies the original frame to include two VLAN tags: the outer tag is the attacker's own VLAN tag, and the inner, hidden tag is the victim's VLAN tag. The attacker's PC must belong to the native VLAN of the network.
An important feature of the double-tagging VLAN hopping attack is that it works even when trunk ports are not configured on the attacker's port, because a host typically transmits a frame on a segment that is not a trunk link. The figure below illustrates the double-tagging VLAN hopping attack.
The attacker sends a double-tagged 802.1Q frame to Switch1. The frame has two tags; the outer tag is the attacker's tag, which is the same as the native VLAN of the trunk port, in this example VLAN 1.
The switch receives this frame from the attacker as though it were on a trunk port or a port with a voice VLAN, because a switch should not receive a tagged Ethernet frame on an access port. The inner tag is the victim VLAN, in this example VLAN 10.
When Switch1 receives the frame, it reads the first 4-byte 802.1Q tag and determines that the frame is for VLAN 1, the native VLAN. The switch forwards the frame on all VLAN 1 ports after removing the outer VLAN 1 tag.
The trunk is also a member of the native VLAN, so the switch also sends the frame on the trunk port without re-tagging it. The VLAN 10 tag remains part of the packet, and Switch1 has not inspected it.
Switch0 examines the 802.1Q tag; at this point the tag is the inner VLAN 10 tag, so the frame appears to have been sent for VLAN 10, the target VLAN. Switch0 removes the VLAN 10 tag and forwards the frame to the victim port, or floods it, depending on the existing MAC address table entry.
The best practice for mitigating double-tagging VLAN attacks is to make the native VLAN of the trunk ports different from the VLAN of any user port. Also, use a fixed VLAN that is separate from all user VLANs in the switched network as the native VLAN for all 802.1Q trunks.
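The forwarding steps described above, and the reason the native-VLAN recommendation works, can be traced through in code. The following Python model is an added example (not code from the original article): it builds the 802.1Q tags byte for byte, applies one level of untagging on Switch1, sends the frame over the trunk untagged only when its VLAN is the trunk's native VLAN, and then lets Switch0 classify the frame by its outermost tag. The MAC addresses, payload and the simplified switch behaviour are assumptions for the simulation, not captured traffic.

```python
import struct

TPID_8021Q = 0x8100        # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, vlan_ids, payload):
    """Constructed Ethernet frame with zero or more 802.1Q tags, outermost first."""
    frame = dst_mac + src_mac
    for vid in vlan_ids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP/DEI bits left at 0
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame):
    """Return every 802.1Q VLAN ID present in the frame, outermost first."""
    tags = []
    offset = 12                                  # skip destination and source MAC
    while struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append(tci & 0x0FFF)
        offset += 4
    return tags


def pop_tag(frame):
    """Strip only the outermost tag: one level of untagging, as the text describes."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert a new outermost 802.1Q tag."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def switch1_trunk_egress(frame, access_vlan, trunk_native_vlan):
    """Model of Switch1: ingress on an access port in `access_vlan`, egress on an
    802.1Q trunk whose native VLAN is `trunk_native_vlan` (simplified model).

    A tag matching the port's own VLAN is removed (one level only, so an inner
    tag survives untouched). On the trunk the frame leaves untagged when its
    VLAN is the native VLAN and is explicitly tagged otherwise.
    """
    tags = parse_tags(frame)
    if tags and tags[0] == access_vlan:
        frame = pop_tag(frame)
    if access_vlan == trunk_native_vlan:
        return frame                             # native VLAN: sent untagged
    return push_tag(frame, access_vlan)          # any other VLAN: tagged


def switch0_classify(frame, trunk_native_vlan):
    """Model of Switch0 on the far end of the trunk: the outermost tag decides the
    VLAN, and an untagged frame belongs to the native VLAN."""
    tags = parse_tags(frame)
    return tags[0] if tags else trunk_native_vlan


def simulate(trunk_native_vlan):
    """VLAN in which Switch0 delivers the double-tagged frame from the article's
    scenario (attacker on a VLAN 1 access port, inner tag for VLAN 10)."""
    attacker_mac = bytes.fromhex("0200000000aa")   # constructed addresses
    victim_mac = bytes.fromhex("0200000000bb")
    frame = build_frame(victim_mac, attacker_mac, [1, 10], b"constructed payload")
    on_trunk = switch1_trunk_egress(frame, access_vlan=1, trunk_native_vlan=trunk_native_vlan)
    return switch0_classify(on_trunk, trunk_native_vlan)


if __name__ == "__main__":
    print("native VLAN 1   -> delivered in VLAN", simulate(1))      # 10: the hop succeeds
    print("native VLAN 999 -> delivered in VLAN", simulate(999))    # 1: stays in the attacker's VLAN
```

With the trunk's native VLAN left at 1, Switch1 strips the outer tag and forwards untagged, so Switch0 reads the surviving VLAN 10 tag and delivers into the victim's VLAN. With the native VLAN moved to an unused VLAN such as 999, Switch1 must tag the frame with VLAN 1 on the trunk; Switch0 then keeps it in VLAN 1 and the inner tag is just payload.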
Private VLAN (PVLAN) Edge
The concept of Private VLAN is applied in Layer 2 security. A private VLAN is a technique to group hosts and control traffic within a single broadcast domain. For example, some applications require no communication at Layer 2 between ports on the same switch, so that a host does not see the traffic generated by another neighbouring host. The ports configured in a PVLAN are also referred to as protected ports.
The PVLAN restricts direct Layer 2 communication between any two devices attached to the same switch. So attacks on PVLANs are very difficult; however, they only protect at Layer 2.
PVLANs are not intended or designed to protect against Layer 3 attacks. Forwarding behaviour between a protected port and a non-protected port is normal, as usual. The figure below shows a switch with PVLAN Edge configured on the first 20 ports. Consequently, PCs connected to these ports cannot communicate with one another.
Configuration of PVLAN
Protected ports need manual configuration. To configure the PVLAN Edge feature, follow the steps below.
Host ports configuration
Switch(config)#spanning-tree portfast default
Switch(config)#interface range fa0/1 - 22
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport protected
Resource and server ports configuration
Switch(config)#interface range fa0/22 - 24
Switch(config-if-range)#switchport mode access
Verifying the Configuration
We can verify the configuration using show running-config, and we can also use the show interface switchport command, which shows whether an interface is set as protected and therefore its PVLAN Edge status.
CAM Table Overflow/Media Access Control (MAC) Attack
The CAM table stores the mapping of each MAC address to a physical port along with the configured VLAN. In a CAM table overflow attack, the attacker targets the CAM table only. Attackers target the CAM table because of its fixed size.
The attacker connects to a physical port and generates a large number of MAC entries. When the CAM table fills and there is no space for additional MAC entries, the switch can no longer learn new addresses, and traffic with no CAM entry is sent out on all ports of the VLAN in question.
Host traffic that has a CAM entry is not affected. However, traffic on adjacent switches can also suffer from the problem. We can mitigate this type of attack by specifying the permitted MAC addresses and restricting the number of MAC addresses per port. When an invalid MAC address is found, the MAC address can either be blocked or the port shut down.
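The effect of a full CAM table, and of a per-port MAC limit, is easy to see in a small simulation. The following Python model is an added example, not code from the original article: a switch with a fixed-size MAC table, optional port security that err-disables a port once it has learned more than the allowed number of addresses (the "port shut down" option above), and unknown-unicast flooding. The port names, MAC addresses and table size are constructed for the demonstration, and all ports are assumed to be in one VLAN.

```python
from collections import OrderedDict

HOST = "02:00:00:00:aa:01"      # constructed addresses for the scenario
SERVER = "02:00:00:00:bb:01"


class Switch:
    """Minimal model of a switch CAM table ((vlan, mac) -> port) with an optional
    per-port limit on learned addresses, in the manner of port security."""

    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.max_macs = max_macs_per_port
        self.cam = OrderedDict()
        self.err_disabled = set()
        self.flood_count = 0

    def _learned_on(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def receive(self, in_port, vlan, src_mac, dst_mac):
        """Process one frame and return the list of egress ports."""
        if in_port in self.err_disabled:
            return []                                    # shut-down port drops everything
        key = (vlan, src_mac)
        if key not in self.cam:
            if self.max_macs is not None and self._learned_on(in_port) >= self.max_macs:
                self.err_disabled.add(in_port)           # violation: shut the port down
                return []
            if len(self.cam) < self.cam_capacity:
                self.cam[key] = in_port                  # learn the source address
            # otherwise the table is full: the address is not learned, but the
            # frame is still forwarded below
        dst_port = self.cam.get((vlan, dst_mac))
        if dst_port is None:
            self.flood_count += 1                        # unknown unicast / broadcast: flood the VLAN
            return [p for p in self.ports if p != in_port and p not in self.err_disabled]
        return [dst_port] if dst_port != in_port else []


def simulate(limit_per_port=None, attacker_macs=2000, capacity=1024):
    """Return (egress ports of a host->server frame, err-disabled ports) after an
    attacker on Fa0/1 has sent frames from `attacker_macs` distinct source MACs."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], capacity, limit_per_port)
    for i in range(attacker_macs):
        src = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
        sw.receive("Fa0/1", 1, src, "ff:ff:ff:ff:ff:ff")
    sw.receive("Fa0/3", 1, SERVER, HOST)        # server speaks; switch tries to learn it
    egress = sw.receive("Fa0/2", 1, HOST, SERVER)   # host sends to the server
    return egress, sorted(sw.err_disabled)


if __name__ == "__main__":
    print("no port security :", simulate())
    print("max 2 MACs/port  :", simulate(limit_per_port=2))
```

Without a limit the attacker fills all 1024 entries, the server's address can no longer be learned, and the host's unicast to the server floods out of every port, including the attacker's. With a limit of two addresses per port, Fa0/1 is err-disabled on the third address, the table stays usable and the host's frame reaches only Fa0/3.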
Address Resolution Protocol (ARP) attack
An ARP attack is also referred to as ARP spoofing. It is a type of cyber attack carried out over a local area network (LAN). The ARP protocol was designed for efficiency, not for security, so an ARP attack is all too easy. The attacker sends false ARP messages over a LAN. This results in the binding of the attacker's MAC address to the IP address of a legitimate server or host.
Once the MAC address of the attacker is linked to a genuine IP address, the attacker begins receiving data that is destined for that IP address. An ARP attack allows attackers to intercept, modify or stop data in transit. ARP spoofing VLAN attacks can only occur on local networks that use the Address Resolution Protocol.
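Because ARP itself has no authentication, the defence is to check replies against a source of truth before the switch forwards them, which is what Cisco's Dynamic ARP Inspection does with a DHCP-snooping binding table. The following Python function is an added example, not code from the original article or from any vendor: it validates constructed ARP reply records against a constructed binding table, drops replies from untrusted ports whose sender IP/MAC/port do not match, and passes replies from a trusted uplink unchecked.

```python
from dataclasses import dataclass


@dataclass
class ArpReply:
    """One ARP reply as seen by the switch (constructed record, not a capture)."""
    in_port: str
    sender_ip: str
    sender_mac: str


# Constructed binding table (IP -> (MAC, port)), the kind DHCP snooping builds.
BINDINGS = {
    "192.0.2.1":  ("02:00:00:00:00:01", "Fa0/1"),    # default gateway
    "192.0.2.10": ("02:00:00:00:00:10", "Fa0/10"),
    "192.0.2.20": ("02:00:00:00:00:20", "Fa0/20"),
}

TRUSTED_PORTS = {"Gi0/1"}    # uplink towards the real gateway/DHCP server; not validated

# Constructed replies for the demonstration.
SAMPLE_REPLIES = [
    ArpReply("Fa0/1", "192.0.2.1", "02:00:00:00:00:01"),     # genuine gateway reply
    ArpReply("Fa0/20", "192.0.2.1", "02:00:00:00:00:20"),    # host on Fa0/20 claims the gateway IP
    ArpReply("Fa0/10", "192.0.2.10", "02:00:00:00:00:10"),   # genuine host reply
    ArpReply("Gi0/1", "192.0.2.99", "02:00:00:00:00:99"),    # from the trusted uplink
    ArpReply("Fa0/10", "192.0.2.50", "02:00:00:00:00:10"),   # IP with no binding at all
]


def inspect(replies, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Validate ARP replies against the binding table.

    Returns (accepted, dropped); `dropped` is a list of (reply, reason).
    """
    accepted, dropped = [], []
    for reply in replies:
        if reply.in_port in trusted:
            accepted.append(reply)
            continue
        binding = bindings.get(reply.sender_ip)
        if binding is None:
            dropped.append((reply, "no binding for sender IP"))
            continue
        bound_mac, bound_port = binding
        if bound_mac != reply.sender_mac.lower():
            dropped.append((reply, "sender MAC %s does not own %s (expected %s)"
                            % (reply.sender_mac, reply.sender_ip, bound_mac)))
        elif bound_port != reply.in_port:
            dropped.append((reply, "binding is on %s but reply arrived on %s"
                            % (bound_port, reply.in_port)))
        else:
            accepted.append(reply)
    return accepted, dropped


if __name__ == "__main__":
    ok, bad = inspect(SAMPLE_REPLIES)
    print("accepted:", len(ok))
    for reply, reason in bad:
        print("dropped %s from %s: %s" % (reply.sender_ip, reply.in_port, reason))
```

On the sample, the forged claim to the gateway address from Fa0/20 and the reply for an IP with no binding are dropped, while the three legitimate replies (including the unchecked one from the trusted uplink) pass.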
VLAN Management Policy Server (VMPS)/VLAN Query Protocol (VQP) Attack
This type of attack uses VMPS. The VMPS is a network switch that holds a mapping of device information to VLANs. The VMPS assigns VLANs for network management based on the MAC address of the host and stores these relationships in a database.
This database is usually part of the VMPS and is queried by the VLAN Query Protocol (VQP). VQP is an unauthenticated protocol that uses UDP (User Datagram Protocol), which makes manipulation very easy for an attacker.
Consequently, by using VQP, an attacker can easily compromise hosts because there is no authentication, and can easily join a VLAN that he or she is not authorized to access. To reduce the chance of this attack it is necessary to monitor the network for misbehaviour, send VQP queries out-of-band, or disable the protocol.
Cisco Discovery Protocol (CDP) Attack
Most Cisco routers and switches have CDP enabled in the default configuration, out of the box. CDP is a Cisco proprietary protocol that allows Cisco devices to exchange information and configure the network to work smoothly together. CDP information is sent in periodic broadcasts that update each device's CDP database locally.
CDP is a Layer 2 protocol; therefore routers do not propagate it. All CDP information is sent over the network in cleartext, so any attacker can intercept it and learn the network information. To reduce the likelihood of an attack, disable CDP where possible.
An attacker can easily sniff the information sent by CDP using Wireshark or other network analyzer software. However, CDP is useful and, if it can be isolated by not allowing it on user ports, it can help the network run more smoothly.