Security Issues faced by a VLAN

Source: Internet. Editor: 程序博客网. Time: 2024/06/03 20:42

Introduction

A Virtual LAN, or VLAN, is a group of hosts that communicate with each other as if they were on one LAN, even though they are in different physical locations. Location independence for users, bandwidth savings, easier device management and lower cost for the organization are some of the facilities a VLAN provides.

VLANs operate at Layer 2, the Data Link layer, of the OSI model. The OSI layers are independent of each other but communicate with one another, so if any one layer is compromised, the other layers fail as well. The VLAN sits on the Data Link layer, which is as vulnerable to attack as any other layer of the OSI model.

Security Issues faced by a VLAN

VLANs are best suited to traffic management, and definitely not to security. Some of the security issues faced by VLANs are given below.

ARP Attack

ARP, the Address Resolution Protocol, was designed for a friendly environment. It works by associating a Layer 3 IP address with a Layer 2 MAC address.

ARP is sorely lacking when it comes to security: a malicious user can use a forged Layer 3 IP address and Layer 2 MAC address, and ARP has no way to verify those forged details. The malicious user identifies himself as a legitimate user and starts to use the resources available on the network. It is even possible to transmit ARP packets to a device in a different VLAN using those forged details.

It also allows the malicious user to perform a Man-in-the-Middle (MiM) attack. A MiM attack is performed when a network device identifies itself as another network device, such as the default gateway; there is no way to verify those credentials.

The attacker then sends ARP packets to the targeted victim, and the receiver cannot verify them. The receiver's ARP table is filled with the forged details from the attacker's ARP packets. The attacker is then able to gather all the information about the receiver and can even impersonate the receiver to the other devices on the network. At the end of the attack, the attacker corrects the ARP tables and the network returns to normal.

Tools which can be used for ARP spoofing are Arpspoof, Arpoison, Cain and Abel, Ettercap, and Trapper, which was inspired by the famous tool Cain.

An effective countermeasure to ARP attacks is Dynamic ARP Inspection (DAI). DAI is a security feature which validates all the ARP packets in a network and discards ARP packets with an invalid IP-to-MAC address binding.

To enable DAI on a VLAN (DHCP environment, on Cisco):

Enter global configuration mode:

Router# configure terminal

Enable DAI on the VLAN with ip arp inspection vlan {vlan_ID | vlan_range} from global configuration mode:

Router(config)# ip arp inspection vlan {vlan_ID | vlan_range}

Finally, verify the configuration:

Router(config)# do show ip arp inspection vlan {vlan_ID | vlan_range} | begin Vlan
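The check DAI performs is easy to lose behind the CLI, so here is the same logic written out in Python. This is an added example, not code from the original article or from Cisco: it models a switch with DAI enabled on VLAN 10 in a DHCP environment, checking every ARP packet that arrives on an untrusted port against the DHCP snooping binding table (IP, MAC, VLAN, port) and dropping it when the sender's IP/MAC pair was never leased. The binding table, port names, addresses and the sample packets are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping binding table (constructed model)."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpPacket:
    in_port: str
    vlan: int
    sender_mac: str   # sender hardware address inside the ARP payload
    sender_ip: str    # sender protocol address inside the ARP payload
    target_ip: str


# Constructed binding table, as the switch would have learned it from DHCP
# ACKs seen on untrusted ports (hypothetical addresses and port names).
BINDINGS = frozenset({
    Binding("10.0.10.11", "00:11:22:33:44:01", 10, "Gi1/0/1"),
    Binding("10.0.10.12", "00:11:22:33:44:02", 10, "Gi1/0/2"),
})
TRUSTED_PORTS = frozenset({"Gi1/0/24"})   # uplink towards the gateway: not inspected
DAI_VLANS = frozenset({10})               # VLANs with 'ip arp inspection vlan' enabled


def inspect(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS, dai_vlans=DAI_VLANS):
    """Return 'forward' or 'drop:<reason>' for one ARP packet."""
    if pkt.vlan not in dai_vlans or pkt.in_port in trusted:
        return "forward"                  # DAI off for this VLAN, or trusted port
    for b in bindings:
        if (b.vlan, b.ip, b.mac, b.port) == (pkt.vlan, pkt.sender_ip,
                                             pkt.sender_mac, pkt.in_port):
            return "forward"              # sender really was leased this IP here
    return "drop:no-matching-binding"     # forged sender IP and/or MAC


def inspect_all(packets, **kw):
    return [inspect(p, **kw) for p in packets]


# Constructed traffic: a legitimate announcement, a host on Gi1/0/2 claiming the
# gateway's IP (the MiM scenario above), the same host claiming its neighbour's
# IP, the real gateway on the trusted uplink, and a packet in a VLAN without DAI.
SAMPLE = [
    ArpPacket("Gi1/0/1", 10, "00:11:22:33:44:01", "10.0.10.11", "10.0.10.1"),
    ArpPacket("Gi1/0/2", 10, "00:11:22:33:44:02", "10.0.10.1", "10.0.10.11"),
    ArpPacket("Gi1/0/2", 10, "00:11:22:33:44:02", "10.0.10.11", "10.0.10.1"),
    ArpPacket("Gi1/0/24", 10, "00:aa:bb:cc:dd:ee", "10.0.10.1", "10.0.10.11"),
    ArpPacket("Gi1/0/5", 20, "00:11:22:33:44:05", "10.0.20.5", "10.0.20.1"),
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, inspect_all(SAMPLE)):
        print(f"{p.in_port:8} vlan{p.vlan} {p.sender_ip:12} {p.sender_mac} -> {verdict}")
```

The model makes the operational caveat visible: DAI only knows what DHCP snooping has recorded, so hosts with static addresses need an explicit ARP ACL on the real switch, and the uplink must be marked trusted or the gateway's own replies are dropped.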

MAC Flooding Attack

MAC flooding is one of the common attacks on a VLAN. In a MAC flooding attack, the switch is flooded with frames carrying many different source MAC addresses, which consumes the switch's MAC address table memory. During the attack the switch starts to behave like a hub and sends data out all of its ports, so a malicious user can use a packet sniffer to extract sensitive data.

For example, take three workstations WA, WB and WC. When WA sends data to WB, WC does not see it, because the switch forwards it only to WB's port. Now suppose the malicious user is WC and starts a MAC flooding attack on the switch with many different MAC addresses until the switch's memory is full. The switch now behaves like a hub, so the next time WA sends data to WB, WC can easily view it.

The best way to secure a VLAN against MAC flooding is with static secure MAC addresses. These are configured manually on the interface with the command switchport port-security mac-address mac-address. The other way to mitigate MAC flooding is to limit the number of MAC addresses a port may learn.
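To show why limiting learned addresses per port defeats the WA/WB/WC scenario, here is a small simulation in Python. It is an added example, not code from the article or from any vendor: `Switch` models a MAC address (CAM) table of limited size that floods unknown destinations once it is full, and, when `max_macs_per_port` is set, applies a port-security style limit that err-disables the offending port. Port names, capacities and addresses are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """A switch with a bounded MAC address (CAM) table and an optional
    port-security limit. Names and sizes are constructed for illustration."""

    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = tuple(ports)
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port   # None = port-security off
        self.cam = {}                                # learned MAC -> port
        self.err_disabled = set()
        self.violations = 0

    def _learned_on(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def receive(self, in_port, src_mac, dst_mac):
        """Forward one frame; return the set of egress ports (empty = dropped)."""
        if in_port in self.err_disabled:
            return set()
        if src_mac not in self.cam:
            if (self.max_macs_per_port is not None
                    and self._learned_on(in_port) >= self.max_macs_per_port):
                # port-security violation in 'shutdown' mode: the port is err-disabled
                self.err_disabled.add(in_port)
                self.violations += 1
                return set()
            if len(self.cam) < self.cam_capacity:
                self.cam[src_mac] = in_port
            # else: table is full and the address is simply not learned
        if dst_mac != BROADCAST and dst_mac in self.cam and self.cam[dst_mac] != in_port:
            return {self.cam[dst_mac]}
        # unknown destination (or broadcast): flood, which is the hub-like behaviour
        return set(self.ports) - {in_port} - self.err_disabled


WA, WB, WC = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"


def scenario(port_security):
    """WC on Fa0/3 fills the table with bogus source MACs, then WA sends a unicast
    frame to WB. Returns whether WC's port receives that frame plus table state."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_capacity=8,
                max_macs_per_port=1 if port_security else None)
    for i in range(100):   # constructed flood of bogus source addresses from WC
        sw.receive("Fa0/3", f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}", BROADCAST)
    sw.receive("Fa0/2", WB, BROADCAST)        # WB announces itself
    egress = sw.receive("Fa0/1", WA, WB)      # WA -> WB unicast
    return {
        "wc_sees_frame": "Fa0/3" in egress,
        "cam_entries": len(sw.cam),
        "err_disabled": sorted(sw.err_disabled),
        "violations": sw.violations,
    }


if __name__ == "__main__":
    print("no port-security:", scenario(False))
    print("port-security:   ", scenario(True))
```

Without the limit the table fills before WB is ever learned, so WA's unicast to WB is flooded out Fa0/3 as well; with a limit of one address per access port the second bogus address on Fa0/3 is a violation and the table never fills.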

DHCP Attack

DHCP, the Dynamic Host Configuration Protocol, enables a server to automatically assign a host an IP address along with other information such as the subnet mask and default gateway. There are two types of DHCP attack on a VLAN: the DHCP starvation attack and the DHCP rogue attack.

In a DHCP starvation attack, a malicious user sends numerous DHCP requests with spoofed MAC addresses. This causes a denial of service at the DHCP server, preventing legitimate users from using the network. It can be avoided by limiting the number of MAC addresses.

In a DHCP rogue attack, a malicious user acts as a DHCP server and hands a legitimate user a wrong gateway, wrong DNS server and wrong IP address. The user will experience problems ranging from connection problems to communication problems with other hosts. This can be avoided by using a multilayer switch with the capability to drop such packets.
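The "multilayer switch that drops the packets" is doing two distinct things for the two attacks, which the following Python model spells out. It is an added example, not from the article: server-side DHCP messages (OFFER, ACK, NAK) are accepted only from ports marked trusted, so a rogue server on an access port is silenced; client messages from untrusted ports are rate-limited and the port is err-disabled when a starvation burst exceeds the limit; and leases that complete populate the binding table that DAI consumes. Port names, addresses, the rate limit and the traffic are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str


SERVER_MSGS = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    """Constructed model of DHCP snooping on one switch."""

    def __init__(self, trusted_ports, rate_limit_pps):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit_pps   # client messages per second per untrusted port
        self.counts = defaultdict(int)     # (port, whole second) -> messages seen
        self.pending = {}                  # client MAC -> port its last request came from
        self.bindings = {}                 # client MAC -> Binding, learned from ACKs
        self.err_disabled = set()
        self.log = []

    def process(self, port, ts, msg_type, client_mac, vlan=10, yiaddr=None):
        """Return 'forward' or 'drop:<reason>' for one DHCP message."""
        verdict = self._decide(port, ts, msg_type, client_mac, vlan, yiaddr)
        self.log.append((port, msg_type, verdict))
        return verdict

    def _decide(self, port, ts, msg_type, client_mac, vlan, yiaddr):
        if port in self.err_disabled:
            return "drop:err-disabled"
        if msg_type in SERVER_MSGS:
            if port not in self.trusted:
                return "drop:server-message-on-untrusted-port"   # rogue DHCP server
            if msg_type == "ACK" and yiaddr and client_mac in self.pending:
                self.bindings[client_mac] = Binding(
                    yiaddr, client_mac, vlan, self.pending.pop(client_mac))
            return "forward"
        if port not in self.trusted:
            key = (port, int(ts))
            self.counts[key] += 1
            if self.counts[key] > self.rate_limit:
                self.err_disabled.add(port)       # starvation burst: shut the port
                return "drop:rate-limit-exceeded"
            self.pending[client_mac] = port
        return "forward"


def scenario():
    """Constructed traffic: one legitimate lease, one rogue OFFER, one starvation burst."""
    snoop = DhcpSnooping(trusted_ports={"Gi1/0/24"}, rate_limit_pps=15)
    client = "00:11:22:33:44:01"
    snoop.process("Gi1/0/1", 0.0, "DISCOVER", client)
    rogue = snoop.process("Gi1/0/2", 0.1, "OFFER", client, yiaddr="192.168.99.50")
    snoop.process("Gi1/0/24", 0.2, "OFFER", client, yiaddr="10.0.10.11")
    snoop.process("Gi1/0/1", 0.3, "REQUEST", client)
    snoop.process("Gi1/0/24", 0.4, "ACK", client, yiaddr="10.0.10.11")
    # 50 DISCOVERs with distinct spoofed MACs from Gi1/0/2 within one second
    burst = [snoop.process("Gi1/0/2", 5.0 + i / 100, "DISCOVER",
                           f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(50)]
    return {
        "rogue_offer": rogue,
        "binding": snoop.bindings.get(client),
        "burst_forwarded": burst.count("forward"),
        "err_disabled": sorted(snoop.err_disabled),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:16} {v}")
```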


One of the tools which can be used for these kinds of attack is Yersinia, a network tool designed to take advantage of weaknesses in different network protocols. It can also be used for Spanning-Tree Protocol attacks.

Spanning-Tree Protocol Attack

A Spanning-Tree Protocol attack is when a malicious user sends an STP message with a priority value of zero, making himself the new root bridge and thereby compromising the entire network. It can be avoided by disabling the spanning-tree function on all user interfaces. On Cisco equipment this can also be done by enabling Root Guard, or BPDU Guard on user ports, to reject the priority-zero claim so that the malicious user cannot become the root bridge.

To enable Root Guard on CatOS:

vega> (enable) set spantree guard root 1/1
Rootguard on port 1/1 is enabled.
Warning!! Enabling rootguard may result in a topology change.
vega> (enable)

To enable BPDU Guard on CatOS:

Console> (enable) set spantree portfast bpdu-guard enable
Spantree portfast bpdu-guard enabled on this switch.
Console> (enable)
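Root Guard and BPDU Guard react differently to the same priority-zero BPDU, and the following Python model shows the difference side by side. This is an added example, not code from the article or from Cisco: `Bridge` holds its current root identifier and, for a BPDU received on a port, either accepts the superior root (unprotected port), puts the port into root-inconsistent state while keeping the old root (Root Guard), or err-disables the port because no BPDU is ever legitimate there (BPDU Guard on an access port). Bridge identifiers, port names and the attacker's claim are constructed; recovery once the rogue BPDUs stop is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    """STP bridge identifier: the lower (priority, MAC) pair wins the root election."""
    priority: int
    mac: str


@dataclass
class Port:
    name: str
    root_guard: bool = False   # 'set spantree guard root' (CatOS) / 'spanning-tree guard root'
    bpdu_guard: bool = False   # 'set spantree portfast bpdu-guard enable' on access ports
    state: str = "forwarding"


class Bridge:
    """Constructed model of one switch's view of the spanning tree."""

    def __init__(self, my_id, current_root, ports):
        self.my_id = my_id
        self.root_id = current_root
        self.ports = {p.name: p for p in ports}

    def receive_bpdu(self, port_name, claimed_root):
        """Process a BPDU whose Root Identifier field is `claimed_root`."""
        port = self.ports[port_name]
        if port.state in ("err-disabled", "root-inconsistent"):
            return port.state                  # already blocked, nothing changes
        if port.bpdu_guard:
            port.state = "err-disabled"        # a PortFast/access port never sees BPDUs legitimately
            return "err-disabled"
        if claimed_root < self.root_id:        # superior BPDU: someone claims to be a better root
            if port.root_guard:
                port.state = "root-inconsistent"   # block the port, keep the designated root
                return "root-inconsistent"
            self.root_id = claimed_root        # unprotected: the claim is accepted
            return "new-root"
        return "ok"


LEGIT_ROOT = BridgeId(4096, "00:00:0c:00:00:01")      # constructed designated root
MY_ID = BridgeId(32768, "00:00:0c:00:00:02")
PRIORITY_ZERO = BridgeId(0, "de:ad:be:ef:00:01")      # constructed priority-zero claim


def scenario(root_guard=False, bpdu_guard=False):
    """Deliver the priority-zero BPDU to one user port; return (verdict, root unchanged?)."""
    br = Bridge(MY_ID, LEGIT_ROOT,
                [Port("Gi1/0/5", root_guard=root_guard, bpdu_guard=bpdu_guard)])
    verdict = br.receive_bpdu("Gi1/0/5", PRIORITY_ZERO)
    return verdict, br.root_id == LEGIT_ROOT


if __name__ == "__main__":
    print("unprotected:", scenario())
    print("root guard: ", scenario(root_guard=True))
    print("bpdu guard: ", scenario(bpdu_guard=True))
```

BPDU Guard is the right tool for ports that face end hosts, since any BPDU there is suspicious; Root Guard belongs on ports that legitimately carry BPDUs from downstream switches but must never lead towards the root.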

Multicast Brute Force Attack

A multicast brute force attack occurs when a switch receives a large number of multicast frames in rapid succession. This can cause the frames to leak into other VLANs instead of being contained in the original VLAN, and may also produce a condition similar to a denial of service.

The multicast brute force attack can be stopped by a well-equipped switch that prevents the frames from leaking into other VLANs and keeps them contained in the original VLAN.

Private VLAN Attack

A Private VLAN is a Layer 2 feature used to isolate traffic at Layer 2 only. When a Layer 3 device such as a router is connected to a Private VLAN, it is supposed to forward all the traffic it receives to whatever destination the traffic is meant for, and a malicious user may sometimes use this to his advantage.

This can be prevented by configuring the VLAN access list.

To define a VLAN access map:

vlan access-map map_name [0-65535]

To delete a map sequence from a VLAN access map:

no vlan access-map map_name 0-65535

To delete the VLAN access map:

no vlan access-map map_name

VMPS/VQP Attack:

This kind of attack normally happens on dynamic VLAN access ports. VMPS (VLAN Membership Policy Server) uses the VQP (VLAN Query Protocol) protocol. The disadvantage of VMPS is that it does not use authentication when assigning VLANs based on MAC address, and it runs over UDP, which makes it even more vulnerable to attack.

Normally a DoS attack is carried out in order to join an unauthenticated VLAN.

VLAN Hopping Attack

VLAN hopping works by sending packets to a port which should not be accessible. There are two types of VLAN hopping attack:

  • Switch Spoofing
  • Double Tagging

Switch Spoofing

Switch spoofing happens when a malicious user configures a system to pass itself off as a switch by speaking 802.1Q or ISL. The malicious user is able to spoof a switch with the help of Dynamic Trunking Protocol (DTP) signaling.

Double Tagging

Double tagging is a method that involves tagging transmitted frames with two 802.1Q headers: one header is used for the victim's switch and the other for the attacker's switch.

The simplest way to prevent a VLAN hopping attack is to disable Dynamic Trunking Protocol (DTP) on all untrusted ports.

For example:

ciscoswitch# conf t
ciscoswitch(config)# int gi1/10
ciscoswitch(config-if)# switchport nonegotiate

In the example, switchport nonegotiate disables DTP on the port.

Double-Encapsulated 802.1Q

IEEE 802.1Q helps to create smaller networks out of large ones. A large network is slow and consumes a lot of bandwidth, whereas a smaller network is easier to manage and consumes less bandwidth, so smaller networks are preferable to one large, complex network. IEEE 802.1Q was developed as part of IEEE 802.

To use IEEE 802.1Q, a trunk must be implemented. When trunking is enabled with IEEE 802.1Q, a certain type of attack becomes possible, called the double encapsulation attack: it adds two tags to the original frame. An IEEE 802.1Q trunk always modifies the frame by stripping the outer tag, but the inner tag remains and becomes the frame's destination VLAN.

To prevent double encapsulation in 802.1Q, the native VLAN should not be assigned to any port. We must force traffic on the trunk to always carry a tag. To make the trunk tag the native VLAN as well, use the global command Switch(config)# vlan dot1q tag native.
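Why an untagged native VLAN lets the inner tag take over, and why `vlan dot1q tag native` or an unused native VLAN closes the gap, is easiest to see on actual frame bytes. The following Python is an added example, not code from the article: `parse_frame` walks any number of stacked 802.1Q tags (TPID 0x8100, VLAN ID in the low 12 bits of the TCI), `access_to_trunk` models the first switch's access-port ingress and trunk egress, and `trunk_ingress_vlan` models how the second switch classifies what arrives on the trunk. The MAC addresses, VLAN numbers and sample frame are constructed; `stacked_tags_on_access_port` is a detection check for a frame seen on an access port carrying more than one tag.

```python
import struct

TPID_8021Q = 0x8100
ETH_IP = 0x0800


def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, [vid, ...], ethertype, payload),
    following any number of stacked 802.1Q tags after the source address."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack("!H", frame[off:off + 2])
        if etype != TPID_8021Q:
            return dst, src, vids, etype, frame[off + 2:]
        if len(frame) < off + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        vids.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VLAN ID
        off += 4


def build_frame(dst, src, vids, ethertype, payload):
    """Inverse of parse_frame; used here only to construct the sample frames."""
    hdr = dst + src + b"".join(struct.pack("!HH", TPID_8021Q, v & 0x0FFF) for v in vids)
    return hdr + struct.pack("!H", ethertype) + payload


def access_to_trunk(frame, access_vlan, native_vlan, tag_native):
    """Switch A: the frame enters an access port in `access_vlan` and leaves on an
    802.1Q trunk. Returns the frame as seen on the trunk, or None if dropped."""
    dst, src, vids, etype, payload = parse_frame(frame)
    if vids and vids[0] != access_vlan:
        return None                        # access port accepts untagged frames or its own VLAN only
    inner = vids[1:]                       # any further tags are opaque payload to the access port
    if access_vlan == native_vlan and not tag_native:
        return build_frame(dst, src, inner, etype, payload)      # native VLAN goes out untagged
    return build_frame(dst, src, [access_vlan] + inner, etype, payload)


def trunk_ingress_vlan(frame, native_vlan):
    """Switch B: the VLAN it assigns to a frame received on the trunk."""
    _, _, vids, _, _ = parse_frame(frame)
    return vids[0] if vids else native_vlan


def stacked_tags_on_access_port(frame):
    """Detection: a frame arriving on an access port should carry at most one tag."""
    return len(parse_frame(frame)[2]) > 1


# Constructed sample: a host on an access port in VLAN 10 sends a frame tagged
# [10, 20] towards a host in VLAN 20.
DST = bytes.fromhex("000000000020")
SRC = bytes.fromhex("00000000000a")
DOUBLE_TAGGED = build_frame(DST, SRC, [10, 20], ETH_IP, b"payload")


def delivered_vlan(native_vlan, tag_native, access_vlan=10, frame=DOUBLE_TAGGED):
    """VLAN in which switch B delivers the frame (None if switch A drops it)."""
    on_trunk = access_to_trunk(frame, access_vlan, native_vlan, tag_native)
    return None if on_trunk is None else trunk_ingress_vlan(on_trunk, native_vlan)


if __name__ == "__main__":
    print("native 10, untagged native  ->", delivered_vlan(10, False))
    print("native 10, vlan dot1q tag native ->", delivered_vlan(10, True))
    print("unused native VLAN 999      ->", delivered_vlan(999, False))
```

The three configurations return VLAN 20, 10 and 10 respectively: only when the access VLAN equals an untagged native VLAN does stripping the outer tag expose the inner one, which is exactly the condition the two mitigations above remove.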

Random Frame Stress Attack

Random frame stress attacks come in many varieties, but they are generally a brute force attack performed on several fields of the frame while the source and destination addresses are kept constant. They are primarily performed to test the switch's ability to cope with abnormal inputs and calculations.

Random frame stress attacks can be prevented by using a Private VLAN (PVLAN) to keep the host from receiving those unwanted inputs.

Using Shodan for gathering information:


This is just to find online devices using Shodan (http://www.shodanhq.com). Shodan stands for Sentient Hyper-Optimized Data Access Network and is much like a normal search engine except for its results: Shodan grabs the banners of devices and gives detailed information about them, which helps the user during a pen test.

Shodan is simple and easy to use and also has a query syntax for filtering the results. For example, to find a device or service running at the target, the syntax would be “service name” hostname:target.com. Similarly we can discover more devices, making analysis of the target easier and reducing the time needed.

Another example would be finding L2 devices, such as the Netgear GSM7212 L2 switch, from a particular country. The image shows Netgear switches from the US. Similarly, we can find other devices for the information gathering phase.

Conclusion:


I hope this helps in understanding the various VLAN attacks and makes the concepts simpler. On the other hand, attacking a VLAN is tough. And never forget to change the default settings of your devices.

A few points for the administrators would be:

  • Manage switches in as secure a manner as possible
  • The native VLAN ID should not be used for trunking. Always use a dedicated VLAN ID for all trunk ports.
  • Set all user ports to non-trunking
  • Configure the port-security feature on the switch for more protection. (Note: be careful when configuring port-security.)
  • Avoid using VLAN 1
  • Deploy port-security where possible for user ports
  • Enable BPDU Guard for STP attack mitigation
  • Use private VLANs where appropriate to further divide L2 networks
  • If VTP is used, use MD5 authentication.
  • Disable unused ports.

Translator's note on double-encapsulated 802.1Q (added in the Chinese translation, not in the original article): when a double-encapsulated 802.1Q packet enters the network from a device whose VLAN happens to be the same as the trunk's native VLAN, the packet's VLAN identification cannot be preserved end to end, because an 802.1Q trunk always modifies the packet by stripping its outer tag. Once the outer tag is removed, the inner tag becomes the packet's only VLAN identifier. Therefore, if a packet is double-encapsulated with two different tags, traffic can hop between VLANs.

This situation should be regarded as a misconfiguration, since the 802.1Q standard does not force the use of the native VLAN in these cases. In fact, the proper configuration that should always be used is to clear the native VLAN from all 802.1Q trunks (setting them to 802.1q-all-tagged mode achieves exactly the same effect). Where the native VLAN cannot be cleared, an unused VLAN should be chosen as the native VLAN for all trunks, and that VLAN must not be used for any other purpose. Protocols such as STP, DTP and UDLD should be the only legitimate users of the native VLAN, and their traffic should be completely isolated from all data packets.

Translator's note on random frame stress attacks (added in the Chinese translation, not in the original article): this attack can be prevented by using a Private VLAN to isolate hosts at Layer 2 from malicious traffic. (Tip: with PVLANs you can build groups of mutually trusted hosts, dividing the Layer 2 network into several sub-domains so that only friendly devices communicate with each other.)


Original article: http://resources.infosecinstitute.com/vlan-hacking/

Chinese translation: http://netsecurity.51cto.com/art/201112/310130.htm
