How to effectively prevent VLAN attacks?

A VLAN (Virtual Local Area Network) is a logical grouping of devices and users. These devices and users are not restricted by their physical location; they can be organized according to factors such as function, department, and application, and they communicate with each other as if they were on the same physical network segment.

Compared with traditional local area network technology, VLAN technology is more flexible and offers the following advantages: the management overhead of moving, adding and modifying network equipment is reduced; broadcast activity can be contained; and network security can be improved.

VLAN attacks are attacks that exploit the way VLAN technology is applied. How can effective preventive measures be taken against these tricky attack methods?

1. 802.1Q and ISL tagging attacks:

Tagging attacks are malicious attacks with which users on one VLAN can illegally access another VLAN. For example, if a switch port is configured as DTP (Dynamic Trunking Protocol) auto and receives forged DTP packets, it will become a trunk port and may receive traffic for any VLAN.

Thus, malicious users can communicate with other VLANs through the port they control.

To counter this attack, you only need to set DTP (Dynamic Trunking Protocol) to the off state on all untrusted ports.

2. Double-encapsulated 802.1Q / nested VLAN attack:

Inside the switch, VLAN numbers and identifiers are expressed in a special extended format. The purpose is to keep the forwarding path independent of the end-to-end VLAN without losing any information. Outside the switch, the tagging rules are specified by standards such as ISL or 802.1Q. ISL is a Cisco proprietary technology; it is a compact form of the extended packet header used inside the device. Every packet always carries a tag, so there is no risk of losing its identity, which improves security.

The IEEE 802.1Q committee decided that, in order to achieve backward compatibility, it is best to support a native VLAN, that is, a VLAN that is not explicitly associated with any tag on the 802.1Q link. This VLAN is implicitly used to receive all untagged traffic on the 802.1Q port. This feature is what users want, because with it an 802.1Q port can talk directly to an old 802.3 port by sending and receiving untagged traffic. However, in all other cases this feature can be very harmful, because packets belonging to the native VLAN lose their tags when transmitted over an 802.1Q link.

For this reason, an unused VLAN should be selected as the native VLAN for all trunks, and that VLAN must not be used for any other purpose. Protocols such as STP, DTP, and UDLD should be the only legitimate users of the native VLAN, and their traffic should be completely isolated from all data packets.

3. VLAN hopping attack

VLAN hopping is a type of network attack in which an end system sends packets to, or receives packets from, a VLAN that the administrator has not allowed it to access. The attack is carried out either by tagging the attack traffic with a specific VLAN ID (VID) or by negotiating a trunk link to send and receive the desired VLAN's traffic. Attackers can carry out VLAN hopping by means of switch spoofing or double tagging.

In short, a VLAN hopping attack is a malicious device attempting to access a VLAN other than the one it is configured for.

There are two forms of VLAN hopping attack:

One form derives from the default configuration of Catalyst switch ports. Trunk negotiation (DTP) in auto mode is enabled by default on the ports of a Cisco Catalyst switch, so an interface becomes a trunk port after receiving a DTP frame.

The second form of VLAN hopping attack works even when trunk negotiation is turned off on the switch interface. In this type of attack, the attacker sends frames carrying two 802.1Q tags. This attack requires the victim to be connected to a switch other than the one the attacker is connected to.

Another requirement is that the VLAN of the switch port to which the attacker is connected must be the same as the native VLAN of the trunk between the attacker's switch and the switch carrying the attacked VLAN.

To defend against VLAN hopping attacks in the network, all switch ports and trunk parameters should be configured explicitly rather than left to negotiation:

1. Set all unused ports as access ports so that these links cannot negotiate trunking.

2. Set all unused ports to the shutdown state and place them in the same VLAN. This VLAN is dedicated to unused ports and therefore carries no user data traffic.
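As an added example (not from the original article), the following Python script shows how a defender can check the mitigations above across a whole configuration: it parses an IOS-style running-config and flags ports that can still be negotiated into a trunk, trunks whose native VLAN is not the dedicated unused VLAN, and unused ports that were not shut down. The sample configuration, the choice of VLAN 999 as the unused native VLAN, and the convention that unused ports carry the word "unused" in their description are assumptions constructed for this example.

```python
# Constructed sample IOS-style running-config (not a real device): Gi0/1 and Gi0/2 are hardened, Gi0/3-0/5 are not.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet0/2
 description uplink, hardened
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
interface GigabitEthernet0/3
 description user port left at defaults (dynamic auto)
 switchport access vlan 10
interface GigabitEthernet0/4
 description unused
 switchport mode access
interface GigabitEthernet0/5
 switchport mode trunk
 switchport nonegotiate
"""

def parse_interfaces(config):
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces

def audit(config, unused_vlan="999"):
    """Return (interface, issue) pairs. unused_vlan is the dedicated native VLAN for
    trunks; ports whose description says 'unused' are expected to be shut down (assumed convention)."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")), "1")
        unused = any(l.startswith("description") and "unused" in l for l in lines)
        if "shutdown" in lines:
            continue  # a shut port can neither negotiate nor forward anything
        if mode is None or mode.startswith("dynamic"):  # Catalyst default is dynamic auto
            findings.append((name, "DTP auto: port can be negotiated into a trunk"))
        elif mode == "trunk" and "switchport nonegotiate" not in lines:
            findings.append((name, "trunk still sends DTP frames; add 'switchport nonegotiate'"))
        if mode == "trunk" and native != unused_vlan:
            findings.append((name, f"native VLAN {native} is not the dedicated unused VLAN"))
        if unused:
            findings.append((name, "unused port is not shut down"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports Gi0/3 (still DTP auto), Gi0/4 (unused but not shut) and Gi0/5 (native VLAN 1 on a trunk); the two hardened ports produce no findings.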

The above is the news shared by PASSHOT. I hope it has inspired you. If you think today's content is not bad, you are welcome to share it with other friends. More of the latest Linux dumps, CCNA 200-301 dumps, CCNP Written dumps and CCIE Written dumps are waiting for you.

Copyright © 2024 PASSHOT All rights reserved.