Network Security: Villain VLANs & Cutting Down the (Spanning) Trees
Mohamed Sabt, Univ Rennes, CNRS, IRISA, Wednesday, September 16th, 2019
people.irisa.fr/Mohamed.Sabt/TEACHING/network_security_2.pdf


Page 1: Villain VLANs & Cutting Down the (Spanning) Trees

Network Security

Mohamed Sabt

Univ Rennes, CNRS, IRISA

Wednesday, September 16th, 2019

Villain VLANs & Cutting Down the (Spanning) Trees

Page 2: Layer 2 Attack Landscape

Lower network layers affect the higher ones.
• Layering principle.
• If one layer is compromised, the communications of every layer above it are compromised too, without those layers being aware of the problem.

Security is only as strong as the weakest link.

When it comes to networking, layer 2 can be a very weak link.

Most Layer 2 protocols were designed under the assumption that only trusted people are connected to the LAN.

Page 3: Part I

Virtual LANs

Page 4: Reminders

LAN:
• Includes all devices in the same broadcast domain.

Broadcast Domain:
• When any of the devices sends a broadcast frame, all other devices get a copy of the frame.
• You can think of a LAN and a broadcast domain as being basically the same thing.

Page 5: First Overview of a VLAN

VLANs allow us to put some devices into one broadcast domain and some into another, thereby creating multiple broadcast domains.

These individual broadcast domains are called virtual LANs.

Page 6: Why VLANs

Better performance:
• To create more flexible designs.
• To reduce the broadcast overhead imposed on each host.
• To reduce the workload of LAN-related protocols (e.g. STP).

More security:
• To keep hosts that work with sensitive data on a separate VLAN.
• To isolate the traffic coming from untrusted parts of the network.

Page 7: VLANs Interconnection

The same VLAN can span several switches.

Page 8: VLAN Tagging

When a VLAN spans several switches, the switches need to tag each frame with the VLAN it belongs to.

Page 9: VLAN Trunking

The need:
• Switches need to use VLAN trunking on the segments between switches.

Advantage:
• Trunking allows switches to pass frames from multiple VLANs over a single physical connection.

How:
• VLAN trunking makes the switches use a process called VLAN tagging, by which the sending switch adds another header to the frame before sending it over a trunk.

Page 10: IEEE 802.1Q

The IEEE standardizes the trunking protocol.
• 802.1Q does not encapsulate the original frame into another one.
• Instead, it inserts an extra 4-byte VLAN tag into the original frame's Ethernet header, between the source MAC address and the Type/Length field: a 2-byte Tag Protocol Identifier (0x8100) followed by 2 bytes of Tag Control Information, whose low 12 bits carry the VLAN ID (1 to 4094 usable).

Page 11: Native VLAN

No tag:
• On a trunk, frames that belong to the native VLAN are sent without an 802.1Q header.

Processing:
• When a switch receives an untagged frame on a trunk, it decides that the frame is part of the native VLAN.
• Both ends of a trunk must therefore agree on the native VLAN (VLAN 1 by default on Cisco switches).

Page 12: VLAN Trunking Protocol (VTP)

VTP allows switches to exchange VLAN configuration information.
• VTP advertises the existence of each VLAN, identified by its VLAN ID and its VLAN name.

Synchronization:
• Periodic VTP messages.
• VTP messages as soon as the VLAN configuration has changed.

Three modes:
• Server: sets the VLAN configuration and advertises it.
• Client: receives and forwards VTP messages; it cannot change the VLAN configuration locally.
• Transparent: ignores the received VTP messages (but still forwards them on its trunks).

Page 13: VTP Update Process

The complete process by which a server changes the VLAN configuration, resulting in all switches knowing the same VLAN IDs and names, is called synchronization.

Page 14: VTP Update Steps

1. Someone configures a new VLAN from the command-line interface (CLI) of a VTP server.
2. The VTP server increments its VLAN database revision number.
3. The server sends VTP update messages out its trunk interfaces, stating the new revision number.
4. The VTP clients and the other servers notice that the update lists a higher revision number than their current one.
5. These switches update their VLAN databases based on the new VTP update.

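As an added example (not part of the slides), the update steps above modelled in Python: a server bumps its revision number and advertises, clients and servers overwrite their VLAN database when the advertised revision is higher, and a transparent switch ignores the update. The message layout, the switch names and the keyed hash `make_digest` standing in for the VTP domain-password check are assumptions for illustration, not the VTP wire format; all scenario data is constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class VtpAdvert:
    domain: str
    revision: int
    vlans: Dict[int, str]          # VLAN ID -> VLAN name
    digest: Optional[str] = None   # assumed stand-in for the VTP password digest


def make_digest(password: Optional[str], domain: str, revision: int,
                vlans: Dict[int, str]) -> Optional[str]:
    """Assumed stand-in for the VTP domain-password check. Real VTP uses an MD5
    digest over the advertisement; a keyed SHA-256 is used here for illustration."""
    if password is None:
        return None
    payload = json.dumps([domain, revision, sorted(vlans.items())]).encode()
    return hashlib.sha256(password.encode() + payload).hexdigest()


@dataclass
class Switch:
    name: str
    mode: str                      # "server", "client" or "transparent"
    domain: str
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})
    password: Optional[str] = None

    def configure_vlan(self, vid: int, name: str) -> VtpAdvert:
        """Steps 1-3: an admin adds a VLAN on a server, the server bumps its
        revision number and sends an update out its trunks."""
        if self.mode != "server":
            raise PermissionError(f"{self.name}: only a VTP server sets the VLAN configuration")
        self.vlans[vid] = name
        self.revision += 1
        return VtpAdvert(self.domain, self.revision, dict(self.vlans),
                         make_digest(self.password, self.domain, self.revision, self.vlans))

    def receive(self, adv: VtpAdvert) -> str:
        """Steps 4-5: a client or server overwrites its database when the update
        carries a higher revision number; transparent mode never does."""
        if self.mode == "transparent":
            return "ignored: transparent mode"
        if adv.domain != self.domain:
            return "ignored: other domain"
        if self.password is not None and adv.digest != make_digest(
                self.password, adv.domain, adv.revision, adv.vlans):
            return "rejected: bad digest"
        if adv.revision <= self.revision:
            return "ignored: revision not higher"
        self.vlans = dict(adv.vlans)
        self.revision = adv.revision
        return "synchronized"


def run_scenario() -> dict:
    """Constructed scenario: one server, one client and one transparent switch."""
    base = {1: "default", 10: "staff"}
    srv = Switch("SW1", "server", "campus", revision=5, vlans=dict(base))
    cli = Switch("SW2", "client", "campus", revision=5, vlans=dict(base))
    tra = Switch("SW3", "transparent", "campus", vlans={1: "default", 99: "local"})

    adv = srv.configure_vlan(20, "finance")            # revision 5 -> 6
    out = {"client": cli.receive(adv), "transparent": tra.receive(adv)}

    # A replayed, older advertisement changes nothing.
    out["replayed_old"] = cli.receive(VtpAdvert("campus", 3, {1: "default"}))

    # "Higher revision wins" says nothing about who sent the update: an advert
    # with revision 100 and an almost empty database wipes VLANs 10 and 20.
    out["higher_rev_unauth"] = cli.receive(VtpAdvert("campus", 100, {1: "default"}))
    out["client_vlans_after"] = sorted(cli.vlans)

    # Same update against a client that shares a domain password with its server.
    cli2 = Switch("SW4", "client", "campus", revision=6, vlans=dict(adv.vlans), password="s3cret")
    out["higher_rev_with_password"] = cli2.receive(VtpAdvert("campus", 100, {1: "default"}))
    out["client2_vlans_after"] = sorted(cli2.vlans)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The last two cases are the point of the exercise on slide 25: the revision comparison alone accepts any higher number, whatever its origin, so a domain password or transparent mode on switches that do not need synchronization is what keeps the VLAN database under control.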
Page 15: Part II

Security of Virtual LANs

Page 16: Dynamic Trunking Protocol (DTP)

DTP is a Cisco proprietary protocol that negotiates trunking parameters between switches.
• Operates on a point-to-point basis only, between directly connected devices.
• Designed to make interconnecting switches with VLANs easier.

Page 17: Basic Trunk Port Defined

Trunk ports carry all VLANs by default.

They are used to carry traffic for multiple VLANs across the same physical link (generally between switches).

Page 18: DTP and Security

DTP is important from a security perspective.
• The default DTP state of many switches is dynamic auto: the port becomes a trunk as soon as the other end asks for one.
• Such switches will happily trunk (pass traffic on multiple VLANs) with anyone who tells them that they would like to do so.

Page 19: Basic VLAN Hopping Attack

An end station can behave as a switch.

The station then becomes a member of all VLANs.

Page 20: Basic Hopping Attack

This attack can be achieved in one of two ways:
• Spoof DTP messages from the attacking host to cause the switch port to enter trunking mode. From there, the attacker can send traffic tagged with the target VLAN, and the switch will happily deliver the frames to the destination.
• Introduce a rogue switch and turn trunking on. The attacker can then access all the VLANs on the victim switch from the rogue switch.

To mitigate these attacks, do not let DTP negotiate on any port that does not need trunking: configure the port statically as an access port and disable DTP on it.

Page 21: Creative VLAN Hopping Attack

Send 802.1Q double-tagged frames.

The switch performs only one level of decapsulation.

Works even if trunking is turned off on the attacker's port, as long as the attacker's access VLAN is the native VLAN of a trunk.

Page 22: Double Hopping Attack

The attacker sends a double-tagged 802.1Q frame to the switch.
• The outer tag carries the attacker's own VLAN and the inner one the victim's.
• For the purposes of this attack, let's assume that the outer tag is VLAN 10 and the inner tag is VLAN 20, and that VLAN 10 is also the native VLAN of the trunk between the two switches.

The frame arrives on the first switch, which looks only at the first 4-byte 802.1Q tag.
• The switch sees that the frame belongs to VLAN 10 and, if there is no CAM table entry for the destination, sends it out on all VLAN 10 ports, including the trunk.
• Because VLAN 10 is the native VLAN, the frame leaves the trunk with its outer tag removed; the second tag is still intact and was never inspected by the first switch.

The frame arrives at the second switch.
• The second switch has no knowledge that the frame was supposed to be in VLAN 10: native VLAN traffic is not tagged.
• It looks at the only 802.1Q tag left, sees VLAN 20 (the victim's VLAN) and delivers the frame to the victim host.

The attack is one-way: the victim's replies stay in VLAN 20 and never come back to the attacker.

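As an added example (not code from the slides), the tag layout of slides 10 and 11 and the double-tag hop above, in Python. `build_frame` and `parse_tags` implement the real 802.1Q layout (TPID 0x8100, 12-bit VID after the source MAC); the two-switch model (`access_ingress`, `trunk_egress`, `trunk_ingress`) is a simplified assumption about switch behaviour, including that an access port accepts a tagged frame whose outermost tag matches its own VLAN. MAC addresses and payload are constructed.

```python
import struct
from typing import List, Optional, Tuple

TPID_8021Q = 0x8100     # Tag Protocol Identifier announcing a 4-byte 802.1Q tag
ETH_P_IP = 0x0800

# Constructed addresses for the example frames.
BCAST = b"\xff" * 6
ATTACKER_MAC = bytes.fromhex("02aabbccdd01")


def build_frame(dst: bytes, src: bytes, vids: List[int], ethertype: int, payload: bytes) -> bytes:
    """Ethernet frame with zero or more 802.1Q tags, outermost first. Each tag is
    TPID (0x8100) + TCI, where TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    frame = dst + src
    for vid in vids:
        if not 1 <= vid <= 4094:
            raise ValueError("usable VLAN IDs are 1..4094")
        frame += struct.pack("!HH", TPID_8021Q, vid)        # PCP = 0, DEI = 0
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes) -> Tuple[List[int], int, bytes]:
    """Walk every 802.1Q tag after the MAC addresses.
    Returns (VIDs outermost first, inner EtherType, payload)."""
    vids, off = [], 12
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if ethertype != TPID_8021Q:
            return vids, ethertype, frame[off:]
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        vids.append(tci & 0x0FFF)


def pop_tag(frame: bytes) -> bytes:
    """Strip the outermost tag: what a switch does before sending a frame untagged."""
    return frame[:12] + frame[16:]


def access_ingress(frame: bytes, port_vlan: int) -> Optional[int]:
    """Switch A, access port in `port_vlan` (assumed behaviour): untagged frames
    are accepted, and so is a frame whose outermost tag equals the port VLAN;
    anything else is dropped. Returns the frame's VLAN, or None if dropped."""
    vids, _, _ = parse_tags(frame)
    if vids and vids[0] != port_vlan:
        return None
    return port_vlan


def trunk_egress(frame: bytes, vlan: int, native_vlan: int, tag_native: bool) -> bytes:
    """Switch A sends the frame over its trunk. Native-VLAN frames go out untagged
    unless the trunk is configured to tag the native VLAN as well."""
    vids, _, _ = parse_tags(frame)
    if vlan == native_vlan and not tag_native:
        return pop_tag(frame) if vids else frame
    return frame


def trunk_ingress(frame: bytes, native_vlan: int) -> int:
    """Switch B classifies a frame from the trunk by its outermost tag only;
    an untagged frame lands in the native VLAN."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def hop(attacker_vlan: int, victim_vlan: int, native_vlan: int, tag_native: bool = False) -> Optional[int]:
    """Run the double-tagged frame through both switches and return the VLAN in
    which switch B delivers it (None if switch A dropped it)."""
    frame = build_frame(BCAST, ATTACKER_MAC, [attacker_vlan, victim_vlan], ETH_P_IP, b"constructed payload")
    vlan = access_ingress(frame, attacker_vlan)
    if vlan is None:
        return None
    return trunk_ingress(trunk_egress(frame, vlan, native_vlan, tag_native), native_vlan)


if __name__ == "__main__":
    print("native VLAN = attacker VLAN:", hop(10, 20, native_vlan=10))
    print("dedicated native VLAN:      ", hop(10, 20, native_vlan=999))
    print("native VLAN tagged:         ", hop(10, 20, native_vlan=10, tag_native=True))
```

Only the first call reaches VLAN 20. Moving the native VLAN to an ID no access port uses, or tagging the native VLAN on the trunk, keeps the attacker's outer tag in place, so switch B classifies the frame as VLAN 10 and the inner tag is never looked at.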
Page 23: Mitigation of the Double Hopping Attack

Always use a dedicated VLAN ID for the native VLAN of all trunk ports.
• Never use the native VLAN for anything (no access port, no host).
• Use all-tagged mode for the native VLAN on trunks, so that native VLAN frames are tagged as well and an attacker's untagged or single-stripped frame is no longer taken for native VLAN traffic.

For switches to prevent this attack themselves, they would have to look further into the frame to determine whether more than one VLAN tag is attached to it.

Page 24: Best Practices for VLANs and Trunking

Always use a dedicated VLAN ID for the native VLAN of all trunk ports.
• Never use the native VLAN for anything.
• Use all-tagged mode for the native VLAN on trunks.

Unused interfaces:
• Administratively disable the unused interfaces.
• Assign them to an otherwise unused VLAN, called the parking lot VLAN.

Prevent trunking from being negotiated:
• Explicitly configure trunking on infrastructure ports, and access mode everywhere else.
• Explicitly permit only the specific VLANs that need to be allowed on each trunk.

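An added example, not part of the slides: a small Python audit of an IOS-style interface configuration against the practices above (plus BPDU Guard from Part IV). The configuration text is constructed; the commands it contains (`switchport nonegotiate`, `switchport trunk native vlan`, `switchport trunk allowed vlan`, `vlan dot1q tag native`, `spanning-tree bpduguard enable`) are real Cisco IOS syntax, but the parsing is deliberately naive, and the parking-lot VLAN number 999 and the "UNUSED" description convention are assumptions.

```python
from typing import Dict, List, Optional

PARKING_VLAN = 999   # assumed ID of the "parking lot" VLAN for unused ports

# Constructed running-config excerpt (IOS-style syntax): hardened and default ports side by side.
SAMPLE_CONFIG = """\
vlan dot1q tag native
!
interface GigabitEthernet1/0/1
 description uplink to distribution, hardened
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
interface GigabitEthernet1/0/2
 description uplink left at defaults
 switchport mode dynamic auto
interface GigabitEthernet1/0/3
 description user desk
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/4
 description UNUSED
 switchport mode access
 switchport access vlan 999
 shutdown
interface GigabitEthernet1/0/5
 description UNUSED
interface GigabitEthernet1/0/6
 description trunk to SW2
 switchport mode trunk
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [indented commands]}."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None          # "!" or a global command ends the block
    return blocks


def arg(cmds: List[str], prefix: str) -> Optional[str]:
    """Text after `prefix` in the first matching command, or None."""
    for c in cmds:
        if c.startswith(prefix):
            return c[len(prefix):].strip()
    return None


def audit_interface(cmds: List[str], parking_vlan: int = PARKING_VLAN) -> List[str]:
    findings = []
    mode = arg(cmds, "switchport mode ")
    access_vlan = int(arg(cmds, "switchport access vlan ") or 1)
    native_vlan = int(arg(cmds, "switchport trunk native vlan ") or 1)
    description = (arg(cmds, "description ") or "").lower()

    if "shutdown" in cmds:                  # disabled port: only check where it is parked
        if access_vlan != parking_vlan:
            findings.append(f"disabled port not parked in VLAN {parking_vlan}")
        return findings
    if "unused" in description:
        findings.append("unused port is not administratively shut down")
    if mode is None or mode.startswith("dynamic"):
        findings.append(f"trunking negotiable via DTP (switchport mode {mode or 'dynamic, the default'})")
    elif "switchport nonegotiate" not in cmds:
        findings.append("switchport nonegotiate missing: DTP frames are still sent")
    if mode == "trunk":
        if native_vlan == 1:
            findings.append("native VLAN left at 1; use a dedicated, otherwise unused VLAN")
        if arg(cmds, "switchport trunk allowed vlan ") is None:
            findings.append("trunk allows every VLAN; permit only the VLANs that need it")
    if mode == "access" and "spanning-tree bpduguard enable" not in cmds:
        findings.append("BPDU Guard not enabled on access port")
    return findings


def audit(config: str) -> Dict[str, List[str]]:
    """Audit every interface plus the global native-VLAN tagging setting."""
    report = {name: audit_interface(cmds) for name, cmds in parse_interfaces(config).items()}
    global_lines = {line.strip() for line in config.splitlines()}
    report["global"] = [] if "vlan dot1q tag native" in global_lines else [
        "native VLAN not tagged on trunks (vlan dot1q tag native)"]
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Ports 1/0/1, 1/0/3 and 1/0/4 pass; 1/0/2 is flagged for negotiable trunking, 1/0/5 for being an unused port that is neither shut down nor pinned to access mode, and 1/0/6 for a trunk with DTP still running, native VLAN 1 and no allowed-VLAN list.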
Page 25: Exercise

Guess some attacks related to VTP.

How can these attacks be mitigated?

Page 26: Part III

Spanning Tree Protocol (STP)

Page 27: Redundant Links

Redundant links allow the LAN to recover when one of the network links fails.

Page 28: Broadcast Storm I

Switches send broadcast frames out all interfaces in the same VLAN, except the interface on which the frame arrived.

Page 29: Broadcast Storm II

With redundant links, the broadcast frames start to loop.

Page 30: Broadcast Storm III

Broadcast storms cause broadcast frames to loop around the LAN indefinitely.

Page 31: Broadcast Storm Problems

Resource saturation:
• The same frame is forwarded repeatedly on the same links, consuming a significant part of the links' capacity.

MAC table instability:
• The switch MAC address table is continually updated with incorrect entries, resulting in frames being sent to the wrong locations.

Multiple frame transmission:
• Multiple copies of the same frame are delivered to the intended host, thereby confusing the host.

Page 32: The Need for Spanning Tree Protocol

STP allows switches to automatically block the ports that would cause a broadcast storm.

Page 33: How STP Works

STP creates a spanning tree of interfaces that forward frames.
• The tree structure creates a single path to and from each Ethernet segment.
• Any interface not chosen by STP is placed in the Blocking State.

STP uses three criteria to decide which interfaces go to the Forwarding State:
• STP elects a root switch: the one with the lowest bridge ID (priority, then MAC address). All of the root's interfaces are in the Forwarding State.
• Each nonroot switch picks the one port with the least-cost path to the root, its root port, and makes it Forwarding.
• On each segment, the port of the switch with the lowest root path cost (the designated port) is placed in the Forwarding State; ties are broken by the lower bridge ID.

Page 34: Exercise STP

Supposing that Switch C is the root, describe the constructed spanning tree.

(Figure: topology with link costs 4 and 5; Switch C marked as Root.)

Page 35: Reacting to Changes in the Network

The steady-state operation:
• The root creates and sends a Hello BPDU, with a root cost of 0, out all its working interfaces.
• The nonroot switches receive the Hello on their root ports. Each switch forwards the Hello out all its designated ports after adding its own cost and replacing the sender ID with its own.

When a switch ceases to receive the Hellos, something has failed, so the switch reacts and starts the process of changing the spanning-tree topology.

Page 36: STP Timers

Hello:
• 2 sec.
• The time period between Hellos created by the root.

Max Age:
• 10 times Hello (20 sec).
• How long any switch should wait, after ceasing to hear Hellos, before trying to change the STP topology.

Forward Delay:
• 15 sec.
• Delay that affects the process that occurs when an interface changes from the Blocking State to the Forwarding State: the port first stays in an interim Listening State for one Forward Delay, then in an interim Learning State for another.

Page 37: Part IV

STP Security

Page 38: Security Considerations

STP has no provision for authenticating the switches that exchange STP information.
• STP messages could easily be sent from an unauthorized device, with any number of undesirable effects.
• If the attacker can cause a failure, it generally takes 30 to 50 seconds for STP to reconverge (two Forward Delays, plus Max Age when the failure is not detected on a directly connected link); repeating this is a denial of service in itself.

Root hijacking:
• By advertising a lower bridge ID than the legitimate root, the attacker becomes the root and ends up forwarding a lot of the LAN's traffic.
• The most obvious resulting attacks are man-in-the-middle, traffic sniffing and denial of service.

Page 39: STP Root Hijacking

The attacker becomes the root: its BPDUs claim a lower bridge ID than the legitimate root, and the whole tree is recomputed around the attacker's machine.

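An added example, not part of the slides: Python that applies the three criteria from slide 33 to a constructed three-switch topology (root election, root ports, designated ports, blocking ports), then re-runs the same computation after a station with bridge priority 0 attaches to two of the switches, which is the root hijacking described above. Switch names, MAC addresses and link costs are constructed; the model uses the upstream bridge ID as tie-breaker and ignores port IDs.

```python
import heapq
from typing import Dict, List, Tuple

BridgeId = Tuple[int, str]     # (priority, MAC address); the lower value wins
Link = Tuple[str, str, int]    # (switch, switch, STP path cost of the segment)

# Constructed campus: three switches at the default priority 32768 in a triangle.
# Path costs follow the classic 802.1D table (4 = 1 Gbit/s, 19 = 100 Mbit/s).
CAMPUS: Dict[str, BridgeId] = {
    "SW1": (32768, "00:00:00:00:00:01"),
    "SW2": (32768, "00:00:00:00:00:02"),
    "SW3": (32768, "00:00:00:00:00:03"),
}
LINKS: List[Link] = [("SW1", "SW2", 4), ("SW1", "SW3", 19), ("SW2", "SW3", 4)]


def elect_root(bridges: Dict[str, BridgeId]) -> str:
    """Every switch initially claims to be root; the lowest bridge ID wins."""
    return min(bridges, key=bridges.get)


def root_path_costs(root: str, bridges: Dict[str, BridgeId], links: List[Link]):
    """Dijkstra from the root. For each switch: its root path cost and the
    neighbour behind its root port. Equal costs are broken by the lower bridge
    ID of the upstream switch, as in 802.1D."""
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, c in links:
        adj.setdefault(a, []).append((b, c))
        adj.setdefault(b, []).append((a, c))
    best = {root: (0, bridges[root])}          # switch -> (cost, upstream bridge ID)
    via: Dict[str, str] = {}
    heap = [(0, bridges[root], root)]
    while heap:
        cost, _, sw = heapq.heappop(heap)
        if cost > best[sw][0]:
            continue                            # stale heap entry
        for nb, c in adj.get(sw, []):
            cand = (cost + c, bridges[sw])
            if nb not in best or cand < best[nb]:
                best[nb] = cand
                via[nb] = sw
                heapq.heappush(heap, (cand[0], bridges[sw], nb))
    return {s: v[0] for s, v in best.items()}, via


def port_roles(bridges: Dict[str, BridgeId], links: List[Link]):
    """Apply the three criteria of the slide: root ports and designated ports
    forward, every other port blocks. Keys are (switch, neighbour) pairs."""
    root = elect_root(bridges)
    cost, via = root_path_costs(root, bridges, links)
    roles: Dict[Tuple[str, str], str] = {}
    for a, b, _ in links:
        des = min((a, b), key=lambda s: (cost[s], bridges[s]))   # designated end of the segment
        other = b if des == a else a
        roles[(des, other)] = "designated/forwarding"
        roles[(other, des)] = "root/forwarding" if via.get(other) == des else "blocking"
    return root, cost, roles


def hijack(bridges: Dict[str, BridgeId], links: List[Link], attacker: str = "EVIL",
           attach_to: Tuple[str, ...] = ("SW2", "SW3"), cost: int = 4):
    """Root hijacking: a dual-homed station announces priority 0. Nobody checks,
    so it is elected root and the tree is rebuilt around it."""
    bridges = dict(bridges, **{attacker: (0, "00:00:00:00:00:ee")})
    links = links + [(attacker, sw, cost) for sw in attach_to]
    return port_roles(bridges, links)


if __name__ == "__main__":
    for label, (root, cost, roles) in (("legitimate", port_roles(CAMPUS, LINKS)),
                                       ("hijacked", hijack(CAMPUS, LINKS))):
        print(f"[{label}] root={root} costs={cost}")
        for (sw, nb), role in sorted(roles.items()):
            print(f"  {sw} -> {nb}: {role}")
```

In the legitimate tree SW1 is root and SW3 blocks its slow link to SW1. After the hijack EVIL is root, the direct SW2-SW3 link is blocked on SW3's side, and everything SW2 and SW3 exchange now crosses the attacker's machine, which is the man-in-the-middle position slide 38 warns about.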
Page 40: BPDU Guard

BPDU Guard features:
• It disables a port if any STP message (BPDU) is received on the port.
• User ports have no reason to receive STP messages.

Advantages:
• Particularly useful for ports that should only be used as access ports and never be connected to another switch.
• Prevents attackers from sending STP messages from their computers.

Page 41: Root Guard

Root Guard features:
• It disables any port through which a neighboring switch would have become the root as a result of its STP messages.
• When enabled, Root Guard reacts if the switch receives a superior STP message (one announcing a better root) from the neighboring switch on that port.
• In this case, Root Guard ignores the superior STP message. In addition, the switch disables the interface, neither sending nor receiving frames, for as long as the superior STP messages keep arriving; it recovers automatically once they stop.

Advantages:
• It prevents a rogue switch from becoming the root switch.
• Less restrictive than BPDU Guard: the neighbor may still take part in STP as a nonroot switch.
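An added example, not part of the slides: a Python model of one port's reaction to received BPDUs with BPDU Guard (slide 40) and Root Guard (slide 41), compared with an unprotected port. The state names follow Cisco's (err-disabled, root-inconsistent) but the state machine is simplified: no timers, no port IDs, one BPDU per Hello interval. Addresses and interface names are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

BridgeId = Tuple[int, str]     # (priority, MAC address); lower is "superior"


@dataclass
class Bpdu:
    root_id: BridgeId          # the root the sender believes in
    sender_id: BridgeId


@dataclass
class Port:
    name: str
    known_root: BridgeId                 # root this switch currently accepts
    bpdu_guard: bool = False
    root_guard: bool = False
    role: str = "designated"             # "designated" or "root"
    state: str = "forwarding"            # forwarding | err-disabled | root-inconsistent
    log: List[str] = field(default_factory=list)

    def hello_interval(self, bpdu: Optional[Bpdu]) -> str:
        """Process one Hello interval: `bpdu` is what arrived on the port, or
        None if nothing did. Returns the resulting port state."""
        if self.state == "err-disabled":
            return self.state                      # stays down until an admin re-enables it
        if bpdu is None:
            if self.state == "root-inconsistent":  # superior BPDUs stopped: Root Guard recovers
                self.state = "forwarding"
                self.log.append(f"{self.name}: superior BPDUs gone, port recovered")
            return self.state
        if self.bpdu_guard:                        # any BPDU at all is enough
            self.state = "err-disabled"
            self.log.append(f"{self.name}: BPDU Guard: BPDU from {bpdu.sender_id[1]}, port err-disabled")
            return self.state
        superior = bpdu.root_id < self.known_root
        if superior and self.root_guard:           # neighbour would become root: refuse
            self.state = "root-inconsistent"
            self.log.append(f"{self.name}: Root Guard: superior root {bpdu.root_id} ignored, port blocked")
            return self.state
        if superior:                               # unprotected port: accept the new root
            self.known_root = bpdu.root_id
            self.role = "root"
            self.log.append(f"{self.name}: new root {bpdu.root_id}, port becomes root port")
        return self.state


def scenario() -> dict:
    """Constructed scenario: the same rogue BPDU (priority 0) hits three ports."""
    legit_root: BridgeId = (32768, "00:00:00:00:00:01")
    peer = Bpdu(root_id=legit_root, sender_id=(32768, "00:00:00:00:00:02"))
    rogue = Bpdu(root_id=(0, "00:00:00:00:00:ee"), sender_id=(0, "00:00:00:00:00:ee"))

    unprotected = Port("Gi1/0/10", legit_root)                   # default access port
    unprotected.hello_interval(rogue)

    guarded = Port("Gi1/0/11", legit_root, bpdu_guard=True)      # access port with BPDU Guard
    guarded.hello_interval(rogue)
    guarded.hello_interval(None)                                  # no automatic recovery

    uplink = Port("Gi1/0/24", legit_root, root_guard=True)       # designated port towards a neighbour switch
    normal = uplink.hello_interval(peer)                          # ordinary BPDU: nothing happens
    during = uplink.hello_interval(rogue)
    after = uplink.hello_interval(None)

    return {
        "unprotected_root": unprotected.known_root, "unprotected_role": unprotected.role,
        "bpdu_guard_state": guarded.state,
        "root_guard_normal": normal, "root_guard_during": during, "root_guard_after": after,
        "root_guard_root": uplink.known_root,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The unprotected port accepts the rogue root and turns into a root port; BPDU Guard takes the port down for good on the first BPDU, which is what you want on user-facing ports; Root Guard lets the neighbour's ordinary BPDUs through, blocks only while superior ones arrive, and comes back by itself, which is why it is the tool for ports that legitimately face another switch.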