
Minimizing Service Loss and Data Theft






Presentation Transcript


  1. Protecting Against VLAN Attacks Minimizing Service Loss and Data Theft

  2. Explaining VLAN Hopping
     • An attacking system spoofs itself as a legitimate trunk-negotiating device.
     • A trunk link is negotiated dynamically.
     • The attacking device gains access to all VLANs carried by the trunk.

  3. VLAN Hopping with Double Tagging
     • Double tagging allows a frame to be forwarded to a destination VLAN other than the VLAN of the source.

  4. Mitigating VLAN Hopping
     • Unused ports
       • Shut down all unused ports.
       • Configure all unused ports to access mode.
       • Configure an access VLAN on all unused ports to an unused VLAN.
       • Configure a native trunk VLAN on all unused ports to an unused VLAN.
     • Trunk ports
       • Configure a trunk port with trunk mode on, and disable trunk negotiation.
       • Configure a native trunk VLAN on trunk ports to an unused VLAN.
       • Configure the allowed VLANs on the trunk ports, and do not allow a native VLAN.
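Auditing a switch's running configuration for the trunk-port and unused-port mitigations listed on slide 4, as an added Python example that is not part of the slides or any vendor tool; the running-config excerpt, interface names and finding messages are constructed for illustration.

```python
import re

# Constructed sample running-config excerpt (hypothetical; not from the slides).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 shutdown
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its stripped configuration lines."""
    blocks = [[l.strip() for l in b.splitlines() if l.strip()]
              for b in re.split(r"^!$", config, flags=re.M)]
    return {b[0].split(None, 1)[1]: b[1:]
            for b in blocks if b and b[0].startswith("interface ")}

def audit_vlan_hopping(config):
    """Return {interface: [findings]} for ports missing a slide-4 mitigation."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue  # an administratively down port cannot negotiate a trunk
        issues = []
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode in (None, "dynamic"):  # no explicit mode, or dynamic auto/desirable
            issues.append("DTP can negotiate a trunk; set an explicit access or trunk mode")
        elif mode == "trunk":
            native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")), "1")
            if "switchport nonegotiate" not in lines:
                issues.append("trunk still sends DTP; add 'switchport nonegotiate'")
            if native == "1":
                issues.append("native VLAN left at default 1; move it to an unused VLAN")
            if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
                issues.append("all VLANs allowed on trunk; prune to the required VLANs")
        if issues:
            report[name] = issues
    return report
```

Run against a real `show running-config` dump, the report lists every port that still negotiates trunks or carries the default native VLAN; the allowed-VLAN check only tests for the presence of a pruned list, not whether the native VLAN was removed from it.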

  5. Types of ACLs

  6. Configuring VACLs
     • Create an access list.
     • Configure an access map.
     • Create a VLAN filter.
     • Example: Drop all traffic from network 10.1.9.0/24 on VLANs 10 and 20, and drop all traffic to backup server 0000.1111.4444.

       switch(config)# access-list 100 permit ip 10.1.9.0 0.0.0.255 any
       switch(config)# mac access-list extended BACKUP_SERVER
       switch(config-ext-mac)# permit any host 0000.1111.4444
       switch(config)# vlan access-map XYZ 10
       switch(config-map)# match ip address 100
       switch(config-map)# action drop
       switch(config-map)# vlan access-map XYZ 20
       switch(config-map)# match mac address BACKUP_SERVER
       switch(config-map)# action drop
       switch(config-map)# vlan access-map XYZ 30
       switch(config-map)# action forward
       switch(config)# vlan filter XYZ vlan-list 10,20

  7. Summary
     • VLAN hopping can allow Layer 2 unauthorized access to another VLAN.
     • VLAN hopping can be mitigated by:
       • Properly configuring 802.1Q trunks
       • Turning off trunk negotiation
     • Access lists can be applied to VLANs to limit Layer 2 access.
     • VACLs can be configured on Cisco Catalyst switches.
