Download VLAN Security - Clarkson University

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
page
52
page
53
Document related concepts

Distributed firewall wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Asynchronous Transfer Mode wikipedia , lookup

Computer network wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Point-to-Point Protocol over Ethernet wikipedia , lookup

Deep packet inspection wikipedia , lookup

IEEE 802.1aq wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Computer security wikipedia , lookup

Power over Ethernet wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Network tap wikipedia , lookup

Wireless security wikipedia , lookup

Telephone exchange wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Spanning Tree Protocol wikipedia , lookup

Virtual LAN wikipedia , lookup

Transcript 
VLAN Security
Presented By:
Ronny L. Bull
CS Seminar
Spring 2015
Outline
Introduction
● Virtual LAN concepts
● Common Attack Methods
● Overview of Attacks
● Why They Are Effective
● Mitigation Strategies
● Future Work in Virtualized Environments
● Planned Attacks
● Planned Test Scenarios
● Questions
●
Introduction
Researching Layer 2 network security in virtualized
environments
● Already conducted successful experiments using:
● MAC flooding
● Open vSwitch based virtual networks are vulnerable!
● Results made public at DerbyCon 4.0
● Submitted vulnerability report to http://cert.org and
[email protected]
● DHCP attacks
● Multiple scenarios evaluated on each platform
● All tested platforms were found vulnerable!
●
MAC Flooding Summary
DHCP Attack Summary
Next Step
Next step: evaluate VLAN security in virtualized
environments:
● All virtual switch products support the creation of VLANs
● VLANs allow service providers to logically separate and
isolate multi-tenant virtual networks within their
environments
● Do the current known vulnerabilities in commonly used
VLAN protocols apply to virtualized networks?
● Could allow for:
● Eavesdropping of traffic on restricted VLANs
● Injection of packets onto a restricted VLAN
● DoS attacks
● Covert channels
●
Outline
Introduction
● Basic VLAN concepts
● Common Attack Methods
● Overview of Attacks
● Why They Are Effective
● Mitigation Strategies
● Future Work in Virtualized Environments
● Planned Attacks
● Planned Test Scenarios
● Questions
●
Virtual LAN Concepts
●
Virtual LAN (VLAN)
● Allows for separation of physical network into multiple
logical networks
● Each logical network is considered as a single broadcast
domain
● Layer 2 connectivity
● Broadcast traffic reaches all logically connected nodes
● Separated by Layer 3 devices (routers)
● Broadcast domains can span multiple network segments
by the use of a bridge or switch
Virtual LAN Concepts
●
Switch Ports (managed switches)
● Trunk port
● Port on switch configured to carry traffic for multiple
VLANs to other connected switches
● Allows VLANs to expand beyond a single switch
● ie. between buildings
● Access port
● Port on switch configured to provide access to a single
VLAN
● Tags all traffic entering port from connected devices with
associated VLAN ID (ie. VLAN 102)
● No need to configure connected device with specific
VLAN information
Virtual LAN Concepts
●
Types of VLANs
● Native VLAN
● Allows for the passing of un-tagged frames between
devices
● Trunk connections between switches
● CDP, DTP, VTP messages between switches
● VLAN 1 traffic between devices on a network
● Typically used for management purposes
● Default VLAN on an un-configured switch
● Defaults to VLAN 1
Virtual LAN Concepts
●
Types of VLANs (cont.)
● Access VLAN
● Restricted VLAN used for client access to a logical
network
● All traffic is tagged with the ID of the access VLAN
● Un-tagged traffic or traffic tagged with a different VLAN
ID is prevented from accessing the logically separated
broadcast domain
● Used to isolate traffic on a network
● Separate traffic from different departments
● Increase security by preventing unauthorized access to
network resources
Virtual LAN Concepts
●
Standard Ethernet frames consist of the following fields:
● Destination MAC address
● Source MAC address
● Type of frame or frame length
● The data payload
● A frame check sequence
Standard 802.3 Ethernet Frame
Dst MAC
Src MAC
Type/Len
Data
FCS
Virtual LAN Concepts
●
Ethernet frames are modified for VLAN traffic:
● Addition of a 802.1q VLAN header
● 32 bits of extra information wedged in
4 Bytes
Dst MAC
Src MAC
TPID
0x8100
2 Bytes
802.1q
Type/Len
VLAN Tag
TPI
(3 bits)
DEI
(1 bit)
2 Bytes
Data
VID
(12 bits)
FCS
Virtual LAN Concepts
●
The IEEE 802.1ad standard also known as Q-in-Q allows
for the addition of multiple 802.1q VLAN tags to a frame
● Useful for:
● Provider bridging
● Stacked VLANs
4 Bytes
Dst MAC
Src MAC
802.1q
Type/Len
VLAN Tag
4 Bytes
Dst MAC
Src MAC
Data
FCS
4 Bytes
802.1q
802.1q
Type/Len
VLAN Tag VLAN Tag
Data
FCS
Outline
Introduction
● Virtual LAN concepts
● Common Attack Methods
● Overview of Attacks
● Why They Are Effective
● Mitigation Strategies
● Future Work in Virtualized Environments
● Planned Attacks
● Planned Test Scenarios
● Questions
●
VLAN Hopping
VLAN Hopping
● An attack method used to gain unauthorized access to
another Virtual LAN on a packet switched network
● Consists of attacker sending frames from one VLAN to
another that would otherwise be inaccessible
● Two methods
● Switch Spoofing
● Double Tagging
●
Switch Spoofing
Switch Spoofing
●
CVE-2005-1942
●
●
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1942
“Cisco switches that support 802.1x security allow
remote attackers to bypass port security and gain
access to the VLAN via spoofed Cisco Discovery
Protocol (CDP) messages.”
Switch Spoofing
●
Cisco Discovery Protocol
● Cisco proprietary Layer 2 protocol
● Allows connected Cisco devices to share information
● Operating system
● IP address
● Routing information
● Duplex settings
● VTP domain
● VLAN information
Switch Spoofing
●
CVE-1999-1129
● http://www.cvedetails.com/cve/CVE-1999-1129/
● “Cisco Catalyst 2900 Virtual LAN (VLAN) switches allow
remote attackers to inject 802.1q frames into another
VLAN by forging the VLAN identifier in the trunking tag.”
●
●
Combine with ...
DTP: Dynamic Trunking protocol. "If a switch port were
configured as DTP auto and were to receive a fake DTP
packet, it might become a trunk port and it might start
accepting traffic destined for any VLAN" (Cisco).
● DTP Auto is the default setting!
Switch Spoofing
●
Dynamic Trunking Protocol
● Cisco proprietary Layer 2 protocol
● Allows automatic configuration of trunk ports on Cisco
switches
● Automatically configures VLAN trunking for all
supported VLANs
● Provides ability to negotiate the trunking method with
neighbor devices
● Pair this with CDP and your Cisco devices can pretty
much configure themselves (not very securely!)
Switch Spoofing
Switch Spoofing
Switch Spoofing
Switch Spoofing
Switch Spoofing
Switch Spoofing
●
Consequences
● Attacker's system has a trunk connection to the switch
● Attacker can generate frames for any VLAN supported
by the trunk connection
● Attacker can communicate with any device on any of the
associated VLANs
● Two-way communication can occur between the attacker
and a targeted node because the attacker can actually
place themselves on the VLAN
● Also allows attacker to eavesdrop on the traffic within a
target VLAN
Switch Spoofing
●
Mitigation
● Disable unused switch ports
● Disable CDP and DTP
● Or use on an as need, per port basis!
● Restrict the amount of trunk ports
● Should only be configured when connecting devices
require it (ie. other switches)
● Limit VLAN access on trunk ports to only what the
connected segments require
● Configure all other ports as access ports (no trunking)
with no access to the native VLAN
● Don't use Cisco switches...
Double Tagging
Double Tagging
●
CVE-2005-4440
● http://www.cvedetails.com/cve/CVE-2005-4440/
● “The 802.1q VLAN protocol allows remote attackers to
bypass network segmentation and spoof VLAN traffic via
a message with two 802.1q tags, which causes the
second tag to be redirected from a downstream switch
after the first tag has been stripped.”
● A.K.A: “Double-Tagging VLAN jumping attack”
Double Tagging
Double Tagging
Double Tagging
Dst MAC
Src MAC
Type/Len
Data
FCS
Standard 802.3 Ethernet Frame:
4 Bytes
Dst MAC
Src MAC
802.1q
Type/Len
VLAN Tag
Data
FCS
802.3 Ethernet Frame Tagged with 4 Byte 802.1q header:
4 Bytes
Dst MAC
Src MAC
4 Bytes
802.1q
802.1q
Type/Len
VLAN Tag VLAN Tag
Data
FCS
802.3 Ethernet Frame Tagged with multiple 4 Byte 802.1q headers – Q-in-Q:
Double Tagging
Double Tagging
Double Tagging
●
Consequences
● Attacker can send packets to a target VLAN
● Targeted system cannot respond back
● Attacking system is on the native VLAN
● Target is on an access VLAN isolated from the native
VLAN broadcast domain
● Not a good attack for eavesdropping
● Excellent method for DoS attacks
● Can be used as one way covert channels
Double Tagging
●
Mitigation Techniques
● Do not assign any hosts to VLAN 1 (native VLAN)
● If necessary significantly limit access
● Disable VLAN 1 on unnecessary ports
● Change native VLAN on all trunk ports to something
different than VLAN 1
● Restrict access to switches by MAC address
● Can spoof MAC addresses to get around this
● Heart of this attack is having access to the native VLAN!
● This is the default VLAN for all ports on a switch!
Outline
Introduction
● Virtual LAN concepts
● Common Attack Methods
● Overview of Attacks
● Why They Are Effective
● Mitigation Strategies
● Future Work in Virtualized Environments
● Planned Attacks
● Planned Test Scenarios
● Questions
●
Future Work
What can be done in Virtualized environments?
● Switch Spoofing
● Targets vulnerability in Cisco proprietary protocols
● Would be useless on non-Cisco based vSwitches
● Testing on Cisco Nexus 1000v switches is planned
● Double Tagging
● Targets vulnerability in 802.1q standard
● 802.1ad sub-standard
● Could potentially work on any vSwitch
● Attack requires two or more switches to be successful
● Many scenarios can be explored
●
Future Work
●
Scenarios:
● Switch Spoofing
● DTP/CDP spoofing attacks
● Cisco Nexus 1000v switch (advanced and essentials
editions)
● VM → vSwitch (DTP) → VM (VLAN XX)
● PC → Switch → vSwitch (DTP) → VM (VLAN XX)
● VM → vSwitch (DTP) → Switch → PC (VLAN XX)
Future Work
●
Scenarios (cont.):
● Double Tagging (requires at least 2 switches)
● PC → Switch → vSwitch → VM
● VM → vSwitch → Switch → PC
● VM → vSwitch → vSwitch → VM
● Between different environments and vSwitches
● VM → vSwitch → Switch → vSwitch → VM
● Between different environments and vSwitches
Future Work
●
Lab infrastructure upgrades and design changes are
required to safely support test scenarios
● Addition of multiple physical switches that support VLANs
to lab and server rack (acquired!)
● Direct 1Gb Ethernet connection from lab switch to server
rack switch (waiting on approval)
● Connections currently go through multiple campus
switches
●
Requires facilities to install cabling between lab on 3rd
floor and server room in basement.
● Isolation of lab network with router (locating hardware)
● Approval of VLAN ID usage from SUNY Poly ITS
administrators (waiting on approval)
Future Work
●
Infrastructure and design changes (cont.)
● Addition of Cisco Nexus 1000v essentials & advanced
vSwitches in VMWare environments
● Two Servers (locating hardware)
● Software license fees ~$5000.00 (acquired funding!)
● Academic VMWare vSphere Essentials (purchased)
● Academic VMWare vCenter (purchased)
● Cisco Nexus 1000v Advanced Edition (purchased)
● DTP/CDP Switch spoofing scenarios
● Configuration of VLAN IDs (once approved) on all
physical and virtual switches
● Allocation of new target virtual machines on each of the
test VLANs
Outline
Introduction
● Virtual LAN concepts
● Common Attack Methods
● Overview of Attacks
● Why They Are Effective
● Mitigation Strategies
● Future Work in Virtualized Environments
● Planned Attacks
● Planned Test Scenarios
● Questions
●
References
●
●
●
●
●
Accuvant Labs. Bourne again shell (bash) remote code execution vulnerability - bash
shell shock advisory. Retrieved Oct 5, 2014 from http://files.accuvant.com/web/file/
c18f38696677495085074e51178da52b/Bash%20ShellShock%20Advisory.pdf.
Altunbasak, H., Krasser, S., Owen, H. L., Grimminger, J., Huth, H.-P., and
Sokol, J. Securing layer 2 in local area networks. In ICN’05 Proceedings of the 4th international conference on Networking - Volume Part II (2005), pp. 699–706.
Ayuso, P. N., McHardy, P., Kadlecsik, J., Leblond, E., and Westphal, F. The
netfilter.org project. Retrieved Oct 21, 2014 from http://www.netfilter.org.
Baker, Morris, CCNA Security 640-554 Official Cert Guide, Cisco Press. July 2012.
Barjatiya, S., and Saripalli, P. Blueshield: A layer 2 appliance for enhancing isolation and security hardening among multi-tenant cloud workloads. In 2012 IEEE/ACM Fifth
International Conference on Utility and Cloud Computing (2012), pp. 195–198.
© 2015 Ronny L. Bull - Clarkson University
References
●
●
●
●
●
Buhr, A., Lindskog, D., Zavarski, P., and Ruhl, R. Media access control address spoof-ing attacks
against port security. In WOOT’11: Proceedings of the 5th USENIX conference on Offensive
technologies (2011), pp. 1–1.
Bull, R. Design and implementation of computer science virtualized lab environment.
Retrieved Oct 19, 2014 from http://web.cs.sunyit.edu/~bullr/publications/bullr_
thesis.pdf.
Bull, R. Exploring layer 2 network security in virtualized environments. Retrieved Oct 19,2014
from http://youtu.be/tLrNh-34sKY.
Bull, R. Migrating a voice communications laboratory to a virtualized environment. In SIGITE ’13
Proceedings of the 14th annual ACM SIGITE conference on Information Technology education
(2013), pp. 189–194.
Cabuk, S., Dalton, C., Ramasamy, H., and Schunter, M. Towards automated provi-sioning of
secure virtualized networks. In CCS ’07, Proceedings of the 14th ACM conference on Computer
and communications security (2007), pp. 235–245.
© 2015 Ronny L. Bull - Clarkson University
References
●
●
●
●
●
CentOS. The centos project. Retrieved Oct 21, 2014 from http://www.centos.org.
Cisco Systems, Inc. Catalyst 6500 release 12.2sx software configuration guide.
Retrieved May 12, 2014 from http://www.cisco.com/c/en/us/td/docs/switches/lan/
catalyst6500/ios/12-2SX/configuration/guide/book/pref.html.
Cisco Systems, Inc. Cisco nexus 1000v series switches for vmware vsphere data
sheet. Retrieved November 29, 2013 from http://www.cisco.com/en/US/prod/collateral/
switches/ps9441/ps9902/data_sheet_c78-492971.html.
Cisco Systems, Inc. Dynamic Trunking Protocol. Retrieved February 3rd, 2014 from
http://www.cisco.com/c/en/us/tech/lan-switching/dynamic-trunking-protocol-dtp/index.html
Cisco Systems, Inc. Configuring Cisco Discovery Protocol on Cisco Routers and Switches
Running Cisco IOS . Retrieved February 3rd, 2014 from:
http://www.cisco.com/c/en/us/support/docs/network-management/discovery-protocol-cdp/43485cdponios43485.html
© 2015 Ronny L. Bull - Clarkson University
References
●
●
●
●
●
●
Cisco Systems, Inc. Stacked VLAN Processing. Retrieved February 3rd, 2014 from:
http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/qinq.html
Cisco Systems, Inc. Understanding VLAN Trunk Protocol (VTP). Retrieved February 3 rd, 2014
from: http://www.cisco.com/c/en/us/support/docs/lan-switching/vtp/10558-21.html
Clark, B., Deshane, T., Dow, E., Evanchik, S., Finlayson, M., Herne, J., and
Matthews, J. N. Xen and the art of repeated research. In USENIX 2004 Proceedings of the
Annual Technical Conference - FREENIX Track (2004), pp. 135–144.
die.net. dhcp-options - linux man page. Retrieved Oct 5, 2014 from http://linux.die.
net/man/5/dhcp-options.
ELinks. Elinks full-featured text www browser. Retrieved Oct 21, 2014 from http://www.
elinks.or.cz.
Gentoo Bugzilla. Bug 491672 - =net-misc/openvswitch-2.0.0 - install: cannot stat ’brcom-pat.ko’:
No such file or directory. Retrieved December 4, 2013 from
https://bugs.gentoo.org/show_bug.cgi?id=491672/.
© 2015 Ronny L. Bull - Clarkson University
References
●
●
●
●
●
Gentoo Wiki. Qemu with open vswitch network. Retrieved December 4, 2013 from
http://wiki.gentoo.org/wiki/QEMU_with_Open_vSwitch_network/.
Hu, W., Hicks, A., Zhang, L., Dow, E., Soni, V., Jiang, H., Bull, R., and Matthews, J. A quantitative
study of virtual machine live migration. In CAC ’13, Pro-ceedings of the 2013 ACM Cloud and
Autonomic Computing Conference (2013), p. Article No. 11.
Information Security Stack Exchange. bash - shellshock dhcp exploitation.
Retrieved Oct 19, 2014 from http://security.stackexchange.com/questions/68877/
shellshock-dhcp-exploitation.
Kali Linux. The most advanced penetration testing distribution, ever. Retrieved November 29,
2013 from http://www.kali.org/.
LAN MAN Standards Committee. IEEE Standards for Local and Metropolitan Area Networks:
Media Access Control (MAC) Bridges. The Institute of Electrical and Electronics Engineers, Inc.,
New York, NY, 2004.
© 2015 Ronny L. Bull - Clarkson University
References
●
●
●
●
●
LAN MAN Standards Committee. IEEE Standards for Local and Metropolitan Area Networks:
Virtual Bridged Local Area Networks (802.1Q). The Institute of Electrical and Electronics
Engineers, Inc., New York, NY, 2003.
LAN MAN Standards Committee. IEEE Standards for Local and Metropolitan Area Networks:
Virtual Bridged Local Area Networks Amendment 4: Provider Bridges (802.1ad). The Institute of
Electrical and Electronics Engineers, Inc., New York, NY, 2005.
Lauerman, K., and King, J. Stp mitm attack and l2 mitigation techniques on the cisco
catalyst 6500. Retrieved May 12, 2014 from http://www.cisco.com/c/en/us/products/
collateral/switches/catalyst-6500-series-switches/white_paper_c11_605972.pdf/.
Microsoft. Hyper-v virtual switch overview. Retrieved May 18, 2014 from http://technet.
microsoft.com/en-us/library/hh831823.aspx.
Microsoft. What is server core? Retrieved June 4, 2014 from http://msdn.
microsoft.com/en-us/library/dd184075.aspx.
© 2015 Ronny L. Bull - Clarkson University
References
●
●
●
●
●
●
National Vulnerability Database. Cve-2014-6271. Retrieved Oct 5, 2014 from http:
//web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271.
National Vulnerability Database. Cve-2014-7169. Retrieved Oct 5, 2014 from http:
//web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169.
National Vulnerability Database. Cve-2005-1942/ Retrieved Feb 3. 2015 from
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1942
National Vulnerability Database. Cve-1999-1129/ Retrieved Feb 3. 2015 from
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1129
Open Networking Foundation. Software-defined networking: The new norm for networks. Retrieved May 13, 2014 from https://www.opennetworking.org/images/stories/
downloads/sdn-resources/white-papers/wp-sdn-newnorm.pdf.
Open vSwitch. How to install open vswitch on linux, freebsd and netbsd. Retrieved December 4,
2013 from http://git.openvswitch.org/cgi-bin/gitweb.cgi
p=openvswitch;a=blob_plain;f=INSTALL;hb=HEAD/.
© 2015 Ronny L. Bull - Clarkson University
References
●
●
●
●
●
●
Open vSwitch. Production quality, multilayer open virtual switch. Retrieved November 29, 2013
from http://openvswitch.org.
Pettit, J., Gross, J., Pfaff, B., Casado, M., and Crosby, S. Virtual switching in
an era of advanced edges. In ITC 22 2nd Workshop on Data Center - Converged and Virtual
Ethernet Switching (DC-CAVES) (2010).
Pfaff, B., Pettit, J., Koponen, T., Amidon, K., Casado, M., and Shenker, S. Extending networking
into the virtualization layer. In HotNets-VIII (2009).
Rouiller, S. VLAN Security: weaknesses and countermeasures - v1.4b. SANS Institute.
Saripalli, P., and Walters, B. Quirc: A quantitative impact and risk assessment framework for cloud security. In 2010 IEEE 3rd International Conference on Cloud Computing (2010),
pp. 280–288.
Seifert, R., and Edwards, J. The All-New Switch Book. Wiley Publishing, Inc., Indianapolis, Indiana, 2008.
© 2015 Ronny L. Bull - Clarkson University
References
●
●
●
●
●
thekellys.org. Dnsmasq - network services for small networks. Retrieved Oct 19, 2014 from
http://www.thekelleys.org.uk/dnsmasq/doc.html.
TrustedSec. Shellshock dhcp rce proof of concept. Retrieved Oct 5, 2014 from https:
//www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/.
VMware Inc. Vmware vsphere end user license agreement. Retrieved May 21, 2014 from
http://www.vmware.com/download/eula/esxi50_eula.html.
Xen Networking. Setting up open vswitch networking. Retrieved December 4, 2013 from
http://wiki.xen.org/wiki/Xen_Networking#Setting_up_Open_vSwitch_networking/.
Yeung, K.-H., Fung, D., and Wong, K.-Y. Tools for attacking layer 2 network infrastructure. In IMECS ’08 Proceedings of the International MultiConference of Engineers and
Computer Scientists (2008), pp. 1143–1148.
© 2015 Ronny L. Bull - Clarkson University
Related documents
cisco systems
cisco systems
Review Questions of Switching Networks
Review Questions of Switching Networks
Document 8758227
Document 8758227
Securing Network
Securing Network
Router/Switch Security
Router/Switch Security
Basic Configuration of WAP4410N
Basic Configuration of WAP4410N
What are the Advantages and Disadvantages of a Policy
What are the Advantages and Disadvantages of a Policy
Release notes_1.3
Release notes_1.3
Westermo Group
Westermo Group
Ethernet Link SMS-800
Ethernet Link SMS-800
If your staff need to upgrade or re
If your staff need to upgrade or re
Network Devices
Network Devices
The Virtual Local Area Network (VLAN) Technology
The Virtual Local Area Network (VLAN) Technology