VLAN Security - Clarkson University

Loading...

VLAN Security Presented By: Ronny L. Bull CS Seminar Spring 2015

Outline Introduction ● Virtual LAN concepts ● Common Attack Methods ● Overview of Attacks ● Why They Are Effective ● Mitigation Strategies ● Future Work in Virtualized Environments ● Planned Attacks ● Planned Test Scenarios ● Questions ●

Introduction Researching Layer 2 network security in virtualized environments ● Already conducted successful experiments using: ● MAC flooding ● Open vSwitch based virtual networks are vulnerable! ● Results made public at DerbyCon 4.0 ● Submitted vulnerability report to http://cert.org and [email protected] ● DHCP attacks ● Multiple scenarios evaluated on each platform ● All tested platforms were found vulnerable! ●

MAC Flooding Summary

DHCP Attack Summary

Next Step Next step: evaluate VLAN security in virtualized environments: ● All virtual switch products support the creation of VLANs ● VLANs allow service providers to logically separate and isolate multi-tenant virtual networks within their environments ● Do the current known vulnerabilities in commonly used VLAN protocols apply to virtualized networks? ● Could allow for: ● Eavesdropping of traffic on restricted VLANs ● Injection of packets onto a restricted VLAN ● DoS attacks ● Covert channels ●

Outline Introduction ● Basic VLAN concepts ● Common Attack Methods ● Overview of Attacks ● Why They Are Effective ● Mitigation Strategies ● Future Work in Virtualized Environments ● Planned Attacks ● Planned Test Scenarios ● Questions ●

Virtual LAN Concepts ●

Virtual LAN (VLAN) ● Allows for separation of physical network into multiple logical networks ● Each logical network is considered as a single broadcast domain ● Layer 2 connectivity ● Broadcast traffic reaches all logically connected nodes ● Separated by Layer 3 devices (routers) ● Broadcast domains can span multiple network segments by the use of a bridge or switch

Virtual LAN Concepts ●

Switch Ports (managed switches) ● Trunk port ● Port on switch configured to carry traffic for multiple VLANs to other connected switches ● Allows VLANs to expand beyond a single switch ● ie. between buildings ● Access port ● Port on switch configured to provide access to a single VLAN ● Tags all traffic entering port from connected devices with associated VLAN ID (ie. VLAN 102) ● No need to configure connected device with specific VLAN information

Virtual LAN Concepts ●

Types of VLANs ● Native VLAN ● Allows for the passing of un-tagged frames between devices ● Trunk connections between switches ● CDP, DTP, VTP messages between switches ● VLAN 1 traffic between devices on a network ● Typically used for management purposes ● Default VLAN on an un-configured switch ● Defaults to VLAN 1

Virtual LAN Concepts ●

Types of VLANs (cont.) ● Access VLAN ● Restricted VLAN used for client access to a logical network ● All traffic is tagged with the ID of the access VLAN ● Un-tagged traffic or traffic tagged with a different VLAN ID is prevented from accessing the logically separated broadcast domain ● Used to isolate traffic on a network ● Separate traffic from different departments ● Increase security by preventing unauthorized access to network resources

Virtual LAN Concepts ●

Standard Ethernet frames consist of the following fields: ● Destination MAC address ● Source MAC address ● Type of frame or frame length ● The data payload ● A frame check sequence Standard 802.3 Ethernet Frame Dst MAC

Src MAC

Type/Len

Data

FCS

Virtual LAN Concepts ●

Ethernet frames are modified for VLAN traffic: ● Addition of a 802.1q VLAN header ● 32 bits of extra information wedged in 4 Bytes Dst MAC

Src MAC

TPID 0x8100 2 Bytes

802.1q Type/Len VLAN Tag

TPI (3 bits)

DEI (1 bit) 2 Bytes

Data

VID (12 bits)

FCS

Virtual LAN Concepts ●

The IEEE 802.1ad standard also known as Q-in-Q allows for the addition of multiple 802.1q VLAN tags to a frame ● Useful for: ● Provider bridging ● Stacked VLANs 4 Bytes Dst MAC

Src MAC

802.1q Type/Len VLAN Tag

4 Bytes Dst MAC

Src MAC

Data

FCS

4 Bytes

802.1q 802.1q Type/Len VLAN Tag VLAN Tag

Data

FCS

Outline Introduction ● Virtual LAN concepts ● Common Attack Methods ● Overview of Attacks ● Why They Are Effective ● Mitigation Strategies ● Future Work in Virtualized Environments ● Planned Attacks ● Planned Test Scenarios ● Questions ●

VLAN Hopping VLAN Hopping ● An attack method used to gain unauthorized access to another Virtual LAN on a packet switched network ● Consists of attacker sending frames from one VLAN to another that would otherwise be inaccessible ● Two methods ● Switch Spoofing ● Double Tagging ●

Switch Spoofing

Switch Spoofing ●

CVE-2005-1942 ●



http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1942

“Cisco switches that support 802.1x security allow remote attackers to bypass port security and gain access to the VLAN via spoofed Cisco Discovery Protocol (CDP) messages.”

Switch Spoofing ●

Cisco Discovery Protocol ● Cisco proprietary Layer 2 protocol ● Allows connected Cisco devices to share information ● Operating system ● IP address ● Routing information ● Duplex settings ● VTP domain ● VLAN information

Switch Spoofing ●

CVE-1999-1129 ● http://www.cvedetails.com/cve/CVE-1999-1129/ ● “Cisco Catalyst 2900 Virtual LAN (VLAN) switches allow remote attackers to inject 802.1q frames into another VLAN by forging the VLAN identifier in the trunking tag.” ●



Combine with ... DTP: Dynamic Trunking protocol. "If a switch port were configured as DTP auto and were to receive a fake DTP packet, it might become a trunk port and it might start accepting traffic destined for any VLAN" (Cisco). ● DTP Auto is the default setting!

Switch Spoofing ●

Dynamic Trunking Protocol ● Cisco proprietary Layer 2 protocol ● Allows automatic configuration of trunk ports on Cisco switches ● Automatically configures VLAN trunking for all supported VLANs ● Provides ability to negotiate the trunking method with neighbor devices ● Pair this with CDP and your Cisco devices can pretty much configure themselves (not very securely!)

Switch Spoofing

Switch Spoofing

Switch Spoofing

Switch Spoofing

Switch Spoofing

Switch Spoofing ●

Consequences ● Attacker's system has a trunk connection to the switch ● Attacker can generate frames for any VLAN supported by the trunk connection ● Attacker can communicate with any device on any of the associated VLANs ● Two-way communication can occur between the attacker and a targeted node because the attacker can actually place themselves on the VLAN ● Also allows attacker to eavesdrop on the traffic within a target VLAN

Switch Spoofing ●

Mitigation ● Disable unused switch ports ● Disable CDP and DTP ● Or use on an as need, per port basis! ● Restrict the amount of trunk ports ● Should only be configured when connecting devices require it (ie. other switches) ● Limit VLAN access on trunk ports to only what the connected segments require ● Configure all other ports as access ports (no trunking) with no access to the native VLAN ● Don't use Cisco switches...

Double Tagging

Double Tagging ●

CVE-2005-4440 ● http://www.cvedetails.com/cve/CVE-2005-4440/ ● “The 802.1q VLAN protocol allows remote attackers to bypass network segmentation and spoof VLAN traffic via a message with two 802.1q tags, which causes the second tag to be redirected from a downstream switch after the first tag has been stripped.” ● A.K.A: “Double-Tagging VLAN jumping attack”

Double Tagging

Double Tagging

Double Tagging Dst MAC

Src MAC

Type/Len

Data

FCS

Standard 802.3 Ethernet Frame: 4 Bytes Dst MAC

Src MAC

802.1q Type/Len VLAN Tag

Data

FCS

802.3 Ethernet Frame Tagged with 4 Byte 802.1q header: 4 Bytes Dst MAC

Src MAC

4 Bytes

802.1q 802.1q Type/Len VLAN Tag VLAN Tag

Data

FCS

802.3 Ethernet Frame Tagged with multiple 4 Byte 802.1q headers – Q-in-Q:

Double Tagging

Double Tagging

Double Tagging ●

Consequences ● Attacker can send packets to a target VLAN ● Targeted system cannot respond back ● Attacking system is on the native VLAN ● Target is on an access VLAN isolated from the native VLAN broadcast domain ● Not a good attack for eavesdropping ● Excellent method for DoS attacks ● Can be used as one way covert channels

Double Tagging ●

Mitigation Techniques ● Do not assign any hosts to VLAN 1 (native VLAN) ● If necessary significantly limit access ● Disable VLAN 1 on unnecessary ports ● Change native VLAN on all trunk ports to something different than VLAN 1 ● Restrict access to switches by MAC address ● Can spoof MAC addresses to get around this ● Heart of this attack is having access to the native VLAN! ● This is the default VLAN for all ports on a switch!

Outline Introduction ● Virtual LAN concepts ● Common Attack Methods ● Overview of Attacks ● Why They Are Effective ● Mitigation Strategies ● Future Work in Virtualized Environments ● Planned Attacks ● Planned Test Scenarios ● Questions ●

Future Work What can be done in Virtualized environments? ● Switch Spoofing ● Targets vulnerability in Cisco proprietary protocols ● Would be useless on non-Cisco based vSwitches ● Testing on Cisco Nexus 1000v switches is planned ● Double Tagging ● Targets vulnerability in 802.1q standard ● 802.1ad sub-standard ● Could potentially work on any vSwitch ● Attack requires two or more switches to be successful ● Many scenarios can be explored ●

Future Work ●

Scenarios: ● Switch Spoofing ● DTP/CDP spoofing attacks ● Cisco Nexus 1000v switch (advanced and essentials editions) ● VM → vSwitch (DTP) → VM (VLAN XX) ● PC → Switch → vSwitch (DTP) → VM (VLAN XX) ● VM → vSwitch (DTP) → Switch → PC (VLAN XX)

Future Work ●

Scenarios (cont.): ● Double Tagging (requires at least 2 switches) ● PC → Switch → vSwitch → VM ● VM → vSwitch → Switch → PC ● VM → vSwitch → vSwitch → VM ● Between different environments and vSwitches ● VM → vSwitch → Switch → vSwitch → VM ● Between different environments and vSwitches

Future Work ●

Lab infrastructure upgrades and design changes are required to safely support test scenarios ● Addition of multiple physical switches that support VLANs to lab and server rack (acquired!) ● Direct 1Gb Ethernet connection from lab switch to server rack switch (waiting on approval) ● Connections currently go through multiple campus switches ● Requires facilities to install cabling between lab on 3rd floor and server room in basement. ● Isolation of lab network with router (locating hardware) ● Approval of VLAN ID usage from SUNY Poly ITS administrators (waiting on approval)

Future Work ●

Infrastructure and design changes (cont.) ● Addition of Cisco Nexus 1000v essentials & advanced vSwitches in VMWare environments ● Two Servers (locating hardware) ● Software license fees ~$5000.00 (acquired funding!) ● Academic VMWare vSphere Essentials (purchased) ● Academic VMWare vCenter (purchased) ● Cisco Nexus 1000v Advanced Edition (purchased) ● DTP/CDP Switch spoofing scenarios ● Configuration of VLAN IDs (once approved) on all physical and virtual switches ● Allocation of new target virtual machines on each of the test VLANs

Outline Introduction ● Virtual LAN concepts ● Common Attack Methods ● Overview of Attacks ● Why They Are Effective ● Mitigation Strategies ● Future Work in Virtualized Environments ● Planned Attacks ● Planned Test Scenarios ● Questions ●

References ●









Accuvant Labs. Bourne again shell (bash) remote code execution vulnerability - bash shell shock advisory. Retrieved Oct 5, 2014 from http://files.accuvant.com/web/file/ c18f38696677495085074e51178da52b/Bash%20ShellShock%20Advisory.pdf. Altunbasak, H., Krasser, S., Owen, H. L., Grimminger, J., Huth, H.-P., and Sokol, J. Securing layer 2 in local area networks. In ICN’05 Proceedings of the 4th international conference on Networking - Volume Part II (2005), pp. 699–706. Ayuso, P. N., McHardy, P., Kadlecsik, J., Leblond, E., and Westphal, F. The netfilter.org project. Retrieved Oct 21, 2014 from http://www.netfilter.org. Baker, Morris, CCNA Security 640-554 Official Cert Guide, Cisco Press. July 2012. Barjatiya, S., and Saripalli, P. Blueshield: A layer 2 appliance for enhancing isolation and security hardening among multi-tenant cloud workloads. In 2012 IEEE/ACM Fifth International Conference on Utility and Cloud Computing (2012), pp. 195–198.

© 2015 Ronny L. Bull - Clarkson University

References ●









Buhr, A., Lindskog, D., Zavarski, P., and Ruhl, R. Media access control address spoof-ing attacks against port security. In WOOT’11: Proceedings of the 5th USENIX conference on Offensive technologies (2011), pp. 1–1. Bull, R. Design and implementation of computer science virtualized lab environment. Retrieved Oct 19, 2014 from http://web.cs.sunyit.edu/~bullr/publications/bullr_ thesis.pdf. Bull, R. Exploring layer 2 network security in virtualized environments. Retrieved Oct 19,2014 from http://youtu.be/tLrNh-34sKY. Bull, R. Migrating a voice communications laboratory to a virtualized environment. In SIGITE ’13 Proceedings of the 14th annual ACM SIGITE conference on Information Technology education (2013), pp. 189–194. Cabuk, S., Dalton, C., Ramasamy, H., and Schunter, M. Towards automated provi-sioning of secure virtualized networks. In CCS ’07, Proceedings of the 14th ACM conference on Computer and communications security (2007), pp. 235–245.

© 2015 Ronny L. Bull - Clarkson University

References ●









CentOS. The centos project. Retrieved Oct 21, 2014 from http://www.centos.org. Cisco Systems, Inc. Catalyst 6500 release 12.2sx software configuration guide. Retrieved May 12, 2014 from http://www.cisco.com/c/en/us/td/docs/switches/lan/ catalyst6500/ios/12-2SX/configuration/guide/book/pref.html. Cisco Systems, Inc. Cisco nexus 1000v series switches for vmware vsphere data sheet. Retrieved November 29, 2013 from http://www.cisco.com/en/US/prod/collateral/ switches/ps9441/ps9902/data_sheet_c78-492971.html. Cisco Systems, Inc. Dynamic Trunking Protocol. Retrieved February 3rd, 2014 from http://www.cisco.com/c/en/us/tech/lan-switching/dynamic-trunking-protocol-dtp/index.html Cisco Systems, Inc. Configuring Cisco Discovery Protocol on Cisco Routers and Switches Running Cisco IOS . Retrieved February 3rd, 2014 from: http://www.cisco.com/c/en/us/support/docs/network-management/discovery-protocol-cdp/43485cdponios43485.html

© 2015 Ronny L. Bull - Clarkson University

References ●











Cisco Systems, Inc. Stacked VLAN Processing. Retrieved February 3rd, 2014 from: http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/qinq.html Cisco Systems, Inc. Understanding VLAN Trunk Protocol (VTP). Retrieved February 3 rd, 2014 from: http://www.cisco.com/c/en/us/support/docs/lan-switching/vtp/10558-21.html Clark, B., Deshane, T., Dow, E., Evanchik, S., Finlayson, M., Herne, J., and Matthews, J. N. Xen and the art of repeated research. In USENIX 2004 Proceedings of the Annual Technical Conference - FREENIX Track (2004), pp. 135–144. die.net. dhcp-options - linux man page. Retrieved Oct 5, 2014 from http://linux.die. net/man/5/dhcp-options. ELinks. Elinks full-featured text www browser. Retrieved Oct 21, 2014 from http://www. elinks.or.cz. Gentoo Bugzilla. Bug 491672 - =net-misc/openvswitch-2.0.0 - install: cannot stat ’brcom-pat.ko’: No such file or directory. Retrieved December 4, 2013 from http://bugs.gentoo.org/show_bug.cgi?id=491672/. © 2015 Ronny L. Bull - Clarkson University

References ●









Gentoo Wiki. Qemu with open vswitch network. Retrieved December 4, 2013 from http://wiki.gentoo.org/wiki/QEMU_with_Open_vSwitch_network/. Hu, W., Hicks, A., Zhang, L., Dow, E., Soni, V., Jiang, H., Bull, R., and Matthews, J. A quantitative study of virtual machine live migration. In CAC ’13, Pro-ceedings of the 2013 ACM Cloud and Autonomic Computing Conference (2013), p. Article No. 11. Information Security Stack Exchange. bash - shellshock dhcp exploitation. Retrieved Oct 19, 2014 from http://security.stackexchange.com/questions/68877/ shellshock-dhcp-exploitation. Kali Linux. The most advanced penetration testing distribution, ever. Retrieved November 29, 2013 from http://www.kali.org/. LAN MAN Standards Committee. IEEE Standards for Local and Metropolitan Area Networks: Media Access Control (MAC) Bridges. The Institute of Electrical and Electronics Engineers, Inc., New York, NY, 2004.

© 2015 Ronny L. Bull - Clarkson University

References ●









LAN MAN Standards Committee. IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks (802.1Q). The Institute of Electrical and Electronics Engineers, Inc., New York, NY, 2003. LAN MAN Standards Committee. IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks Amendment 4: Provider Bridges (802.1ad). The Institute of Electrical and Electronics Engineers, Inc., New York, NY, 2005. Lauerman, K., and King, J. Stp mitm attack and l2 mitigation techniques on the cisco catalyst 6500. Retrieved May 12, 2014 from http://www.cisco.com/c/en/us/products/ collateral/switches/catalyst-6500-series-switches/white_paper_c11_605972.pdf/. Microsoft. Hyper-v virtual switch overview. Retrieved May 18, 2014 from http://technet. microsoft.com/en-us/library/hh831823.aspx. Microsoft. What is server core? Retrieved June 4, 2014 from http://msdn. microsoft.com/en-us/library/dd184075.aspx.

© 2015 Ronny L. Bull - Clarkson University

References ●











National Vulnerability Database. Cve-2014-6271. Retrieved Oct 5, 2014 from http: //web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271. National Vulnerability Database. Cve-2014-7169. Retrieved Oct 5, 2014 from http: //web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169. National Vulnerability Database. Cve-2005-1942/ Retrieved Feb 3. 2015 from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1942 National Vulnerability Database. Cve-1999-1129/ Retrieved Feb 3. 2015 from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1129 Open Networking Foundation. Software-defined networking: The new norm for networks. Retrieved May 13, 2014 from http://www.opennetworking.org/images/stories/ downloads/sdn-resources/white-papers/wp-sdn-newnorm.pdf. Open vSwitch. How to install open vswitch on linux, freebsd and netbsd. Retrieved December 4, 2013 from http://git.openvswitch.org/cgi-bin/gitweb.cgi p=openvswitch;a=blob_plain;f=INSTALL;hb=HEAD/. © 2015 Ronny L. Bull - Clarkson University

References ●











Open vSwitch. Production quality, multilayer open virtual switch. Retrieved November 29, 2013 from http://openvswitch.org. Pettit, J., Gross, J., Pfaff, B., Casado, M., and Crosby, S. Virtual switching in an era of advanced edges. In ITC 22 2nd Workshop on Data Center - Converged and Virtual Ethernet Switching (DC-CAVES) (2010). Pfaff, B., Pettit, J., Koponen, T., Amidon, K., Casado, M., and Shenker, S. Extending networking into the virtualization layer. In HotNets-VIII (2009). Rouiller, S. VLAN Security: weaknesses and countermeasures - v1.4b. SANS Institute. Saripalli, P., and Walters, B. Quirc: A quantitative impact and risk assessment framework for cloud security. In 2010 IEEE 3rd International Conference on Cloud Computing (2010), pp. 280–288. Seifert, R., and Edwards, J. The All-New Switch Book. Wiley Publishing, Inc., Indianapolis, Indiana, 2008. © 2015 Ronny L. Bull - Clarkson University

References ●









thekellys.org. Dnsmasq - network services for small networks. Retrieved Oct 19, 2014 from http://www.thekelleys.org.uk/dnsmasq/doc.html. TrustedSec. Shellshock dhcp rce proof of concept. Retrieved Oct 5, 2014 from http: //www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/. VMware Inc. Vmware vsphere end user license agreement. Retrieved May 21, 2014 from http://www.vmware.com/download/eula/esxi50_eula.html. Xen Networking. Setting up open vswitch networking. Retrieved December 4, 2013 from http://wiki.xen.org/wiki/Xen_Networking#Setting_up_Open_vSwitch_networking/. Yeung, K.-H., Fung, D., and Wong, K.-Y. Tools for attacking layer 2 network infrastructure. In IMECS ’08 Proceedings of the International MultiConference of Engineers and Computer Scientists (2008), pp. 1143–1148.

© 2015 Ronny L. Bull - Clarkson University

Loading...

VLAN Security - Clarkson University

VLAN Security Presented By: Ronny L. Bull CS Seminar Spring 2015 Outline Introduction ● Virtual LAN concepts ● Common Attack Methods ● Overview of A...

388KB Sizes 3 Downloads 7 Views

Recommend Documents

Graduate School | Clarkson University
3 days ago - We offer rigorous, sought-after graduate and professional degree programs at the advanced certificate, mast

vlan security | disc0nnected.Com
VLAN's are a switching functions and as such, operate at Layer 2 of the OSI Model. Therefore, in order to route packets

VLAN security - Lynda.com
Aug 16, 2017 - Discover how VLAN Access Lists (VACLs) are utilized for hardware-based filtering of traffic within a sing

Pipe Flow Calculations - Clarkson University
Based on these, we can select the material of the pipe to be used, and once we do, the roughness ε can be specified. Th

VLAN Security Guidelines - WatchGuard LiveSecurity
Do VLANs introduce security vulnerabilities to your network? They certainly used to. Some early VLAN products were poorl

VLAN Security - NexusWP - SpiderCloud Wireless
2. 1. Background. To this day, end users still ask if VLANs (Virtual LANs) are a fundamentally secure technique for isol

VLAN Security – VLAN Access Control List's (VACL) | Brian Dwyer
Dec 9, 2014 - I've been studying to renew my CCNP as of recently, and I decided to create a refresher blog post about th

VLAN Security vs. Inter-VLAN Routing | Velocity Reviews
the computer on port 2 now knows how to get to the computer on port 3, thus > the inherent security (such as it is) in V

Fall 2017 GMAT® Prep Course - Clarkson University
The GMAT® Quantitative section measures your ability to reason quantitatively, solve quantitative problems and interpre

Graduate Education Graduate Education - Clarkson University
GMI 212. Managerial Accounting and Finance. Summer Session II - E; Staff. An introduction to the tools and techniques of