15 - Campus Security - VLAN and Spoofing Attacks
remember every port by default is set to "switchport mode dynamic desirable"
if the switch sees another trunk partner, dynamic desirable will form a trunk. From the intruder's perspective that is great (for us it is not!): he is now trunked with our switch, he can see all VLANs, and he can move himself into our VoIP VLAN and start a packet sniffer etc.
So simple but effective: hard-code them as access ports!
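An added example (not part of the original notes) of turning the point above into a check: it walks the interface stanzas of a constructed running-config excerpt and reports every port that is not hard-coded, i.e. has no explicit "switchport mode access"/"switchport mode trunk" (so it sits at the dynamic desirable default described in the notes), is explicitly set to dynamic auto/desirable, or is hard-coded but still sends DTP because "switchport nonegotiate" is missing. The interface names and VLAN numbers in the sample config are made up.

```python
"""Audit a Catalyst running-config for ports that can still negotiate a trunk.

Added example, not code from the original notes. Per the notes, a port with no
explicit 'switchport mode' sits at 'dynamic desirable' and will trunk with any
DTP partner, so this reports every such port. Sample config is constructed.
"""
import re

# Constructed 'show running-config' excerpt; interface names and VLANs are made up.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 description Uplink to core - hard-coded trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/2
 description User desk - hard-coded access
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/3
 description User desk - left at the default (implicit dynamic desirable)
 switchport access vlan 10
!
interface FastEthernet0/4
 description Explicitly set to dynamic auto
 switchport access vlan 10
 switchport mode dynamic auto
!
"""

INTERFACE_RE = re.compile(r"^interface (\S+)")


def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} for every 'interface' stanza."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif line.startswith(" ") and current:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return stanzas


def audit_dtp(config):
    """Return [(interface, finding)] for ports that are not safely hard-coded.

    A port counts as hard-coded only with an explicit 'switchport mode access'
    or 'switchport mode trunk'. A hard-coded port without 'switchport nonegotiate'
    still emits DTP frames, so that is reported as a lower-severity finding.
    """
    findings = []
    for name, lines in parse_interfaces(config).items():
        modes = [l for l in lines if l.startswith("switchport mode ")]
        mode = modes[-1].split()[2] if modes else None
        if mode is None:
            findings.append((name, "no switchport mode: defaults to dynamic desirable"))
        elif mode == "dynamic":
            findings.append((name, modes[-1] + ": will negotiate a trunk"))
        elif "switchport nonegotiate" not in lines:
            findings.append((name, "mode %s but still sends DTP; add switchport nonegotiate" % mode))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_dtp(SAMPLE_CONFIG):
        print(iface, "-", finding)
```

Run it against a real "show running-config" capture and the two findings you want to see disappear are the "defaults to dynamic desirable" and "will negotiate a trunk" ones; the "add switchport nonegotiate" finding is the follow-up hardening step.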
So what are PVLANs?
They are VLANs within VLANs.
You have a primary VLAN, which defines the subnet and is a normal VLAN.
e.g. with VLAN 5 as the primary we can add sub-VLANs (secondary VLANs) to it,
so we can now isolate these sub-VLANs from each other.
There are 3 types of sub-VLANs/ports.
Let's look at the below scenario:
FTP server as an isolated port (a port that is in the VLAN but cannot speak to anyone else in the VLAN; so how does it reach the DG etc.? Well, we configure the router port as a promiscuous port, which can be reached by anything within the private VLAN, i.e. all the sub-VLANs).
Community port:
so www and SQL can both be in this port type, which is truly a sub-VLAN; they can reach other things within the community and can reach the promiscuous port (DG).
So if the FTP gets compromised it cannot reach any other hosts/clients/servers.
So going back to the original diagram (with Jeremy and his cable modem) we can make each port an isolated port and the router out (DG) will be a promiscuous port - very powerful stuff.
So PVLANs provide isolation and segmentation within 1 VLAN.
Right, let's lab this:
The FTP will be isolated from the community ports but can talk to the prom port;
the community ports can talk to the prom port but not the isolated port.
1 primary/parent VLAN, which in our case will be VLAN 200.
a VLAN = a subnet
the PVLANs (secondary VLANs) will be part of the primary/subnet.
You can only have 1 isolated VLAN per primary, but you can have many ports in that isolated VLAN
(so you could have loads of servers in the isolated VLAN, which cannot talk to each other).
*note to self 3950 does not support pvlans*
PVLANs can only be configured in VTP transparent mode.
CONFIGURATION
vtp mode transparent
vlan 200
private-vlan primary
vlan 205
private-vlan community
vlan 210
private-vlan isolated
So now I need to associate these secondary VLANs with the primary:
vlan 200
private-vlan association 205,210
Next part will be assigning ports (a host port gets "switchport mode private-vlan host" and then a host-association of primary VLAN to secondary/sub-VLAN):
int fa4/24
switchport mode private-vlan host
switchport private-vlan host-association <primary vlan> <secondary vlan/sub vlan>
so in our case
switchport private-vlan host-association 200 205
int fa4/25
switchport mode private-vlan host
switchport private-vlan host-association 200 205
int fa4/26
switchport mode private-vlan host
switchport private-vlan host-association 200 210
Now let's set up the promiscuous port. We need to configure the private-VLAN mapping, i.e. tell the port which
secondary VLANs it will be talking to: first we give the primary VLAN, then the sub-VLANs.
int fa4/26
switchport mode private-vlan promiscuous
switchport private-vlan mapping 200 205,210
Let's confirm:
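As an added example (not from the original notes), here is a small model that parses a PVLAN configuration in the same form as the lab above and answers "can port A send to port B?" with the three rules the notes state: an isolated port talks only to the promiscuous port, a community port talks to its own community and to the promiscuous port, and the promiscuous port talks to every secondary VLAN it is mapped to. The sample config reuses VLAN 200/205/210 and fa4/24-4/26 from the lab; the gateway interface (4/27) and a second isolated FTP host (4/28) are made up so the "many ports in one isolated VLAN" case can be shown.

```python
"""Model private-VLAN reachability from an IOS-style PVLAN configuration.

Added example, not code from the original notes. Parses a constructed config
(VLAN 200 primary, 205 community, 210 isolated; interfaces 4/27 and 4/28 are
made up) and applies the isolated / community / promiscuous rules.
"""
import re

SAMPLE_PVLAN_CONFIG = """\
vlan 200
 private-vlan primary
 private-vlan association 205,210
vlan 205
 private-vlan community
vlan 210
 private-vlan isolated
interface FastEthernet4/24
 description www
 switchport mode private-vlan host
 switchport private-vlan host-association 200 205
interface FastEthernet4/25
 description sql
 switchport mode private-vlan host
 switchport private-vlan host-association 200 205
interface FastEthernet4/26
 description ftp
 switchport mode private-vlan host
 switchport private-vlan host-association 200 210
interface FastEthernet4/28
 description ftp2 (second isolated host, made-up interface)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 210
interface FastEthernet4/27
 description default gateway (promiscuous, made-up interface)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 205,210
"""

HOST_ASSOC_RE = re.compile(r"switchport private-vlan host-association (\d+) (\d+)")
MAPPING_RE = re.compile(r"switchport private-vlan mapping (\d+) ([\d,]+)")


def parse_pvlan(config):
    """Return (vlan_types, ports).

    vlan_types maps VLAN id -> 'primary' | 'community' | 'isolated'.
    ports maps interface -> {'primary', 'secondary', 'promiscuous', 'mapped'}.
    """
    vlan_types, ports = {}, {}
    ctx = None  # ('vlan', id) or ('port', name): the stanza we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("vlan "):
            ctx = ("vlan", int(line.split()[1]))
        elif line.startswith("interface "):
            ctx = ("port", line.split()[1])
            ports[ctx[1]] = {"primary": None, "secondary": None,
                             "promiscuous": False, "mapped": set()}
        elif ctx and ctx[0] == "vlan":
            words = line.split()
            if words[0] == "private-vlan" and words[1] in ("primary", "community", "isolated"):
                vlan_types[ctx[1]] = words[1]
        elif ctx and ctx[0] == "port":
            port = ports[ctx[1]]
            m = HOST_ASSOC_RE.match(line)
            if m:
                port["primary"], port["secondary"] = int(m.group(1)), int(m.group(2))
            m = MAPPING_RE.match(line)
            if m:
                port["primary"], port["promiscuous"] = int(m.group(1)), True
                port["mapped"] = {int(v) for v in m.group(2).split(",")}
    return vlan_types, ports


def can_talk(src, dst, vlan_types, ports):
    """True if a frame entering on src may be delivered out of dst within the PVLAN."""
    a, b = ports[src], ports[dst]
    if src == dst or a["primary"] != b["primary"]:
        return False  # a different primary VLAN is a different subnet: routed, not switched
    if a["promiscuous"] and b["promiscuous"]:
        return True
    if a["promiscuous"]:
        return b["secondary"] in a["mapped"]  # promiscuous reaches every mapped secondary VLAN
    if b["promiscuous"]:
        return a["secondary"] in b["mapped"]
    # host to host: isolated never talks to another host, community only to its own community
    if "isolated" in (vlan_types.get(a["secondary"]), vlan_types.get(b["secondary"])):
        return False
    return a["secondary"] == b["secondary"]


def reachability_matrix(config):
    """Return {src: {dst: bool}} for every ordered pair of distinct ports."""
    vlan_types, ports = parse_pvlan(config)
    return {s: {d: can_talk(s, d, vlan_types, ports) for d in ports if d != s} for s in ports}


if __name__ == "__main__":
    for src, row in reachability_matrix(SAMPLE_PVLAN_CONFIG).items():
        print(src, "->", ", ".join(d for d, ok in row.items() if ok) or "(nothing)")
```

The output is the table you would expect from the scenario: www and sql reach each other and the gateway, each FTP host reaches only the gateway (not the other FTP host, even though both sit in the same isolated VLAN), and the gateway reaches everything.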
So if this is the first time that the client and the server have spoken, an ARP request asking for the server's MAC will be sent out; the attacker can then reply with the MAC of his own PC and forward the traffic on to the real server... so no one is any the wiser.
DHCP snooping also helps protect from ARP attacks via DAI (Dynamic ARP Inspection) - as covered in the CCNA-S, so only brief notes here.
enable it via
ip dhcp snooping
configure the trusted ports with
ip dhcp snooping trust
the switch then tracks the IP bindings it sees in the DHCP requests/replies,
building a database that the DAI feature can use.
it can be seen via
show ip dhcp snooping binding
the port can then be shut down if a violation occurs.
The 3750 etc. have IP Source Guard (which is one step up from DAI): it watches the DHCP reply and then creates
an access list for that port that only allows that IP/MAC in on that port.
However, if you have a lot of clients your switch can take a performance hit and it might end up switching over to software switching...
go under the port:
ip verify source vlan dhcp-snooping port-security
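To make the DAI and IP Source Guard logic concrete, here is an added example (not from the original notes) that parses a constructed "show ip dhcp snooping binding" table and then applies both checks to sample traffic: DAI drops an ARP packet arriving on an untrusted port whose sender IP/MAC does not match that port's binding (this is what stops the ARP reply in the man-in-the-middle case above), and IP Source Guard with port-security drops any IP packet whose source IP/MAC is not the binding learned on the ingress port. All MACs, IPs and interface names are made up.

```python
"""Apply DHCP-snooping-based checks (DAI and IP Source Guard) to sample traffic.

Added example, not code from the original notes. Binding table, MAC/IP
addresses, interface names and the trusted uplink are all constructed.
"""
from dataclasses import dataclass

# Constructed output in the layout of 'show ip dhcp snooping binding'.
SNOOPING_BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:01   10.1.1.10        86400       dhcp-snooping  200   FastEthernet0/1
00:11:22:33:44:02   10.1.1.20        86400       dhcp-snooping  200   FastEthernet0/2
Total number of bindings: 2
"""

# Ports configured with 'ip dhcp snooping trust' (uplink towards the DHCP server);
# DAI does not inspect ARP arriving on trusted ports. Made-up interface name.
TRUSTED_PORTS = {"GigabitEthernet0/1"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


def parse_bindings(output):
    """Return {interface: Binding} from the snooping binding table text."""
    bindings = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[3] == "dhcp-snooping":
            mac, ip, _lease, _type, vlan, iface = parts
            bindings[iface] = Binding(mac.lower(), ip, int(vlan), iface)
    return bindings


def _matches_binding(bindings, port, ip, mac):
    """Shared check: the IP/MAC pair seen on a port must equal that port's binding."""
    b = bindings.get(port)
    if b is None:
        return False, "no DHCP snooping binding on %s" % port
    if b.ip != ip or b.mac != mac.lower():
        return False, "%s/%s on %s does not match binding %s/%s" % (ip, mac, port, b.ip, b.mac)
    return True, "matches binding on %s" % port


def dai_check(bindings, port, sender_ip, sender_mac):
    """Dynamic ARP Inspection: validate the sender fields of an ARP packet."""
    if port in TRUSTED_PORTS:
        return True, "%s is trusted, ARP not inspected" % port
    return _matches_binding(bindings, port, sender_ip, sender_mac)


def source_guard_check(bindings, port, src_ip, src_mac):
    """IP Source Guard with port-security: filter every IP packet on source IP and MAC."""
    return _matches_binding(bindings, port, src_ip, src_mac)


if __name__ == "__main__":
    table = parse_bindings(SNOOPING_BINDING_OUTPUT)
    # Constructed events: a legitimate ARP reply from the Fa0/2 host, then an ARP
    # reply on Fa0/2 claiming the server address 10.1.1.10 (the case in the notes),
    # then an ARP packet arriving on the trusted uplink.
    for port, ip, mac in [("FastEthernet0/2", "10.1.1.20", "00:11:22:33:44:02"),
                          ("FastEthernet0/2", "10.1.1.10", "00:11:22:33:44:02"),
                          ("GigabitEthernet0/1", "10.1.1.1", "00:11:22:33:44:ff")]:
        ok, why = dai_check(table, port, ip, mac)
        print("DAI", "permit" if ok else "DROP  ", why)
    # A host on Fa0/1 that set a static IP instead of using its DHCP lease.
    ok, why = source_guard_check(table, "FastEthernet0/1", "10.1.1.99", "00:11:22:33:44:01")
    print("ISG", "permit" if ok else "DROP  ", why)
```

The two checks share one comparison because that is the real relationship: both consume the same binding database; DAI only looks at ARP on untrusted ports, while IP Source Guard filters every IP packet on the port, which is why the notes call it one step up. On a real switch the inspection itself is switched on per VLAN with "ip arp inspection vlan".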