
Version 4.1 - 1.4 LAN Switching Part 2

Now let's talk about trunking. The Cisco Documentation on VLANs also covers VLAN Trunks.

DTP is the Dynamic Trunking Protocol. Remember that anything that happens on your network automatically can be used against you. All your access ports should be configured as access ports and DTP should be turned off on them. Your trunks should be configured as trunks and negotiation should be turned off. I doubt they will cover ISL, but dot1q trunks are going to be fair game.

The double-encapsulation VLAN hopping attack uses the way a trunk works to forward a frame into a VLAN you don't think it can reach. The frame carries two VLAN tags. When it crosses a dot1q trunk whose native VLAN matches the outer tag, the switch strips that outer tag and sends the frame across the trunk untagged. You probably think that means the frame is now untagged. Normal traffic works that way. The attack uses this assumption against you: the inner tag is still there, and the switch at the far end forwards the frame into whatever VLAN that inner tag names. This is why you don't want negotiation on your ports. You think all your access ports are sending untagged frames. An attacker can attach to an access port, negotiate a trunk and send a double-encapsulated frame. If you turn off negotiation and configure the ports to use only mode access, you avoid this problem.

Another Layer 2 issue on a switch relates to CDP. The Cisco Discovery Protocol sends out a lot of information (platform, IOS version, IP addresses, port names) that may be useful to an attacker. Turn off CDP on any link that an attacker could reach. Use CDP only where it is needed.

MAC flooding is another switch vulnerability. Macof is a member of the Dsniff toolset, a widely available tool that generates a flood of frames with bogus source MAC addresses to overwhelm your switch's CAM table. When a frame enters a switchport, its source MAC address is stored in the CAM table. The CAM is Content Addressable Memory, and it is a finite resource. When the CAM table is full, the switch begins acting like a hub, forwarding incoming traffic out all ports (except the one it came in on). In addition to the poor performance, all your traffic is now being sent to the attacker's port, just like a "tap" into your network. To prevent this, use port security to limit the number of MAC addresses allowed on a port.

ARP attacks use gratuitous ARP to poison the ARP cache. Gratuitous ARPs are unsolicited. Normally a host that wants to send a packet to another host on the same network sends an ARP request asking "who has 10.10.21.6?", and the host with that address replies with its IP and MAC. Now imagine that 10.10.21.6 is your DNS server, and instead of it making that reply, some other host sends out a gratuitous ARP claiming the same IP address with its own MAC. Legitimate traffic is going to have a hard time reaching your DNS server in that case. If you are lucky, you will see an error message pop up about a duplicate IP address. Cisco has a really good white paper on ARP poisoning attacks and their mitigation. It goes into DHCP snooping and DAI (Dynamic ARP Inspection). [Note: this is not mentioned in the Exam Guide]

In the Exam Guide, the VLAN Best Common Practices begin with a short recap of the VLAN hopping attack. Then it suggests the following best practices (which are actually good):

* Always use a dedicated VLAN ID for all trunk ports
* Disable all unused ports and put them in an unused VLAN
* Do not use VLAN 1 for anything
* Configure all user-facing ports as non-trunking (DTP off)
* Explicitly configure trunking on infrastructure ports
* Use all tagged mode for the native VLAN on trunks and drop untagged frames
* Set the default port status to "disable"
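Here is what the DTP, CDP and port-security advice above, together with the best-practice list, looks like as Cisco IOS switch configuration. This is an added example, not configuration from the original post or the Exam Guide; the interface names and VLAN numbers (10/20/30 for users, 998 as a parking VLAN for unused ports, 999 as the dedicated native VLAN) and the MAC limit of 2 are assumptions.

```cisco
! Added example (not from the original post): assumed interface names and VLAN IDs
! (10/20/30 = user VLANs, 998 = parking VLAN for unused ports, 999 = dedicated native VLAN)
!
! Global: tag the native VLAN on every trunk so untagged frames arriving on a trunk are dropped
vlan dot1q tag native
!
! User-facing access port. The weak default, "switchport mode dynamic auto" (or desirable),
! lets whatever is plugged in negotiate a trunk over DTP. The lines below pin the port to
! access mode, stop it sending or honoring DTP, cap the MACs the CAM table will learn from
! it, and keep CDP off the link.
interface GigabitEthernet1/0/1
 description user port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 no cdp enable
!
! Infrastructure trunk: explicitly a trunk, no negotiation, a dedicated native VLAN that
! carries no user traffic, and an explicit allowed list that leaves VLAN 1 off the trunk.
! The encapsulation line is only needed (and only accepted) on platforms that also do ISL.
interface GigabitEthernet1/0/48
 description uplink to distribution switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Unused ports: parked in an unused VLAN and administratively disabled.
interface range GigabitEthernet1/0/2 - 47
 switchport mode access
 switchport access vlan 998
 switchport nonegotiate
 shutdown
!
! Checks: "show interfaces switchport" should report "Negotiation of Trunking: Off" on every
! port, and "show port-security interface GigabitEthernet1/0/1" shows the MAC limit and the
! violation count, so a CAM-flooding attempt shows up as a rising counter rather than a hub.
```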

This topic really got a cursory glance from me here. But the more I thought about the topics - and sought out links for source material, the more I realized that I really know this part. And that, my friends, is the whole point of writing these posts. So I'm going to put this topic to bed and move on to Routing Protocols.

