Virtual Local Area Networks (VLANs) Good Practice Guideline

Programme: NPFIT
Document Record ID Key: NPFIT-FNT-TO-IG-GPG
Sub-Prog / Project: Infrastructure Security
Prog. Director: Mark Ferrar
Status: Approved
Owner: James Wood
Version: 2.0
Author: Mike Farrell
Version Date: 19/03/2009

Virtual Local Area Networks (VLANs) Good Practice Guideline

Crown Copyright 2009

Amendment History:

Version  Date      Amendment History
         /10/2005  First draft for comment
         /01/2006  Second Draft for Comment (In light of RFC2119)
         /02/2006  Technical Author
         /03/2006  Approved
         /02/2009  Document re-written and updated to latest template
         /03/2009  Incorporating changes suggested by CfH Infrastructure Security Team
         /03/2009  Incorporating changes suggested by CfH Infrastructure Security Team
         /03/2009  Incorporating changes suggested by Head of IT Security. Approved for release

Forecast Changes:

Anticipated Change  When
Annual Review       March 2010

Reviewers: This document must be reviewed by the following:

Name                          Signature  Title / Responsibility  Date  Version
Infrastructure Security Team
James Wood                               Head of IT Security

Approvals: This document must be approved by the following:

Name        Signature  Title / Responsibility  Date  Version
James Wood             Head of IT Security           2.0

Distribution: NHS Connecting for Health Information Governance Website

Document Status: This is a controlled document. Whilst this document may be printed, the electronic version maintained in FileCM is the controlled copy. Any printed copies of the document are not controlled.

Related Documents: These documents will provide additional information.

Ref no  Doc Reference Number      Title                                    Version
1       NPFIT-SHR-QMS-PRP-0015    Glossary of Terms Consolidated.doc       Latest
2       NPFIT-FNT-TO-IG-GPG-0033  Glossary of Security Terms (rasec/gpg)   Latest

Glossary of Terms: List any new terms created in this document. Mail the NPO Quality Manager to have these included in the master glossary above [1].

Term  Acronym  Definition

Contents

1 About this Document
1.1 Purpose
1.2 Audience
1.3 Content
1.4 Disclaimer
2 Introduction
2.1 Background
3 Networks
3.1 Local Area Networks
4 VLANs
5 Types of VLANs: Port, MAC Address and Protocol Based
5.1 Port Based VLANs
5.2 Media Access Control (MAC) Address based VLANs
5.3 Protocol Based VLANs
6 The Main Advantages of VLANs
7 The Secure Deployment of VLANs
7.1 Physical Security
7.2 Network Monitoring
7.3 VLAN Trunking Restrictions
7.4 Private VLANs (PVLANs)
7.5 VLAN Access Control Lists (VACLs)
7.6 Dynamic VLANs
8 Some Common Attacks/Vulnerabilities of VLANs
8.1 MAC Flooding Attack
8.2 802.1Q and ISL Tagging Attack
8.3 Double Encapsulated 802.1Q/Nested VLAN Attack
8.4 Address Resolution Protocol (ARP) Attacks
8.5 Private VLAN Attack
8.6 Multicast Brute Force Attack
8.7 Spanning-tree Attack
8.8 Random Frame Stress Attack
9 VTP Domain Configuration
9.1 VTP Mode
9.2 VTP security

1 About this Document

1.1 Purpose

The purpose of this document is to offer advice and guidance relating to the successful deployment of Virtual Local Area Networks (VLANs) in NHS or other healthcare environments. Detailed technical knowledge of the techniques presented is not required. Guidance includes:

- The types of VLANs available and their various advantages.
- How to secure and defend a VLAN from attacks and other vulnerabilities.

1.2 Audience

This document has been written for readers within any NHS or healthcare provider organisation who have a general familiarity with IT applications and infrastructure issues.

1.3 Content

This document comprises the following sections / topics:

- Introduction
- Networks, particularly Local Area Networks
- Types of VLANs
- The Main Advantages of VLANs
- The Secure Deployment of VLANs
- Some Common Attacks/Vulnerabilities of VLANs
- VTP Domain Configuration

1.4 Disclaimer

Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by NHS Connecting for Health. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes.

Any party relying on or using any information contained in this document and/or relying on or using any system implemented based upon information contained in this document should do so only after performing a risk assessment. It is important to note that a risk assessment is a prerequisite for the design of effective security countermeasures. A correctly completed risk assessment enables an NHS organisation to demonstrate that a methodical process has been undertaken which can adequately describe the rationale behind any decisions made. Risk assessments should include the potential impact to live services of implementing changes.

This means that changes implemented following this guidance are done so at the implementer's risk. Misuse or inappropriate use of this information can only be the responsibility of the implementer.

2 Introduction

The following information provides a knowledge-based framework that will help maintain good practice values within an organisation. The guidance within this document is written to reflect good practice, and, by following it, some of the consequences of non-compliance should be avoided.

After reading this document the reader should understand:

- The basics of VLANs, the various types of VLANs and their advantages, as well as any shortcomings in terms of security.
- Good practice for any NHS or healthcare provider organisation implementing VLANs within its network.

This document will concern itself with Ethernet, as it is the most common type of LAN.

2.1 Background

N3 is a private Wide Area Network (WAN) and access is therefore strictly limited to authorised endpoints. Any organisation wishing to connect to N3 is responsible for ensuring that their N3 connection does not compromise the security measures already in place within the WAN.

N3 is a private network accommodating thousands of PCs, servers, printers and other items of equipment all acting as the nodes or endpoints within the network. The confidentiality of sensitive information transmitted unencrypted within N3 is not assured. However all National Applications encrypt data using Transport Layer Security (TLS) or an equivalent security standard. It is therefore advisable that the appropriate measures are taken with Existing Systems to ensure that sensitive data is secure before connecting to N3.

N3 faces numerous potential threats to security, possibly from inadequately protected partner networks, or connections to uncontrolled external networks such as the Internet. These threats are continually evolving in both strength and frequency. Therefore ongoing vigilance against these threats, and the maintenance of strict security standards, are essential to the continuing success of N3.

3 Networks

A local network in its basic form is a collection of computers, printers, servers and other devices all communicating with each other over a shared system. There are various types of wired network, broadly grouped into the following three main categories:

- Local Area Network (LAN).
- Metropolitan Area Network (MAN).
- Wide Area Network (WAN).

This document is concerned with Local Area Networks (LANs).

3.1 Local Area Networks

A Local Area Network (LAN) is a network of computers and other components located relatively close together in a limited area. LANs operate at layer-2 of the Open Systems Interconnect (OSI) model, and can vary widely in size. They can consist of only two computers in a home office or small business, or include hundreds of computers in a large corporate or healthcare environment.

A small home business or a small office environment could use a small Ethernet LAN to connect two or more computers, and to connect the computers to one or more shared peripheral devices, such as a printer. A large corporate or healthcare site could use multiple LANs to accommodate hundreds (if not thousands) of computers and shared peripheral devices within a location.

A shared LAN comprises a single broadcast domain, where stations connect to each other by means of a hub or repeater. It is also a single collision domain, as data frames transmitted on the LAN are received by all stations. As the amount of traffic increases so does the number of collisions, which severely limits the efficiency of this type of legacy LAN. With the advent of Ethernet LAN switches each station can be connected to a single port, which is itself a single collision domain. However a flat LAN comprising a LAN switch (or multiple inter-connected LAN switches) is still a single broadcast domain, which is invariably an inefficient method of networking users within a large site.

4 VLANs

Large corporate environments, and for that matter healthcare sites, comprise multiple departments which can be segmented into separate layer-2 LANs. An efficient and cost effective means of accomplishing this is through the use of interconnected Virtual Local Area Networks (VLANs).

A VLAN comprises a single broadcast domain and is a logical segmentation of stations, independent of the physical connections. This allows LAN switch ports within a building or campus to be logically assigned to a particular layer-2 VLAN, with individual VLANs inter-connected at layer-3 by one or more routers.

VLANs address issues such as scalability, security and network management. Routers in VLAN topologies provide broadcast filtering, security, address summarisation, and traffic flow management. By using VLANs, one can control traffic patterns and react quickly to relocations. They provide the flexibility to adapt to changes in network requirements and allow for simplified administration.

NB: It should be noted however that, although VLANs have their place, it is good practice to utilise physical LANs for more risky environments such as firewall Demilitarized Zones (DMZs).

5 Types of VLANs: Port, MAC Address and Protocol Based

5.1 Port Based VLANs

In a port based VLAN a particular VLAN is assigned individual ports of a LAN switch (or inter-connected multiple switches). This makes troubleshooting of port based VLANs easier, as the assignment of VLANs to particular physical ports is known. A station can be moved from one VLAN to another by simply being moved to a different switch port.

5.2 Media Access Control (MAC) Address based VLANs

Using this method LAN switches maintain tables of Media Access Control (MAC) addresses and their VLAN membership. With this form of membership stations on a shared segment can be assigned to different VLANs. This layer-2 VLAN definition has the advantage of portability, as whenever a station is plugged into the LAN the switches will recognise that it is a member of a particular VLAN.

The disadvantage of MAC address based solutions is the requirement that all stations must be initially configured to be in at least one VLAN. The automatic VLAN grouping of users is only possible after this initial manual configuration. The disadvantage of having to configure VLAN membership becomes apparent in very large local networks where hundreds (and possibly thousands) of users and shared resources must be explicitly assigned to a particular VLAN.

The major security issue with this type of VLAN is that a malicious user can reconfigure his/her system with a different MAC address, and therefore access another VLAN.

5.3 Protocol Based VLANs

Sometimes called Layer-3 Based VLANs. With this method computers are assigned to VLANs by using the protocol that is in use, and the Layer-3 address. For example, this solution enables an Internetwork Packet Exchange (IPX) network or a particular Internet Protocol (IP) subnet to have its own VLAN. It is also possible to define VLANs based on applications, service or any other combination. For example, File Transfer Protocol (FTP) applications could execute on one VLAN and other applications on another.

There are several advantages to defining VLANs at layer-3:

- It enables partitioning by protocol type, which may be an attractive option to network managers who are dedicated to a service or application based VLAN strategy.
- A user can physically move his/her computer without having to reconfigure its network address. This is a benefit primarily for Transmission Control Protocol/Internet Protocol (TCP/IP) users.
- Defining VLANs at layer-3 can eliminate the need for frame tagging in order to communicate VLAN membership between LAN switches, reducing transport overhead.

One of the disadvantages of Protocol Based VLANs (versus MAC or Port Based VLANs) can be performance. Inspecting layer-3 addresses in packets is more processor intensive than looking at MAC addresses in frames. Therefore switches that use layer-3 information for VLAN definition are generally slower than those that use layer-2 information.

6 The Main Advantages of VLANs

- By grouping users into VLANs, broadcast traffic is confined to each VLAN. This frees up resources which otherwise would have to process this traffic.
- It is easy to change or modify logical groups because they are independent of physical constraints.
- It is easy to manage large networks because configurations can be undertaken centrally.
- It is easy to configure or modify the network according to business needs, e.g. creating separate VLANs for each department within an organisation.
- The streamlining of network resources, like IP subnets and servers, makes the network easy to manage and more elegant.
- Applying policies/changes to VLANs, and VLAN based resources, also helps to improve the daily operation of the network, and reduces the network administrator's workload.
- As VLANs put end users into logical domains, it is easier to apply security policies to these groups as a whole. This helps to improve the overall security of the network.

However it is extremely inadvisable for a network administrator to rely on VLANs as the only security safeguard.

7 The Secure Deployment of VLANs

The primary downfall with VLAN security is incorrect configuration. Due to the nature of VLANs there are vast configuration options, each with the ability to increase the network's susceptibility to data theft or network subversion. Simple measures, such as configuring hosts to be in a VLAN separate from the native VLAN, circumvent the vulnerability to major attacks.

7.1 Physical Security

With physical access to the console port of a LAN switch, an unauthorised party could potentially reconfigure the switch and gain access to sensitive data. It is therefore recommended that LAN switches are housed in secure environments, i.e. inside a locked cabinet, within a secure comms room if possible.

7.2 Network Monitoring

A correctly monitored network can give warning of a number of network security violations, including a physical security breach. A dual approach should be taken, utilising alerts from the device and details polled from the management console. Simple Network Management Protocol (SNMP) traps should notify the management console of any configuration updates, whilst continual polling and verification of the VLAN databases ensure that no hosts end up on the wrong network. Polling the MAC-address table, on a per VLAN/switch basis, can also be used as a final check that all hosts are on the correct network.

7.3 VLAN Trunking Restrictions

One method of minimising the risk of incorrect VLAN association is to restrict the VLAN IDs that are trunked to edge devices. For example, a VLAN carrying sensitive data should not be trunked around a local network, unnecessarily traversing switches where none of its hosts are connected.
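The per-VLAN MAC-address-table check described in 7.2, as an added worked example that is not part of this guideline: it parses a constructed sample of 'show mac address-table' style output against an assumed host-to-VLAN inventory (EXPECTED_VLAN) and reports hosts learned in the wrong VLAN, addresses missing from the inventory, one address seen on several ports (the MAC-cloning risk noted in 5.2), and ports learning more addresses than policy allows. The column layout is an assumption about the polled output.

```python
import re
from collections import defaultdict

# Constructed sample in the style of 'show mac address-table' (not captured
# from a real device). Columns: VLAN, MAC address, type, port.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  20    0011.2233.4477    DYNAMIC     Gi1/0/3
  30    0011.2233.4466    DYNAMIC     Gi1/0/4
  20    0011.2233.4488    DYNAMIC     Gi1/0/5
  20    0011.2233.4499    DYNAMIC     Gi1/0/5
  20    0011.2233.44aa    DYNAMIC     Gi1/0/5
"""

# Assumed inventory: MAC address -> VLAN the host is authorised to be in.
EXPECTED_VLAN = {
    "0011.2233.4455": 10,
    "0011.2233.4466": 10,
    "0011.2233.4477": 20,
    "0011.2233.4488": 20,
}

ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return (vlan, mac, port) tuples, ignoring header and separator rows."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2).lower(), m.group(4)))
    return entries


def audit_mac_table(entries, expected, max_macs_per_port=1):
    """Compare learned addresses with the inventory.

    Findings are tuples whose first element names the problem:
      wrong-vlan     a known host learned in a VLAN it is not assigned to
      unknown-mac    an address that is not in the inventory at all
      multi-port     one MAC learned on several ports (cloned address?)
      too-many-macs  a port learning more addresses than policy allows
    """
    findings = []
    macs_per_port = defaultdict(set)
    ports_per_mac = defaultdict(set)
    for vlan, mac, port in entries:
        macs_per_port[port].add(mac)
        ports_per_mac[mac].add(port)
        if mac not in expected:
            findings.append(("unknown-mac", mac, vlan, port))
        elif expected[mac] != vlan:
            findings.append(("wrong-vlan", mac, vlan, port))
    for mac, ports in sorted(ports_per_mac.items()):
        if len(ports) > 1:
            findings.append(("multi-port", mac, sorted(ports)))
    for port, macs in sorted(macs_per_port.items()):
        if len(macs) > max_macs_per_port:
            findings.append(("too-many-macs", port, len(macs)))
    return findings


def missing_hosts(entries, expected):
    """Inventory hosts not learned on the switch at all (off, or moved)."""
    seen = {mac for _, mac, _ in entries}
    return sorted(set(expected) - seen)


if __name__ == "__main__":
    rows = parse_mac_table(SAMPLE_MAC_TABLE)
    for finding in audit_mac_table(rows, EXPECTED_VLAN):
        print(*finding)
    print("not seen:", missing_hosts(rows, EXPECTED_VLAN))
```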

7.4 Private VLANs (PVLANs)

A VLAN is a broadcast domain where all hosts assigned to it can talk with other hosts on the same VLAN. Private VLANs allow segmentation of traffic at the data link layer (layer-2) of the Open Systems Interconnect (OSI) model. This limits the size of the broadcast domain. There are three different modes for configuring ports in a Private VLAN:

- Promiscuous Mode: Ports in this mode can talk to any port.
- Isolated Mode: Ports in this mode can talk only to promiscuous ports. PVLANs block all traffic to isolated ports except from promiscuous ports.
- Community Mode: Ports in this mode can talk between themselves and with promiscuous ports.

In PVLANs promiscuous ports are termed primary VLANs, and the community and isolated ports are the secondary VLANs. A PVLAN has one primary VLAN but may have more than one secondary VLAN.

PVLANs are usually deployed in the Demilitarized Zone (DMZ), where the servers usually need to talk to external connections, as well as internal ones, but hardly ever need to communicate with other servers on the DMZ. It therefore acts as an effective security method of segregating servers within a VLAN.

7.5 VLAN Access Control Lists (VACLs)

VLAN Access Control Lists (VACLs) provide access control for all packets that are bridged within a VLAN, or that are routed into and out of the VLAN. Enforcement takes place at wire speed, hence there is no performance penalty. VACLs can be mapped separately to primary or secondary VLANs.

7.6 Dynamic VLANs

By using the MAC address of the device connected to the port of a LAN switch, and by deploying a VLAN Membership Policy Server (VMPS), LAN switch ports can be dynamically assigned to VLANs. When a host moves from one port on a LAN switch to another in the network, VMPS helps to assign the new port to the proper VLAN.

8 Some Common Attacks/Vulnerabilities of VLANs

8.1 MAC Flooding Attack

LAN switches have a limit on the number of MAC address to physical port assignments that they can store in their tables. By flooding such a switch and exploiting this limit, the attack can cause the switch to enter fail-open mode, allowing all incoming packets to be broadcast to all the ports. This helps the attacker to sniff all traffic and to perform attacks like Address Resolution Protocol (ARP) poisoning. The use of LAN switch port security, dynamic VLANs and 802.1x can help prevent these attacks.

8.2 802.1Q and ISL Tagging Attack

These attacks allow a user within a VLAN unauthorised access to another VLAN, by altering the Inter-Switch Link (ISL) [1] or 802.1Q tag. Tagging attacks are one of the most dangerous attacks within a switching security infrastructure. They are also one of the easiest to miss when configuring a switch. Leaving a port with its default configuration and not shut down opens up all VLANs that are trunked to/through the switch to unauthorised access. An attacker is able to send Dynamic Trunking Protocol (DTP) traffic to the switch to trick the port into thinking that it is talking to another switch or dot1q device. The attacker can then craft their packets to whichever VLAN they want. In effect it is giving them complete access to any VLAN. [2]

Setting Dynamic Trunking Protocol (DTP) to the off state, on all non-trusted ports, should provide protection from this kind of attack. Also, unused ports should always be shut down.

[1] Cisco proprietary.
[2] VLAN Security in the LAN and MAN Environment. Chris Hoffmann. 27 April 2003.

8.3 Double Encapsulated 802.1Q/Nested VLAN Attack

If possible, using the native VLAN should be avoided, because the identification and classification are lost during processing over 802.1Q trunks. By using double-encapsulated 802.1Q packets through the native VLAN of a trunk, the outer tag of the VLAN is stripped during processing. This makes the internal tag the permanent VLAN identifier, which in turn allows the packet to hop across VLANs. This method of VLAN Hopping can be easily defended against by never having the native trunk VLAN configured on a port.

In a switch spoofing attack, an attacking host imitates a trunking switch by mimicking the VLAN tagging and trunking protocols used. Traffic for multiple VLANs is then accessible to the attacking host. Good practice against this type of attack or misconfiguration is to clear the native VLAN from all 802.1Q trunks. If clearing the native VLAN is not possible then an unused VLAN should be utilised as the native VLAN.

8.4 Address Resolution Protocol (ARP) Attacks

Address Resolution Protocol (ARP) tables map IP addresses to MAC addresses. Unfortunately a problem with ARP is that it introduces a potential security risk resulting from ARP spoofing. For example, an attacker can fool a station by sending a fictitious ARP response from a rogue network device that includes the IP address of a legitimate network device, and the MAC address of the rogue device. This causes all legitimate stations on the network to automatically update their ARP tables with the false mapping. Of course these stations will then send future packets to the rogue device rather than the legitimate access point or router. This is a classic man-in-the-middle attack, which enables an attacker to manipulate user sessions. As a result the attacker could potentially obtain passwords, capture sensitive data, and even interface with corporate servers as if they were the legitimate user.

The use of LAN switch port security can help prevent these attacks, by allowing only one MAC address for each physical port on the switch. This feature prevents attackers from changing the MAC address of their machine, or from trying to map more than one MAC address to their machine.
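An added example, not from the guideline, that makes the 8.3 mechanism concrete from the defender's side: it parses the 802.1Q tag stack of a frame seen on a monitoring port, flags tagged or double-tagged frames arriving from an access port, and models which VLAN a downstream switch classifies the frame into for a given trunk native VLAN, so the effect of moving the native VLAN to an unused ID (or tagging the native VLAN) can be checked. The frames are constructed inline and the trunk model is a simplification of the behaviour described above.

```python
import struct

TPID_8021Q = 0x8100          # Tag Protocol Identifier of an 802.1Q tag


def parse_tags(frame):
    """Walk the 802.1Q tag stack of an Ethernet frame.

    Returns (vlan_ids, ethertype, payload); vlan_ids is in outer-to-inner
    order and empty for an untagged frame.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12                                # skip destination/source MAC
    vlan_ids = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype != TPID_8021Q:
            return vlan_ids, ethertype, frame[offset + 2:]
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlan_ids.append(tci & 0x0FFF)          # low 12 bits of the TCI = VID
        offset += 4


def vlan_after_trunk(vlan_ids, native_vlan, tag_native=False):
    """Simplified model of the trunk behaviour described in 8.3.

    A frame in the trunk's native VLAN crosses the trunk untagged, so if it
    carried a second tag the next switch classifies it by that inner tag.
    If the native VLAN is an unused ID that no host sits in, or the native
    VLAN is tagged on the trunk (tag_native=True), the outer tag survives
    and the frame stays in the VLAN it started in.
    """
    if not vlan_ids:
        return native_vlan
    outer = vlan_ids[0]
    if outer == native_vlan and not tag_native:
        return vlan_ids[1] if len(vlan_ids) > 1 else native_vlan
    return outer


def access_port_alerts(frame):
    """Detection view: hosts on access ports should send untagged frames."""
    vlan_ids, _, _ = parse_tags(frame)
    alerts = []
    if vlan_ids:
        alerts.append("tagged frame from access port, VIDs %s" % vlan_ids)
    if len(vlan_ids) > 1:
        alerts.append("double-tagged frame, inner VID %d" % vlan_ids[1])
    return alerts


def sample_frame(vlan_ids, ethertype=0x0800):
    """Build a constructed test frame with dummy MACs and a zero payload."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("02aabbccddee")
    for vid in vlan_ids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + bytes(20)


if __name__ == "__main__":
    for vids in ([], [10], [1, 20]):
        tags, _, _ = parse_tags(sample_frame(vids))
        print(vids, "native 1 ->", vlan_after_trunk(tags, 1),
              "| native 999 ->", vlan_after_trunk(tags, 999),
              "| alerts:", access_port_alerts(sample_frame(vids)))
```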

8.5 Private VLAN Attack

Private VLANs only isolate traffic at Layer-2. However if a router is attached to a PVLAN promiscuous port, it forwards all Layer-3 traffic received on that port to whatever destination it is meant for. This effectively enables two hosts in an isolated VLAN (which cannot communicate directly at Layer-2) to talk to each other using the Layer-3 packet relay provided by the router. Cisco will argue that this is not a vulnerability, but rather the expected behaviour of the feature.

8.6 Multicast Brute Force Attack

In this type of attack Layer-2 multicast frames are flooded to the LAN switch, in an attempt to exploit potential vulnerabilities in the switch to leak frames from one VLAN to other VLANs. Cisco report [3] that their tests show this type of attack has proved ineffective against their Catalyst switches, because all frames were correctly contained within their appropriate broadcast domain.

8.7 Spanning-tree Attack

In this type of attack the attacker tries to exploit bugs in the spanning-tree protocol (STP), by sniffing ports to ascertain the ID of the port STP is transmitting on. An attacker can then try to send out packets announcing that he is the new root bridge, with a much lower priority. Cisco report [3] that their tests failed to discover any possible VLAN leaks in their switches.

8.8 Random Frame Stress Attack

In this type of attack the source and destination address are kept constant, and other fields of the packet are randomly varied to see if VLANs can be hopped. PVLANs provide protection from these types of attacks by containing traffic. Cisco report [3] that their tests showed no packets were found to have successfully hopped VLANs.

[3] .. shtml#wp39271

9 VTP Domain Configuration

VLAN Trunking Protocol (VTP) is a Cisco proprietary Layer 2 messaging protocol that is used to keep VLAN information consistent across the entire switching architecture. If you add a VLAN to one switch, VTP will make sure that the VLAN details are correctly propagated to all switches in the VTP Domain.

9.1 VTP Mode

One switch within the Cisco local network needs to be defined as the VTP server. All other switches in the local network then need to be configured as clients. By default a switch acts as a VTP server.

9.2 VTP security

It is recommended that a VTP password is configured for the VTP domain to prevent the possibility of spoofed VTP packets adding/deleting VLAN information. Within the Cisco local network an MD5 hashed password can be set for the VTP domain to provide authentication of VTP packets.

VTP pruning can be configured within the Cisco local network to prune unneeded VLANs from trunk links. This enables a more efficient use of trunk bandwidth, and can also be considered as a good security feature.

However, these features should not conceal the fact that it is very risky to use VTP in sensitive environments.
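An added configuration audit, written for this guideline's readers and not taken from any real device, that checks a Catalyst-style running configuration against the recommendations in 7.3, 8.2, 8.3, 8.4 and 9: ports left in DTP-negotiable default mode or unused but not shut down, trunks with native VLAN 1 or no allowed-VLAN list, access ports without port security, and a VTP domain with no password or pruning. Both sample configurations are constructed; the script assumes a 'vtp password' line is present in the text it is given, which on many IOS releases has to be supplied from 'show vtp password' rather than the running configuration.

```python
# Constructed IOS-style running configuration (not from a real device):
# Gi1/0/2 is left in DTP-negotiable default mode, Gi1/0/3 is unused but not
# shut down, Gi1/0/24 is a trunk on native VLAN 1 carrying every VLAN.
WEAK_CONFIG = """\
vtp domain NHS-SITE
vtp mode server
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

# The same ports with the recommendations applied (password is a placeholder).
HARDENED_CONFIG = """\
vtp domain NHS-SITE
vtp mode client
vtp password EXAMPLE-PLACEHOLDER
vtp pruning
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport port-security
!
interface GigabitEthernet1/0/3
 shutdown
!
interface GigabitEthernet1/0/24
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
"""

def parse_config(text):
    """Split the config into global lines and {interface: [sub-lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        elif line:
            global_lines.append(line)
    return global_lines, interfaces

def audit_interface(name, lines):
    """Per-port checks drawn from sections 7.3, 8.2, 8.3 and 8.4."""
    def has(prefix):
        return any(l.startswith(prefix) for l in lines)
    if has("shutdown"):
        return []                              # a shut port is the safe state
    if not lines:
        return [(name, "unused port is not shut down")]
    issues = []
    if has("switchport mode trunk"):
        native = next((int(l.split()[-1]) for l in lines
                       if l.startswith("switchport trunk native vlan ")), 1)
        if native == 1:                        # IOS default native VLAN
            issues.append((name, "trunk uses native VLAN 1"))
        if not has("switchport trunk allowed vlan "):
            issues.append((name, "trunk carries all VLANs (no allowed list)"))
        if not has("switchport nonegotiate"):
            issues.append((name, "trunk still sends DTP frames"))
    elif has("switchport mode access"):
        if not has("switchport nonegotiate"):
            issues.append((name, "access port still sends DTP frames"))
        if not has("switchport port-security"):
            issues.append((name, "access port has no port security"))
    else:
        issues.append((name, "port left in DTP-negotiable default mode"))
    return issues

def audit_vtp(global_lines):
    """Section 9: the domain should have a password and pruning enabled."""
    issues = []
    if not any(l.startswith("vtp password ") for l in global_lines):
        issues.append(("vtp", "VTP domain has no password configured"))
    if "vtp pruning" not in global_lines:
        issues.append(("vtp", "VTP pruning not enabled"))
    return issues

def audit_config(text):
    global_lines, interfaces = parse_config(text)
    issues = audit_vtp(global_lines)
    for name, lines in interfaces.items():
        issues.extend(audit_interface(name, lines))
    return issues
```

Running audit_config over WEAK_CONFIG lists seven findings and over HARDENED_CONFIG none; the checks are only as good as the text fed in, so pair them with the live polling described in 7.2.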


VLAN 802.1Q. 1. VLAN Overview. 1. VLAN Overview. 2. VLAN Trunk. 3. Why use VLANs? 4. LAN to LAN communication. 5. Management port 1. VLAN Overview 2. VLAN Trunk 3. Why use VLANs? 4. LAN to LAN communication 5. Management port 6. Applications 6.1. Application 1 6.2. Application 2 6.3. Application 3 6.4. Application 4 6.5. Application

More information

OVERLAYING VIRTUALIZED LAYER 2 NETWORKS OVER LAYER 3 NETWORKS

OVERLAYING VIRTUALIZED LAYER 2 NETWORKS OVER LAYER 3 NETWORKS OVERLAYING VIRTUALIZED LAYER 2 NETWORKS OVER LAYER 3 NETWORKS Matt Eclavea (meclavea@brocade.com) Senior Solutions Architect, Brocade Communications Inc. Jim Allen (jallen@llnw.com) Senior Architect, Limelight

More information

Network Security Topologies. Chapter 11

Network Security Topologies. Chapter 11 Network Security Topologies Chapter 11 Learning Objectives Explain network perimeter s importance to an organization s security policies Identify place and role of the demilitarized zone in the network

More information

Exploiting First Hop Protocols to Own the Network. Rocket City TakeDownCon 2015. Paul Coggin Senior Principal Cyber Security Analyst @PaulCoggin

Exploiting First Hop Protocols to Own the Network. Rocket City TakeDownCon 2015. Paul Coggin Senior Principal Cyber Security Analyst @PaulCoggin Exploiting First Hop Protocols to Own the Network Rocket City TakeDownCon 2015 Paul Coggin Senior Principal Cyber Security Analyst @PaulCoggin www.dynetics.com V## Goes Here 1 OSI and TCP/IP Model OSI

More information

Building Secure Network Infrastructure For LANs

Building Secure Network Infrastructure For LANs Building Secure Network Infrastructure For LANs Yeung, K., Hau; and Leung, T., Chuen Abstract This paper discusses the building of secure network infrastructure for local area networks. It first gives

More information

Protecting VMs in a Multi-Tenancy Environment

Protecting VMs in a Multi-Tenancy Environment Protecting VMs in a Multi-Tenancy Environment Prepared by: XenServer Engineering www.citrix.com Table of Contents 1. Executive Summary... 3 2. Introduction... 4 3. Preventing Vulnerabilities with XenServer...

More information

E-Mail, Calendar and Messaging Services Good Practice Guideline

E-Mail, Calendar and Messaging Services Good Practice Guideline E-Mail, Calendar and Messaging Services Good Practice Guideline Programme NPFIT Document Record ID Key Sub-Prog / Project Information Governance NPFIT-FNT-TO-IG-GPG-0017.01 Prog. Director Mark Ferrar Status

More information

CCNA R&S: Introduction to Networks. Chapter 5: Ethernet

CCNA R&S: Introduction to Networks. Chapter 5: Ethernet CCNA R&S: Introduction to Networks Chapter 5: Ethernet 5.0.1.1 Introduction The OSI physical layer provides the means to transport the bits that make up a data link layer frame across the network media.

More information

Network Security. Ensuring Information Availability. Security

Network Security. Ensuring Information Availability. Security Ensuring Information Availability Security - Ensuring Information Availability Introduction The advent of the Internet and the huge array of connected devices has led to an insatiable demand for access

More information

INTRUSION DETECTION SYSTEMS and Network Security

INTRUSION DETECTION SYSTEMS and Network Security INTRUSION DETECTION SYSTEMS and Network Security Intrusion Detection System IDS A layered network security approach starts with : A well secured system which starts with: Up-to-date application and OS

More information

HANDBOOK 8 NETWORK SECURITY Version 1.0

HANDBOOK 8 NETWORK SECURITY Version 1.0 Australian Communications-Electronic Security Instruction 33 (ACSI 33) Point of Contact: Customer Services Team Phone: 02 6265 0197 Email: assist@dsd.gov.au HANDBOOK 8 NETWORK SECURITY Version 1.0 Objectives

More information

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version 1.0.0. 613-001339 Rev.

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version 1.0.0. 613-001339 Rev. Management Software AT-S106 Web Browser User s Guide For the AT-GS950/48 Gigabit Ethernet Smart Switch Version 1.0.0 613-001339 Rev. A Copyright 2010 Allied Telesis, Inc. All rights reserved. No part of

More information

How To Build A Network Security Network

How To Build A Network Security Network Programme NPFIT Document Record ID Key Sub-Prog / Project Infrastructure Security NPFIT-FNT-TO-IG-GPG-0031.06 Prog. Director Mark Ferrar Status Approved Owner James Wood Version 1.0 Author Mike Farrell

More information

Wireless Local Area Networks (WLANs)

Wireless Local Area Networks (WLANs) 4 Wireless Local Area Networks (WLANs) Contents Overview...................................................... 4-3 Configuration Options: Normal Versus Advanced Mode.............. 4-4 Normal Mode Configuration..................................

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann

More information

NETE-4635 Computer Network Analysis and Design. Designing a Network Topology. NETE4635 - Computer Network Analysis and Design Slide 1

NETE-4635 Computer Network Analysis and Design. Designing a Network Topology. NETE4635 - Computer Network Analysis and Design Slide 1 NETE-4635 Computer Network Analysis and Design Designing a Network Topology NETE4635 - Computer Network Analysis and Design Slide 1 Network Topology Design Themes Hierarchy Redundancy Modularity Well-defined

More information

Guideline on Firewall

Guideline on Firewall CMSGu2014-02 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Firewall National Computer Board Mauritius Version 1.0 June

More information

Network Virtualization Network Admission Control Deployment Guide

Network Virtualization Network Admission Control Deployment Guide Network Virtualization Network Admission Control Deployment Guide This document provides guidance for enterprises that want to deploy the Cisco Network Admission Control (NAC) Appliance for their campus

More information

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu VPN Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu What is VPN? A VPN (virtual private network) is a private data network that uses public telecommunicating infrastructure (Internet), maintaining

More information

Georgia College & State University

Georgia College & State University Georgia College & State University Milledgeville, GA Domain Name Service Procedures Domain Name Service Table of Contents TABLE OF REVISIONS... 3 SECTION 1: INTRODUCTION... 4 1.1 Scope and Objective...

More information

Configure IOS Catalyst Switches to Connect Cisco IP Phones Configuration Example

Configure IOS Catalyst Switches to Connect Cisco IP Phones Configuration Example Configure IOS Catalyst Switches to Connect Cisco IP Phones Configuration Example Document ID: 69632 Introduction Prerequisites Requirements Components Used Conventions Background Information Configure

More information

Avaya G700 Media Gateway Security - Issue 1.0

Avaya G700 Media Gateway Security - Issue 1.0 Avaya G700 Media Gateway Security - Issue 1.0 Avaya G700 Media Gateway Security With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional Enterprise

More information

MUNICIPAL WIRELESS NETWORK

MUNICIPAL WIRELESS NETWORK MUNICIPAL WIRELESS NETWORK May 2009 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

DDoS Protection Technology White Paper

DDoS Protection Technology White Paper DDoS Protection Technology White Paper Keywords: DDoS attack, DDoS protection, traffic learning, threshold adjustment, detection and protection Abstract: This white paper describes the classification of

More information

White Paper. Using VLAN s in Network Design. Kevin Colo

White Paper. Using VLAN s in Network Design. Kevin Colo White Paper Using VLAN s in Network Design Kevin Colo December, 2012 1. Background To this day, end users still ask if VLANs (Virtual LANs) are a fundamentally secure technique for isolating networks.

More information

Interconnecting Cisco Networking Devices Part 2

Interconnecting Cisco Networking Devices Part 2 Interconnecting Cisco Networking Devices Part 2 Course Number: ICND2 Length: 5 Day(s) Certification Exam This course will help you prepare for the following exam: 640 816: ICND2 Course Overview This course

More information

Introduction to Networking

Introduction to Networking 1 CHAPTER ONE Introduction to Networking Objectives 2.3 Identify common physical network topologies. Star. Mesh. Bus. Ring. Point to point. Point to multipoint. Hybrid 2.7 Explain common logical network

More information

Cisco Certified Network Associate Exam. Operation of IP Data Networks. LAN Switching Technologies. IP addressing (IPv4 / IPv6)

Cisco Certified Network Associate Exam. Operation of IP Data Networks. LAN Switching Technologies. IP addressing (IPv4 / IPv6) Cisco Certified Network Associate Exam Exam Number 200-120 CCNA Associated Certifications CCNA Routing and Switching Operation of IP Data Networks Operation of IP Data Networks Recognize the purpose and

More information

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief ForeScout CounterACT Device Host and Detection Methods Technology Brief Contents Introduction... 3 The ForeScout Approach... 3 Discovery Methodologies... 4 Passive Monitoring... 4 Passive Authentication...

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

The IP Transmission Process. V1.4: Geoff Bennett

The IP Transmission Process. V1.4: Geoff Bennett The IP Transmission Process V1.4: Geoff Bennett Contents Communication Between Hosts Through a MAC Bridge Through a LAN Switch Through a Router The tutorial is divided into four sections. Section 1 looks

More information

- Hubs vs. Switches vs. Routers -

- Hubs vs. Switches vs. Routers - 1 Layered Communication - Hubs vs. Switches vs. Routers - Network communication models are generally organized into layers. The OSI model specifically consists of seven layers, with each layer representing

More information

This chapter covers the following topics:

This chapter covers the following topics: This chapter covers the following topics: Components of SAFE Small Network Design Corporate Internet Module Campus Module Branch Versus Headend/Standalone Considerations for Small Networks C H A P T E

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

How To Protect Information At De Montfort University

How To Protect Information At De Montfort University Network Security Policy De Montfort University January 2006 Page 1 of 18 Contents 1 INTRODUCTION 1.1 Background... 1.2 Purpose and Scope... 1.3 Validity... 1.4 Assumptions... 1.5 Definitions... 1.6 References..

More information

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security CTS2134 Introduction to Networking Module 8.4 8.7 Network Security Switch Security: VLANs A virtual LAN (VLAN) is a logical grouping of computers based on a switch port. VLAN membership is configured by

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ PAVING THE PATH TO THE ELIMINATION A RSACCESS WHITE PAPER 1 The Traditional Role of DMZ 2 The Challenges of today s DMZ deployments 2.1 Ensuring the Security of Application and Data Located in the DMZ

More information

Cisco Networking Professional-6Months Project Based Training

Cisco Networking Professional-6Months Project Based Training Cisco Networking Professional-6Months Project Based Training Core Topics Cisco Certified Networking Associate (CCNA) 1. ICND1 2. ICND2 Cisco Certified Networking Professional (CCNP) 1. CCNP-ROUTE 2. CCNP-SWITCH

More information

VOICE OVER IP SECURITY

VOICE OVER IP SECURITY VOICE OVER IP SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Patch Management Good Practice Guideline

Patch Management Good Practice Guideline Programme NPFIT Document Record ID Key Sub-Prog / Project Infrastructure Security NPFIT-FNT-TO-INFR-0069.01 Prog. Director Chris Wilber Status Approved Owner James Wood Version 1.0 Author Gary Croft Version

More information

Chapter 4 Customizing Your Network Settings

Chapter 4 Customizing Your Network Settings . Chapter 4 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the Wireless-G Router Model WGR614v9, including LAN, WAN, and routing settings. It

More information

Abstract. MEP; Reviewed: GAK 10/17/2005. Solution & Interoperability Test Lab Application Notes 2005 Avaya Inc. All Rights Reserved.

Abstract. MEP; Reviewed: GAK 10/17/2005. Solution & Interoperability Test Lab Application Notes 2005 Avaya Inc. All Rights Reserved. Configuring Single Instance Rapid Spanning Tree Protocol (RSTP) between an Avaya C360 Converged Switch and HP ProCurve Networking Switches to support Avaya IP Telephony Issue 1.0 Abstract These Application

More information

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006 WIRELESS SECURITY Information Security in Systems & Networks Public Development Program Sanjay Goel University at Albany, SUNY Fall 2006 1 Wireless LAN Security Learning Objectives Students should be able

More information

Guidance Regarding Skype and Other P2P VoIP Solutions

Guidance Regarding Skype and Other P2P VoIP Solutions Guidance Regarding Skype and Other P2P VoIP Solutions Ver. 1.1 June 2012 Guidance Regarding Skype and Other P2P VoIP Solutions Scope This paper relates to the use of peer-to-peer (P2P) VoIP protocols,

More information

VLANs. Application Note

VLANs. Application Note VLANs Application Note Table of Contents Background... 3 Benefits... 3 Theory of Operation... 4 IEEE 802.1Q Packet... 4 Frame Size... 5 Supported VLAN Modes... 5 Bridged Mode... 5 Static SSID to Static

More information

TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK

TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK 2002 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to the Centre

More information

NOS for Network Support (903)

NOS for Network Support (903) NOS for Network Support (903) November 2014 V1.1 NOS Reference ESKITP903301 ESKITP903401 ESKITP903501 ESKITP903601 NOS Title Assist with Installation, Implementation and Handover of Network Infrastructure

More information

Own your LAN with Arp Poison Routing

Own your LAN with Arp Poison Routing Own your LAN with Arp Poison Routing By: Rorik Koster April 17, 2006 Security is a popular buzzword heard every day throughout our American culture and possibly even more so in our global economy. From

More information

TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING

TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING 20 APRIL 2006 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to

More information

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data White Paper PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data Using credit cards to pay for goods and services is a common practice. Credit cards enable easy and

More information

Objectives. The Role of Redundancy in a Switched Network. Layer 2 Loops. Broadcast Storms. More problems with Layer 2 loops

Objectives. The Role of Redundancy in a Switched Network. Layer 2 Loops. Broadcast Storms. More problems with Layer 2 loops ITE I Chapter 6 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 1 Objectives Implement Spanning Tree Protocols LAN Switching and Wireless Chapter 5 Explain the role of redundancy in a converged

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

CCNA Exploration: Accessing the WAN Chapter 7 Case Study

CCNA Exploration: Accessing the WAN Chapter 7 Case Study Objectives: Mitigate attacks based on DHCP rogue servers. Intro: ChurchBells Inc. is having connectivity issues and needs your help. The Scenario: According to the reports, some user PCs within the company

More information

Catalyst Layer 3 Switch for Wake On LAN Support Across VLANs Configuration Example

Catalyst Layer 3 Switch for Wake On LAN Support Across VLANs Configuration Example Catalyst Layer 3 Switch for Wake On LAN Support Across VLANs Configuration Example Document ID: 91672 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information

More information

Region 10 Videoconference Network (R10VN)

Region 10 Videoconference Network (R10VN) Region 10 Videoconference Network (R10VN) Network Considerations & Guidelines 1 What Causes A Poor Video Call? There are several factors that can affect a videoconference call. The two biggest culprits

More information

Robust security is a requirement for many companies deploying a wireless network. However, creating a secure wireless network has often been

Robust security is a requirement for many companies deploying a wireless network. However, creating a secure wireless network has often been Robust security is a requirement for many companies deploying a wireless network. However, creating a secure wireless network has often been difficult and time-consuming. This paper describes the security

More information

How To Configure InterVLAN Routing on Layer 3 Switches

How To Configure InterVLAN Routing on Layer 3 Switches How To Configure InterVLAN Routing on Layer 3 Switches Document ID: 41860 Contents Introduction Prerequisites Requirements Components Used Conventions Configure InterVLAN Routing Task Step by Step Instructions

More information

Implementing Cisco IOS Network Security

Implementing Cisco IOS Network Security Implementing Cisco IOS Network Security IINS v3.0; 5 Days, Instructor-led Course Description Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles

More information

640-816: Interconnecting Cisco Networking Devices Part 2 v1.1

640-816: Interconnecting Cisco Networking Devices Part 2 v1.1 640-816: Interconnecting Cisco Networking Devices Part 2 v1.1 Course Introduction Course Introduction Chapter 01 - Small Network Implementation Introducing the Review Lab Cisco IOS User Interface Functions

More information

8. Firewall Design & Implementation

8. Firewall Design & Implementation DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or

More information

Avaya TM G700 Media Gateway Security. White Paper

Avaya TM G700 Media Gateway Security. White Paper Avaya TM G700 Media Gateway Security White Paper March 2002 G700 Media Gateway Security Summary With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional

More information

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction Policy: Title: Status: 1. Introduction ISP-S12 Network Management Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1.1. This information security policy document covers management,

More information

IPv6 First Hop Security Protecting Your IPv6 Access Network

IPv6 First Hop Security Protecting Your IPv6 Access Network IPv6 First Hop Security Protecting Your IPv6 Access Network What You Will Learn This paper provides a brief introduction to common security threats on IPv6 campus access networks and will explain the value

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance CHAPTER 5 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive

More information

Securely Architecting the Internal Cloud. Rob Randell, CISSP Senior Security and Compliance Specialist VMware, Inc.

Securely Architecting the Internal Cloud. Rob Randell, CISSP Senior Security and Compliance Specialist VMware, Inc. Securely Architecting the Internal Cloud Rob Randell, CISSP Senior Security and Compliance Specialist VMware, Inc. Securely Building the Internal Cloud Virtualization is the Key How Virtualization Affects

More information

Universal Network Access Policy

Universal Network Access Policy Universal Network Access Policy Purpose Poynton Workmens Club makes extensive use of network ed Information Technology resources to support its research and administration functions and provides a variety

More information

"Charting the Course...

Charting the Course... Description "Charting the Course... Course Summary Interconnecting Cisco Networking Devices: Accelerated (CCNAX), is a course consisting of ICND1 and ICND2 content in its entirety, but with the content

More information