This week, I wanted to address VLAN security, which like Ethernet, is a mystery to most people. That may sound like a strange statement, since I'm sure everyone reading this has been using Ethernet for years, but seriously, how many network engineers do you know who could explain Manchester bit encoding or how Fast Link Pulses work? Not very many, of course, and why should they? After all, Ethernet is one of those protocols that "just...
works." Network administrators don't understand it for the very simple reason that they never have to troubleshoot it.
VLANs are pretty much the same way. Sure, the configuration of a few more advanced topics like VTP and VLAN pruning can give you a mental workout, and of course, nobody likes Spanning-Tree Protocol, but really, when was the last time you really needed to know how your switches implemented VLANs? For the most part, you define a VLAN, and assign ports to it, and define trunk ports and configure which VLANs can cross it... and it just works... simple as that.
But it's precisely this simplicity that can lull you into leaving open a raft of security vulnerabilities.
So as I was checking a few quick facts for this tip, I ran across an @Stake white paper so concise and illuminating, despite being 2 years old, that I decided to just link you to it and offer a quick summary.
The reason I like this article is because it explains at a high level, several ways your network can be attacked at Layer 2. Many of these aren't nearly as intuitively obvious as the higher-level attacks we witness daily, so many administrators think that it's impossible to attack VLANs, which is of course, absurd.
So here are a few key points to remember when configuring your network:
VLAN 1 (on Catalyst switches) is the default for both ports and the "Native" VLAN on 802.1Q trunks, which is precisely why you should NEVER use it.
Don't allow dynamic protocols to talk to untrusted devices. Many administrators don't realize there are a lot of these operating around Layer 2, such as VTP, PAgP, CDP, DTP, UDLD and of course STP.
If at all possible, authenticate all hosts and/or limit their connectivity. Port Security, 802.1x and Dynamic VLANs are three methods mentioned in this article you can use.
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by Sybex.