Prevent Spoofing on a Private VLAN (PVLAN)

Private VLANs (PVLANs) are really great at isolating machines from one another on a network segment. They are very helpful on a DMZ, where you want to stop an attacker or worm that has gained access to one machine from compromising the other machines on the segment you are trying to protect. The one thing Private VLANs can’t prevent, and were never designed to protect against, is IP address spoofing.

Here are the basics of the attack. The attacker crafts a frame whose destination MAC address is the gateway router’s and whose source MAC address is the attacking machine’s; that takes care of Layer 2. At Layer 3 he puts the address of the target machine in the destination field and a source address of his choosing. Because the frame is addressed to the gateway, the switch forwards it to the promiscuous port, and the router, seeing a destination on its directly connected subnet, routes the packet back out onto the same segment to the target.

Note that this type of attack is only uni-directional: the attacker can only send packets from the machine he has compromised to a target machine. The packets returning from the target machine carry the correct addressing for the return trip, so the PVLAN drops them.

Figure 1

Here is the PVLAN configuration for the above network segment. We have three machines: one FTP server in the isolated VLAN ISOLATED and two Web servers in the community VLAN WEBSERVERS. First, we configure the VLANs the PVLAN will use.

SC-CAT#config t
SC-CAT(config)#vlan database
SC-CAT(vlan)#vtp transparent
SC-CAT(vlan)#exit
SC-CAT(config)#vlan 100
SC-CAT(config-vlan)#name PRIMARY
SC-CAT(config-vlan)#private-vlan primary
! NOTE: You can have only one isolated VLAN per PVLAN
SC-CAT(config-vlan)#vlan 200
SC-CAT(config-vlan)#name ISOLATED
SC-CAT(config-vlan)#private-vlan isolated
SC-CAT(config-vlan)#vlan 300
SC-CAT(config-vlan)#name WEBSERVERS
SC-CAT(config-vlan)#private-vlan community
SC-CAT(config-vlan)#vlan 100
SC-CAT(config-vlan)#private-vlan association 200
SC-CAT(config-vlan)#private-vlan association 300
SC-CAT(config-vlan)#exit
SC-CAT(config)#

Now that we have our VLAN configuration, we have to assign ports to it. Two ports will be associated with the WEBSERVERS VLAN, one port with the ISOLATED VLAN, and one promiscuous port with the PRIMARY VLAN for the gateway. Let’s do that now.

SC-CAT(config)#interface fa 0/1
SC-CAT(config-if)#switchport mode private-vlan host
SC-CAT(config-if)#switchport private-vlan host-association 100 200
SC-CAT(config-if)#interface range fa 0/2 - 3
SC-CAT(config-if-range)#switchport mode private-vlan host
SC-CAT(config-if-range)#switchport private-vlan host-association 100 300
SC-CAT(config-if-range)#interface fa 0/0
SC-CAT(config-if)#switchport mode private-vlan promiscuous
SC-CAT(config-if)#switchport private-vlan mapping 100 add 200,300

With this configuration the FTP server is in the isolated VLAN and can only communicate with the primary VLAN, aptly named PRIMARY; it can’t communicate with other isolated ports or community ports without going through the router. As mentioned earlier, this is only partially true: an attacker can craft a special frame/packet to obtain a uni-directional traffic flow from the isolated VLAN ISOLATED to one of the machines in the community VLAN WEBSERVERS.

What could an attacker do with this uni-directional traffic flow, you might be asking yourself right about now? Well, if the OS had a vulnerability in the TCP/IP stack that could be triggered with a single packet and result in a DoS or remote code execution: they are rare, but they do occur. The same type of problem has also been found in application code. Any one of these problems would allow the attacker to successfully mount an attack against a machine in the VLAN WEBSERVERS.

To prevent this type of attack, we have to filter, inbound on the gateway interface, packets whose Layer 3 destination address lies in the same network they originate from. We can do this with an extended ACL. Below is the ACL I would use to protect this network segment from this type of spoofing attack, given that our servers are in the subnet 10.0.0.0/24. Note: we could also prevent the FTP server from accessing the internal network.

SC(config)#ip access-list extended NoSpoof
! Drop anything sourced from the DMZ subnet that is also addressed to the DMZ subnet
SC(config-ext-nacl)#deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
! Use this ACE if you want to prevent the FTP server from accessing the internal network
! (extended ACLs take a wildcard mask, not a subnet mask)
SC(config-ext-nacl)#deny ip host ftp-ip-address internal-network internal-wildcard-mask
SC(config-ext-nacl)#permit ip any any
SC(config-ext-nacl)#exit
SC(config)#interface fa 0/0
SC(config-if)#ip access-group NoSpoof in
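To check that the NoSpoof ACE closes the hairpin path while leaving normal traffic alone, here is an added Python model (not from the original post) of the segment’s forwarding decisions: the PVLAN port rules, the router hairpin back onto the connected subnet, and the inbound ACL on fa 0/0. The host names, ports, IPs and MACs are constructed to match the segment described above.

```python
import ipaddress

# Constructed topology matching the post (ports, roles, IPs and MACs are assumed).
SUBNET = ipaddress.ip_network("10.0.0.0/24")
HOSTS = {  # name: (port, PVLAN port role, ip, mac)
    "router": ("fa0/0", "promiscuous", "10.0.0.1", "00:00:0c:00:00:01"),
    "ftp":    ("fa0/1", "isolated",    "10.0.0.10", "00:00:0c:00:00:10"),
    "web1":   ("fa0/2", "community",   "10.0.0.20", "00:00:0c:00:00:20"),
    "web2":   ("fa0/3", "community",   "10.0.0.30", "00:00:0c:00:00:30"),
}
BY_MAC = {mac: name for name, (_, _, _, mac) in HOSTS.items()}
BY_IP = {ip: name for name, (_, _, ip, _) in HOSTS.items()}

def pvlan_forwards(src, dst):
    """Switch rule: a frame crosses the PVLAN only if one end is the promiscuous
    port or both ends sit in the same community VLAN; isolated ports reach
    nothing but the promiscuous port."""
    a, b = HOSTS[src][1], HOSTS[dst][1]
    return "promiscuous" in (a, b) or a == b == "community"

def nospoof_ace_matches(src_ip, dst_ip):
    """ACE 10 of NoSpoof: deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255.
    Wildcard 0.0.0.255 means 'any host in 10.0.0.0/24' for both addresses."""
    return (ipaddress.ip_address(src_ip) in SUBNET
            and ipaddress.ip_address(dst_ip) in SUBNET)

def deliver(sender, dst_mac, src_ip, dst_ip, acl_on=True, counters=None):
    """Trace one packet sent by `sender`. Returns the receiving host name,
    'internet' for traffic routed upstream, or None if it is dropped.
    `counters` (optional dict) accumulates ACE hits like 'show ip access-lists'."""
    nexthop = BY_MAC.get(dst_mac)
    if nexthop is None or not pvlan_forwards(sender, nexthop):
        return None                  # switch drops, e.g. isolated -> community
    if nexthop != "router":
        return nexthop               # plain Layer 2 delivery inside a community
    # Frame reached the gateway: inbound ACL on fa0/0 is evaluated before routing.
    if acl_on and nospoof_ace_matches(src_ip, dst_ip):
        if counters is not None:
            counters["10 deny"] = counters.get("10 deny", 0) + 1
        return None
    if ipaddress.ip_address(dst_ip) not in SUBNET:
        return "internet"            # normal outbound traffic, ACE 20 permits
    target = BY_IP.get(dst_ip)       # connected subnet: router hairpins the packet
    if target is None or not pvlan_forwards("router", target):
        return None
    return target                    # promiscuous -> community is allowed by PVLAN
```

Running `deliver` with `acl_on=False` shows the hairpin reaching a Web server; with the ACL on, the same packets are dropped and the deny counter climbs, while Web-server traffic to the Internet is unaffected.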

We can use the command show ip access-lists interface fastEthernet 0/0 to verify that the access list is applied to the interface in the inbound direction.

SC#show ip access-lists interface fastEthernet 0/0
Extended IP access list NoSpoof in
    10 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
    20 permit ip any any
SC#

The command show ip access-lists NoSpoof also gives us the hit count on each ACE; a rising count on the deny entry is an indicator that something is amiss on your network.

SC#show ip access-lists NoSpoof
Extended IP access list NoSpoof
    10 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255 (8 matches)
    20 permit ip any any
SC#

Now you can sleep at night, knowing that if an attacker happens to gain access to one server in the DMZ, he can’t move from it to another and then further into the network. This is just one technology you can make use of to protect your network.

Dec 26th, 2010 • Posted in IOS, PVLAN, Security