I've been reading a lot of threads and sites about setting up VLANs and ACLs as we're looking to go towards this setup in the next few months.
I've set up a test lab scenario with a spare 2810-24 switch (in production it would be a 5406zl) that's aiming to emulate the following setup...
VLAN1 - default VLAN for switch management
VLAN100 - standard servers e.g. DHCP, DNS
VLAN200 - restricted servers
VLAN3 - standard workstations (access to all)
VLAN4 - restricted workstations (can't access VLAN200 or VLAN3)
VLAN5 - printers
VLAN6 - guest wireless, no access to any VLAN, only to get to Internet gateway
VLAN7 - internet gateway of firewall
* DHCP server is 192.168.100.250
* A10-A15 would be fiber connections to satellite cabinets
So with that in mind I've come up with this sample config...
ip access-list extended "PUBLIC_WIFI_ISOLATION"
   remark "BLOCKS GUEST WIRELESS TO ALL OTHER VLANS, ALLOWS INTERNET ACCESS ONLY"
   remark "ALLOW ACCESS TO DHCP SERVER 192.168.100.250"
   10 permit ip 192.168.6.0 0.0.0.255 192.168.100.250 0.0.0.0
   remark "ALLOW ACCESS TO FIREWALL GREEN INTERFACE"
   20 permit ip 192.168.6.0 0.0.0.255 192.168.7.10 0.0.0.0
   30 deny ip any any
ip access-list extended "RESTRICTED_SERVER_ACCESS"
   remark "BLOCKS RESTRICTED MACHINES ACCESS TO RESTRICTED SERVER VLAN AND STANDARD WORKSTATION VLAN, ALLOWS ALL OTHER TRAFFIC"
   10 deny ip 192.168.4.0 0.0.0.255 192.168.200.0 0.0.0.255
   20 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
   30 permit ip any any
ip address 192.168.1.2 255.255.255.0
no untagged 1-22
The main thing I've been trying to make sure is correct is that I've understood the ACL setup correctly in terms of "in" and where the restriction is defined. It seems to be working on the test switch so hopefully all is correct...
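An added example, not part of the original post: a small first-match evaluator in Python for the two ACLs above (transcribed as extended, source-plus-destination entries), run against constructed sample hosts in each VLAN to confirm the verdicts the design calls for, including the implicit deny that ends every ACL.

```python
import ipaddress
from typing import NamedTuple

class Entry(NamedTuple):
    seq: int
    action: str   # "permit" or "deny"
    src: str      # "network wildcard" pair, or "any"
    dst: str

def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco/ProCurve wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def evaluate(acl, src: str, dst: str):
    """First entry (by sequence number) matching both addresses wins; no match is the implicit deny."""
    for e in sorted(acl, key=lambda e: e.seq):
        if wildcard_match(src, e.src) and wildcard_match(dst, e.dst):
            return e.action, e.seq
    return "deny", None

# Transcribed from the thread's two ACLs; each is applied "in" on the VLAN interface its sources sit on.
PUBLIC_WIFI_ISOLATION = [
    Entry(10, "permit", "192.168.6.0 0.0.0.255", "192.168.100.250 0.0.0.0"),
    Entry(20, "permit", "192.168.6.0 0.0.0.255", "192.168.7.10 0.0.0.0"),
    Entry(30, "deny", "any", "any"),
]
RESTRICTED_SERVER_ACCESS = [
    Entry(10, "deny", "192.168.4.0 0.0.0.255", "192.168.200.0 0.0.0.255"),
    Entry(20, "deny", "192.168.4.0 0.0.0.255", "192.168.3.0 0.0.0.255"),
    Entry(30, "permit", "any", "any"),
]

def check_design() -> dict:
    """Verdict for each flow the thread's VLAN rules call out (host addresses are constructed)."""
    cases = {
        "guest->dhcp": (PUBLIC_WIFI_ISOLATION, "192.168.6.50", "192.168.100.250"),
        "guest->firewall": (PUBLIC_WIFI_ISOLATION, "192.168.6.50", "192.168.7.10"),
        "guest->std_workstation": (PUBLIC_WIFI_ISOLATION, "192.168.6.50", "192.168.3.10"),
        "guest->other_vlan100_server": (PUBLIC_WIFI_ISOLATION, "192.168.6.50", "192.168.100.251"),
        "restricted_ws->restricted_srv": (RESTRICTED_SERVER_ACCESS, "192.168.4.20", "192.168.200.5"),
        "restricted_ws->std_workstation": (RESTRICTED_SERVER_ACCESS, "192.168.4.20", "192.168.3.10"),
        "restricted_ws->dhcp": (RESTRICTED_SERVER_ACCESS, "192.168.4.20", "192.168.100.250"),
    }
    return {name: evaluate(acl, s, d)[0] for name, (acl, s, d) in cases.items()}
```

Note that a guest host reaching any VLAN100 server other than 192.168.100.250 (for example a separate DNS server) falls through to the final deny, so the permitted server must answer DNS as well as DHCP for the guest VLAN to work.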
VLAN6 = Guest WiFi. I've seen (with our pupils) turnkey Linux ISOs that automatically probe a network for vulnerabilities. This is with their own laptops, as I disable our drives.
I assume that VLAN hopping would be part of those tests, as I believe it's trivial for any packet smith to make one. I think all you have to do is double-tag the packet, as VLANs have no authentication.
This software isn't for high-end hackers; it's a collection of buttons that say "try this!"
I'll never offer guest WiFi or guest LAN; it's too vulnerable.
I'm sure you could also hack virtual machines or even the TCP/IP layer if you're determined enough, but ultimately anyone with an agenda for that would just use social engineering anyway.
The idea is to segment the network away from the casual attacker, the kind of person that goes onto a PC and thinks "hmmm, what can I get at from here?". VLANs would serve this purpose, and the end user wouldn't even know they were on a VLAN in the first place...
It's that or going on a flat network with no segmentation at all, or sticking with separate cabling/domains as it is now, but that brings administration overhead, so I guess it's weighing up risks/rewards and making an informed choice from there...
Btw does anyone want to comment on the sample config?
Layer 2 VLANs are widely accepted as a form of logical separation and security in the industry; ISPs, carriers, government etc. all use VLANs. It simply isn't practical to install completely separate physical networks. That said, I don't have any experience with HP or 3Com, so my experience with this is mainly Cisco.
As for your config, and ACLs in particular, why don't you implement a core firewall/PIX? If you install a firewall with enough interfaces to support the separate networks you will definitely improve security and administrative overhead. ACLs are great for a first line of defence but shouldn't be relied upon for protection of your servers, especially if your wireless LAN is going to be open. You can also tie down the specific ports that need to be accessed; I'm sure you don't want clients RDPing or SSHing to your DHCP server!
Procurves have pretty good protection against VLAN hopping, so don't worry about that. Just make sure all your switches are on up to date firmware.
The only recommendation I would make security wise is to move your base network off VLAN 1, this is your biggest security threat on that setup. All switch management and communication is run on that VLAN by default, so it makes it quite easy to compromise if your default network is also on that VLAN.
VLANs are not the answer to every problem, BUT they are better than no security.
I have no experience with HP, but from a Cisco view:
There are various ways to mitigate VLAN hopping. As quoted by Cisco:
Network Attack Mitigation
Mitigating VLAN hopping attacks requires several modifications to the VLAN configuration. One of the more important elements is to use dedicated VLAN IDs for all trunk ports. Also, disable all unused switch ports and place them in an unused VLAN. Set all user ports to nontrunking mode by explicitly turning off DTP on those ports.
In = into the device
Out = out of the device
The general rule is to put extended ACLs closest to the source and standard ACLs closest to the destination.
Anyway hope it helps.
Last edited by CISCODISCO; 31st January 2011 at 04:29 PM.
Reason: ADD SOURCE
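The quoted mitigations turned into a check that can be run over a switch's interface configuration: an added example in Python (not from the thread, from Cisco or from any vendor tool) that parses Cisco IOS-style interface stanzas from a constructed sample and reports ports missing the hardening the quote describes. The interface names and the set of spare ports are assumptions.

```python
# Constructed sample of Cisco IOS "show running-config" interface stanzas (not from a real switch).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 3
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport access vlan 4
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 1
!
"""

def parse_interfaces(config: str) -> dict:
    """Map each 'interface X' stanza to its stripped body lines; a '!' line ends the stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split()[1], [])
        elif line.startswith("!"):
            current = None
        elif current is not None and line.strip():
            current.append(line.strip())
    return stanzas

def _last_word(lines, prefix, default):
    # Value (e.g. the VLAN id) from the first line starting with prefix, else the IOS default.
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)

def port_findings(port: str, lines: list, unused: set) -> list:
    """Mitigations from the quoted Cisco guidance that this port misses; 'unused' names spare ports."""
    probs = []
    if "switchport mode trunk" in lines:            # trunk: needs a dedicated native VLAN
        if _last_word(lines, "switchport trunk native vlan", "1") == "1":
            probs.append("trunk native VLAN is 1; use a dedicated native VLAN on trunks")
    elif port in unused:                            # spare port: shut down and parked
        if "shutdown" not in lines:
            probs.append("unused port is not shut down")
        if _last_word(lines, "switchport access vlan", "1") == "1":
            probs.append("unused port is not parked in an otherwise unused VLAN")
    elif not {"switchport mode access", "switchport nonegotiate"} <= set(lines):
        probs.append("user port not explicitly nontrunking with DTP off (mode access + nonegotiate)")
    return probs

def audit(config: str, unused: set) -> dict:
    return {p: f for p, l in parse_interfaces(config).items() if (f := port_findings(p, l, unused))}
```

Running audit(SAMPLE_CONFIG, {"GigabitEthernet1/0/23"}) leaves the hardened Gi1/0/1 out of the report and flags the other three ports.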