  1. #1
    gshaw

    VLAN Config (ProCurve)

    I've been reading a lot of threads and sites about setting up VLANs and ACLs as we're looking to go towards this setup in the next few months.

    I've set up a test lab scenario with a spare 2810-24 switch (in production it would be a 5406zl) that's aiming to emulate the following setup...

    VLAN1 - default VLAN for switch management
    VLAN100 - standard servers e.g. DHCP, DNS
    VLAN200 - restricted servers
    VLAN3 - standard workstations (access to all)
    VLAN4 - restricted workstations (can't access VLAN200 or VLAN3)
    VLAN5 - printers
    VLAN6 - guest wireless, no access to any VLAN, only to get to Internet gateway
    VLAN7 - internet gateway of firewall

    * DHCP server is 192.168.100.250
    * A10-A15 would be fiber connections to satellite cabinets

    So with that in mind I've come up with this sample config...



    ; Both lists match on source AND destination, so they have to be extended
    ; ACLs: a ProCurve standard ACL can only filter on the source address.
    ip access-list extended "PUBLIC_WIFI_ISOLATION"
       remark "BLOCKS GUEST WIRELESS TO ALL OTHER VLANS, ALLOWS INTERNET ACCESS ONLY"
       ; Clients send DHCP requests from 0.0.0.0 to the broadcast address before
       ; they have a lease; the inbound VLAN ACL would otherwise drop them.
       remark "ALLOW DHCP REQUESTS"
       10 permit udp any any eq 67
       remark "ALLOW ACCESS TO DHCP SERVER 192.168.100.250"
       20 permit ip 192.168.6.0 0.0.0.255 192.168.100.250 0.0.0.0
       ; Internet-bound packets are routed via 192.168.7.10 but carry a public
       ; destination address, so a permit to 192.168.7.10 alone never matches
       ; them. Deny every other internal 192.168.x.x network (including the
       ; firewall's green interface itself), then permit what is left.
       remark "BLOCK ALL OTHER INTERNAL NETWORKS"
       30 deny ip 192.168.6.0 0.0.0.255 192.168.0.0 0.0.255.255
       remark "ALLOW INTERNET"
       40 permit ip 192.168.6.0 0.0.0.255 any
       50 deny ip any any
       exit

    ip access-list extended "RESTRICTED_SERVER_ACCESS"
       remark "BLOCKS RESTRICTED MACHINES ACCESS TO RESTRICTED SERVER VLAN AND STANDARD WORKSTATION VLAN, ALLOWS ALL OTHER TRAFFIC"
       10 deny ip 192.168.4.0 0.0.0.255 192.168.200.0 0.0.0.255
       20 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
       ; sequence numbers must be unique: the final permit was a second "20"
       30 permit ip any any
       exit




    CORE SWITCH CONFIGURATION
    =========================

    hostname "CORE"

    dhcp-relay
    ip routing
    ip route 0.0.0.0 0.0.0.0 192.168.7.10

    ; A10-A15 are the fiber trunks to the satellite cabinets. They carry every
    ; VLAN tagged and are untagged in no VLAN at all, so an untagged frame
    ; arriving on a trunk cannot land in the management or a server VLAN
    ; (the original config left A10 untagged in VLAN 100 and A11-A15 in VLAN 200).
    vlan 1
       name "DEFAULT_VLAN"
       no untagged A1-A20
       tagged A10-A15
       ip address 192.168.1.254 255.255.255.0
       exit

    vlan 100
       name "SVR_STANDARD"
       untagged A1-A9
       ip address 192.168.100.254 255.255.255.0
       exit

    vlan 200
       name "SVR_RESTRICT"
       untagged A16-A19
       tagged A10-A15
       ip address 192.168.200.254 255.255.255.0
       exit

    vlan 3
       name "STANDARD_WKS"
       tagged A10-A15
       ip helper-address 192.168.100.250
       ip address 192.168.3.254 255.255.255.0
       exit

    ; "in" filters traffic entering the switch on this VLAN, i.e. traffic
    ; sourced by the restricted workstations themselves.
    vlan 4
       name "RESTRICT_WKS"
       tagged A10-A15
       ip helper-address 192.168.100.250
       ip address 192.168.4.254 255.255.255.0
       ip access-group "RESTRICTED_SERVER_ACCESS" in
       exit

    vlan 5
       name "PRINT"
       tagged A10-A15
       ip helper-address 192.168.100.250
       ip address 192.168.5.254 255.255.255.0
       exit

    ; guest clients need DHCP relayed to 192.168.100.250 like every other VLAN
    vlan 6
       name "WLAN_GUEST"
       tagged A10-A15
       ip helper-address 192.168.100.250
       ip address 192.168.6.254 255.255.255.0
       ip access-group "PUBLIC_WIFI_ISOLATION" in
       exit

    vlan 7
       name "FIREWALL_GREEN"
       untagged A20
       tagged A10-A15
       ip address 192.168.7.254 255.255.255.0
       exit


    EDGE SWITCH CONFIGURATION
    =========================

    hostname "CAB_A_SW01"
    ; management traffic back to the core has to leave via the VLAN 1 gateway
    ip default-gateway 192.168.1.254

    ; port 24 is the fiber uplink to the core and carries every VLAN tagged
    vlan 1
       name "DEFAULT_VLAN"
       ip address 192.168.1.2 255.255.255.0
       no untagged 1-22
       tagged 24
       exit

    vlan 3
       name "STANDARD_WKS"
       untagged 1-10
       tagged 24
       exit

    vlan 4
       name "RESTRICT_WKS"
       untagged 11-20
       tagged 24
       exit

    vlan 5
       name "PRINT"
       untagged 21
       tagged 24
       exit

    ; guest wireless is VLAN 6 on the core; VLAN 7 is the firewall VLAN, so
    ; the original "vlan 7" here would have put the guest AP on the firewall LAN
    vlan 6
       name "WLAN_GUEST"
       untagged 22
       tagged 24
       exit



    The main thing I've been trying to make sure is correct is that I've understood the ACL setup correctly in terms of "in" and where the restriction is defined. It seems to be working on the test switch so hopefully all is correct...
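As an added example (not from the thread and not a ProCurve tool), the Python below models how an inbound VLAN ACL decides a packet: Cisco-style wildcard masks as written in the posted entries, first match wins, implicit deny at the end. It runs the guest ACL as posted and a deny-internal-then-permit-any variant over a few constructed flows, which shows that permitting only the firewall's own address does not cover Internet-bound packets, whose destination is a public IP even though they are routed via 192.168.7.10.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    """One entry of an extended ACL, in the form the posted config uses."""
    action: str  # "permit" or "deny"
    src: str     # "any" or "address wildcard" (wildcard bit 1 = don't care)
    dst: str

def _match(spec: str, ip: str) -> bool:
    """Wildcard-mask comparison: bits set in the mask are ignored."""
    if spec == "any":
        return True
    addr, wild = spec.split()
    a, w, i = (int(ipaddress.IPv4Address(x)) for x in (addr, wild, ip))
    return (a | w) == (i | w)

def evaluate(acl: list, src: str, dst: str) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if _match(ace.src, src) and _match(ace.dst, dst):
            return ace.action
    return "deny"

# Guest ACL as posted: permit DHCP server and firewall address, deny the rest.
GUEST_AS_POSTED = [
    Ace("permit", "192.168.6.0 0.0.0.255", "192.168.100.250 0.0.0.0"),
    Ace("permit", "192.168.6.0 0.0.0.255", "192.168.7.10 0.0.0.0"),
    Ace("deny", "any", "any"),
]
# Variant: permit DHCP server, deny all internal 192.168.x.x, permit the rest.
GUEST_DENY_INTERNAL = [
    Ace("permit", "192.168.6.0 0.0.0.255", "192.168.100.250 0.0.0.0"),
    Ace("deny", "192.168.6.0 0.0.0.255", "192.168.0.0 0.0.255.255"),
    Ace("permit", "192.168.6.0 0.0.0.255", "any"),
]
# Constructed flows from one guest client; 203.0.113.5 (TEST-NET-3) stands in
# for a public web server that is routed via the firewall at 192.168.7.10.
FLOWS = {
    "dhcp": ("192.168.6.20", "192.168.100.250"),
    "restricted_server": ("192.168.6.20", "192.168.200.10"),
    "standard_workstation": ("192.168.6.20", "192.168.3.15"),
    "internet": ("192.168.6.20", "203.0.113.5"),
}

def report(acl: list) -> dict:
    """Decision per flow, as the inbound VACL on VLAN 6 would make it."""
    return {name: evaluate(acl, s, d) for name, (s, d) in FLOWS.items()}
```

Calling `report(GUEST_AS_POSTED)` returns "deny" for the internet flow while `report(GUEST_DENY_INTERNAL)` returns "permit" for it; both lists deny the restricted server and the standard workstation.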

  2. #2

    chazzy2501
    I'm told that VLANs should only be used to segregate broadcast traffic and never used as a security measure.

    I know of a hacking technique called VLAN hopping.

    I'm still using a flat network at the moment but was going to use subnets to limit broadcasts. (LTTD)

  3. #3

    localzuk
    Quote Originally Posted by chazzy2501:
    I'm told that VLANs should only be used to segregate broadcast traffic and never used as a security measure.

    I know of a hacking technique called VLAN hopping.

    I'm still using a flat network at the moment but was going to use subnets to limit broadcasts. (LTTD)
    Highly unlikely to be a problem in a school. VLANs are used widely as security measures in business, government and education.

  4. #4

    VLAN6 = Guest WiFi. I've seen (with our pupils) turnkey Linux ISOs that automatically probe a network for vulnerabilities. This is with their own laptops, as I disable our drives.

    I assume that VLAN hopping would be part of those tests, as I believe it's trivial for any packet smith to make one. I think all you have to do is double-tag the packet, as VLANs have no authentication.

    This software isn't for high-end hackers; it's a collection of buttons that says "try this!"

    I'll never offer guest WiFi or guest LAN; it's too vulnerable.

  5. #5
    gshaw
    I'm sure you could also hack virtual machines or even the TCP/IP layer if you're determined enough, but ultimately anyone with an agenda for that would just use social engineering anyway.

    The idea is to segment the network away from the casual attacker, the kind of person that goes onto a PC and thinks "hmmm, what can I get at from here". VLANs would serve this purpose, and the end user wouldn't even know they were on a VLAN in the first place...

    It's that or going on a flat network with no segmentation at all, or sticking with separate cabling / domains as it is now, but that brings administration overhead, so I guess it's weighing up risks / rewards and making an informed choice from there...

    Btw does anyone want to comment on the sample config?

  6. #6
    Lazzaman123
    Layer 2 VLANs are widely accepted as a form of logical separation and security in the industry; ISPs, carriers, government etc. all use VLANs. It simply isn't practical to install completely separate physical networks. That said, I don't have any experience with HP or 3Com, so my experience with this is mainly Cisco.

    As for your config, and ACLs in particular, why don't you implement a core firewall/PIX? If you install a firewall with enough interfaces to support the separate networks you will definitely improve security and administrative overhead. ACLs are great for a first line of defence but shouldn't be relied upon for protection of your servers, especially if your wireless LAN is going to be open. You can also tie down the specific ports that need to be accessed; I'm sure you don't want clients RDPing or SSHing to your DHCP server!

  7. #7

    teejay
    ProCurves have pretty good protection against VLAN hopping, so don't worry about that. Just make sure all your switches are on up-to-date firmware.
    The only recommendation I would make security-wise is to move your base network off VLAN 1; this is your biggest security threat in that setup. All switch management and communication runs on that VLAN by default, so it makes it quite easy to compromise if your default network is also on that VLAN.

  8. #8

    CISCODISCO

    VLAN SECURITY

    VLANs are not the answer to every problem BUT they are better than no security.

    I have no experience with HP, but from a Cisco view:

    There are various ways to mitigate VLAN hopping. As quoted by Cisco:

    Network Attack Mitigation

    Mitigating VLAN hopping attacks requires several modifications to the VLAN configuration. One of the more important elements is to use dedicated VLAN IDs for all trunk ports. Also, disable all unused switch ports and place them in an unused VLAN. Set all user ports to nontrunking mode by explicitly turning off DTP on those ports.
    (source: http://www.cisco.com/warp/public/cc/...r/sfblu_wp.pdf)


    In = into the device
    Out = out of the device
    The general rule is to put extended ACLs closest to the source and standard ACLs closest to the destination.

    Anyway hope it helps.
    Last edited by CISCODISCO; 31st January 2011 at 04:29 PM. Reason: ADD SOURCE
