
UNCLASSIFIED

NETWORK INFRASTRUCTURE

VLAN Provisioning for Logical Separation

Version 8, Release 1

Supplement of Network Infrastructure STIG, V8R1

24 March 2010

Developed by DISA for the DoD

VLAN Provisioning for Logical Separation, V8R1 DISA Field Security Operations

24 March 2010 Developed by DISA for the DoD


TABLE OF CONTENTS

1. LOGICAL SEPARATION
   1.1 Horizontal Wiring
   1.2 Virtual Local Area Networks
   1.3 Securing Management VLAN and VLAN 1
   1.4 VLAN Trunking
   1.5 Subnet Isolation
       1.5.1 Server Farm Tiers
       1.5.2 DMZ Segmentation
       1.5.3 Printer VLANs
       1.5.4 Network Access Control VLANs


SUMMARY OF CHANGES

GENERAL CHANGES:

The previous STIG release was Version 7, Release 1, dated 25 October 2007.

This White Paper concentrates on the following objectives and policies:

1) Provide logical separation and security guidance to protect server farms.

2) Provide logical separation and security guidance to isolate domains within the DMZ.

3) Provide logical separation for un-managed devices, e.g. printers, copiers and scanners.

4) Provide logical separation requirements for devices passing through the device authentication process in Network Access Control architectures via Advanced AAA Server techniques. Additional information can be found in the Network Access Control White Paper.

5) Implement a new naming standard that identifies the policies as VLAN Provisioning policies.


V8 VLAN Detailed Changes

Columns: STIG ID; V-Key; Short Name; Description of Change, Add or Delete in VMS; Network Security Checklist (addition or deletion of vulnerability).

STIG ID        | V-Key    | Short Name                                          | Change in VMS        | Network Security Checklist
NET-VLAN-001   | V0008081 | Switches & cross-connects are not in secure IDF     | Renamed from NET1362 | Network Infrastructure Policy
NET-VLAN-002   | V0003973 | Disabled ports are not kept in an unused VLAN.      | Renamed from NET1435 | L2 and L3
NET-VLAN-003   | V0003970 | The management VLAN is not secured.                 | Renamed from NET1411 | L2 and L3
NET-VLAN-004   | V0003971 | VLAN 1 is being used as a user VLAN.                | Renamed from NET1412 | L2 and L3
NET-VLAN-005   | V0003972 | VLAN 1 traffic traverses across unnecessary trunk   | Renamed from NET1413 | L2 and L3
NET-VLAN-006   | V0005628 | The VLAN1 is being used for management traffic.     | Renamed from NET1410 | L2 and L3
NET-VLAN-007   | V0005623 | Ensure trunking is disabled on all access ports.    | Renamed from NET1416 | L2 and L3
NET-VLAN-008   | V0005622 | A dedicated VLAN is required for all trunk ports.   | Renamed from NET1417 | L2 and L3
NET-VLAN-009   | V0003984 | Access ports are assigned to the trunk VLAN.        | Renamed from NET1418 | L2 and L3
NET-VLAN-010   | V0018519 | Server Farm is not VLAN provisioned                 | New V8 Policy        | L2 and L3
NET-VLAN-010   | V0018520 | Server Farm is not VLAN provisioned                 | New V8 Policy        | Network Infrastructure Policy
NET-SRVFRM-003 | V0018522 | VLAN ACLs do not restrict host access to servers    | New V8 Policy        | L3 and firewall
NET-SRVFRM-004 | V0018523 | VLANs do not protect against compromised servers    | New V8 Policy        | L3 and firewall
NET-SRVFRM-005 | V0018521 | VLANs do not isolate client data in Server Farm     | New V8 Policy        | Network Infrastructure Policy
NET-VLAN-015   | V0018525 | Server Farm without firewall content inspection     | New V8 Policy        | firewall
NET-VLAN-016   | V0018528 | Web traffic enters enclave without tier protection  | New V8 Policy        | Network Infrastructure Policy
NET-VLAN-017   | V0018529 | Web services do not have an isolated DMZ VLAN       | New V8 Policy        | Network Infrastructure Policy
NET-VLAN-018   | V0018530 | FTP traffic is not isolated in a DMZ VLAN           | New V8 Policy        | Network Infrastructure Policy
NET-VLAN-019   | V0018531 | DNS traffic is not isolated to a VLAN in the DMZ    | New V8 Policy        | Network Infrastructure Policy
NET-VLAN-020   | V0018532 | IM services in the DMZ are not isolated to a VLAN   | New V8 Policy        | Network Infrastructure Policy
NET-VLAN-021   | V0018533 | VoIP and Video is not isolated in the DMZ by VLANs  | New V8 Policy        | Network Infrastructure Policy
NET-VLAN-022   | V0018534 | Email and AD traffic are not isolated into VLANs    | New V8 Policy        | Network Infrastructure Policy
NET-VLAN-023   | V0018544 | Printer VLAN has not been defined                   | New V8 Policy        | L3
NET-VLAN-024   | V0018545 | Printer VLAN is not filtered for print traffic      | New V8 Policy        | L3


1. LOGICAL SEPARATION

Designing and implementing VLANs solves some of the scalability problems of large, flat networks by breaking the single broadcast domain into several smaller domains. The logical separation of the physical network adds a layer of defense to the enclave and can be used to enhance additional controls such as layer 3 filtering. When configured correctly, VLAN boundaries force a host in one VLAN that needs to communicate with a host located in a different VLAN to pass through a routing device. At the routing device, layer 3 filtering policies can be applied. In addition, layer 4 and layer 7 policies can be implemented to perform protocol inspection and content filtering if the routing device is a firewall.

The security guidance in this paper can assist the System Administrator (SA) to see the full picture of the security guidance being developed by FSO to mitigate the known vulnerabilities of the management VLAN and to secure the Server Farm and DMZ from internal and external threats.

The FSO guidance for VLANs was introduced in version 5 of the Network STIG and was applicable to the switch. Since the 2003 publication, the industry has made VLAN technology available on layer 3 switches and firewall devices. This guidance applies wherever VLAN technology is implemented in the enclave.

1.1 Horizontal Wiring

The TIA/EIA-568-B standard defines a hierarchical cable system architecture, in which a main cross-connect (MCC) is connected via a star topology across backbone cabling to intermediate cross-connects (ICC) and horizontal cross-connects (HCC). Telecommunications Rooms (TR) house MCCs, ICCs, HCCs, and equipment.

Poor design of horizontal wiring within the physical network infrastructure can invite the connection of an unauthorized host, or even a rogue wireless access point, to the private network. The horizontal wiring extends from the work area wall plate or LAN outlet to the Intermediate Distribution Frame (IDF), commonly referred to as the "wiring closet". The path of all horizontal wiring includes the wall plate, the horizontal cable that runs from the wall plate to the IDF, and any patch cables used between cross-connect hardware (i.e., patch panel, distribution frame) and the switch.

Since it would be virtually impossible to monitor all work area wall plates to ensure that only authorized devices are attached, physical LAN access control and security must be maintained within the IDF. This end of the horizontal wiring must be disconnected at the switch port or patch panel if there is no authorized host connected to it in the work area.

Since the IDF includes all hardware required to connect horizontal wiring to the backbone wiring, it is imperative that all switches and associated cross-connect hardware are kept in a secured IDF or in an enclosed cabinet that is kept locked. This also prevents an attacker from gaining privileged mode access to the switch: several switch products only require physical console access and a reboot of the switch in order to reset or recover the password.

1.2 Virtual Local Area Networks

Management of switching infrastructure is now as important as management of firewalls. The use of Virtual Local Area Networks (VLANs) places a security enforcement point closer to the user, complementing the firewalls or packet filters that police the traffic crossing VLAN boundaries in the switching infrastructure. VLAN technology is an efficient way of grouping users into workgroups that share the same network address space regardless of their physical location on the network. Users can be organized into separate VLANs according to their department, location, function, application, physical address, logical address, or protocol. Regardless of the organization method used, the goal with any VLAN is to group users into separate communities that share the same resources, thereby enabling the majority of their traffic to stay within the boundaries of the VLAN.

Network nodes in the same VLAN can communicate with one another using layer 2 switching. In order to communicate with other VLANs, the nodes in one VLAN need to go through a layer 3 device. Broadcast frames are switched only between nodes within the same VLAN. This logical separation of users and traffic results in better performance management (i.e., broadcast and bandwidth utilization control), a reduction in configuration management overhead, and networks that scale with ease.

An initial security best practice for a VLAN-based network is to place all disabled ports into an unused VLAN. The administrative shutdown is the physical barrier; the VLAN assignment is the logical barrier behind it, so that a port which is accidentally or maliciously re-enabled still lands in a VLAN with no reachable resources rather than in the default VLAN.

1.3 Securing Management VLAN and VLAN 1

By default, all ports, including the internal sc0 management interface, are configured as members of VLAN 1. In a VLAN-based network, switches use VLAN 1 as the default VLAN for in-band management and to transport layer 2 control plane traffic such as the following:

- Spanning Tree Protocol (STP)
- Cisco Discovery Protocol (CDP)
- Dynamic Trunking Protocol (DTP)
- VLAN Trunking Protocol (VTP)
- Uni-Directional Link Detection (UDLD)
- Port Aggregation Protocol (PAgP)

This control plane traffic is all untagged. As a consequence, VLAN 1 may unwisely span the entire network if it is not appropriately pruned from trunks (VLAN 1 cannot be deleted on most switches, but it can be removed from the allowed VLAN list of each trunk). If its scope is large enough, the risk of compromise increases significantly. The risk is even greater if VLAN 1 is also used as a user VLAN or as the management VLAN. In addition, it is unwise to mix management traffic with user traffic, since doing so makes the management VLAN an easier target for exploitation: management traffic belongs in a dedicated VLAN that carries no user traffic and is not VLAN 1.


1.4 VLAN Trunking

Several VLANs can be defined on a single switch, and conversely a single VLAN can span multiple switches. VLAN spanning is enabled by trunked links connecting the switches and by frame tagging such as IEEE 802.1Q or Cisco's Inter-Switch Link (ISL) protocol. Trunk links can carry the traffic of multiple VLANs simultaneously, and therein lies a potential security exposure. Trunk links have a native or default VLAN that is used to negotiate trunk status and exchange VLAN configuration information. Trunking also enables a single port to become part of multiple VLANs, another potential security exposure. Within the switch fabric, switches use frame tagging to direct frames to the appropriate switch and port. Frame tagging assigns a VLAN ID to each frame prior to traversing a trunked link. Each switch the frame traverses must identify the VLAN ID and then determine what to do with the frame based on its filter table. Once the frame reaches the exit to the access link, the VLAN ID is removed and the end device receives the frame. Frame tagging is another technology that can be exploited as a result of a poor VLAN implementation design.

VLAN "hopping" occurs when a frame destined for one VLAN is redirected to a different VLAN, threatening network security. The redirection can be initiated using two methods: a "tagging attack" (trunk negotiation, also called switch spoofing) and "double encapsulation". Tagging attacks allow a malicious user on one VLAN to gain unauthorized access to another VLAN. For example, if a switch port's trunk mode were configured as auto (which allows the port to become a trunk if the connected switch it is negotiating trunking with has its state set to on or desirable) and the port were to receive a forged DTP packet specifying trunk on or desirable, it would become a trunk port and would then start accepting traffic destined for all VLANs that belong to that trunk group. The attacker could start communicating with other VLANs through that compromised port, including the management VLAN. Ensuring that trunk mode for any non-trunking port is configured as off prevents this type of attack; on Cisco IOS this means "switchport mode access" together with "switchport nonegotiate", which also stops the port from sending DTP frames of its own. Note that the factory default on many Catalyst models is dynamic auto or dynamic desirable, so a user port that has never been explicitly set to access mode is exposed.

Double encapsulation can be initiated by an attacker who has access to a switch port belonging to the native VLAN of the trunk port. Knowing the victim's MAC address, and with the victim attached to a different switch reached over the trunk link (so that the frame must be tagged to cross it), the malicious user begins the attack by sending frames with two sets of tags. The outer tag carries the attacker's own VLAN ID (probably the well known and omnipresent VLAN 1). Because that VLAN is the trunk's native VLAN, the first switch strips the outer tag and sends the frame out the trunk port untagged, leaving the inner tag, which carries the victim's VLAN ID, as the tag the next switch acts on. To ensure the integrity of the trunk link and prevent unauthorized access, the native VLAN of the trunk port should be changed from the default VLAN 1 to its own unique, otherwise unused VLAN to which no access port is assigned; alternatively, the switch can be configured to tag native VLAN frames on the trunk, which removes the untagged path the attack depends on.
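As an added example (written for this page, not DISA's or any vendor's tooling), the following Python audits a Cisco IOS running-config for the conditions named in sections 1.2, 1.3 and 1.4: disabled ports parked in an unused VLAN (NET-VLAN-002), no user port in VLAN 1 (NET-VLAN-004), no management address on VLAN 1 (NET-VLAN-006), trunk negotiation switched off on access ports (NET-VLAN-007), trunk native VLAN moved off VLAN 1 (NET-VLAN-008) and no access port placed in a trunk's native VLAN (NET-VLAN-009). The configuration text is constructed, the parking VLAN number 999 is an assumption, and the parser understands only the interface sub-commands it looks for.

```python
"""Audit a Cisco IOS-style switch configuration for the VLAN provisioning
checks NET-VLAN-002 and NET-VLAN-004 through NET-VLAN-009.  Added example
for this page, not DISA tooling; the configuration text is constructed and
the parking VLAN for disabled ports (999) is an assumption."""

import re

UNUSED_VLAN = 999  # assumed parking VLAN for administratively disabled ports
PHYSICAL = ("fastethernet", "gigabitethernet", "tengigabitethernet")

# Constructed running-config excerpt: one violation per check plus clean ports.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 10.1.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 1
 switchport nonegotiate
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 998
 switchport nonegotiate
interface GigabitEthernet0/3
 shutdown
interface GigabitEthernet0/5
 switchport access vlan 20
interface GigabitEthernet0/23
 switchport mode trunk
interface GigabitEthernet0/24
 switchport trunk native vlan 998
 switchport mode trunk
"""


def value(lines, pattern, default=None):
    """First capture group of the first config line matching `pattern`."""
    for line in lines:
        m = re.fullmatch(pattern, line.strip())
        if m:
            return m.group(1)
    return default


def parse_interfaces(config):
    """Split an IOS running-config into (name, indented sub-command lines)."""
    interfaces, lines = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            lines = []
            interfaces.append((line.split(None, 1)[1], lines))
        elif line.startswith(" ") and lines is not None:
            lines.append(line)
        else:
            lines = None  # "!" or another section ends the block
    return interfaces


def audit(config, unused_vlan=UNUSED_VLAN):
    """Return (STIG id, interface name, message) for each violation found."""
    findings = []
    interfaces = parse_interfaces(config)
    phys = [(n, l) for n, l in interfaces if n.lower().startswith(PHYSICAL)]
    # Native VLANs in use on trunks; IOS defaults to VLAN 1 when none is set.
    trunk_native = {int(value(l, r"switchport trunk native vlan (\d+)", "1"))
                    for _, l in phys if value(l, r"switchport mode (\w+)") == "trunk"}
    for name, lines in interfaces:
        if name.lower() == "vlan1" and value(lines, r"(ip address) .+"):
            findings.append(("NET-VLAN-006", name, "in-band management address on VLAN 1"))
    for name, lines in phys:
        mode = value(lines, r"switchport mode (\w+)")
        access_vlan = int(value(lines, r"switchport access vlan (\d+)", "1"))
        native_vlan = int(value(lines, r"switchport trunk native vlan (\d+)", "1"))
        if value(lines, r"(shutdown)"):
            if access_vlan != unused_vlan:
                findings.append(("NET-VLAN-002", name,
                                 f"disabled port left in VLAN {access_vlan}, not VLAN {unused_vlan}"))
        elif mode == "trunk":
            if native_vlan == 1:
                findings.append(("NET-VLAN-008", name, "trunk native VLAN is still VLAN 1"))
        else:
            if mode != "access" or not value(lines, r"(switchport nonegotiate)"):
                findings.append(("NET-VLAN-007", name,
                                 "DTP can still negotiate a trunk (needs mode access + nonegotiate)"))
            if access_vlan == 1:
                findings.append(("NET-VLAN-004", name, "user port assigned to VLAN 1"))
            elif access_vlan in trunk_native:
                findings.append(("NET-VLAN-009", name,
                                 f"access port placed in trunk native VLAN {access_vlan}"))
    return findings


if __name__ == "__main__":
    for stig_id, name, msg in audit(SAMPLE_CONFIG):
        print(f"{stig_id}  {name:<22} {msg}")
```

Run it against the output of "show running-config" saved to a file; a port with no "switchport mode" line is reported under NET-VLAN-007 because the default on many platforms leaves DTP able to negotiate a trunk. The script does not cover NET-VLAN-003 (whether the management VLAN is itself secured), which needs the ACL and management-plane configuration rather than the interface blocks.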

Restated step by step: in a double tagging attack, the attacking host prepends two VLAN tags to the frames it transmits. The first (outer) tag corresponds to the VLAN the attacker is really a member of and is stripped by the first switch the frame encounters, which then forwards the frame over the trunk. The second (inner) tag is then the only tag visible to the second switch; it indicates that the frame belongs to a second, target VLAN, and the second switch delivers the frame to the target host as ordinary layer 2 traffic within that VLAN. By this method the attacking host bypasses the layer 3 filtering that was relied on to isolate hosts from one another. The attack is one-way: the victim's replies are switched and routed normally and never come back to the attacker, so it lends itself to blind injection rather than interactive sessions.

As an example of a double tagging attack, consider a web server on a VLAN called VLAN1. Hosts on VLAN1 are allowed access to the web server; hosts from outside the VLAN are blocked by layer 3 filters. An attacking host on a separate VLAN, VLAN2, which is the native VLAN of the trunk between the two switches, creates a specially formed frame to attack the web server. It places a header tagging the frame as belonging to VLAN2 on top of another header tagging the frame as belonging to VLAN1. When the frame is sent, the attacker's switch sees the VLAN2 header, removes it and, because VLAN2 is the native VLAN, forwards the frame across the trunk untagged, expecting it to be treated as ordinary VLAN2 traffic at the far end. However, when the frame reaches the web server's switch, that switch sees the remaining tag indicating that the frame belongs to VLAN1, and so treats it as a layer 2 frame within VLAN1 that never needs to be routed. The frame thus arrives at the target server as though it had been sent from another host on VLAN1, bypassing any layer 3 filtering that might be in place.

1.5 Subnet Isolation

Subnet isolation using VLAN technology has traditionally been an efficient way of grouping users into workgroups that share a specific network address space and broadcast domain regardless of their physical location on the network. Hosts within the same VLAN can communicate with other hosts in the same VLAN using layer 2 switching. In order to communicate with other VLANs, traffic must go through a layer 3 device, where it can be filtered and routed.

1.5.1 Server Farm Tiers

VLANs can offer significant benefits in a multi-service network by providing a convenient way of isolating different equipment and traffic types. Network traffic with differing security policies within the server farm should be logically grouped using multiple VLANs. Each type of device or server, such as payroll, research and development, voice over IP, wireless, etc., would have its own mutually exclusive VLAN. This type of architecture forces layer 3 routing between the groups and thereby enables all the filtering capabilities of the layer 3 devices, in addition to strategically placed firewalls inside the enclave. Each server type should have its own VLAN.

Segmentation is used to make it harder for a client that compromises a server to get access to the information exchanged in other parts of the data center. Segmentation local to the VLAN (by means of private VLANs, which block layer 2 traffic between ports of the same VLAN) further enhances data center security by preventing a server infected by a worm from propagating to adjacent servers.

Data Centers that rent floor space, power, and IT processing to multiple customers have additional security responsibilities to their customers. Protecting one client's data from other clients is necessary and can be accomplished using VLAN provisioning, layer 3 filtering and content filtering at the Server Farm entry point. Restricting traffic by protocol, source and destination via filters is a start; however, additional security practices such as content filtering are required.

Most current applications are deployed in a multi-tier architecture. The multi-tier model uses separate server machines to provide the different functions of presentation, business logic, and database. Multi-tier server farms provide added security because a compromised web server does not provide direct access to the application itself or to the database.

The multi-tier separation is accomplished in several architectures: by a layer 2 switch, by a layer 3 switch/router, or by a firewall located at the server farm. The firewall implementation is the most secure method and is the required architecture within DoD.

If an application cannot be tier separated, then the architecture allows for logically moving the entire application and host onto a separate VLAN within the DMZ to ensure that a potential compromise does not give open access to other Server Farm components. This is accomplished by utilizing a Virtual Routing and Forwarding (VRF) capability in the DMZ internal router that segregates the traffic into a separate VLAN while the application retains its current security and availability for production support. The physical location of the processing need not change.

1.5.2 DMZ Segmentation

A way to reduce the risk of attacks within the DMZ is to create separate broadcast domains forming security zones for each technology requiring DMZ services. Isolating the services within the DMZ confines a compromise to its own broadcast domain and does not give open access to other servers within the DMZ. This can be accomplished by utilizing a Virtual Routing and Forwarding (VRF) capability in the DMZ internal router, or by establishing VLANs on the firewall itself that segregate the traffic into separate VLANs. The Regional Enclave DMZ supporting the Bases, Camps, Posts, Stations and mobile locations such as ships and tactical units provides stronger security domains by extending the protections using layer 2 provisioning for web, IM, streaming media, FTP, email, DNS, and applications that cannot use backend architectures.

Review the DMZ architectural drawings. Determine the VLAN provisioning that has been defined off the perimeter firewall. Identify the web servers and applications located in the DMZ and determine which VLANs they are associated with.

1.5.3 Printer VLANs

Aspects of hardening the network wall plate may include traffic filtering or restrictions on connectivity to enforce a device-, community-of-interest-, or user-specific security policy. For example, if a printer is plugged into a switch port, it is prudent to ensure that only printer traffic is allowed on that switch port. If the printer is unplugged and a substitute device other than a printer is plugged into that switch port, the substitute device should not be able to communicate arbitrarily with other devices, because only printer traffic is allowed on that switch port.

A firewall rule set can filter network traffic within the printer VLAN to only the expected printer protocols. The SA managing the local enclave should identify the printer port traffic within the enclave. Ports commonly used by printers are TCP ports 515 (LPD), 631 (IPP), 1782 and 9100, 9101, 9102 (raw JetDirect-style printing), but others are used throughout the industry. The SA can review the RFC 1700 Port Assignments (since superseded by the IANA Service Name and Transport Protocol Port Number Registry) and printer vendor documents when building the filter rule set.
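The printer VLAN filter described above, as an added example written for this page (not DISA's rule set): a small first-match rule evaluator that permits only the listed print ports from the user VLANs into the printer subnet and denies everything else, including anything originating inside the printer VLAN, so that a laptop plugged into a printer port gets nowhere. The subnets, the aggregate user VLAN range and the sample flows are constructed; the render_ios function emits the same rules as a Cisco IOS extended ACL.

```python
"""Printer-VLAN filter: permit only the print protocols named in the text
from user VLANs to the printer subnet, deny everything else, and render the
same rules as a Cisco IOS extended ACL.  Added example for this page; the
subnets, user VLAN range and sample flows are constructed."""

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

PRINTER_VLAN = ip_network("10.50.0.0/24")   # assumed printer VLAN subnet
USER_VLANS = ip_network("10.20.0.0/16")     # assumed aggregate of user VLANs
ANY = ip_network("0.0.0.0/0")
PRINT_TCP_PORTS = frozenset({515, 631, 1782, 9100, 9101, 9102})  # from the text


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (any protocol)
    src: IPv4Network
    dst: IPv4Network
    dports: frozenset = frozenset()   # empty means any destination port

    def matches(self, flow):
        return ((self.proto == "ip" or self.proto == flow.proto)
                and ip_address(flow.src) in self.src
                and ip_address(flow.dst) in self.dst
                and (not self.dports or flow.dport in self.dports))


# First match wins, as on a router ACL.  Nothing originating inside the
# printer VLAN is permitted, so a substituted device on a printer port
# cannot open connections to the rest of the enclave.
RULES = (
    Rule("permit", "tcp", USER_VLANS, PRINTER_VLAN, PRINT_TCP_PORTS),
    Rule("deny", "ip", ANY, ANY),
)


def evaluate(flow, rules=RULES):
    """Return (action, index of the matching rule)."""
    for i, rule in enumerate(rules):
        if rule.matches(flow):
            return rule.action, i
    return "deny", len(rules)   # the implicit deny at the end of every ACL


def render_ios(name="PRINTER-VLAN", rules=RULES):
    """Cisco IOS extended ACL text for the same rules (one entry per port)."""
    def addr(net):
        return "any" if net.prefixlen == 0 else f"{net.network_address} {net.hostmask}"
    lines = [f"ip access-list extended {name}"]
    for rule in rules:
        for port in sorted(rule.dports) or [None]:
            entry = f" {rule.action} {rule.proto} {addr(rule.src)} {addr(rule.dst)}"
            if port is not None:
                entry += f" eq {port}"
            if rule.action == "deny" and not rule.dports:
                entry += " log"   # log what the catch-all deny drops
            lines.append(entry)
    return "\n".join(lines)


# Constructed flows: a normal print job, an SSH probe against a printer,
# and a laptop on a printer port reaching for a file server over SMB.
SAMPLE_FLOWS = [
    Flow("tcp", "10.20.3.15", "10.50.0.7", 9100),
    Flow("tcp", "10.20.3.15", "10.50.0.7", 22),
    Flow("tcp", "10.50.0.7", "10.10.0.5", 445),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "->", evaluate(f))
    print(render_ios())
```

The rules describe new connections only; a stateful firewall passes the printer's replies automatically, while a stateless router ACL applied in the return direction would also need an "established" (or reflexive) entry. Any printer-originated protocol the SA identifies as legitimate (for example SNMP from a print management server, or scan-to-email) would be added as its own explicit permit ahead of the final deny.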

1.5.4 Network Access Control VLANs

With the addition of Network Access Control policies, the enclave network infrastructure must be provisioned using VLAN memberships based on a user's identity and on the health and/or security state of the user's device (also referred to as endpoint assessment or host posture). To accomplish this design, the network administrator defines VLANs for unauthenticated devices, policy assessment, policy remediation, and production use, and configures the Advanced AAA Server (such as a RADIUS server) to return the appropriate VLAN to the switch as part of the authentication result.
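As an added example written for this page (not DISA or vendor code), the following Python maps an endpoint's NAC state to one of the four VLANs named above and encodes the result as the RADIUS attributes defined by RFC 3580 (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN number) that a RADIUS server returns in Access-Accept so the switch moves the port into that VLAN. The VLAN numbers, the role-to-production-VLAN table and the least-privilege fallback for an unmapped role are assumptions.

```python
"""Map an endpoint's NAC state to a VLAN and express it as the RADIUS
attributes (RFC 3580) an AAA server returns in Access-Accept.  Added
example for this page; VLAN numbers and the role table are constructed."""

import struct
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Assumed VLAN numbers for the NAC stages named in the text.
NAC_VLANS = {"unauthenticated": 900, "assessment": 901, "remediation": 902}
PRODUCTION_VLANS = {"finance": 110, "engineering": 120}  # assumed role map

# RADIUS attribute types (RFC 2868) and the values RFC 3580 uses for VLANs.
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_PRIVATE_GROUP = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


class Posture(Enum):
    UNKNOWN = "unknown"          # agent has not reported yet
    COMPLIANT = "compliant"
    NONCOMPLIANT = "noncompliant"


@dataclass(frozen=True)
class Endpoint:
    authenticated: bool
    role: Optional[str]
    posture: Posture


def assign_vlan(ep):
    """Return (stage name, VLAN id) for the endpoint's current state."""
    if not ep.authenticated:
        return "unauthenticated", NAC_VLANS["unauthenticated"]
    if ep.posture is Posture.UNKNOWN:
        return "assessment", NAC_VLANS["assessment"]
    if ep.posture is Posture.NONCOMPLIANT:
        return "remediation", NAC_VLANS["remediation"]
    if ep.role not in PRODUCTION_VLANS:
        # Authenticated and healthy but no production mapping: least privilege.
        return "unauthenticated", NAC_VLANS["unauthenticated"]
    return "production", PRODUCTION_VLANS[ep.role]


def encode_vlan_attributes(vlan_id):
    """Raw RADIUS attribute TLVs carrying a VLAN assignment (tunnel tag 0)."""
    vid = str(vlan_id).encode()
    return (struct.pack("!BBB", ATTR_TUNNEL_TYPE, 6, 0) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
            + struct.pack("!BBB", ATTR_TUNNEL_MEDIUM, 6, 0) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")
            + struct.pack("!BB", ATTR_TUNNEL_PRIVATE_GROUP, 2 + len(vid)) + vid)


def decode_vlan_attributes(data):
    """Parse the TLVs back; return the VLAN id, or None if the triple is incomplete."""
    attrs, off = {}, 0
    while off + 2 <= len(data):
        atype, alen = data[off], data[off + 1]
        if alen < 2:
            break
        attrs[atype] = data[off + 2:off + alen]
        off += alen
    if (attrs.get(ATTR_TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big")
            or attrs.get(ATTR_TUNNEL_MEDIUM, b"")[1:] != TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")):
        return None
    group = attrs.get(ATTR_TUNNEL_PRIVATE_GROUP, b"")
    if group and group[0] <= 0x1F:   # RFC 2868: a leading byte <= 0x1F is a tag, not data
        group = group[1:]
    return int(group.decode()) if group else None


def access_accept_vlan(ep):
    """The VLAN attributes an AAA server would return for this endpoint."""
    return encode_vlan_attributes(assign_vlan(ep)[1])


if __name__ == "__main__":
    for ep in (Endpoint(False, None, Posture.UNKNOWN),
               Endpoint(True, "finance", Posture.UNKNOWN),
               Endpoint(True, "finance", Posture.NONCOMPLIANT),
               Endpoint(True, "finance", Posture.COMPLIANT)):
        stage, vid = assign_vlan(ep)
        print(f"{stage:<16} VLAN {vid}  {access_accept_vlan(ep).hex()}")
```

The switch applies the VLAN carried in Tunnel-Private-Group-ID only if Tunnel-Type and Tunnel-Medium-Type are both present with the VLAN and IEEE-802 values, which is why the decoder checks all three; whether the group identifier may be a VLAN name instead of a number depends on the switch platform. Moving the endpoint from the assessment VLAN to remediation or production after posture changes requires the server to send a new result (RADIUS Change of Authorization or a fresh authentication), which this example leaves to the AAA server.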