Network device hardening

I just watched a YouTube video by a security researcher showing how a five line python script can be used to unilaterally configure a Cisco switch port connected to a host computer into a trunk port. It does this by forging a single virtual trunk protocol (VTP) packet. The host can then eavesdrop on broadcast traffic on all VLANs on the network, as well as prosecute man-in-the-middle of attacks:

https://youtu.be/u5cp_hcwq2c

This was a Cisco switch, and apparently the default configuration permits this. I haven’t delved into the details yet, but I’m hoping that there are straightforward configuration settings that can prevent this kind of attack. I gather, though, that it isn’t as simple as just adding a line code to IOS. It looks like what’s needed is very specific pruning of VLANs to ports for devices that are not switches, and that sounds like a big, ongoing maintenance task prone to human error.

The design clinic would be broader than this specific vulnerability though. We’ve all seen Aruba and Cisco and Juniper and the like checklists explaining how to “harden“ their specific network gear, but I just looked and didn’t see this VLAN thing discussed, for Cisco at least:

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

Clearly these checklists need to be updated in the light of more recent hacker machinations. I’d love to see a strategy for proactively designing security measures into networks works for this vulnerability and others recently discovered. Every network I’ve ever worked on, all the security stuff seem to be bolted on after the fact, rather than designed in from the beginning. You could title the clinic “Designing networks for security from the ground up“.

Sidebar