Can private VLANs be used to prevent man-in-the-middle attacks?

Answered Question
Jul 29th, 2009

Hi,


We have a mixture of Cisco 2950 / 2960 switches at our access layer. A recent network penetration test highlighted the need for protection against man-in-the-middle attacks using gratuitous ARP or ARP poisoning.


This can be circumvented by implementing DHCP Snooping and Dynamic ARP Inspection. However, DAI isn't supported on the 2950.


We have been looking at implementing Private VLANs as a separate piece of work and I was wondering if this would provide the same level of protection on a Cisco 2950 without the need for DAI?


Thanks in advance.


Correct Answer by Peter Paluch (Cisco Employee), Wed, 07/29/2009 - 02:38

Hello,


Exactly as you suggested, the problems with ARP poisoning are best remedied using Dynamic ARP Inspection; however, the 2950 series does not support it (the 2960s do support it since IOS 12.2(50)SE, if I am not mistaken).


The problem with Private VLANs is that, again, neither the 2950 nor the 2960 supports the full Private VLAN function. They only support what is called Private VLAN Edge, which is basically a "switchport protected" port.


Moreover, I am afraid that even full Private VLAN support would not be helpful here. Private VLANs might prevent one station from polluting the ARP cache of a second station if they are members of an isolated PVLAN or of two different community PVLANs. The problem here is that PVLANs do not protect the routers or other devices connected to unprotected (promiscuous) ports. The spoofed ARP packets from individual stations will flow through such ports without limitation. While an attacking station won't be able to resend the frame to its correct recipient because of the isolation, it will at least be able to cause a denial of service.


Best regards,

Peter
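As an added example (not part of the original thread, and not the poster's own configuration), this is the DHCP snooping plus Dynamic ARP Inspection setup the answer recommends, as it would be applied on a 2960 running an IOS release that supports DAI (12.2(50)SE or later, per the answer). VLAN 10, the interface names, the uplink port and the static host 10.1.10.5 / 0011.2233.4455 are assumptions for illustration; the `switchport protected` line is included only to show what Private VLAN Edge does and why it does not cover the uplink.

```ios
! Added example, not from the original thread: DHCP snooping + Dynamic ARP
! Inspection on a 2960 (needs an IOS release with DAI, 12.2(50)SE or later per
! the answer above). VLAN 10, port names and the static host are assumptions.
!
! 1. DHCP snooping builds the IP-to-MAC binding table that DAI validates against.
ip dhcp snooping
ip dhcp snooping vlan 10
! The DHCP server/relay sits upstream, so only the uplink is a trusted source
! of DHCP server messages and of ARP. Every access port stays untrusted (default).
interface GigabitEthernet0/1
 description Uplink to distribution (assumed)
 ip dhcp snooping trust
 ip arp inspection trust
!
! 2. Turn DAI on for the user VLAN. On untrusted ports every ARP request and
! reply is checked against the snooping bindings; a gratuitous ARP claiming the
! gateway's IP with the attacker's MAC has no matching binding and is dropped.
ip arp inspection vlan 10
! Optional extra checks: sender MAC must equal the Ethernet source MAC, the
! target MAC in replies must equal the destination MAC, and IPs must be valid.
ip arp inspection validate src-mac dst-mac ip
!
! 3. Hosts that do not use DHCP (printers, servers with static IPs) have no
! snooping binding, so DAI would drop their ARP. Whitelist them with an ARP ACL
! instead of marking their ports trusted. Address and MAC below are assumptions.
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.5 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! 4. Access ports: untrusted for both features, with the default ARP rate limit
! (15 pps) so a flooding host err-disables its own port rather than the VLAN.
interface range FastEthernet0/1 - 48
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
 ! Private VLAN Edge, for comparison: blocks frames between protected ports on
 ! this switch only. The uplink above is not protected, so a spoofed ARP from
 ! any of these ports still reaches the router, exactly as the answer warns.
 switchport protected
!
! 5. Verify: the VLAN shows DAI enabled, the bindings exist, and the DAI drop
! counters rise when a host sends ARP that contradicts its DHCP lease.
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
show ip arp inspection interfaces
```

Order matters when rolling this out: enable DHCP snooping first and wait for hosts to renew their leases (or check `show ip dhcp snooping binding` covers every DHCP host) before adding `ip arp inspection vlan 10`, because snooping only learns bindings from DHCP exchanges it sees, and a host with a lease obtained earlier has no entry and would have its ARP dropped. Persisting the table with `ip dhcp snooping database` avoids the same outage after a reload. None of this applies to the 2950, which, as the answer says, has no DAI to configure.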


cbeswick Wed, 07/29/2009 - 03:05
User Badges:

Many thanks for your response.


It looks like it's going to be an upgrade on the existing 2960s, and raising it as a known risk on the 2950s.
