Kitz Forum
Computers & Hardware => Networking => Topic started by: Weaver on May 17, 2018, 12:51:26 AM
-
Say I have cables going into a VLAN-capable switch and I split the physical ports into two groups to make two VLANs. If I have an evil host on one of the attached cables within these groups and it sends a frame with the right 802.1q tag, can I break the security of the system and get access into the wrong VLAN?
-
Is this what you mean?
https://en.wikipedia.org/wiki/VLAN_hopping
So yes it's possible with a misconfigured switch!
Thanks
Tim
-
> Say I have cables going into a VLAN-capable switch and I split the physical ports into two groups to make two VLANs. If I have an evil host on one of the attached cables within these groups and it sends a frame with the right 802.1q tag, can I break the security of the system and get access into the wrong VLAN?
Not if they're doing it right. Access ports, ports that apply and remove the tag upon ingress and egress, should only accept untagged frames and should reject anything that comes with one. Obviously if you expose trunk ports and haven't configured allowed VLANs exploitation is trivial.
There are other ways to play games with switches too. Generating a bunch of junk to fill up the switch's CAM / MAC / ARP table forces some switches to become hubs, broadcasting everything to every port. That's a fairly simple one. ;)
-
> Not if they're doing it right. Access ports, ports that apply and remove the tag upon ingress and egress, should only accept untagged frames and should reject anything that comes with one.
That is what was worrying me. Good to hear. So much written about VLANs is waffle, not very explicit and full of jargon that is rather variable too. I just want to know what happens to 802.1q tags in some cases, and a lot of docs, manuals, videos etc. don't just give you that answer - it gets added / removed / replaced / blocked / allowed - straight.
-
For what it's worth, we've not known PCI audits to raise a concern, for example, if cardholder and non-cardholder networks are carried on separate VLANs on the same switches.
Interested in the comments above, do access ports drop tagged frames, or do they simply ignore and remove the tag? I might try that and see.
One possible trap when configuring from scratch might be switches or switch ports that are in an auto-configure mode; these may be acting perfectly normally as access ports but equally be prepared to act as trunks if the other end initiated. Having said that, in most production environments ports would be hard coded as access or trunk, and in many cases trunks would only allow designated VLANs.
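As an added illustration (not posted by anyone in the thread), here is a small Python model of the ingress rules discussed above and of the "drop or strip?" question just asked: it parses the 802.1Q tag out of a raw frame and applies a strict access-port policy (tagged frames dropped), a lenient one (tag ignored, frame lands in the PVID anyway), and a trunk policy with an allowed-VLAN list. MAC addresses and payload are constructed placeholders.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag header


def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, vlan_id, ethertype, payload).
    vlan_id is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner_type, frame[18:]  # low 12 bits of TCI = VID


def access_ingress(frame, pvid, strict=True):
    """Classify a frame arriving on an access port; return its VLAN or None if dropped.
    strict=True : tagged frames are rejected (the behaviour recommended above).
    strict=False: the tag is ignored/stripped and the frame still goes into the PVID."""
    vid = parse_frame(frame)[2]
    if vid is None:
        return pvid
    return None if strict else pvid


def trunk_ingress(frame, allowed, native_vid=None):
    """Classify a frame arriving on a trunk port. Untagged frames go to the native
    VLAN (if configured and allowed); tagged frames must name an allowed VLAN."""
    vid = parse_frame(frame)[2]
    if vid is None:
        return native_vid if native_vid in allowed else None
    return vid if vid in allowed else None


def build_frame(vid=None, payload=b"\x00" * 46):
    """Constructed sample frame: placeholder MACs, IPv4 EtherType, optional 802.1Q tag."""
    hdr = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455")
    if vid is None:
        return hdr + struct.pack("!H", 0x0800) + payload
    return hdr + struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, 0x0800) + payload
```

Running a tagged frame for VLAN 20 through access_ingress(..., pvid=10) returns None under the strict policy and 10 under the lenient one, which is exactly the difference the question above is asking about.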
-
This is why I don't like the jargon. It doesn't state clearly and exactly the rules about what has to happen, and the details are vital it seems to me. Have people been making scary assumptions that attached normal devices never generate their own 802.1q tags? I wonder.