Kitz ADSL Broadband Information
Author Topic: Security of VLAN switches  (Read 339 times)

Weaver

  • Addicted Kitizen
  • Posts: 5424
  • Retd sw dev; A&A; 3 7km ADSL2; IPv6; Firebrick
Security of VLAN switches
« on: May 17, 2018, 12:51:26 AM »

Say I have cables going into a VLAN-capable switch and I split the physical ports into two groups to make two VLANs. If I have an evil host on one of the attached cables within these groups and it sends a frame with the right 802.1q tag, can I break the security of the system and get access into the wrong VLAN?

shadow4dog

  • Member
  • Posts: 36
Re: Security of VLAN switches
« Reply #1 on: May 17, 2018, 10:28:29 AM »

Is this what you mean?

https://en.wikipedia.org/wiki/VLAN_hopping

So yes it's possible with a misconfigured switch!

Thanks
Tim

CarlT

  • Reg Member
  • Posts: 835
Re: Security of VLAN switches
« Reply #2 on: May 19, 2018, 11:38:43 AM »

> Say I have cables going into a VLAN-capable switch and I split the physical ports into two groups to make two VLANs. If I have an evil host on one of the attached cables within these groups and it sends a frame with the right 802.1q tag, can I break the security of the system and get access into the wrong VLAN?

Not if they're doing it right. Access ports, ports that apply and remove the tag upon ingress and egress, should only accept untagged frames and should reject anything that comes with one. Obviously, if you expose trunk ports and haven't configured allowed VLANs, exploitation is trivial.

There are other ways to play games with switches too. Generating a bunch of junk to fill up the switch's CAM / MAC / ARP table forces some switches to become hubs, broadcasting everything to every port. That's a fairly simple one.  ;)

Weaver

  • Addicted Kitizen
  • Posts: 5424
  • Retd sw dev; A&A; 3 7km ADSL2; IPv6; Firebrick
Re: Security of VLAN switches
« Reply #3 on: May 19, 2018, 11:43:14 AM »

> Not if they're doing it right. Access ports, ports that apply and remove the tag upon ingress and egress, should only accept untagged frames and should reject anything that comes with one.

That is what was worrying me. Good to hear. So much written about VLANs is waffle, not very explicit and full of jargon that is rather variable too. I just want to know what happens to 802.1q tags in some cases, and a lot of docs, manuals, videos etc. don't just give you that answer straight: whether it gets added / removed / replaced / blocked / allowed.

aesmith

  • Reg Member
  • Posts: 701
Re: Security of VLAN switches
« Reply #4 on: May 22, 2018, 01:37:06 PM »

For what it's worth, we've not known PCI audits to raise a concern where, for example, cardholder and non-cardholder networks are carried on separate VLANs on the same switches.

Interested in the comments above: do access ports drop tagged frames, or do they simply ignore and remove the tag? I might try that and see.

One possible trap when configuring from scratch might be switches or switch ports that are in an auto-configure mode; these may be acting perfectly normally as access ports but equally be prepared to act as trunks if the other end initiated. Having said that, in most production environments ports would be hard coded as access or trunk, and in many cases trunks would only allow designated VLANs.
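To make the tag-handling rules from Reply #2 and the drop-versus-strip question in Reply #4 concrete, here is a small Python model of 802.1Q ingress on a switch. It is an added example written for this thread, not code from the forum or from any switch vendor: it parses the outer 802.1Q tag of a raw Ethernet frame, applies an access-port or trunk-port policy, and then audits a list of port definitions for the three risky states the thread names (an access port that honours a host-supplied tag, a trunk with no allowed-VLAN list, and a port left in auto-negotiate mode). Port names, VLAN numbers, MAC addresses and the three policy labels are constructed for illustration.

```python
"""Toy model of 802.1Q ingress filtering on a VLAN switch (added example)."""
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

TPID_8021Q = 0x8100  # EtherType that marks a single 802.1Q tag


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vid: Optional[int] = None, ethertype: int = 0x0800) -> bytes:
    """Construct an Ethernet II frame, optionally carrying one 802.1Q tag."""
    hdr = dst + src
    if vid is not None:
        # TPID, then TCI with PCP=0 / DEI=0 and the 12-bit VID, then the real EtherType
        hdr += struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_tag(frame: bytes) -> Optional[int]:
    """Return the VID of the outer 802.1Q tag, or None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN id


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                                  # "access", "trunk" or "dynamic" (assumed labels)
    pvid: int                                  # access VLAN, or native VLAN on a trunk
    allowed: Optional[FrozenSet[int]] = None   # trunk only; None models "every VLAN allowed"
    tagged_on_access: str = "drop"             # "drop", "ignore" or "honour" (assumed labels)


def ingress(port: Port, frame: bytes) -> Tuple[Optional[int], str]:
    """Decide which VLAN a frame enters on this port: (vlan, "forward") or (None, "drop")."""
    vid = parse_tag(frame)
    if port.mode == "access":
        if vid is None:
            return port.pvid, "forward"           # normal case: untagged host traffic
        if port.tagged_on_access == "drop":
            return None, "drop"                   # the behaviour Reply #2 calls "doing it right"
        if port.tagged_on_access == "ignore":
            return port.pvid, "forward"           # tag stripped; frame still stays in its own VLAN
        return vid, "forward"                     # misconfiguration: host picks its own VLAN
    if port.mode == "trunk":
        if vid is None:
            return port.pvid, "forward"           # untagged on a trunk lands in the native VLAN
        if port.allowed is None or vid in port.allowed:
            return vid, "forward"
        return None, "drop"                       # VLAN not on the trunk's allowed list
    raise ValueError(f"{port.name}: mode '{port.mode}' is not pinned; cannot classify safely")


def audit(ports: List[Port]) -> List[str]:
    """Flag port configurations the thread identifies as risky."""
    findings = []
    for p in ports:
        if p.mode == "dynamic":
            findings.append(f"{p.name}: mode not hard-coded; pin it to access or trunk")
        elif p.mode == "access" and p.tagged_on_access == "honour":
            findings.append(f"{p.name}: access port honours host-supplied 802.1Q tags")
        elif p.mode == "trunk" and p.allowed is None:
            findings.append(f"{p.name}: trunk carries every VLAN; configure an allowed list")
    return findings


if __name__ == "__main__":
    # Constructed sample data: a broadcast destination, a locally administered source MAC.
    dst, src, payload = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", b"\x00" * 46
    access = Port("Gi1/1", "access", pvid=10)
    trunk = Port("Gi1/24", "trunk", pvid=99, allowed=frozenset({10, 20}))
    print("untagged on access  ->", ingress(access, build_frame(dst, src, payload)))
    print("tagged 20 on access ->", ingress(access, build_frame(dst, src, payload, vid=20)))
    print("tagged 30 on trunk  ->", ingress(trunk, build_frame(dst, src, payload, vid=30)))
    for line in audit([access, trunk, Port("Gi1/5", "dynamic", 1), Port("Gi1/6", "trunk", 1)]):
        print("audit:", line)
```

The model answers the question in Reply #4 directly: with either the "drop" or the "ignore" policy, a tagged frame from a host on an access port never leaves the port's own VLAN, so the difference between the two is only whether the host's frame is discarded or delivered untagged. The isolation breaks only in the "honour" case, which is the misconfiguration the audit function is there to catch, together with the unpinned-mode trap raised in the same reply.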

Weaver

  • Addicted Kitizen
  • Posts: 5424
  • Retd sw dev; A&A; 3 7km ADSL2; IPv6; Firebrick
Re: Security of VLAN switches
« Reply #5 on: May 22, 2018, 01:46:33 PM »

This is why I don't like the jargon. It doesn't state clearly and exactly the rules about what has to happen, and the details are vital, it seems to me. Have people been making scary assumptions that attached normal devices never generate their own 802.1q tags? I wonder.