🔒

Understanding VLANs and Network Security Risks

Apr 23, 2025

Lecture on VLANs and Network Security

Introduction to VLANs

  • VLANs (Virtual Local Area Networks) are used to separate network traffic within switches.
  • Common in both home and office environments.
  • Separate different parts of a network: e.g., Marketing, Accounting, Shipping & Receiving in organizations; normal traffic, IoT devices, and security cameras at home.

Advantages of VLANs

  • Segregation: Devices are grouped into distinct networks that can't communicate with each other without a router.
  • Enhanced security: Prevents unauthorized access between different network segments.

VLAN Hopping Techniques

VLAN hopping involves methods to traverse between VLANs without a router.

1. Switch Spoofing

  • Concept: Exploits switch configurations that automatically configure interfaces as device or switch interfaces.
  • Mechanism: Pretends to be a switch to create a trunk connection, allowing VLAN hopping.
  • Security Risk: Allows data to be sent across VLANs without proper routing.
  • Prevention:
    • Disable trunk negotiation to prevent unauthorized VLAN access.
    • Manually configure trunk interfaces.
    • Specify which VLANs can pass between switches.

2. Double Tagging

  • Concept: Utilizes VLAN tag manipulation to communicate between VLANs.
  • Mechanism:
    • Adds extra VLAN tags to a network frame.
    • Relies on native VLAN configurations.
    • The first switch removes the first tag and forwards the frame to the intended VLAN.
    • The second switch removes the second tag, further forwarding the frame.
  • Impact: Enables data injection into VLANs, potentially for Denial of Service (DoS).
  • Prevention:
    • Avoid using the native VLAN for user traffic.
    • Change default native VLAN ID (commonly ID 1) to another number.
    • Force tagging of all native VLAN traffic.

Example Scenario

  • Setup: Two switches, attacker on VLAN 10 (green VLAN), victim on VLAN 20 (red VLAN).
  • Process:
    1. Attacker sends a double-tagged frame (tags for VLAN 10 and VLAN 20).
    2. First switch processes VLAN 10 tag, sends to VLAN 10.
    3. Second tag (for VLAN 20) remains, allowing the frame to be received by a device on VLAN 20.

Conclusion

  • VLANs are essential for network organization and security.
  • Awareness of potential vulnerabilities like switch spoofing and double tagging is crucial.
  • Proper configuration and preventive measures can mitigate risks associated with VLAN hopping.

Full transcript