Understanding VLAN Security and Attacks

Aug 9, 2024

Lecture: VLAN Security and Attacks

VLAN Configuration in Enterprise Networks

  • Multiple VLANs configured in enterprise networks
  • VLANs organized by different parts of the business
    • Example: Network engineering VLAN, security communication VLAN
  • VLANs segment the network to restrict access between different VLANs

Attacker Methods to Circumvent VLANs

1. Switch Spoofing

  • Attackers use switch spoofing to bypass VLAN segmentation
  • Network interfaces on switches are configured either as access ports or as trunk interfaces
  • Automatic trunk negotiation on switches can be exploited
    • No authentication is required to negotiate a trunk
    • Attacker’s laptop can present itself as a switch and be granted a trunk link
    • A trunk link carries traffic for multiple VLANs
  • Best practice: Disable automatic negotiation and manually set each interface as access or trunk

2. Double Tagging

  • Double tagging is a second method of gaining unauthorized VLAN access
  • Frames are sent with two 802.1Q VLAN tags stacked on each other
  • Exploits the native VLAN feature of a trunk
    • Traffic on the native VLAN is carried across the trunk without a tag
    • First switch strips the outer (native VLAN) tag; the inner tag then steers the frame into another VLAN
  • Primarily a one-way attack
    • Suitable for denial of service (DoS) or other one-way traffic
  • Preventing double tagging
    • Change the native VLAN ID to an unused VLAN
    • Force tagging of all traffic, even on the native VLAN

Example of Double Tagging Attack

  • Attacker on VLAN 10 wants to reach victim on VLAN 20
  • Trunk between the switches carries VLAN 10 and VLAN 20, with the native VLAN set to 10
  • Specially crafted frame with two 802.1Q tags (outer tag VLAN 10, inner tag VLAN 20)
    • Frame sent to the first switch
    • Outer VLAN 10 tag removed at the trunk, since VLAN 10 is the native VLAN; VLAN 20 tag remains
    • Frame forwarded across the trunk to the switch managing VLAN 20
    • Frame reaches the victim on VLAN 20
  • Victim cannot respond to the attacker because its replies stay within VLAN 20 (VLAN segmentation)
  • Attacker can send unlimited traffic to the victim
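The following is an added example, not part of the lecture notes: a small Python 802.1Q tag-stack parser that flags double-tagged frames in a capture, plus a model of the first switch's trunk egress showing why changing the native VLAN or forcing native tagging stops the hop. The sample frame bytes are constructed to match the scenario above (outer tag VLAN 10, inner tag VLAN 20); the source MAC is a made-up placeholder.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # standard 802.1Q tag (the tag stacked twice in the attack)
ETHERTYPE_QINQ = 0x88A8    # 802.1ad service tag; also counts as a tag when stacked


def parse_vlan_stack(frame: bytes):
    """Walk the Ethernet header; return (VLAN IDs outer-to-inner, payload ethertype)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, vlans = 12, []                 # ethertype field follows dst + src MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in (ETHERTYPE_8021Q, ETHERTYPE_QINQ):
            return vlans, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)         # VLAN ID is the low 12 bits of the TCI
        offset += 4


def trunk_egress(frame: bytes, native_vlan: int, tag_native: bool) -> bytes:
    """Model the first switch's trunk egress: the outer tag is stripped only when
    it equals the native VLAN and native-VLAN tagging is not enforced."""
    vlans, _ = parse_vlan_stack(frame)
    if vlans and vlans[0] == native_vlan and not tag_native:
        return frame[:12] + frame[16:]     # drop the 4-byte outer tag
    return frame


def classify(frame: bytes, native_vlan: int) -> str:
    """Detection verdict for a frame captured on an access port or trunk."""
    vlans, _ = parse_vlan_stack(frame)
    if len(vlans) >= 2 and vlans[0] == native_vlan:
        return "double-tagged, outer tag is native VLAN: possible VLAN hop"
    if len(vlans) >= 2:
        return "double-tagged"
    return "single-tagged" if vlans else "untagged"


# Constructed sample frame mirroring the lecture scenario (not captured traffic).
DOUBLE_TAGGED = (
    bytes.fromhex("ffffffffffff")          # dst MAC: broadcast
    + bytes.fromhex("020000000001")        # src MAC: constructed placeholder
    + bytes.fromhex("8100000a")            # outer 802.1Q tag: VLAN 10
    + bytes.fromhex("81000014")            # inner 802.1Q tag: VLAN 20
    + bytes.fromhex("0800")                # IPv4 ethertype
    + bytes(20)                            # placeholder payload
)
```

With native VLAN 10 and no native tagging, `trunk_egress` leaves only the VLAN 20 tag on the wire; with the native VLAN moved to another ID, or with native tagging forced, both tags survive and the frame stays in VLAN 10.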