VLAN hopping

Last updated

VLAN hopping is a computer security exploit, a method of attacking networked resources on a virtual LAN (VLAN). The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN hopping: switch spoofing and double tagging. Both attack vectors can be mitigated with proper switch port configuration.

Contents

Switch spoofing

In a switch spoofing attack, an attacking host imitates a trunking switch [1] by speaking the tagging and trunking protocols (e.g. Multiple VLAN Registration Protocol, IEEE 802.1Q, Dynamic Trunking Protocol) used in maintaining a VLAN. Traffic for multiple VLANs is then accessible to the attacking host.


Mitigation

Switch spoofing can only be exploited when interfaces are set to negotiate a trunk. To prevent this attack on Cisco IOS, use one of the following methods: [2] :163

1. Ensure that ports are not set to negotiate trunks automatically by disabling DTP:

Switch (config-if)# switchport nonegotiate

2. Ensure that ports that are not meant to be trunks are explicitly configured as access ports 

Switch (config-if)# switchport mode access

Double tagging

In a double tagging attack, an attacker connected to an 802.1Q-enabled port prepends two VLAN tags to a frame that it transmits. The frame (externally tagged with VLAN ID that the attacker's port is really a member of) is forwarded without the first tag because it is the native VLAN of a trunk interface. The second tag is then visible to the second switch that the frame encounters. This second VLAN tag indicates that the frame is destined for a target host on a second switch. The frame is then sent to the target host as though it originated on the target VLAN, effectively bypassing the network mechanisms that logically isolate VLANs from one another. [3] However, possible replies are not forwarded to the attacking host (unidirectional flow).

Mitigation

Double tagging can only be exploited on switch ports configured to use native VLANs. [2] :162 Trunk ports configured with a native VLAN don't apply a VLAN tag when sending these frames. This allows an attacker's fake VLAN tag to be read by the next switch. [4]

Double tagging can be mitigated by any of the following actions (incl. IOS example):

Example

As an example of a double tagging attack, consider a secure web server on a VLAN called VLAN2. Hosts on VLAN2 are allowed access to the web server; hosts from outside VLAN2 are blocked by layer 3 filters. An attacking host on a separate VLAN, called VLAN1(Native), creates a specially formed packet to attack the web server. It places a header tagging the packet as belonging to VLAN2 under the header tagging the packet as belonging to VLAN1. When the packet is sent, the switch sees the default VLAN1 header and removes it and forwards the packet. The next switch sees the VLAN2 header and puts the packet in VLAN2. The packet thus arrives at the target server as though it were sent from another host on VLAN2, ignoring any layer 3 filtering that might be in place. [5]

See also

Related Research Articles

In computer networking, the maximum transmission unit (MTU) is the size of the largest protocol data unit (PDU) that can be communicated in a single network layer transaction. The MTU relates to, but is not identical to the maximum frame size that can be transported on the data link layer, e.g., Ethernet frame.

The Spanning Tree Protocol (STP) is a network protocol that builds a loop-free logical topology for Ethernet networks. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them. Spanning tree also allows a network design to include backup links providing fault tolerance if an active link fails.

<span class="mw-page-title-main">VLAN</span> Network communications domain that is isolated at the data link layer

A virtual local area network (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer. In this context, virtual refers to a physical object recreated and altered by additional logic, within the local area network. Basically, a VLAN behaves like a virtual switch or network link that can share the same physical structure with other VLANs while staying logically separate from them. Between network devices, VLANs work by applying tags to network frames and handling these tags in networking systems –creating the appearance and functionality of network traffic that is physically on a single network but acts as if it were split between separate networks. In this way, VLANs can keep network applications separate despite being connected to the same physical network, and without requiring multiple sets of cabling and networking devices to be deployed.

A multilayer switch (MLS) is a computer networking device that switches on OSI layer 2 like an ordinary network switch and provides extra functions on higher OSI layers. The MLS was invented by engineers at Digital Equipment Corporation.

In telecommunications, trunking is a technology for providing network access to multiple clients simultaneously by sharing a set of circuits, carriers, channels, or frequencies, instead of providing individual circuits or channels for each client. This is reminiscent to the structure of a tree with one trunk and many branches. Trunking in telecommunication originated in telegraphy, and later in telephone systems where a trunk line is a communications channel between telephone exchanges.

Cisco Discovery Protocol (CDP) is a proprietary data link layer protocol developed by Cisco Systems in 1994 by Keith McCloghrie and Dino Farinacci. It is used to share information about other directly connected Cisco equipment, such as the operating system version and IP address. CDP can also be used for On-Demand Routing, which is a method of including routing information in CDP announcements so that dynamic routing protocols do not need to be used in simple networks.

Class of service is a parameter used in data and voice protocols to differentiate the types of payloads contained in the packet being transmitted. The objective of such differentiation is generally associated with assigning priorities to the data payload or access levels to the telephone call.

IEEE 802.1Q, often referred to as Dot1q, is the networking standard that supports virtual local area networking (VLANs) on an IEEE 802.3 Ethernet network. The standard defines a system of VLAN tagging for Ethernet frames and the accompanying procedures to be used by bridges and switches in handling such frames. The standard also contains provisions for a quality-of-service prioritization scheme commonly known as IEEE 802.1p and defines the Generic Attribute Registration Protocol.

VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol that propagates the definition of Virtual Local Area Networks (VLAN) on the whole local area network. To do this, VTP carries VLAN information to all the switches in a VTP domain. VTP advertisements can be sent over 802.1Q, and ISL trunks. VTP is available on most of the Cisco Catalyst Family products. Using VTP, each Catalyst Family Switch advertises the following on its trunk ports:

<span class="mw-page-title-main">EtherChannel</span> Computer networking link aggregation technology

EtherChannel is a port link aggregation technology or port-channel architecture used primarily on Cisco switches. It allows grouping of several physical Ethernet links to create one logical Ethernet link for the purpose of providing fault-tolerance and high-speed links between switches, routers and servers. An EtherChannel can be created from between two and eight active Fast, Gigabit or 10-Gigabit Ethernet ports, with an additional one to eight inactive (failover) ports which become active as the other active ports fail. EtherChannel is primarily used in the backbone network, but can also be used to connect end user machines.

Cisco Inter-Switch Link (ISL) is a Cisco proprietary link layer protocol that maintains VLAN information in Ethernet frames as traffic flows between switches and routers, or switches and switches. ISL is Cisco's VLAN encapsulation protocol and is supported only on some Cisco equipment over the Fast and Gigabit Ethernet links. It is offered as an alternative to the IEEE 802.1Q standard, a widely used VLAN tagging protocol, although the use of ISL for new sites is deprecated by Cisco.

<span class="mw-page-title-main">Router on a stick</span> Router that has a single connection to a network

A router on a stick, also known as a one-armed router, is a router that has a single physical or logical connection to a network. It is a method of inter-VLAN routing where one router is connected to a switch via a single cable. The router has physical connections to the broadcast domains where one or more VLANs require the need for routing between them.

Multiple Registration Protocol (MRP), which replaced Generic Attribute Registration Protocol (GARP), is a generic registration framework defined by the IEEE 802.1ak amendment to the IEEE 802.1Q standard. MRP allows bridges, switches or other similar devices to register and de-register attribute values, such as VLAN identifiers and multicast group membership across a large local area network. MRP operates at the data link layer.

A broadcast storm or broadcast radiation is the accumulation of broadcast and multicast traffic on a computer network. Extreme amounts of broadcast traffic constitute a broadcast storm. It can consume sufficient network resources so as to render the network unable to transport normal traffic. A packet that induces such a storm is occasionally nicknamed a Chernobyl packet.

The Dynamic Trunking Protocol (DTP) is a proprietary link layer protocol developed by Cisco Systems for the purpose of negotiating trunking on a link between two VLAN-aware switches, and for negotiating the type of trunking encapsulation to be used. VLAN trunks formed using DTP may utilize either IEEE 802.1Q or Cisco ISL trunking protocols.

In computer networking, CDP spoofing is a technique employed to compromise the operation of network devices that use Cisco Discovery Protocol (CDP) for discovering neighboring devices. CDP spoofing is a network security threat that can be mitigated by taking precautionary measures.

<span class="mw-page-title-main">Private VLAN</span> Computer network security technique

Private VLAN, also known as port isolation, is a technique in computer networking where a VLAN contains switch ports that are restricted such that they can only communicate with a given uplink. The restricted ports are called private ports. Each private VLAN typically contains many private ports, and a single uplink. The uplink will typically be a port connected to a router, firewall, server, provider network, or similar central resource.

The VLAN Query Protocol (VQP) was developed by Cisco and allows end-devices on LANs to be authenticated via their MAC address and an appropriate VLAN attributed to the port, using a VLAN Management Policy Server (VMPS). VQP is a Cisco-only protocol that is supported only by older switches running CatOS. Many vendors have turned to support dynamic VLAN assignments using the 802.1x authentication protocol with a Radius server that has additional attributes designating the VLAN.

IEEE 802.1ad is an amendment to the IEEE 802.1Q-1998 networking standard which adds support for provider bridges. It was incorporated into the base 802.1Q standard in 2011. The technique specified by the standard is known informally as stacked VLANs or QinQ.

In computer networking, a unicast flood occurs when a switch receives a unicast frame and the switch does not know that the addressee is on any particular switch port. Since the switch has no information regarding which port, if any, the addressee might be reached through, it forwards the frame through all ports aside from the one through which the frame was received.

References

  1. Rik Farrow (2003-03-17). "VLAN Insecurity" . Retrieved 2017-06-07.
  2. 1 2 Boyles, Tim (2010). CCNA Security Study Guide: Exam 640-553. SYBEX Inc. ISBN   9780470527672.
  3. Rouiller, Steve A. "Virtual LAN Security: weaknesses and countermeasures". SANS Institute InfoSec Reading Room. Retrieved 2017-06-07.
  4. "What is Double tagging attack and how to prevent Double tagging attack" . Retrieved 2017-10-15.
  5. "Configuration Examples Related to VLAN Features". Catalyst 2820 and 1900 Enterprise Edition Software Guide. Cisco. Archived from the original on 2013-01-28. Retrieved 2017-06-07.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.