This article can also be found in the Premium Editorial Download "Information Security magazine: Betting the house on network anomaly detection systems."

Bits & Bolts
Learn how to leverage the VLAN as a security tool.

The virtual LAN (VLAN) capabilities of all modern LAN switches allow savvy network managers to create and distribute VoIP, mobile wireless and management networks without expensive equipment and infrastructures. But, can VLANs be used as security tools, and is it a good idea to make the VLAN barrier part of your security infrastructure? The answer is yes--with reservations.

Although VLANs themselves may not introduce security exposures, they do present the opportunity for attackers to have unprecedented access to the control plane of the network.

When VLANs are used as security barriers, your security infrastructure's "weak link" moves from the firewall to the switch, and, because switches aren't generally configured with security in mind, opportunities for mischief abound.

For example, suppose you wanted to distribute a wireless guest network. You can place all wireless users outside a separate wireless firewall and, using VLANs, mark certain switch ports as being on the "outside VLAN." Plug wireless gear into that port, and, if you've wired it back to the firewall, it's now logically separated from the rest of your network.

Without VLANs, the most an attacker might do to exploit a misconfigured switch would be to cause a DoS attack by shutting off specific ports. VLANs give the attacker potential access to the switch fabric inside the firewall.

Common VLAN Attacks

Frame tagging
Adding frame encapsulation or double encapsulation to packets to confuse the switch into thinking the frames belong on another VLAN.

DoS flood attacks
Attempting to flood MAC addresses in a switch, causing it to incorrectly forward packets. A similar attack is to flood the switch with random sets of packets, causing it to leak packets across VLANs.

MAC spoofing
Forging MAC addresses to make the switch believe you should be on a different VLAN, thus letting you go around a firewall.

Multicast flooding
Sending many multicast frames to cause the switch to incorrectly forward packets, perhaps as a DoS attack, an eavesdropping attack or a firewall work-around.

STP exploits
Inserting 802.1d spanning tree protocol frames to make the switch reconfigure topology and incorrectly forward frames. In extreme cases, this attack could cause the network to route all traffic through the affected switch, which would give the attacker the ability to eavesdrop on all network traffic.

ARP spoofing attacks
Sending spoofed ARP entries for real devices to cause the switch to forward packets across VLANs--an attack typically used to bypass a firewall.
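Most of the attacks in the list above leave a visible signature at the edge port where they start, and that is where a defender can watch for them. The following detector is an added example written for this article, not code from the magazine or from any switch vendor: it parses raw Ethernet frames, walks stacked 802.1Q tags, and flags four of the listed conditions on a constructed trace, namely a double-tagged frame arriving on an access port, a spanning-tree BPDU arriving on an access port, a port that suddenly sources more MAC addresses than an end host should, and an ARP reply whose sender binding contradicts a trusted IP-to-MAC table. The port names, MAC addresses, IP addresses, the per-port MAC limit and the trusted binding table are all assumptions; the trusted table stands in for what a DHCP-snooping binding table would provide on a real switch.

```python
import struct
from collections import defaultdict

ETHERTYPE_8021Q = 0x8100                          # IEEE 802.1Q VLAN tag
ETHERTYPE_ARP = 0x0806
STP_GROUP_ADDR = bytes.fromhex("0180c2000000")    # 802.1D BPDU destination address


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, payload, vlans=(), ethertype=0x0800):
    """Ethernet frame with zero or more stacked 802.1Q tags (constructed input)."""
    hdr = dst + src
    for vid in vlans:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Minimal ARP reply payload: hw=Ethernet, proto=IPv4, opcode=2."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + sender_mac + bytes(int(o) for o in sender_ip.split("."))
            + target_mac + bytes(int(o) for o in target_ip.split(".")))


def parse_frame(raw):
    """Return (dst, src, [vlan ids], ethertype, payload), walking every stacked tag."""
    dst, src, off, tags = raw[:6], raw[6:12], 12, []
    etype = struct.unpack_from("!H", raw, off)[0]
    off += 2
    while etype == ETHERTYPE_8021Q:
        tci = struct.unpack_from("!H", raw, off)[0]
        tags.append(tci & 0x0FFF)                 # low 12 bits of the TCI are the VLAN id
        etype = struct.unpack_from("!H", raw, off + 2)[0]
        off += 4
    return dst, src, tags, etype, raw[off:]


class AccessPortMonitor:
    """Flags frames that should never arrive on an access (edge) port, plus
    MAC-table churn and ARP claims that contradict a trusted binding table."""

    def __init__(self, access_ports, ip_to_mac, mac_limit=3):
        self.access_ports = set(access_ports)
        self.trusted = dict(ip_to_mac)            # assumed static bindings (like DHCP snooping)
        self.mac_limit = mac_limit                # assumed per-port limit for an end-host port
        self.seen_macs = defaultdict(set)
        self.alerts = []

    def observe(self, port, raw):
        dst, src, tags, etype, payload = parse_frame(raw)
        edge = port in self.access_ports
        if edge and len(tags) >= 2:               # frame tagging / double encapsulation
            self.alerts.append((port, "double-tag", tags))
        if edge and dst == STP_GROUP_ADDR:        # STP exploit: BPDU from an end-host port
            self.alerts.append((port, "bpdu-on-access-port", src.hex(":")))
        macs = self.seen_macs[port]
        macs.add(src)
        if len(macs) == self.mac_limit + 1:       # MAC flooding; alert once per port
            self.alerts.append((port, "mac-flood", len(macs)))
        if etype == ETHERTYPE_ARP and len(payload) >= 28:
            sender_mac = payload[8:14]
            sender_ip = ".".join(str(b) for b in payload[14:18])
            expected = self.trusted.get(sender_ip)
            if expected is not None and expected != sender_mac:   # ARP spoofing
                self.alerts.append((port, "arp-spoof", sender_ip))
        return self.alerts


def run_demo():
    """Replay a constructed trace through the monitor and return its alerts."""
    mon = AccessPortMonitor(access_ports={"Gi0/5", "Gi0/6"},
                            ip_to_mac={"10.0.0.1": mac("00:00:5e:00:01:01")})
    guest = mac("02:00:00:00:00:aa")
    bcast = mac("ff:ff:ff:ff:ff:ff")
    # 1. double-tagged frame on a guest port: outer tag 10, inner tag 20
    mon.observe("Gi0/5", build_frame(bcast, guest, b"\x45" + b"\x00" * 19, vlans=(10, 20)))
    # 2. a BPDU (802.3 length field + LLC 42/42/03) where only an end host should be
    mon.observe("Gi0/5", build_frame(STP_GROUP_ADDR, guest, b"\x42\x42\x03" + b"\x00" * 35,
                                     ethertype=0x0026))
    # 3. five distinct source MACs from one port in a row
    for i in range(5):
        mon.observe("Gi0/6", build_frame(bcast, mac(f"02:00:00:00:01:{i:02x}"), b"\x00" * 46))
    # 4. ARP reply claiming the gateway's IP with the guest's MAC
    mon.observe("Gi0/5", build_frame(bcast, guest,
                                     build_arp_reply(guest, "10.0.0.1", bcast, "10.0.0.7"),
                                     ethertype=ETHERTYPE_ARP))
    return mon.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On a production switch these checks map to features the switch performs itself (BPDU guard, port security, dynamic ARP inspection), but running the same logic over a SPAN or packet capture is a useful way to confirm that an edge port is actually behaving like one.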


Sealing Virtual Leaks
The most common fear in this environment is "VLAN hopping," where packets jump from the outside VLAN to other network segments. When packets leak, datagrams from one switch port appear on a port they shouldn't--either within the same or on a separate VLAN. While just getting packets to jump from one port to another doesn't necessarily offer unlimited access, it does open a hole in the network that gives the attacker the opportunity to wreak havoc. The goal of a VLAN attack is to control the switch's failure so that packets leak where the attacker directs them so he can exploit the weak spot.

Switch vendors have worked hard to overcome these problems and reverse the perception that switches are poor security barriers. For example, Cisco Systems hired the consulting firm @stake (now a division of Symantec) to test its switches and attempt to cause VLAN leakage. The widely publicized results concluded that the tested switches didn't leak packets, even when under intentional attack.

Similar results have been noted in our testing of Hewlett-Packard and Extreme Networks switches. Nevertheless, this improved reliability is only applicable to new switches. Not every VLAN-capable switch is going to behave the same way. For example, older but very popular Cisco 2924-series switches have been shown in our lab to be poor choices as security devices because of their propensity to leak packets across VLANs.
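Whether a given switch leaks is only half the question; the other half is whether the ports on the "outside VLAN" are configured so that the attacks listed above have nothing to work with. The audit below is an added example, not the magazine's or any vendor's code: it parses a constructed Cisco IOS-style running configuration and reports, per interface, the hardening that is missing for the attacks in the list, that is, access mode pinned and DTP negotiation disabled against trunk negotiation and double tagging, BPDU guard against STP exploits, port security against MAC flooding, and a native VLAN other than 1 with an explicit allowed-VLAN list on trunks. The configuration text and interface names are constructed; the commands themselves are standard IOS syntax, and the assumed default port mode of "dynamic" reflects that an unpinned IOS port will negotiate.

```python
SAMPLE_CONFIG = """\
! constructed example, not a real device configuration
interface GigabitEthernet0/5
 description guest wireless AP (outside VLAN)
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
!
interface GigabitEthernet0/6
 description guest wireless AP (outside VLAN)
 switchport access vlan 100
!
interface GigabitEthernet0/24
 description uplink to firewall
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 100,200
!
"""


def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented command lines."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif current is not None and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:
            current = None                        # '!' or a top-level command ends the stanza
    return ifaces


def audit_port(lines):
    """Return the list of hardening gaps for one interface's command lines."""
    def has(prefix):
        return any(line.startswith(prefix) for line in lines)

    findings = []
    # assumed default: an IOS port without 'switchport mode' will negotiate via DTP
    mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), "dynamic")
    if mode == "trunk":
        native_line = next((l for l in lines if l.startswith("switchport trunk native vlan ")), None)
        native = int(native_line.split()[-1]) if native_line else 1
        if native == 1:
            findings.append("native VLAN 1 on trunk (double-tag risk)")
        if not has("switchport trunk allowed vlan"):
            findings.append("trunk carries all VLANs")
    else:
        if mode != "access":
            findings.append("port mode not pinned to access (DTP may negotiate a trunk)")
        if not has("switchport nonegotiate"):
            findings.append("DTP not disabled")
        if not has("spanning-tree bpduguard enable"):
            findings.append("BPDU guard off (STP exploit)")
        if not has("switchport port-security"):
            findings.append("port security off (MAC flooding)")
    return findings


def audit_config(config):
    """Audit every interface stanza; interfaces with an empty list pass."""
    return {name: audit_port(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, gaps in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not gaps else "; ".join(gaps))
```

The two guest-AP ports differ only in what was left out, which is the point: the first is wired back to the firewall the way the article describes and also refuses trunks, BPDUs and MAC churn, while the second trusts whatever plugs into it. The audit does not replace a leak test of the switch itself, but it is the quick check to run before trusting a VLAN boundary on any switch.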

This was first published in July 2005
