This article can also be found in the Premium Editorial Download "Information Security magazine: Betting the house on network anomaly detection systems."
Learn how to leverage the VLAN as a security tool.
The virtual LAN (VLAN) capabilities of all modern LAN switches allow savvy network managers to create and distribute VoIP, mobile wireless and management networks without expensive equipment and infrastructures. But, can VLANs be used as security tools, and is it a good idea to make the VLAN barrier part of your security infrastructure? The answer is yes--with reservations.
Although VLANs themselves may not introduce security exposures, using them as barriers puts untrusted hosts on the same switch as trusted ones, which gives an attacker direct reach to the switch and its control plane that a physically separate network would never allow.
When VLANs are used as security barriers, your security infrastructure's "weak link" moves from the firewall to the switch, and, because switches aren't generally configured with security in mind, opportunities for mischief abound.
For example, suppose you wanted to distribute a wireless guest network. You can place all wireless users outside a separate wireless firewall and, using VLANs, mark certain switch ports as belonging to the "outside VLAN." Plug the wireless gear into those ports and, if you've carried that VLAN back only to the firewall's outside interface, it's now logically separated from the rest of your network.
Without VLANs, the most an attacker might do to exploit a misconfigured switch would be to cause a DoS attack by shutting off specific ports. VLANs give the attacker potential access to the switch fabric inside the firewall.
Common VLAN Attacks:
- DoS flood attacks
- ARP spoofing attacks
Sealing Virtual Leaks
The most common fear in this environment is "VLAN hopping," where packets jump from the outside VLAN to other network segments. When packets leak, frames from one switch port appear on a port they shouldn't--either within the same VLAN or on a separate one. Merely getting packets to jump from one port to another doesn't by itself grant unlimited access, but it does open a hole in the network that gives the attacker the opportunity to wreak havoc. The goal of a VLAN attack is to make the switch fail in a controlled way, so that packets leak where the attacker directs them and he can then exploit the weak spot.
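The guest-network design above depends on the switch being configured the way the article assumes: every port in the outside VLAN pinned as an access port, and the outside VLAN carried on exactly one trunk, the one back to the firewall. The following Python script is an added example, not part of the original article, that audits a Cisco IOS-style configuration for those two conditions and so catches the "switch not configured with security in mind" weak link before a hopping test is needed. The configuration text, VLAN 200, and the interface names are constructed for illustration; the check flags any port left in a negotiating or unset mode (since a port that can become a trunk can carry the outside VLAN) and any trunk other than the firewall uplink that would carry it.

```python
"""Audit a Cisco IOS-style switch config for an 'outside' (guest) VLAN.

Added example: checks that ports in the outside VLAN are pinned as access
ports and that the outside VLAN rides on no trunk but the firewall uplink.
The sample configuration below is constructed, not taken from a real switch.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample configuration (hypothetical VLAN and interface names).
SAMPLE_CONFIG = """\
! constructed sample configuration
vlan 200
 name GUEST-WIRELESS
!
interface FastEthernet0/1
 description guest AP, correctly pinned
 switchport mode access
 switchport access vlan 200
 switchport nonegotiate
!
interface FastEthernet0/2
 description guest AP, mode left to negotiate
 switchport access vlan 200
!
interface FastEthernet0/3
 description inside workstation
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/1
 description uplink to wireless firewall (outside interface)
 switchport mode trunk
 switchport trunk allowed vlan 200
!
interface GigabitEthernet0/2
 description uplink to core, allowed list never set
 switchport mode trunk
!
"""


@dataclass
class Port:
    name: str
    mode: Optional[str] = None        # 'access', 'trunk', 'dynamic ...', or None if unset
    access_vlan: int = 1              # IOS default access VLAN
    allowed: Optional[Set[int]] = None  # None means every VLAN (IOS trunk default)
    description: str = ""


def parse_vlan_list(spec: str) -> Optional[Set[int]]:
    """Parse an IOS VLAN list such as '10,20-30,200'; None means all VLANs."""
    spec = spec.strip().lower()
    if spec == "all":
        return None
    if spec == "none":
        return set()
    if spec.split()[0] in ("add", "remove", "except"):
        return None  # incremental forms not modelled; assume the worst case
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(config: str) -> List[Port]:
    """Collect the switchport settings of every 'interface' section."""
    ports: List[Port] = []
    cur: Optional[Port] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = Port(name=line[len("interface "):].strip())
            ports.append(cur)
        elif line.startswith("!"):
            cur = None  # '!' ends the current section
        elif cur is None:
            continue
        elif line.startswith("description "):
            cur.description = line[len("description "):]
        elif (m := re.match(r"switchport mode (access|trunk|dynamic \w+)$", line)):
            cur.mode = m.group(1)
        elif (m := re.match(r"switchport access vlan (\d+)$", line)):
            cur.access_vlan = int(m.group(1))
        elif (m := re.match(r"switchport trunk allowed vlan (.+)$", line)):
            cur.allowed = parse_vlan_list(m.group(1))
    return ports


def audit_outside_vlan(ports: List[Port], outside_vlan: int, firewall_uplink: str) -> List[str]:
    """Return one finding per port that weakens the outside-VLAN barrier."""
    findings: List[str] = []
    uplink_seen = False
    for p in ports:
        carries_outside = p.allowed is None or outside_vlan in p.allowed
        if p.mode == "trunk":
            if p.name == firewall_uplink:
                uplink_seen = True
                if p.allowed is None:
                    findings.append(f"{p.name}: firewall uplink allows every VLAN; restrict it to VLAN {outside_vlan}")
            elif carries_outside:
                findings.append(f"{p.name}: trunk carries outside VLAN {outside_vlan} but is not the firewall uplink")
        elif p.mode == "access":
            continue  # pinned to a single VLAN; cannot become a trunk
        elif carries_outside:
            findings.append(f"{p.name}: mode is {p.mode or 'unset'}; a negotiated trunk would carry VLAN "
                            f"{outside_vlan} (pin it with 'switchport mode access')")
    if not uplink_seen:
        findings.append(f"{firewall_uplink}: firewall uplink not found as a trunk")
    return findings


def run_sample() -> List[str]:
    ports = parse_interfaces(SAMPLE_CONFIG)
    return audit_outside_vlan(ports, outside_vlan=200, firewall_uplink="GigabitEthernet0/1")


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed sample the audit reports two problems: FastEthernet0/2 is in VLAN 200 but was never pinned to access mode, and GigabitEthernet0/2 is a trunk with no allowed-VLAN list, so it would carry the guest VLAN toward the core instead of only to the firewall. Run it against a real `show running-config` dump with your own VLAN number and uplink name.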
Switch vendors have worked hard to overcome these problems and reverse the perception that switches are poor security barriers. For example, Cisco Systems hired the consulting firm @stake (now a division of Symantec) to test its switches and attempt to cause VLAN leakage. The widely publicized results concluded that the tested switches didn't leak packets, even when under intentional attack.
Similar results have been noted in our testing of Hewlett-Packard and Extreme Networks switches. Nevertheless, this improved reliability applies only to newer switches; not every VLAN-capable switch is going to behave the same way. For example, the older but very popular Cisco 2924-series switches have been shown in our lab to be poor choices as security devices because of their propensity to leak packets across VLANs.
This was first published in July 2005