VLANs and Access Control

I’m writing this post because I’ve been in many environments where a VLAN is brought up as if it’s securing and protecting the environment. Based on how the VLANs are set up, this is not true. I’ve been in many PCI-compliant environments, and there’s a checkbox for network segmentation, and VLANs are mentioned as an option. If you look into the documentation, you’ll see something like this:

4. Implement controls to limit connectivity between CDE and other in-scope systems to only that which is necessary.
5. Implement controls to segment the CDE from people, processes, and technologies that do not need to interact with or influence the CDE.

You can see that they don’t just want to segment off traffic; they want to control traffic to and from whatever is being segmented off. If all you’re doing is creating VLANs and SVIs, there are no controls for traffic management, and all you are doing is controlling the broadcast domain. This is typical of what I see out there. Let’s say you don’t use SVIs for some of the VLANs, so now those assets are safer from other VLANs. You are probably still tagging VLANs, so you still risk something like VLAN hopping.

# VLAN 101

VLAN = Layer 2 Entity
VLAN Interface or SVI = Layer 3 Entity

A VLAN defines a single broadcast domain. This implies that any device connected to this VLAN can directly communicate with any other device on the VLAN. VLANs help organize the network and limit the broadcast range of multicast protocols. As a result, they can significantly boost your LAN’s performance. VLANs restrict the broadcast domain but do not prohibit traffic from flowing between VLANs. To conduct network segmentation, you’ll require firewall gateways or ACLs. VLANs aren’t the same as network firewalls. They serve as security barriers, but they are insufficient security barriers on their own.

# WHY WE SHOULD NOT USE VLAN 1

On Cisco switches, VLAN 1 serves as the default access VLAN, the default native VLAN on trunk ports, and the VLAN in which various L2 protocols exchange traffic. L2 protocols that depend on VLAN 1, like CDP and VTP, will continue to deliver traffic between switches in VLAN 1 even if VLAN 1 is not allowed on the trunk port.

# VLAN HOPPING

VLAN hopping is one attack vector. This is easily done with something like Kali and Yersinia. Users connect to access ports, and the switch configuration assigns each access port to a VLAN. VLAN hopping occurs when a user connects to a switch port and gains access to a VLAN that is not assigned to that switch port.

A user can accomplish this in two ways when working with a Cisco switch port’s default configuration. The most straightforward and most typical technique of VLAN hopping is for the attacker to configure their workstation as a trunk port. Most switches require just one side of a connection to advertise itself as a trunk in their typical setup; the switch then trunks all accessible VLANs through the switch port. This technique is called switch spoofing: the attacker uses Inter-Switch Link (ISL) or 802.1Q packets to imitate a trunk port. The attacker can exploit this approach to join any VLAN set up in the VLAN Trunking Protocol (VTP) domain. As a result, the attacker can observe all traffic on all VLANs.

This works on a Cisco switch because Cisco’s proprietary trunking technology, Dynamic Trunking Protocol (DTP), automatically negotiates and builds trunk connections between Cisco switches. You are just tricking the Cisco switch into thinking that your PC, workstation, or server is a Cisco switch. Cisco defaults to “dynamic desirable”, which will actively try to convert the link to a trunk.

Below are some ways to help mitigate VLAN Hopping:

  • Disable DTP to ensure that ports are not set to automatically negotiate trunks:
      switchport nonegotiate
  • NEVER utilize VLAN 1 at all.
  • Unused ports should be disabled and placed in an unused VLAN.

Double tagging is the second way an attacker can hop VLANs. With double tagging, the attacker puts a second 802.1Q tag before the original 802.1Q tag. For the attack to work, the switch must strip off only the first 802.1Q tag, which leaves the second tag to be processed. This form of VLAN hopping is less frequent than trunking.

Below are some ways to help mitigate Double Tagging:

  • Create a VLAN with no ports assigned.
  • Do not send user traffic using the native VLAN.
  • Use this unused VLAN only for the native VLAN assignment.
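
To check a switch against both mitigation lists above (switch spoofing and double tagging), here is an added example that is not part of the original post: it parses a Cisco IOS running-config and flags ports that can still negotiate a trunk or that still use VLAN 1 as access or native VLAN. The sample config and the function names are constructed for illustration, and the script assumes every interface stanza it sees is a Layer 2 switchport.

```python
# Constructed IOS running-config excerpt (sample input, not from the post).
SAMPLE = """\
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/4
 shutdown
"""

def parse_interfaces(config):  # interface name -> list of its sub-commands
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return ports

def vlan_of(cmds, prefix):
    """VLAN id set by `prefix`; IOS omits defaults, so absence means VLAN 1."""
    ids = [int(c.split()[-1]) for c in cmds if c.startswith(prefix + " ")]
    return ids[-1] if ids else 1

def audit(config):
    """Return {interface: [findings]} for the mitigations listed above."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        trunk, found = "switchport mode trunk" in cmds, []
        if "shutdown" not in cmds:  # DTP checks only matter on live ports
            if not trunk and "switchport mode access" not in cmds:
                found.append("mode not static: DTP can negotiate a trunk")
            if "switchport nonegotiate" not in cmds:
                found.append("missing switchport nonegotiate")
        if trunk and vlan_of(cmds, "switchport trunk native vlan") == 1:
            found.append("trunk native VLAN is 1")
        if not trunk and vlan_of(cmds, "switchport access vlan") == 1:
            found.append("access VLAN is 1")
        if found:
            report[name] = found
    return report
```

Calling `audit(SAMPLE)` reports the default-configured port, the trunk whose native VLAN is still 1, and the disabled port that was never moved out of VLAN 1; the hardened access port on VLAN 20 produces no findings.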