If you are a network and security expert, pay attention to VLAN hopping.
When You Intend To Implement Virtual Local Networks, You Should Not Focus Only On Dividing The Network To Manage It More Easily. Still, You Should Also Pay Special Attention To Security Concepts.
One of the critical issues you should pay attention to when using local virtual networks is the concept of VLAN hopping.
The above term refers to attacking network resources through a virtual local area network. In this way, hackers send packets to a port unavailable to a client.
For this reason, hackers use the mentioned attack vector to gain access to other virtual local networks defined in the organization.
In the VLAN hopping attack vector, cybercriminals must attack one of the organization’s virtual local networks in the first step. This allows them to define a base to perform malicious operations in the enterprise network and then use it to attack other enterprise local networks.
How does VLAN hopping create a security gap in the enterprise network?
- Unfortunately, most vulnerabilities surrounding local virtual networks directly relate to their key features. Among the essential practical features that local virtual networks provide to users, the following should be mentioned:
- It allows network administrators to perform the segmentation process of a switched network by the performance and security requirements of the systems without the need for new cabling or making fundamental changes to the network infrastructure.
- It improves overall network performance by grouping devices that are continuously communicating with each other so that the clients of each group have their capacity and use it.
- It helps improve security on more extensive networks by allowing network administrators more control over how devices communicate with each other.
- Virtual LAN significantly improves security by separating users into their groups. In this case, users only have access to the networks that they have permission to access based on their role at the time. Also, if hackers gain access to a virtual local network, they can carry out criminal operations only on that network.
- However, once hackers gain access to local corporate networks, they can quickly exploit loopholes in security protocols and gain complete control over the web.
- Virtual LANs use a technique called trunking, in which the switches in the virtual LAN are programmed to search for specific channels to send or receive data. Hackers use the mentioned process to infiltrate other virtual local networks defined in the organizational network.
- Another feature that VLAN hopping provides to hackers is stealing passwords and sensitive information of employees or customers whose information is registered in corporate networks. Additionally, hackers can use this vulnerability to modify or delete data, install malware, and spread viruses, worms, and trojans over the web.
How is VLAN hopping attack vector implemented?
In most cases, hackers use one of the following two methods to implement a VLAN hopping attack:
double tagging
A double-tagging attack vector occurs when hackers add malicious tags to Ethernet frames and modify them. In this case, hackers can use multiple switches that process tags to further their goals. In this case, it is possible to send packets through any virtual local network to another virtual local network without a native label in the trunk.
In this case, hackers send data using one switch to another by sending frames with two 802.1Q tags. More precisely, one copy of the information is sent to the hacker switch and the other to the victim switch.
The above mechanism makes the victim think it has received the frame it is waiting for. Next, the target switch forwards the frame to the victim port. Most switches remove the outer label before sending the frame to all native VLAN ports.
Since encapsulation of the return packet is impossible, this security exploit creates a one-way attack. Of course, the above attack can only be made if the hacker is a member of the same trunk of the virtual local network. For example, if a network switch is configured in auto trunking mode, a hacker can turn it into a button that constantly needs a trunk to access all VLANs on the trunk port.
switch spoofing
The second attack vector used by hackers is switch spoofing. This attack vector occurs when a hacker sends DTP packets to negotiate a trunk with a switch. This mode can only be done if the switch modes are dynamic desirable or dynamic auto. The hacker can access all the local virtual networks when the box is connected to a computer. Unfortunately, this is a mistake that some network experts make. Always note that interfaces should not be configured to use dynamic switch port modes.
Network security tools
Yersinia is one of the most popular network security tools for Linux operating systems. Security experts have access to a set of tools that are available to identify attack vulnerabilities. These tools help you find problems with your virtual LAN. It also allows finding vulnerabilities in Cisco Discovery Protocol, Cisco Inter-Switch Link, DTP, Dynamic Host Configuration Protocol, Hot Standby Router Protocol, IEEE 802.1Q, IEEE 802.1X, Spanning Tree Protocol, and VLAN Trunk Protocol.
How to prevent a VLAN hopping attack?
One of the most critical steps to protect your network from a VLAN hopping attack is to close unused interfaces and place them in an isolated VLAN.
It would be best if you did not use a virtual LAN on trunk ports unless there is no other way. Also, access ports must be manually configured with switchport mode access.
Proper switch configuration plays an influential role in reducing the effects of switch spoofing and double tagging. To reduce the risk of switch spoofing, turn off the DTP auto trunking feature on all switches that do not require trunking. Also, ports that are not supposed to be trunks should be configured as access ports.
Also, avoid double tagging. Therefore, ensure that the hosts are not placed on the default Ethernet VLAN or VLAN 1. The native virtual LAN does not use a VLAN ID on each trunk port. Enable explicit native VLAN tagging for all trunk ports.