When You Intend To Implement Virtual Local Networks(VLAN ), You Should Not Focus Only On Dividing The Network To Manage It More Easily. Still, You Should Also Pay Special Attention To Security Concepts. 

One critical issue to consider when using local virtual networks is the concept of VLAN hopping.

The above term refers to attacking network resources through a virtual local area network. In this way, hackers send packets to a port unavailable to a client.

For this reason, hackers use the mentioned attack vector to access other virtual local networks defined in the organization.

In the VLAN hopping attack vector, cybercriminals must attack one of the organization’s virtual local networks in the first step. This allows them to define a base to perform malicious operations in the enterprise network and then use it to attack other enterprise local networks.

How does VLAN hopping create a security gap in the enterprise network?

• Unfortunately, most vulnerabilities surrounding local virtual networks directly relate to their key features. Among the essential practical features that local virtual networks provide to users, the following should be mentioned:
• It allows network administrators to segment a switched network based on the system’s performance and security requirements without requiring new cabling or fundamental changes to the network infrastructure.
• It improves overall network performance by grouping devices that continuously communicate with each other so that the clients of each group have their capacity and use it.
• It helps improve security on more extensive networks by allowing network administrators more control over how devices communicate with each other.
• Virtual LAN significantly improves security by separating users into their groups. In this case, users only have access to the networks that they have permission to access based on their role at the time. Also, if hackers gain access to a virtual local network, they can carry out criminal operations only on that network.
• However, once hackers gain access to local corporate networks, they can quickly exploit loopholes in security protocols and gain complete control over the web.
• Virtual LANs use trunking, in which the switches in the virtual LAN are programmed to search for specific channels to send or receive data. Hackers use the mentioned process to infiltrate other virtual local networks defined in the organizational network.
• Another feature that VLAN hopping provides to hackers is stealing passwords and sensitive information of employees or customers whose information is registered in corporate networks. Additionally, hackers can use this vulnerability to modify or delete data, install malware, and spread viruses, worms, and trojans over the web.

How is the VLAN hopping attack vector implemented?

In most cases, hackers use one of the following two methods to implement a VLAN hopping attack:

Double Tagging

A double-tagging attack vector occurs when hackers add malicious tags to Ethernet frames and modify them. In this case, hackers can use multiple switches that process tags to further their goals. In this case, it is possible to send packets through any virtual local network to another virtual local network without a native label in the trunk.

In this case, hackers send data from one switch to another by sending frames with two 802.1Q tags. More precisely, one copy of the information is sent to the hacker switch and the other to the victim switch.

The above mechanism makes the victim think it has received the frame it is waiting for. Next, the target switch forwards the frame to the victim port. Most switches remove the outer label before sending the frame to all native VLAN ports.

Since encapsulation of the return packet is impossible, this security exploit creates a one-way attack. Of course, the above attack can only be made if the hacker is a member of the same trunk of the virtual local network.
For example, if a network switch is configured in auto trunking mode, a hacker can turn it into a button that constantly needs a trunk to access all VLANs on the trunk port.

Switch Spoofing

The second attack vector used by hackers is switch spoofing. This attack vector occurs when a hacker sends DTP packets to negotiate a trunk with a switch. This mode can only be done if the switch modes are dynamically desirable or automatic. The hacker can access all the local virtual networks when the box is connected to a computer.
Unfortunately, some network experts make this mistake. Always note that interfaces should not be configured to use dynamic switch port modes.

Network security tools

Yersinia is one of the most popular network security tools for Linux operating systems. Security experts have access to a set of tools to identify attack vulnerabilities. These tools help you find problems with your virtual LAN.
They also allow finding vulnerabilities in Cisco Discovery Protocol, Cisco Inter-Switch Link, DTP, Dynamic Host Configuration Protocol, Hot Standby Router Protocol, IEEE 802.1Q, IEEE 802.1X, Spanning Tree Protocol, and VLAN Trunk Protocol.

How to prevent a VLAN hopping attack?

One of the most critical steps to protect your network from a VLAN hopping attack is to close unused interfaces and place them in an isolated VLAN.

It would be best not to use a virtual LAN on trunk ports unless there is no other way. Access ports must also be manually configured with switchport mode access.

Proper switch configuration is influential in reducing the effects of switch spoofing and double tagging. To reduce the risk of switch spoofing, turn off the DTP auto trunking feature on all switches that do not require trunking. Also, ports not supposed to be trunks should be configured as access ports.

Also, avoid double tagging. Therefore, ensure the hosts are not on the default Ethernet VLAN or VLAN 1. The native virtual LAN does not use a VLAN ID on each trunk port. Enable explicit native VLAN tagging for all trunk ports.