Site icon DED9

If You Are A Network And Security Expert, Pay Attention To VLAN Hopping

If You Are A Network And Security Expert, Pay Attention To VLAN Hopping.

d iWhen You Intend To Implement Virtual Local Networks, You Should Not Focus Only On Dividing The Network To Manage It More Easily. Still, You Should Also Pay Special Attention To Security Concepts. 

One of the critical issues you should pay attention to when using local virtual networks is the concept of VLAN hopping. The above term refers to attacking network resources through a virtual local area network.

In this way, hackers send packets to a port unavailable to a client. For this reason, hackers use the mentioned attack vector to gain access to other virtual local networks defined in the organization.

In the VLAN hopping attack vector, cybercriminals must attack one of the organization’s virtual local networks in the first step. This allows them to define a base to perform malicious operations in the enterprise network and then use it to attack other enterprise local networks.

How does VLAN hopping create a security gap in the enterprise network?

How is VLAN hopping attack vector implemented?

In most cases, hackers use one of the following two methods to implement a VLAN hopping attack:

double tagging

A double-tagging attack vector occurs when hackers add malicious tags to Ethernet frames and modify them. In this case, hackers can use multiple switches that process tags to further their goals. In this case, it is possible to send packets through any virtual local network to another virtual local network without a native label in the trunk.

Ann this case, hackers send data using one switch to another by sending frames with two 802.1Q tags. More precisely, one copy of the information is sent to the hacker switch and the other to the victim switch.

The above mechanism makes the victim think it has received the frame it is waiting for. Next, the target switch forwards the frame to the victim port. Most switches remove the outer label before sending the frame to all native VLAN ports.

Since encapsulation of the return packet is impossible, this security exploit creates a one-way attack. Of course, the above attack can only be made if the hacker is a member of the same trunk of the virtual local network. For example, if a network switch is configured in auto trunking mode, a hacker can turn it into a button that constantly needs a trunk to access all VLANs on the trunk port.

switch spoofing

The second attack vector used by hackers is switch spoofing. This attack vector occurs when a hacker sends DTP packets to negotiate a trunk with a switch. This mode can only be done if the switch modes are dynamic desirable or dynamic auto. The hacker can access all the local virtual networks when the box is connected to a computer. Unfortunately, this is a mistake that some network experts make. Always note that interfaces should not be configured to use dynamic switch port modes.

Network security tools

Yersinia is one of the most popular network security tools for Linux operating systems. Security experts have access to a set of tools that are available to identify attack vulnerabilities. These tools help you find problems with your virtual LAN. It also allows vulnerabilities in Cisco Discovery Protocol, Cisco Inter-Switch Link, DTP, Dynamic Host Configuration Protocol, Hot Standby Router Protocol, IEEE 802.1Q, IEEE 802.1X, Spanning Tree, and VLAN Trunk Protocol.

How to prevent a VLAN hopping attack?

One of the most critical steps to protect your network from a VLAN hopping attack is to close unused interfaces and place them in an isolated VLAN.

You should not use a virtual LAN on trunk ports unless there is no other way. Also, access ports must be manually configured with switchport mode access.

Proper switch configuration plays an influential role in reducing the effects of switch spoofing and double tagging. To reduce the risk of switch spoofing, turn off the DTP auto trunking feature on all switches that do not require trunking. Also, ports that are not supposed to be trunks should be configured as access ports.

Also, avoid double tagging. Therefore, ensure that the hosts are not placed on the default Ethernet VLAN or VLAN 1. The native virtual LAN does not use a VLAN ID on each trunk port. Enable explicit native VLAN tagging for all trunk ports.

Exit mobile version