VLAN Hopping Defeats Segmentation

When we set up a Network we segment the network.

The firewall protects the inside network, and the inside network critical systems are separated from the rest of the devices.

Also for compliance reasons one needs to segment networks.

 

So the hacker wants to see all the computers… (how?) VLAN hopping.

http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf

This is an old presentation(2002), but is still apt in todays  environment. Because even old attacks come back again – especially if you are not paying attention.

layer2weakness

If you control the switches or how they are supposed to function they sometimes allow VLAN’s to be hopped.  which means there really is no segmentation with a good attack.

How to attack ? CAM overflow with the macof script on Linux. Use the macof  script to flood the CAM table of the existing VLAN, but when the CAM table fills it will also fill adjacent switches  and VLANs.

How to mitigate this ? make sure you set up proper port security on the switch.

Another method is if there are trunk ports between switches:

trunkportrefresher

The detailed report has several other attacks on switches,

But the key is to test your switches for any potential VLAN hopping attacks.

It depends on your network, VLAN architecture, and Switch model numbers plus operating system of switches.

Do you have  an old switch? Not updated in a while? Old attacks sometimes work…

 

#testforsecurity is the best policy

Test, Test, Test

http://oversitesentry.com/contact-us/

 

Advertisements

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.