How to minimize the vulnerability of VLANs

Source: Internet
Author: User
Tags: switches, web hosting, cisco, switch, firewall

A switch is not designed to be a security device; its function remains to improve network performance. If a switch is to be part of a security mechanism, it must first be configured correctly, and the switch vendor must have a thorough understanding of the basic standards the switch software follows and of how those standards are implemented.

If you have strict network security requirements, do not use a shared switch; use a dedicated switch to ensure network security. Sharing one switch between untrusted networks and trusted users can only invite a security catastrophe.

VLANs do make it possible to isolate network services that share the same switch, or even the same group of switches. But the switch designers did not have security in mind when they added this isolation to the product. VLANs work by restricting and filtering broadcast traffic; unfortunately, they rely on software and configuration mechanisms rather than hardware to accomplish this task.

In recent years some firewalls have become VLAN-aware devices, which means a rule based on the packet's tag can be written to move the packet to a specific VLAN. A VLAN-aware firewall adds a lot of flexibility for a web hosting site, but the tags the firewall relies on were never designed to be secure. Devices other than switches can also generate tags, and those tags can easily be attached to packets to deceive the firewall.

How does a VLAN work? What security benefits do VLANs provide? And if you decide to use VLANs as part of your security system, how do you minimize their vulnerabilities?

Partitioning Function

The term "switch" was first used to describe a device that switched network traffic between network interfaces called "ports." Not so long ago, a local area network switch was called a "bridge," and the term "bridge" is still used today, even in the IEEE standards that relate to switches.

A bridge is used to connect different segments of the same LAN, where "LAN" means a local network that does not require routing. The bridge software learns which port is connected to which network device by examining the source MAC addresses of the packets it receives. Initially, the bridge sends every packet it receives out of every port; over time, it learns how to send packets to the correct network interface by building a forwarding table and a spanning tree. The table maps MAC addresses to ports, and the spanning-tree algorithm chooses a single path to each interface and avoids loops. By sending packets only to the correct network interface, the bridge reduces network traffic. A bridge can be seen as a highway connecting two different roads, with only the necessary traffic flowing between the two roads on the highway.

Because the bridge reduces overall network traffic, the network runs more efficiently. The bridge must still send broadcast packets to all ports, however. In any local area network, a broadcast is a message sent to every system within the LAN. An ARP (Address Resolution Protocol) packet is one example of a broadcast.

As the number of ports grew and management software was added, bridge devices became more and more capable. A new feature emerged: a bridging device gained a partitioning function that lets it be divided into multiple virtual bridges. When it is partitioned this way, broadcasts are limited to the ports associated with a given virtual bridge, that is, with the corresponding VLAN, rather than being sent to all ports.

Restricting broadcasts to one VLAN does not by itself prevent systems in that VLAN from reaching systems connected to the same bridge that belong to a different VLAN. Remember, however, that ARP broadcasts are used to obtain the MAC address that corresponds to a specific IP address; without that MAC address, even machines on the same network cannot communicate with each other.

The Cisco Web site describes two scenarios in which packets can cross between VLANs on the same switch. In the first, a system establishes a TCP/IP connection within one VLAN, and the switch is then reconfigured so that one of the ports belongs to another VLAN. Communication continues, because both parties already hold each other's MAC address in their ARP caches and the bridge knows which port the destination MAC address maps to. In the second, someone manually creates a static ARP entry for the system to be reached. This requires knowing the target system's MAC address and may require direct physical access to the target system.

Both problems can be mitigated by switch software that removes the forwarding information a packet would need in order to be delivered across VLANs. Cisco's high-end switches maintain a separate spanning tree for each VLAN. Other switches either have a similar feature or can be configured to filter bridging information on a per-VLAN basis.

Trunking

Multiple switches can share the same VLAN through a configuration mechanism and tags on the packets exchanged between switches. You can configure a switch so that one of its ports becomes a trunk, and packets for any VLAN can be carried over that trunk. When packets pass between switches, each packet is given a tag defined by the 802.1Q protocol, an IEEE standard for transferring packets between bridges. The receiving switch removes the tag and sends the packet to the correct port, or, if the packet is a broadcast, to the correct VLAN.

This four-byte 802.1Q tag is inserted into the Ethernet header immediately after the source address. The first two bytes contain 0x8100, the 802.1Q tag protocol identifier. The last two bytes contain a 3-bit priority, a 1-bit flag, and a 12-bit VID (VLAN Identifier). VID values range from 0 to 4095, with 0 and 4095 reserved. The default VID is 1, which is also the default VID for unconfigured ports on a VLAN-capable switch.

Trunking is part of the default configuration of Cisco switches: if a port detects that another switch is connected to it, the port can negotiate a trunk. By default a trunk port belongs to VLAN 1, which is called the native VLAN of that port. The administrator can assign any VLAN as a trunk port's native VLAN.

You can configure a trunk port so that it does not carry untagged traffic for any real VLAN, by setting the trunk port's native VLAN to a VID that differs from every VLAN in use. Remember that the default native VLAN of a trunk port is VID 1. You could set the trunk port's native VLAN to 1001, or to any value the switch allows that is not used by any other VLAN.

Firewalls and VLANs

Once you know how switches share VLAN information, you can evaluate a VLAN-aware firewall more accurately. A VLAN-aware firewall receives 802.1Q-tagged packets from a VLAN-aware switch; the firewall parses the tag and uses it when evaluating its security rules. Although so far we have only discussed Ethernet, 802.1Q tags are also used on other network types, such as ATM and FDDI.

802.1Q tags provide no authentication; they are simply a way for a switch to mark packets as belonging to a particular VLAN. VLAN tags can be forged, just as IP addresses have been forged for years. A current Linux system with 802.1Q support can generate arbitrary VLAN tags of the local system administrator's choosing.

The key to using 802.1Q tags safely is to design the network so that the switch's trunk connects directly to the firewall interface, and the tag-based security checks are performed on that firewall interface. If other paths can reach the firewall's interface, the likelihood of a forged VLAN tag increases. The switch itself must be configured correctly: trunk ports are configured explicitly, and their native VLAN is set to a non-default VID.
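The tag layout described above (0x8100 after the source MAC, then priority, flag and 12-bit VID) and the acceptance rules from the trunking and firewall sections, as an added illustration that is not part of the original article: the parser reads the tag from a raw frame, and `accept()` is a hypothetical policy that honours tags only on the trunk port and rejects any tag naming the trunk's native VLAN, on the assumption (as the article recommends) that the native VLAN has been set to a VID no real VLAN uses. The sample frames are constructed, not captured.

```python
import struct

TPID_8021Q = 0x8100          # tag protocol identifier, bytes "81 00"
RESERVED_VIDS = {0, 4095}    # VIDs the standard reserves

def parse_frame(frame):
    """Parse an Ethernet header and the 802.1Q tag, if one follows the
    source MAC (bytes 12-15). Returns a dict describing the frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        info["ethertype"] = ethertype
        return info
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])   # tag control + real type
    info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                vid=tci & 0x0FFF, ethertype=inner)
    return info

def accept(frame, port_mode, native_vid):
    """Hypothetical acceptance policy modelled on the article's advice:
    honour tags only on the trunk port, and treat the trunk's native VLAN
    as a VID no real VLAN uses, so a tag naming it is rejected.
    Returns (ok, reason)."""
    f = parse_frame(frame)
    if not f["tagged"]:
        return True, "untagged"
    if port_mode != "trunk":
        return False, "tag on access port"
    if f["vid"] in RESERVED_VIDS:
        return False, "reserved VID"
    if f["vid"] == native_vid:
        return False, "tag claims native VLAN"
    return True, "vid %d" % f["vid"]

def build_frame(vid=None, pcp=0, ethertype=0x0800):
    """Constructed sample frame (not a capture): two fixed MACs, an optional
    802.1Q tag, and a zero-filled payload."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vid is None:
        return hdr + struct.pack("!H", ethertype) + bytes(46)
    tci = (pcp << 13) | (vid & 0x0FFF)
    return hdr + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + bytes(46)
```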

In any discussion of switches, the conclusion is always the same: protect administrative access to the switch. Like other network devices, a switch can be managed in three ways: Telnet, HTTP, and SNMP. Turn off the management paths you do not use, and add access control to the one you do. When an attacker comes from outside the network, the firewall can control his access to the switch; when the attacker comes from inside the network, or has gained access to an internal system, the firewall is powerless.
