Tip

How to configure a VLAN to achieve the benefits of VLAN security

Expert Brad Casey explains how to configure a VLAN in order to achieve the benefits of VLAN security, including protection against insider attacks.

With the proliferation of cryptologic technology, Web application firewalls and intrusion- detection systems in recent years, the emphasis placed on the acquisition and deployment of said devices has been profound, to say the least. Entire industries have been spawned by the continued use of these devices, but one type of device that receives little mention in contemporary security circles is the Layer 2 switch. Commonly thought of as simple devices that take packets in and spit packets out, Layer 2 switches are often forgotten about in terms of useful enterprise security technology.

While prudence suggests that the wise security professional stay up-to-date with the latest technological advancements, a parallel suggestion would be a return to the basics of network security.

While prudence suggests that the wise security professional stay up-to-date with the latest technological advancements, a parallel suggestion would be a return to the basics of network security. More specifically, security pros should consider widening the breadth of their knowledge with regard to concepts such as Virtual Local Area Networks (VLANs); after all, one never knows when an accurately configured VLAN will be the only barrier between an organization's crown jewels and those who wish to acquire them.

In this tip, we detail how to achieve the security benefits of a properly configured VLAN. We also discuss one of the most common risks to a Virtual Local Area Network LAN: VLAN hopping.

The benefits of VLAN security explained

VLANs have been around almost as long as the Ethernet switch itself. In a typical VLAN configuration, each node on a given network is physically connected to an Ethernet switch. The network administrator then configures the switch to segment certain ports for certain groups. Each grouping is referred to as a VLAN, and from that point forward, all members of the same VLAN can communicate with each other without having to traverse other network devices, excluding specific cases where a VLAN spans across two or more geographic locations in which case the corresponding VLAN has no choice but to traverse more than one network device. The reasoning behind this layer 2 segmentation is varied, but in terms of security, this provides the network administrator a means by which he can barricade his network against dreaded insider attacks.

For example, in a network that is not properly VLAN’ed, a malicious user on a given node can run a packet sniffer and begin capturing all network traffic that traverses the switch to which he is physically connected. With a securely configured VLAN though, this becomes infinitely more difficult. In terms of how to configure a VLAN for security purposes, there are several different methods, but one that has gained a considerable amount of popularity is the department-based VLAN. Simply put, a given VLAN is segmented by organizational department; this is accomplished by recording all of the MAC addresses to each node within a given department and inserting them into the switch's MAC table. After the MAC table has become sufficiently populated, the network administrator configures the switch/switches to designate certain MAC addresses as being in a certain VLAN. If the above-mentioned malicious user begins to run a packet capture on his or her end device, it will at most capture the Ethernet frames of the network traffic that traverses his corresponding VLAN. This is because the switch where the VLAN configuration resides examines each incoming Ethernet frame, and it only forwards frames based on the data within the IEEE 802.1Q field.

The danger of VLAN hopping

Though VLANs provide some security benefits, they are not without their own set of risks. One consideration that security professionals should keep in mind is VLAN hopping, which, as the name implies, is the unauthorized practice of end use communicating within a VLAN to which they don't belong. This hack is most effectively carried out when a given VLAN spans across more than one switch. Such a scenario is common in organizations where group-based VLANs are utilized, and one or more of the groups become too large for one physical Ethernet switch. In this case, a concept known as VLAN trunking can be utilized. VLAN trunking is the practice of configuring one or more ports on an Ethernet switch specifically for the purpose of forwarding and receiving all VLAN traffic to and from another physical switch.

A common form of VLAN hopping is known as double tagging. In this type of attack, a malicious user inserts a duplicate 802.1Q header into an Ethernet frame, thereby allowing the frame to be passed to an unauthorized VLAN. The frame is passed because the initial switch examines the frame, strips the first of the two 802.1Q headers and forwards the remaining portion of the frame. Unbeknownst to the rest of the network, a secondary 802.1Q header is still attached to the frame; the resulting logic error can wreak havoc on a given network. To defend against double tagging attacks, network administrators must be vigilant in their monitoring of network logs. Some type of layer 3 alerting mechanism may also be needed in order to better combat this scenario.

Back to network security basics

A return to the fundamentals is always good, no matter the discipline. In terms of network security, it's obviously important to keep up with the latest technologies and trends, but being knowledgeable about fundamental concepts like VLANs can help keep security professionals sharp and their corresponding network secure.

From the editors: More on VLANs

About the author
Brad Casey holds an M.S. in information assurance from the University of Texas at San Antonio and has extensive experience in the areas of penetration testing, public key infrastructure, VoIP and network packet analysis. He is also knowledgeable in the areas of system administration, Active Directory and Windows Server 2008. He spent five years doing security assessment testing in the U.S. Air Force, and in his spare time, you can find him looking at Wireshark captures and playing with various Linux distros in VMs.

Next Steps

How to perform VLAN troubleshooting

Dig Deeper on Network security