Our weekly course module introduced us to layer 2 attacks, specifically MAC & ARP attacks. I added to the discussion by introducing basic and double encapsulation VLAN hopping. I also provided mitigation techniques after presenting my findings.
One way attackers bypass security controls is by exploiting virtual local area network (VLAN) weaknesses. The main purpose of VLANs is to isolate assets so that high-value assets are better protected. For example, your company’s product database should always sit on a separate VLAN from the publicly facing web server.
Implementing segmentation is a security best practice that makes the assets on each VLAN more difficult to attack and less susceptible to compromise. Note that VLANs by themselves cannot stop a system from being compromised, especially if either the VLAN tag or a system with legitimate access to the VLAN is compromised. Let’s look at two types of VLAN hopping attacks.
Basic VLAN Hopping
Attackers can perform VLAN hopping by making a workstation pose as a trunk port, so that the attacker’s workstation becomes a member of all VLANs. Cisco’s default switch port configuration will trunk VLANs over the port, thereby allowing an attacker to see all VLAN traffic (Mason, 2011).
Double Encapsulation VLAN Hopping
After Cisco remediated this vulnerability in newer IOS releases, attackers moved to double encapsulation VLAN hopping. In a double encapsulation attack the frame carries two tags: the first tag is stripped by the switch and the frame is then forwarded with the second tag to a separate VLAN ID (Rouiller, 2016). The attack succeeds because switches perform only a single level of de-encapsulation.
Basic VLAN hopping mitigation: disable unused ports and configure all others in access mode (Mason, 2011). Cisco also advises disabling the Dynamic Trunking Protocol (DTP) (Cisco Networking Academy, 2014).
Double encapsulation hopping mitigation: use a fixed native VLAN, distinct from all user VLANs, on every 802.1Q trunk (Cisco Networking Academy, 2014). Another mitigation technique is to always use a “dedicated VLAN ID for all trunk ports” (Rouiller, 2016).
In addition to these measures, the ports and the services allowed on them should be audited on an ongoing basis. LAN and VLAN audits should also be performed regularly to ensure that no misconfigurations exist and that only authorized users can change router and switch configurations.
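As an added example (not part of the original post), the following Python script turns the mitigations above into an audit of a Cisco IOS-style running-config: it flags ports left in DTP dynamic mode, trunks that keep native VLAN 1, and ports that do not set `switchport nonegotiate`. The configuration excerpt is constructed, and the script assumes that an interface with no `switchport mode` line sits at the platform default of dynamic auto.

```python
# Constructed sample running-config excerpt; not taken from a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet0/4
!
"""

def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [stanza lines]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

def _setting(lines, prefix, default):
    # Value after `prefix`, or `default` when IOS omits the line from the config.
    return next((ln[len(prefix):].strip() for ln in lines if ln.startswith(prefix)), default)

def audit_port(lines):
    """Return VLAN-hopping findings for one port; a shut down port is unused and passes."""
    if "shutdown" in lines:
        return []
    # Assumption: no 'switchport mode' line means the platform default, dynamic auto.
    mode = _setting(lines, "switchport mode ", "dynamic auto")
    native = _setting(lines, "switchport trunk native vlan ", "1")
    findings = []
    if mode.startswith("dynamic"):
        findings.append(f"DTP negotiation enabled ({mode}): set access or trunk mode explicitly")
    elif "switchport nonegotiate" not in lines:
        findings.append("DTP frames still sent: add 'switchport nonegotiate'")
    if mode == "trunk" and native == "1":
        findings.append("trunk uses native VLAN 1: assign a dedicated, otherwise unused native VLAN")
    return findings

def audit_config(config):
    # Map each non-compliant interface name to its list of findings.
    return {n: f for n, lines in parse_interfaces(config).items() if (f := audit_port(lines))}
```

Running `audit_config` over a real `show running-config` export gives a per-port list of the trunking and native-VLAN settings that still need to be fixed.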