While VLAN switches can be used to provide security between network segments using VLAN filtering rules, is there any possibility of a security issue that is exploited on VLAN switches?

Sivaram Rasathurai
  • Any software can have vulnerabilities. And vulnerabilities can be introduced by weak configurations. This is too broad to answer. – schroeder Sep 25 '20 at 14:40

1 Answer

As an abstraction, the operation of a managed switch can be described with three planes:

  1. Management plane, used to configure the switch (SSH, HTTP...).
  2. Control plane, which controls how packets should be forwarded (L2) or routed (L3). It can learn MAC addresses from the packets it sees, and there are protocols switches can use to share information, prevent loops (spanning tree) or handle shortest routing paths (OSPF).
  3. Data plane, or forwarding plane, which does the actual switching.

Leaving aside possible software vulnerabilities in the switch itself, the main issue remains how well the control plane and the management plane are protected from the data forwarded in the data plane. The data plane also handles all the control plane protocol traffic between the switches, and if a packet it sees must be processed by the control plane, it forwards the packet there.

In a secure configuration, every access port can only see the traffic inside its own VLAN, and the switch should not accept any control plane protocol traffic from them. If any of these protocols are open on an access port, an attacker connected to it might mimic another switch and

  • jailbreak from its own VLAN, e.g. by
    • becoming the spanning-tree root or a node in a MitM position, or
    • activating trunking on the port and seeing all traffic with 802.1Q tags (DTP, VTP, HSRP...);
  • cause DoS, e.g. by flooding the CDP table, or by flooding BPDUs that cause too much processing on the control plane, exhausting its resources;
  • disable 802.1Q VLANs altogether, making all networks see each other (VTP).

Yersinia is a tool that automates all these tricks...

The management plane must be secured, because by altering the configuration it's possible to remove any lower-plane restrictions the port has. Ideally, you'd have a separate management VLAN altogether.

Esa Jokinen
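The answer's point is that an access port should never accept control-plane protocol frames (BPDUs, DTP, VTP, CDP) from the host side. The following is an added example, not part of the original answer or any product: a small Python classifier that recognises those frames in raw Ethernet bytes by their well-known destination MACs and LLC/SNAP headers (the 01:80:C2:00:00:00 address and 0x42/0x42 LLC for IEEE spanning tree; the 01:00:0C:CC:CC:CC/CD addresses and Cisco SNAP PIDs 0x2000, 0x2003, 0x2004, 0x010B for CDP, VTP, DTP and PVST+), and then audits a batch of frames as though they had arrived on a plain access port. The sample frames, the attacker MAC and the zero-filled protocol bodies are all constructed for the example, not captures.

```python
"""Spot L2 control-plane protocol frames that an access port should never accept.

Added example (not from the original answer): a classifier over raw Ethernet
frames that recognises STP/PVST+ BPDUs and Cisco CDP/VTP/DTP by destination
MAC and LLC/SNAP header, plus an audit over a batch of frames as if they had
arrived on an access port. Sample frames below are constructed; their bodies
are zero placeholders, not real captures.
"""
import struct

# Well-known L2 control-plane destination addresses.
STP_DST = bytes.fromhex("0180c2000000")    # IEEE 802.1D spanning tree BPDUs
CISCO_DST = bytes.fromhex("01000ccccccc")  # CDP, VTP, DTP, PAgP, UDLD
PVST_DST = bytes.fromhex("01000ccccccd")   # Cisco per-VLAN spanning tree BPDUs
CISCO_OUI = bytes.fromhex("00000c")
# SNAP protocol IDs under the Cisco OUI.
CISCO_SNAP_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP", 0x010B: "PVST+ BPDU"}
# Any of these arriving from an access port means the port accepts
# control-plane protocol traffic it should drop.
ACCESS_PORT_FORBIDDEN = {"STP BPDU", "PVST+ BPDU", "CDP", "VTP", "DTP"}


def classify_frame(frame: bytes):
    """Return (protocol, vlan) for a raw frame; vlan is the 802.1Q ID or None.

    Ordinary data frames are reported by EtherType so the caller can still
    see what else the port carried.
    """
    if len(frame) < 14:
        return ("truncated", None)
    dst = frame[:6]
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    vlan = None
    if ethertype == 0x8100:                      # 802.1Q tag present
        if len(frame) < off + 6:
            return ("truncated", None)
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vlan = tci & 0x0FFF
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if ethertype > 0x05DC:                       # real EtherType: Ethernet II data
        return ("ethertype 0x%04x" % ethertype, vlan)
    # Otherwise it is an 802.3 length field and an LLC header follows.
    if len(frame) < off + 3:
        return ("truncated", vlan)
    dsap, ssap, ctrl = frame[off], frame[off + 1], frame[off + 2]
    if dst == STP_DST and dsap == 0x42 and ssap == 0x42:
        return ("STP BPDU", vlan)
    if dsap == 0xAA and ssap == 0xAA and ctrl == 0x03 and len(frame) >= off + 8:
        oui = frame[off + 3:off + 6]
        pid = struct.unpack_from("!H", frame, off + 6)[0]
        if oui == CISCO_OUI and dst in (CISCO_DST, PVST_DST):
            return (CISCO_SNAP_PIDS.get(pid, "Cisco SNAP 0x%04x" % pid), vlan)
    return ("other LLC", vlan)


def audit_access_port(frames):
    """Return the protocol names of frames an access port should have dropped."""
    hits = []
    for frame in frames:
        proto, _vlan = classify_frame(frame)
        if proto in ACCESS_PORT_FORBIDDEN:
            hits.append(proto)
    return hits


def build_frame(dst, src, payload, vlan=None):
    """Assemble an 802.3/LLC frame (constructed test data, not a capture)."""
    hdr = dst + src
    if vlan is not None:
        hdr += b"\x81\x00" + struct.pack("!H", vlan)
    return hdr + struct.pack("!H", len(payload)) + payload


ATTACKER_MAC = bytes.fromhex("020000000001")  # made-up locally administered MAC
SNAP_CISCO = b"\xaa\xaa\x03" + CISCO_OUI      # LLC SNAP header with Cisco OUI
# Constructed samples: LLC/SNAP headers are real, the bodies are zero placeholders.
SAMPLE_FRAMES = {
    "stp": build_frame(STP_DST, ATTACKER_MAC, b"\x42\x42\x03" + b"\x00" * 35),
    "dtp": build_frame(CISCO_DST, ATTACKER_MAC, SNAP_CISCO + b"\x20\x04" + b"\x00" * 20),
    "vtp": build_frame(CISCO_DST, ATTACKER_MAC, SNAP_CISCO + b"\x20\x03" + b"\x00" * 20),
    "cdp_tagged": build_frame(CISCO_DST, ATTACKER_MAC, SNAP_CISCO + b"\x20\x00" + b"\x00" * 20, vlan=1),
    "ipv4": bytes.fromhex("0200000000020200000000010800") + b"\x00" * 46,
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, classify_frame(frame))
    print("should have been dropped:", audit_access_port(SAMPLE_FRAMES.values()))
```

Each hit maps to a port-level control the answer alludes to: BPDUs from a host port are what BPDU guard is for, DTP negotiation is disabled with `switchport nonegotiate` on a port fixed to access mode, and CDP/VTP should simply not be enabled toward hosts. The 802.1Q branch matters for the trunking case above: once a port has been talked into trunking, tagged frames from other VLANs show up exactly like the `cdp_tagged` sample.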