Virtual Local Area Networks (VLANs) present a number of advantages. They can add to a layered defence and improve the flexibility of network design. However, if they are not deployed with some care, they can give rise to a number of vulnerabilities that hackers can exploit. Redscan’s Simon Heron describes the fundamental anatomy of VLANs and explains how they work. Many networks still look like the one shown in Figure 1: flat with no segmentation. There is a single broadcast domain and this is not good on two levels:
- All broadcasts span the network and as the network grows, this traffic can have a serious effect on network performance. Cisco recommends that 512 is the maximum number of devices an organisation should have on any one segment.
- As all machines are in the one broadcast domain, they are all accessible to each other at layer 2. So once inside the firewall, a hacker has free access to the network, and one of the devices on the LAN is almost certainly going to be susceptible to compromise.
Segmentation helps to make the network more efficient and faster and can increase security by making a hacker’s life just a little bit harder. Packet sniffing becomes harder and the attacker is restricted to the segment that the compromised machine is in. Unless, of course, he or she is lucky enough to find the network misconfigured or unpatched.
This segmentation could be achieved through the use of individual switches and routers but this can be expensive and difficult to manage. VLANs offer an alternative way of logically having multiple switches and provide added flexibility for configuring segmentation. VLANs effectively divide up the network as if those departments were on separate switches, see Figure 2.
How do VLANs work?
VLANs work at layer 2, or the data link layer of the OSI model.In simple networks, VLAN bridges can be created that group the ports on a switch into VLANs based on a mapping held within the bridge. The end devices are put in a VLAN depending on that mapping (see below for how this mapping might be carried out). However as a network becomes more complex, it is useful to associate packets with a VLAN by adding a ‘tag’ which contains information to identify the VLAN to which the packet belongs. A standard untagged packet will have the tag, or 802.1Q header, inserted just after the source MAC address in a standard Ethernet frame, see Figure 3.
This allows a VLAN-enabled switch to identify and control traffic. For example, in Figure 2, if a device on a particular VLAN, say PC1 on VLAN 10, sends a broadcast ARP request requesting the MAC address of a particular server, this request will only be sent to devices on the same VLAN, in our example, this would be PC5 and Server 3. There are a number of ways in which VLANs can be assigned. As described above the default is to use physical ports the VLAN aware device[LP1] . However there are other options:
- IP Addresses: map VLAN to IP addresses
- MAC addresses: map VLANs to MAC addresses
- Device: some devices will allow a VLAN to be specified, so packets generated by this endpoint will have the necessary VLAN tag inserted
- Protocols: packets are assigned to a VLAN depending on the protocol being used
- Dynamic: assignment of a VLAN is dependent on the user’s authentication; someone who is a member of HR is assigned to the VLAN of the HR group
- Applications: packets are assigned to a VLAN based on the payload of the packet.
Key: TPID[LP2] – Tag Protocol Identifier: given the value for 0x8100 to identify a 802.1Q header; in the case of double tagging, the outer tag has the value 0x88a8 (802.1ad) PCP – Priority Code Point: used to prioritise different classes of traffic DEI – Drop Eligible Indicator: indicates that packet can be dropped in congested state VLAN ID – VLAN Identifier: identifies which VLAN the packet belongs to
Trunk Ports
Many companies use more than one switch and have more than one location. If multiple VLANs are used across the estate, then it is necessary for switches to be able to transport more than one VLAN over the port that connects them with these other switches. The trouble is that VLAN tables are local to each switch so this is not a global setting. However, by adding VLAN tags to the frames before transmission to another switch, the receiving switch can recognise the VLAN that the frame belongs to. For multiple VLANs to communicate, it becomes necessary to allow the port between switches to carry more than one VLAN. Such a port is referred to as a“trunk “port. However, when transmitting untagged traffic between switches, a VLAN has to indicate that the traffic being sent is supposed to be untagged. So a VLAN is allocated this task, and by default this is usually VLAN 1.
However, this is configurable from switch to switch and care should be taken to ensure that switches in the network are configured so untagged packets are delivered correctly. At this stage, some mention should be made of Cisco’s VLAN Trunking Protocol (VTP) because if it is configured incorrectly, it can allow attackers to exploit it. VTP is a Cisco proprietary protocol that propagates the definition of a VLAN on the whole local area network. To do this, VTP carries VLAN information to all the switches in a VTP domain.
Another frequently used protocol created by Cisco is Dynamic Trunking Protocol (DTP) which is used to negotiate trunks on a link between two VLAN-enabled switches. Usually enabled by default on Cisco switches to make connectivity easy, it can be overlooked during security configuration hardening. This is a very quick overview of what VLANs are, and it is in no way comprehensive. However, it does identify some of the elements that attackers will use to try to exploit a network with VLANs. The second article in this series, to be published in Redscan’s October 2013 eNewsletter, will discuss the vulnerabilities of VLANs and indicate what organisations can do to defend against them.