How do VLAN'S make a network better?

Question added by Dean Naidoo , IT Support (Added Duty) , Standard Bank
Date Posted: 2015/12/06

VLANs are not inherently insecure. I'm writing this from a service provider perspective, where VLANs are the technology used in% (statistics made up on the spot) of cases to segment different customers from each other. Residential customers from each other, residential customers from enterprise leased lines, enterprise VPNs from each other, you name it.

The VLAN hopping attacks that exist all depend on a few factors:

  • The switch speaks some kind of trunk protocol to you, allowing you to "register" for a different VLAN. This should never, ever occur on a customer port, or someone should get fired.

  • The port is a tagged port, and the switch isn't protected against double tagged packets. This is only an issue if you have customers on VLAN-tagged ports, which you shouldn't. Even then, it's only an issue if you allow untagged packets on trunk ports between switches which, again, you shouldn't.

The "packets travel on the same wire" reasoning is valid, if the attacker has access to the physical wire in question. If that's the case, you have a lot bigger problems than what VLANs can solve.

So, by all means use VLANs as a security measure, but make sure that you never, ever speak VLAN tags with the entities you want segmented from each other, and do keep track of which switch features are enabled on ports facing such entities.
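The two preconditions listed in the answer (a customer-facing port that negotiates trunking, and a trunk that carries its native VLAN untagged) can be checked mechanically. The following audit script is an added example, not code from the answer's author; it assumes Cisco IOS-style syntax (`switchport mode`, `switchport nonegotiate`, global `vlan dot1q tag native`), treats an interface with no `switchport mode` line as `dynamic auto` (the assumed Catalyst default), and runs over a constructed sample config.

```python
# Constructed sample config, not taken from any real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description customer-A
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/2
 description customer-B
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 description customer-C
!
interface GigabitEthernet1/0/24
 description uplink-to-core
 switchport mode trunk
 switchport trunk native vlan 1
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the stanza
    return interfaces

def audit(config):
    """Return (interface, finding) pairs for the two hopping preconditions."""
    findings = []
    # Global setting: when present, the native VLAN is sent tagged on trunks.
    tag_native = "vlan dot1q tag native" in config
    for name, lines in parse_interfaces(config).items():
        modes = [l.split(" ", 2)[2] for l in lines if l.startswith("switchport mode ")]
        mode = modes[-1] if modes else "dynamic auto"  # assumed default when unset
        if mode.startswith("dynamic"):  # port will form a trunk if asked to
            findings.append((name, f"negotiates trunking (mode '{mode}')"))
        if mode == "trunk" and not tag_native:  # untagged frames accepted on trunk
            findings.append((name, "trunk carries native VLAN untagged"))
    return findings

if __name__ == "__main__":
    for intf, why in audit(SAMPLE_CONFIG):
        print(f"{intf}: {why}")
```

On the sample, the two customer ports left in dynamic mode and the uplink trunk without `vlan dot1q tag native` are reported; the access port with `switchport nonegotiate` is clean.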
