
How do VLANs make a network better?

Question added by Dean Naidoo, Second in charge (Added Duty), Standard Bank
Date posted: 2015/12/06

VLANs are not inherently insecure. I'm writing this from a service provider perspective, where VLANs are the technology used in% (statistics made up on the spot) of cases to segment different customers from each other. Residential customers from each other, residential customers from enterprise leased lines, enterprise VPNs from each other, you name it.

The VLAN hopping attacks that exist all depend on a few factors:

  • The switch speaks some kind of trunk protocol to you, allowing you to "register" for a different VLAN. This should never, ever occur on a customer port, or someone should get fired.

  • The port is a tagged port, and the switch isn't protected against double-tagged packets. This is only an issue if you have customers on VLAN-tagged ports, which you shouldn't. Even then, it's only an issue if you allow untagged packets on trunk ports between switches, which, again, you shouldn't.

The "packets travel on the same wire" reasoning is valid, if the attacker has access to the physical wire in question. If that's the case, you have a lot bigger problems than what VLANs can solve.

So, by all means use VLANs as a security measure, but make sure that you never, ever speak VLAN tags with the entities you want segmented from each other, and do keep track of which switch features are enabled on ports facing such entities.
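As an added example (not part of the original answer), the sketch below checks frames captured on a customer-facing port for the condition the answer warns about: VLAN tags, single or stacked, arriving from an entity that should only ever send untagged traffic. The frame bytes, function names and result labels are constructed for illustration.

```python
import struct

# EtherTypes that mark a VLAN tag: 802.1Q (0x8100) and 802.1ad (0x88A8).
TPIDS = {0x8100, 0x88A8}


def vlan_tags(frame: bytes) -> list:
    """Return the VLAN IDs stacked after the two MAC addresses, outermost first."""
    tags, offset = [], 12  # skip destination MAC (6 bytes) + source MAC (6 bytes)
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TPIDS:
            return tags  # reached the real EtherType, no more tags
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        offset += 4


def classify_customer_frame(frame: bytes) -> str:
    """Classify a frame received on a port that must only carry untagged traffic."""
    try:
        tags = vlan_tags(frame)
    except ValueError:
        return "malformed"
    if not tags:
        return "ok-untagged"
    if len(tags) == 1:
        return "violation-tagged"
    return "violation-double-tagged"


# Constructed sample frames: broadcast destination, locally administered source.
MACS = bytes.fromhex("ffffffffffff" "020000000001")
PAYLOAD = b"\x00" * 46
UNTAGGED = MACS + bytes.fromhex("0800") + PAYLOAD
SINGLE = MACS + bytes.fromhex("8100" "000a" "0800") + PAYLOAD          # VLAN 10
DOUBLE = MACS + bytes.fromhex("8100" "0001" "8100" "0014" "0800") + PAYLOAD  # VLAN 1, then 20

if __name__ == "__main__":
    for name, frame in [("untagged", UNTAGGED), ("single", SINGLE), ("double", DOUBLE)]:
        print(name, classify_customer_frame(frame))
```

Any result other than `ok-untagged` on a customer port means the port is accepting tags from the entity it is supposed to isolate.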
