Tip

VLAN security

This week, I wanted to address VLAN security, which like Ethernet, is a mystery to most people. That may sound like a strange statement, since I'm sure everyone reading this has been using Ethernet for years, but seriously, how many network engineers do you know who could explain Manchester bit encoding or how Fast Link Pulses work? Not very many, of course, and why should they? After all, Ethernet is one of those protocols that "just works." Network administrators don't understand it for the very simple reason that they never have to troubleshoot it.

VLANs are pretty much the same way. Sure, the configuration of a few more advanced topics like VTP and VLAN pruning can give you a mental workout, and of course, nobody likes Spanning-Tree Protocol, but really, when was the last time you really needed to know how your switches implemented VLANs? For the most part, you define a VLAN, and assign ports to it, and define

    Requires Free Membership to View

trunk ports and configure which VLANs can cross it... and it just works... simple as that.

But it's precisely this simplicity that can lull you into leaving open a raft of security vulnerabilities.

So as I was checking a few quick facts for this tip, I ran across an @Stake white paper so concise and illuminating, despite being 2 years old, that I decided to just link you to it and offer a quick summary.

The reason I like this article is because it explains at a high level, several ways your network can be attacked at Layer 2. Many of these aren't nearly as intuitively obvious as the higher-level attacks we witness daily, so many administrators think that it's impossible to attack VLANs, which is of course, absurd.

So here are a few key points to remember when configuring your network:

VLAN 1 (on Catalyst switches) is the default for both ports and the "Native" VLAN on 802.1Q trunks, which is precisely why you should NEVER use it.

Don't allow dynamic protocols to talk to untrusted devices. Many administrators don't realize there are a lot of these operating around Layer 2, such as VTP, PAgP, CDP, DTP, UDLD and of course STP.

If at all possible, authenticate all hosts and/or limit their connectivity. Port Security, 802.1x and Dynamic VLANs are three methods mentioned in this article you can use.


Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by Sybex.


This was first published in March 2004

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.