

What Is VLAN Hopping?


Introduction To Network Segmentation

Network segmentation is the IT practice of dividing a network into smaller sub-networks and is a fundamental method for isolating different parts of a network in order to protect critical assets from unauthorized access. Network segmentation can also improve network performance and make a large organization's network easier to manage.

Generally, there are two types of network segmentation:

  • Physical network segmentation: refers to physically isolating networks from each other by creating separate physical infrastructure and using different routers and switches on each network.

  • Logical network segmentation: refers to using protocols and software to create virtual segments within a single physical network using VLANs (Virtual Local Area Networks) and VPNs (Virtual Private Networks).

A Deeper Look At Logical Segmentation

Logical network segmentation involves the OSI model Layers 2 and 3 (the Data Link Layer and the Network Layer) to create virtualized network segments by defining distinct IP address ranges (known as subnets) and using smart switches and routers to restrict traffic such that only devices on the same virtual network can communicate with each other. The ultimate goal of logical segmentation is to enable virtual networks to operate in the same way that physically segmented networks do while also leveraging the convenience and flexibility of software-defined networking.

To accomplish logical segmentation, each VLAN is assigned a unique identifier, known as a VLAN ID, and network switches and routers tag each Ethernet frame as it transits the network. When a device sends packets over the network, the VLAN ID tag is added to the frame header and used by switches and routers to determine which VLAN the frame belongs to and forward the frame to the correct destination.

VLANs can be designed with their own unique properties to improve network security, performance, and manageability. In terms of security, VLANs can provide a level of network isolation, providing "defence in depth" mitigation. Defence in depth refers to the IT security principle of providing a layered approach to security. In some cases, such as PCI-DSS, network segmentation is required for compliance.

What is VLAN Hopping?

VLAN hopping is a cyberattack used to access network resources that are logically isolated on a separate VLAN. By "hopping" to a segment of the network that is supposed to be restricted, the attacker can discover new sensitive systems and data to target. Let's take a look at how VLAN hopping attacks work.

Double Tagging

802.1Q is the IEEE networking standard that adds a 4-byte VLAN tag to Ethernet frames; the tag carries the VLAN ID that identifies which VLAN the data belongs to. In a double tagging attack, an adversary transmits malformed Ethernet frames with two 802.1Q tags. This attack takes advantage of how most switches will remove the first 802.1Q tag and then forward the packet. The second switch the packet reaches then sees the second tag and routes the packet to the specified VLAN. However, double tagging is a one-way attack since the attacker cannot double tag the response packets.

Switch Spoofing / Rogue Switch Attack

In a switch spoofing attack, an adversary tricks the network devices by adding a rogue switch and then uses this rogue switch to modify the 802.1Q tags of Ethernet frames to forward frames between VLANs. There are several possible ways to accomplish this attack.

  • Dynamic Trunking Protocol (DTP) manipulation: DTP is a protocol used to negotiate the configuration of a trunk link between switches. In this attack, the attacker takes advantage of DTP to add a rogue switch to the network configuration and can then request that all traffic or certain types of traffic be forwarded to it. This allows the attacker to manipulate VLAN IDs and sniff the IP addresses to map the network and forward data between VLANs that are supposed to be isolated from each other. Yersinia is a penetration testing tool for attacking Layer 2 protocols that can be used for DTP manipulation.

  • Adding a physical rogue switch: If an attacker connects a rogue switch to the network, they can configure it to forward data between VLANs. This allows the attacker to bypass the security measures that are in place to separate the VLANs and gain unauthorized access to sensitive data or resources.

  • ARP poisoning attack: In an ARP poisoning attack, the adversary tries to associate the MAC address of a device they control with the IP address of a legitimate switch on the network. This would cause other devices on the network to send data to the attacker's rogue switch, which can then be used to carry out switch spoofing and VLAN hopping attacks. Arpspoof, Arpoison, Cain and Abel, and Ettercap are some popular pentesting tools for ARP poisoning testing.
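
Both double tagging and DTP manipulation leave a recognisable mark in the Ethernet header, which is what a monitoring sensor can key on. The following Python code is an added example, not part of the original article: it walks the stacked 802.1Q tags of a frame and flags double-tagged frames and DTP frames received on an access port. The sample frames are constructed, and the code assumes a network that does not use QinQ, where stacked tags would be legitimate.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag protocol identifiers
DTP_DST = bytes.fromhex("01000ccccccc")  # Cisco multicast address DTP is sent to
DTP_SNAP = bytes.fromhex("aaaa0300000c2004")  # LLC/SNAP, Cisco OUI, protocol 0x2004 (DTP)


def parse_frame(frame: bytes) -> dict:
    """Return destination MAC, every stacked VLAN ID and the payload of a frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, vlans = 12, []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in TPIDS:  # each tag is TPID (2 bytes) + TCI (2 bytes)
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return {"dst": frame[:6], "vlans": vlans, "payload": frame[offset + 2:]}


def classify(frame: bytes, access_port: bool = True) -> list:
    """Alerts for one received frame; assumes the network does not use QinQ."""
    info, alerts = parse_frame(frame), []
    if len(info["vlans"]) >= 2:
        alerts.append("double-tagged: outer VLAN %d, inner VLAN %d" % tuple(info["vlans"][:2]))
    if access_port and info["dst"] == DTP_DST and info["payload"].startswith(DTP_SNAP):
        alerts.append("DTP frame on access port")
    return alerts


HOSTS = "020000000002 020000000001 "  # made-up destination and source MACs
SAMPLES = {  # constructed frames, not captures
    "normal": bytes.fromhex(HOSTS + "8100000a 0800") + bytes(46),
    "double": bytes.fromhex(HOSTS + "81000001 81000014 0800") + bytes(46),
    "dtp": bytes.fromhex("01000ccccccc 020000000001 0026") + DTP_SNAP + bytes(30),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, classify(frame) or "ok")
```
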

Defending Against VLAN Hopping Attacks

VLAN hopping is a "second stage" attack, meaning that an attacker must first gain unauthorized access to have an initial foothold on the victim's network. According to the Cyber Kill Chain, it is safe to say that preventing any previous stage of the attack chain would be sufficient to protect against a VLAN hopping attack. What's less obvious is how to defend against this tactic in order to provide a layered defence in depth approach. Let's quickly investigate the defensive tactics to match the offensive ones at play.

  • Disable DTP and use static trunking: By disabling DTP and using static trunking instead, the network configuration of the trunk cannot be dynamically modified by arbitrary devices on the network.

  • Implement 802.1X authentication: 802.1X authentication requires devices to prove their identity before they are granted access to the network, providing a secure method for controlling access to the network.

  • Configure port security on switches: Port security can specify particular MAC addresses that can be associated with a switch port, making it more difficult for attackers to spoof a switch to the network. Port security may also include completely disabling unused ports to prevent an attacker from plugging into an exposed Ethernet port to gain access to the network.

  • Monitor network traffic: Continuously monitoring network traffic allows network defenders to detect and respond to switch spoofing and double tagging attacks in a timely manner. This can be done using network monitoring tools and security devices, such as intrusion detection systems (IDSs) and intrusion prevention systems (IPSs).
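
The static trunking and port security items can be verified offline against exported switch configurations. The following Python code is an added example, not part of the original article: it audits a constructed configuration and reports enabled ports where DTP can still negotiate, where a static mode lacks `switchport nonegotiate`, or where a non-trunk port has no port security. The Cisco IOS-style syntax is an assumption, since the article names no vendor.

```python
import re

# Constructed sample in Cisco IOS-style syntax (an assumption; adapt keywords per vendor).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security
interface GigabitEthernet0/2
 description spare wall jack
interface GigabitEthernet0/3
 switchport mode dynamic desirable
interface GigabitEthernet0/4
 shutdown
interface GigabitEthernet0/24
 switchport mode trunk
"""

def parse_interfaces(config: str) -> dict:
    """Map each interface name to the list of its stripped config lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the interface block
    return interfaces

def audit(config: str) -> dict:
    """Return {interface: [issues]} for enabled ports missing the hardening listed above."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue  # administratively disabled port
        mode = next((l[16:] for l in lines if l.startswith("switchport mode ")), None)
        issues = []
        if mode not in ("access", "trunk"):
            issues.append("mode not static: DTP can negotiate a trunk")
        elif "switchport nonegotiate" not in lines:
            issues.append("static mode without 'switchport nonegotiate'")
        if mode != "trunk" and "switchport port-security" not in lines:
            issues.append("no port security")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```
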


VLAN hopping is a cyber-attack used to access network resources that are logically isolated on a separate VLAN and can result in unauthorized access to restricted network segments, sensitive systems, and data. Defensive cybersecurity best practices can protect against VLAN hopping attacks, and penetration testing should also be used to verify that an organization's network is effectively protected.
