T 5.115 Overcoming the boundaries between VLANs

Virtual LANs (VLANs) are used to structure networks logically. Within one physical network, a VLAN groups workstations and servers with similar functions into a virtual network of their own. At the same time, each VLAN forms a separate broadcast domain, so broadcasts are only delivered within their own VLAN. A VLAN can span an entire switched network and does not need to be restricted to a single switch.

VLANs are extended across several switches by means of so-called trunking protocols. For this purpose, a physical port on each switch is reserved for inter-switch communication; the logical connection between the switches is called the trunk. Every Ethernet frame sent across the trunk carries its VLAN membership in the format of the trunking protocol: IEEE 802.1q inserts a 4-byte tag containing a 12-bit VLAN ID after the source address of the frame, whereas Cisco's ISL encapsulates the complete frame in an additional header. Either way, the receiving switch can assign the frame to the correct VLAN. IEEE 802.1q is the standard; ISL (Inter Switch Link) and VTP (VLAN Trunking Protocol) are proprietary protocols from the manufacturer Cisco. Despite its name, VTP does not carry user frames: it is a management protocol, running over the trunks, that distributes the VLAN database between switches (see below).

If an attacker who is connected to a switch port manages to turn that port into a trunk, for example because the port has been left in a dynamic trunk-negotiation mode and the attacker's system identifies itself as a switch by sending the corresponding negotiation frames (on Cisco switches the DTP, Dynamic Trunking Protocol), he or she can send and receive ISL- or IEEE 802.1q-encapsulated frames for every VLAN allowed on that trunk. In this way the attacker obtains access to all configured VLANs and can read data belonging to VLANs to which he or she would not normally have access.

Information on configured VLANs is exchanged between Cisco switches with the aid of the proprietary protocol VTP. Here the VLAN configuration held on a central VTP server is distributed to all switches within a VTP domain. Although this simplifies the administration of VLANs across several switches, it also represents an additional security risk. A switch in VTP server or client mode accepts the VLAN database advertised by any VTP server in the same domain whose configuration revision number is higher than the one it currently holds. VTP does support authentication within a VTP domain by means of a password, but if no password is set, an attacker (for example using a dedicated switch configured as a VTP server in the same domain, or a tool that crafts VTP advertisements) with a sufficiently high revision number can overwrite the entire VLAN architecture on all switches in the VTP domain, deleting or renumbering VLANs and thereby disrupting or redirecting traffic. The same overwrite can also happen accidentally when a switch that was previously operated in the same domain with a higher revision number is reconnected, which is why the revision number of every VTP advertisement from an unexpected source deserves attention.
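The two threats above, a host injecting 802.1q-tagged frames where only untagged access traffic is expected, and a VTP summary advertisement with a higher configuration revision arriving from an unexpected source, can both be recognised on the wire. The following Python script is an added example, not part of the IT-Grundschutz catalogue or of any vendor code: it parses raw Ethernet frames (peeling 802.1q/802.1ad tag stacks), decodes the fixed part of a VTPv1/v2 summary advertisement (version, code, domain, revision, updater identity, MD5 digest, carried in LLC/SNAP with Cisco's OUI and PID 0x2003), and audits a list of (ingress port, frame) observations. The port names, MAC addresses, the domain name "CORP", the revision numbers and the frames themselves are constructed for the example; the MD5 field in the constructed advertisements is a zero placeholder, not a real digest.

```python
import struct

ETHERTYPE_8021Q = 0x8100          # customer VLAN tag (IEEE 802.1Q)
ETHERTYPE_8021AD = 0x88A8         # service tag used for stacked tags (IEEE 802.1ad)
ETHERTYPE_IPV4 = 0x0800
VTP_MULTICAST = bytes.fromhex("01000ccccccc")   # destination MAC Cisco uses for VTP
CISCO_OUI = bytes.fromhex("00000c")
VTP_SNAP_PID = 0x2003
VTP_SUMMARY_ADVERT = 0x01


def parse_frame(raw):
    """Return dst/src, the VLAN IDs of any tag stack, the inner EtherType and,
    for VTP frames, the decoded summary advertisement."""
    dst, src, offset, vlans = raw[0:6], raw[6:12], 12, []
    (ethertype,) = struct.unpack_from("!H", raw, offset)
    while ethertype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
        (tci,) = struct.unpack_from("!H", raw, offset + 2)
        vlans.append(tci & 0x0FFF)            # low 12 bits of the TCI are the VLAN ID
        offset += 4
        (ethertype,) = struct.unpack_from("!H", raw, offset)
    offset += 2
    frame = {"dst": dst, "src": src, "vlans": vlans, "ethertype": ethertype, "vtp": None}
    # A value <= 1500 is an 802.3 length field, not an EtherType; VTP then follows
    # in LLC/SNAP (DSAP/SSAP 0xAA, control 0x03, OUI 00:00:0c, PID 0x2003).
    if ethertype <= 1500 and raw[offset:offset + 3] == b"\xaa\xaa\x03":
        oui = raw[offset + 3:offset + 6]
        (pid,) = struct.unpack_from("!H", raw, offset + 6)
        if oui == CISCO_OUI and pid == VTP_SNAP_PID:
            frame["vtp"] = parse_vtp_summary(raw[offset + 8:])
    return frame


def parse_vtp_summary(payload):
    """Decode the fixed part of a VTPv1/v2 summary advertisement."""
    version, code, followers, name_len = struct.unpack_from("!BBBB", payload, 0)
    if code != VTP_SUMMARY_ADVERT:
        return {"version": version, "code": code}
    domain = payload[4:4 + name_len].decode("ascii", "replace")  # 32-byte zero-padded field
    (revision,) = struct.unpack_from("!I", payload, 36)
    updater = ".".join(str(b) for b in payload[40:44])          # updater identity (IPv4)
    return {"version": version, "code": code, "followers": followers, "domain": domain,
            "revision": revision, "updater": updater, "md5": payload[56:72]}


def build_tagged_frame(dst, src, vlan, ethertype, payload):
    """Constructed 802.1Q-tagged frame (PCP/DEI left at zero)."""
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, vlan & 0x0FFF, ethertype) + payload


def build_vtp_summary(src, domain, revision, updater_ip, version=2):
    """Constructed VTP summary advertisement; the MD5 digest is a zero placeholder."""
    name = domain.encode("ascii")
    body = struct.pack("!BBBB", version, VTP_SUMMARY_ADVERT, 0, len(name))
    body += name.ljust(32, b"\x00")
    body += struct.pack("!I", revision)
    body += bytes(int(o) for o in updater_ip.split("."))
    body += b"\x00" * 12                      # update timestamp, not checked here
    body += b"\x00" * 16                      # placeholder for the MD5 digest
    llc = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", VTP_SNAP_PID)
    return VTP_MULTICAST + src + struct.pack("!H", len(llc) + len(body)) + llc + body


def audit(observations, access_ports, vtp_domain, current_revision, trusted_vtp_sources):
    """observations: list of (ingress_port, raw_frame). Returns a list of findings."""
    findings = []
    for port, raw in observations:
        f = parse_frame(raw)
        if port in access_ports and f["vlans"]:
            findings.append((port, "tagged frame on access port", f["vlans"]))
        vtp = f["vtp"]
        if vtp and vtp.get("code") == VTP_SUMMARY_ADVERT and vtp["domain"] == vtp_domain:
            if vtp["revision"] > current_revision and f["src"] not in trusted_vtp_sources:
                findings.append((port, "VTP summary with higher revision from untrusted source",
                                 (f["src"].hex(":"), vtp["revision"])))
    return findings


# Constructed sample traffic (assumed port names and MAC addresses).
MAC_ATTACKER = bytes.fromhex("0200deadbeef")
MAC_CORE = bytes.fromhex("00000c112233")
BROADCAST = bytes.fromhex("ffffffffffff")
SAMPLE = [
    ("Gi1/0/5", build_tagged_frame(BROADCAST, MAC_ATTACKER, 20, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)),
    ("Gi1/0/24", build_tagged_frame(BROADCAST, MAC_CORE, 20, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)),
    ("Gi1/0/5", build_vtp_summary(MAC_ATTACKER, "CORP", 99, "10.0.0.200")),
    ("Gi1/0/24", build_vtp_summary(MAC_CORE, "CORP", 42, "10.0.0.1")),
]
ACCESS_PORTS = {"Gi1/0/5"}        # Gi1/0/24 is the legitimate trunk to the core


def run_sample():
    return audit(SAMPLE, ACCESS_PORTS, "CORP", 42, {MAC_CORE})


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Only the two frames from the attacker's port produce findings: the tagged frame on Gi1/0/5, which is configured as an access port, and the VTP advertisement whose revision 99 exceeds the domain's current revision 42 and comes from a MAC that is not a known VTP server. The equivalent frames on the trunk port Gi1/0/24 are accepted. In a real deployment the frames would come from a span port or packet capture rather than from the constructed list.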