VLAN security question

PM_13

Hi,
I am very new to VLANs so please excuse the rudimentary nature of my question:

1. VLAN's basic principle is cutting off network communications based on MAC address at L2...hopefully this is a correct interpretation!! So depending on port of physical connection a device cannot spoof MAC address to get extra privileges!

2. But VLAN only writes an extra frame over TCP packet, and re-writing a TCP packet seems pretty routine to me.......please correct me if I am wrong here.

So still struggling about what makes VLANs more secure?
Thanks!

bingo600

@pm_13

Vlan is all about tagging, at Layer2 level.
I gave a brief expl. here
https://forum.netgate.com/post/944383

bingo600

@pm_13 said in VLAN security question:

So still struggling about what makes VLANs more secure?
Thanks!

Vlans are not more secure than multiple std. interaces with networks defined.
Multi Lan segments can be more secure, as you can divide them in to zones of different trust and network access.

Vlan is just a way of running multi (Virtual Lan segments .. VLAN) down the same cable (tagging) , and not having to have a physical interface port for each lan segment.

So Vlan makes multi Lan segments easy to do , and therefor makes multi zone security easier to implement.

PM_13

@bingo600 Ok that makes sense so let me summarize it in my newbie ways!

1. If there are two physical ports on a router that connects "wireless" and "wired" through VLANs then it is not possible for any wireless device to get on "wired network" by spoofing MAC or re-writing the packet with VLAN header....correct?

2. But if there are shades of gray within "wireless" say "guest" and "printers" then it is possible for a malicious "wireless' client who is a "guest" to pose as a "printer" and VLAN would largely be useless because damage is done upstream way ahead of VLAN.....correct or wrong here?

Thanks!

bingo600

@pm_13 said in VLAN security question:

@bingo600 Ok that makes sense so let me summarize it in my newbie ways!

1. If there are two physical ports on a router that connects "wireless" and "wired" through VLANs then it is not possible for any wireless device to get on "wired network" by spoofing MAC or re-writing the packet with VLAN header....correct?

Vlans are L2 separating , so no you can't traverse Vlans by spoofing a Mac. Technically you would even be able to use the same mac on 2 different vlans , but it's prob not advisable. As Mac should be unique.

If you are connecting a device via a Vlan capable/enabled port. Then the "bad" device could in theory try to do tagging w. another vlan id , and thereby "hop" to another vlan.
That is why you would only allow the vlan's you know to be on that specific wire. upstream or downstream.

If a device receives a "tag" that is not enabled on that specific port , the tag (package) would just be dropped.

For simple end devices like printers or google/apple devices, i would always connect them via an untagged port that already is member of the vlan i chose for the device. That way any bogous tags could be "killed" on entry to the untagged switch-port.

2. But if there are shades of gray within "wireless" say "guest" and "printers" then it is possible for a malicious "wireless' client who is a "guest" to pose as a "printer" and VLAN would largely be useless because damage is done upstream way ahead of VLAN.....correct or wrong here?

A network is a network and it's transporting packets.
It doesnt give a .... about if its transporting for a WiFi guest or a Printer.
The security is up to the pfSense "driver"

A work of advise right now ...
Stop worrying about Vlan hopping, and Vlan (leaking) security right now.
Just trust it ...

Once you get more experienced w. Vlans and tagging, you can begin thinking about that.

A few rules of thumb:

1: On Vlan trunks (tagged ports), make sure you are setting your "Native Vlan / PVID" to something you control. Native Vlan is where untagged packets on a tagged port ends up. I use Vlan 666 for PVID , and it's a pure garbage vlan (catch untagged packages) , not used for anything else.

2:
If possible.
Always connect end devices to an untagged port that is member of the vlan you want it to belong to. That way it can't escape to another vlan. As tagging would be discarded.

3:
Never enable more Vlans on a tagged port then you need for it to operate the end devices.

And now the security lesson is over for today

/Bingo

JKnott

@pm_13

"VLAN" means Virtual LAN. That is they behave as though you have separate networks, even though they're on the same physical network. It has nothing to do with MACs and does not rewrite an IP packet. It adds an extra 4 bytes to the Ethernet frame for the VLAN tag. Switches and NICs use that tag to separate traffic. The usual method is to use 802.1q.

JKnott

@pm_13

VLANs have nothing to do with the MAC address. It's possible to have the same MAC in multiple VLANs. With Wifi, VLANs are used to connect multiple SSIDs to a network. For example, I have a guest WiFi, as well as main SSID. Both connect over the same cable to my switch.

JKnott

@bingo600 said in VLAN security question:

As Mac should be unique.

Well, any router that's connected to multiple VLANs will have the same MAC on those VLANs. On the other hand the IP addresses will be different, as they're on different subnets.