    Netgate Discussion Forum
    VLAN security question

    L2/Switching/VLANs
PM_13:

      Hi,
      I am very new to VLANs so please excuse the rudimentary nature of my question:

1. A VLAN's basic principle is cutting off network communications based on MAC address at L2...hopefully this is a correct interpretation!! So depending on the port of physical connection a device cannot spoof a MAC address to get extra privileges!

2. But VLAN only writes an extra frame over a TCP packet, and re-writing a TCP packet seems pretty routine to me.......please correct me if I am wrong here.

      So still struggling about what makes VLANs more secure?
      Thanks!

bingo600 @PM_13:

        @pm_13

        Vlan is all about tagging, at Layer2 level.
        I gave a brief expl. here
        https://forum.netgate.com/post/944383

bingo600 @PM_13:

          @pm_13 said in VLAN security question:

          So still struggling about what makes VLANs more secure?
          Thanks!

Vlans are not more secure than multiple std. interfaces with networks defined.
Multi Lan segments can be more secure, as you can divide them into zones of different trust and network access.

Vlan is just a way of running multiple (Virtual Lan segments .. VLAN) down the same cable (tagging), and not having to have a physical interface port for each lan segment.

So Vlan makes multi Lan segments easy to do, and therefore makes multi zone security easier to implement.

PM_13 @bingo600:

            @bingo600 Ok that makes sense so let me summarize it in my newbie ways!

            1. If there are two physical ports on a router that connects "wireless" and "wired" through VLANs then it is not possible for any wireless device to get on "wired network" by spoofing MAC or re-writing the packet with VLAN header....correct?

2. But if there are shades of gray within "wireless" say "guest" and "printers" then it is possible for a malicious "wireless" client who is a "guest" to pose as a "printer" and VLAN would largely be useless because damage is done upstream way ahead of VLAN.....correct or wrong here?

            Thanks!

bingo600 @PM_13:

              @pm_13 said in VLAN security question:

              @bingo600 Ok that makes sense so let me summarize it in my newbie ways!

              1. If there are two physical ports on a router that connects "wireless" and "wired" through VLANs then it is not possible for any wireless device to get on "wired network" by spoofing MAC or re-writing the packet with VLAN header....correct?

Vlans are L2 separating, so no, you can't traverse Vlans by spoofing a Mac. Technically you would even be able to use the same mac on 2 different vlans, but it's prob not advisable, as a Mac should be unique.

If you are connecting a device via a Vlan capable/enabled port, then the "bad" device could in theory try to do tagging w. another vlan id, and thereby "hop" to another vlan.
That is why you would only allow the vlans you know to be on that specific wire, upstream or downstream.

If a device receives a "tag" that is not enabled on that specific port, the tag (package) would just be dropped.

For simple end devices like printers or google/apple devices, i would always connect them via an untagged port that already is a member of the vlan i chose for the device. That way any bogus tags could be "killed" on entry to the untagged switch-port.

2. But if there are shades of gray within "wireless" say "guest" and "printers" then it is possible for a malicious "wireless" client who is a "guest" to pose as a "printer" and VLAN would largely be useless because damage is done upstream way ahead of VLAN.....correct or wrong here?

              A network is a network and it's transporting packets.
              It doesnt give a .... about if its transporting for a WiFi guest or a Printer.
              The security is up to the pfSense "driver"

A word of advice right now ...
Stop worrying about Vlan hopping and Vlan (leaking) security right now.
Just trust it ...

              Once you get more experienced w. Vlans and tagging, you can begin thinking about that.

              A few rules of thumb:

1: On Vlan trunks (tagged ports), make sure you are setting your "Native Vlan / PVID" to something you control. Native Vlan is where untagged packets on a tagged port end up. I use Vlan 666 for PVID, and it's a pure garbage vlan (catch untagged packages), not used for anything else.

              2:
              If possible.
Always connect end devices to an untagged port that is a member of the vlan you want it to belong to. That way it can't escape to another vlan, as tagging would be discarded.

              3:
Never enable more Vlans on a tagged port than you need for it to operate the end devices.

              And now the security lesson is over for today 😊

              /Bingo

JKnott @PM_13:

                @pm_13

"VLAN" means Virtual LAN. That is, they behave as though you have separate networks, even though they're on the same physical network. It has nothing to do with MACs and does not rewrite an IP packet. It adds an extra 4 bytes to the Ethernet frame for the VLAN tag. Switches and NICs use that tag to separate traffic. The usual method is to use 802.1Q.

JKnott @PM_13:
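To make the two points above concrete (bingo600's rules of thumb about untagged ports, native VLAN/PVID and pruning trunks, and JKnott's note that the tag is 4 extra bytes in the Ethernet frame), here is a small model of 802.1Q tagging and of how a switch classifies frames on ingress and tags them on egress. This is an added example written for this page, not code from the thread, from pfSense or from any switch vendor. The port names, MAC addresses and the sample IPv4 frame are constructed; the access-port behaviour (any tagged frame from an end device is discarded) is the strict behaviour bingo600 describes, and real switches differ in the details (some accept a tag equal to the access VLAN). The native VLAN 666 follows bingo600's example.

```python
"""Minimal 802.1Q tagging and switch-port ingress/egress model (added example)."""
import struct
from dataclasses import dataclass

ETHERTYPE_8021Q = 0x8100   # TPID: an EtherType of 0x8100 means "a VLAN tag follows"
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: 6-byte dst MAC, 6-byte src MAC, EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q header (TPID + TCI) between the source MAC and the EtherType.
    Nothing above layer 2 (IP, TCP) is touched; the frame simply grows by 4 bytes."""
    if not 0 <= vid <= 4094 or not 0 <= pcp <= 7:
        raise ValueError("VID must be 0..4094, PCP 0..7")
    tci = (pcp << 13) | vid            # 3-bit priority, 1-bit DEI (0 here), 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes):
    """Return (vid, frame_with_tag_removed), or (None, frame) if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                           # "access" (untagged member of one VLAN) or "trunk" (tagged)
    pvid: int                           # access VLAN, or native VLAN for untagged frames on a trunk
    allowed: frozenset = frozenset()    # VIDs accepted and sent tagged on a trunk


def ingress(port: Port, frame: bytes):
    """Classify a frame arriving on `port`. Returns (vid, untagged_frame), or None if dropped."""
    vid, inner = parse_tag(frame)
    if vid == 0:                        # priority-tagged frame: 802.1Q treats VID 0 as untagged
        vid = None
    if port.mode == "access":
        if vid is not None:
            return None                 # tag sent by an end device is killed at the untagged port
        return port.pvid, inner         # untagged frame belongs to the port's VLAN
    if vid is None:
        return port.pvid, inner         # untagged frame on a trunk lands in the native VLAN
    if vid not in port.allowed:
        return None                     # VLAN not enabled on this trunk: drop
    return vid, inner


def egress(port: Port, vid: int, frame: bytes):
    """Frame leaving the switch on `port` for VLAN `vid`: untagged, tagged, or None if not a member."""
    if port.mode == "access":
        return frame if vid == port.pvid else None
    if vid == port.pvid:
        return frame                    # native VLAN leaves a trunk untagged
    if vid in port.allowed:
        return tag_frame(frame, vid)
    return None


def demo() -> dict:
    """Assumed topology: guest WiFi client on an access port in VLAN 30; trunk to the
    firewall carrying VLANs 10 (wired), 20, 30 with an unused native VLAN 666."""
    guest_port = Port("gi1/0/5 (guest AP)", "access", pvid=30)
    uplink = Port("gi1/0/24 (to pfSense)", "trunk", pvid=666, allowed=frozenset({10, 20, 30}))
    dst = bytes.fromhex("0050568a0001")                     # constructed sample MACs
    src = bytes.fromhex("0050568a0002")
    frame = build_frame(dst, src, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)   # constructed IPv4 stub
    return {
        "guest_untagged": ingress(guest_port, frame),                      # -> (30, frame)
        "guest_hop_attempt": ingress(guest_port, tag_frame(frame, 10)),    # -> None: tag discarded
        "trunk_untagged": ingress(uplink, frame),                          # -> (666, frame)
        "trunk_vlan10": ingress(uplink, tag_frame(frame, 10)),             # -> (10, frame)
        "trunk_vlan40": ingress(uplink, tag_frame(frame, 40)),             # -> None: not allowed
        "egress_vlan30_to_uplink": egress(uplink, 30, frame),              # -> frame tagged 30
        "egress_vlan10_to_guest_port": egress(guest_port, 10, frame),      # -> None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:30s} {'DROP' if result is None else result}")
```

The "guest_hop_attempt" case is the one the question is really about: the guest client can craft a frame with a VLAN 10 tag, but on an untagged port that tag never gets a chance to be honoured. The same device plugged into the trunk port would have its VLAN 10 frame accepted, which is why rules 1 and 3 above (own the native VLAN, prune the trunk to the VLANs it actually needs) matter as much as rule 2.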

                  @pm_13

VLANs have nothing to do with the MAC address. It's possible to have the same MAC in multiple VLANs. With WiFi, VLANs are used to connect multiple SSIDs to a network. For example, I have a guest WiFi, as well as a main SSID. Both connect over the same cable to my switch.

JKnott @bingo600:

                    @bingo600 said in VLAN security question:

                    As Mac should be unique.

                    Well, any router that's connected to multiple VLANs will have the same MAC on those VLANs. On the other hand the IP addresses will be different, as they're on different subnets.

© 2021 Rubicon Communications, LLC