VLAN hopping



  • Hi There,

    I have 2 HP Procurve switches 1800-24G and have a pfsense box. I'd like to make use of VLANs to make multiple LANs (As secure from each other as possible)

    Can someone please give me any advice on how secure VLANs are with pfSense, regarding VLAN hopping etc..

    How can I prevent these? Also, does anyone here have any experience with the HP switches, as the configuration is confusing…

    Thanks



  • does anyone here have any experience with the HP switches, as the configuration is confusing…

    A wink guide of the 1800-8G http://pfsense.site88.net/mysetup/index.html might help.



  • Hi Perry,

    That's an excellent link, Thanks!

    Just a few questions:

    By unchecking "VLAN aware enabled", does this stop the infamous "double tagging" attacks that can be done?

    Also, what settings are you supposed to use for the link between 2 procurve switches, for best security

    Thanks



  • The basic security steps I follow are:
    Only vlan traffic on the parent nic.
    Don't use vlan1
    All ports are assigned.

    By unchecking "VLAN aware enabled", does this stop the infamous "double tagging" attacks that can be done?

    I would say the Port ID takes care of that. http://www.docs.hp.com/en/5992-0538/ar01s01.html explains vlan aware

    Also, what settings are you supposed to use for the link between 2 procurve switches, for best security

    I tend to say just make sure you only allow traffic you need and set pid to none. But then I'm no security expert / hacker :).  Another question you could ask yourself: does my design need it? In your case with a giga switch I would not use more than 10 VLANs per pfSense NIC.



  • @jonnytabpni:

    Hi There,

    I have 2 HP Procurve switches 1800-24G and have a pfsense box. I'd like to make use of VLANs to make multiple LANs (As secure from each other as possible)

    Can someone please give me any advice on how secure VLANs are with pfSense, regarding VLAN hopping etc..

    How can I prevent these? Also, does anyone here have any experience with the HP switches, as the configuration is confusing…

    Thanks

    The general idea is to use a single port on the switch with only tagged traffic.  This port connects to the upstream device (pfSense, another switch, whatever).  It carries the various networks over a single physical link, but each is tagged independently.

    On the switch, each port is assigned to groups of VLANs.  For most devices, you want them to exist on a single VLAN.  For those ports, you specify the VLAN to use for untagged traffic and remove the port from all other VLANs.  That way, even if the device sends a tagged packet, the switch won't allow the traffic onto the VLAN.

    For some devices, you may wish to have it be accessible on multiple VLANs, but not route between them.  To do that, you set up the port to use only tagged traffic and only make the port a member of the VLANs that it should be allowed to participate in.  The device is then configured to set an IP per VLAN and disallow routing.  Unless you are doing something really complex, this probably isn't something you will need to do.

    The main gotcha with VLANs is that VLAN tag 1 is almost always special in some way.  For the HP switch I have (2800), VLAN 1 is the default VLAN and is the one on which all the management services run.  That particular setting is configurable on my switch, but many other switches don't offer a way to change it.  To be on the safe side, use VLAN tags other than 1 for your actual networks.
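    To make the advice in Perry's list (only tagged traffic on the uplink, no VLAN 1, every port assigned, PID none) and in the reply above concrete, here is an added example that is not from this thread, from pfSense or from HP: a small Python model of how an 802.1Q bridge port classifies frames on ingress and tags them on egress, plus a checker for the settings just discussed. It is a simplified bridge (no MAC learning, no "VLAN aware" checkbox), and the port names, frames and configurations in it are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType that introduces an 802.1Q tag


@dataclass(frozen=True)
class Port:
    """One switch port in the thread's terms: PVID (the VLAN untagged ingress
    frames are placed in; None = ProCurve "PID none", drop them) plus tagged and
    untagged VLAN membership. Simplified model, not the 1800 firmware; the port
    names used below are constructed."""
    name: str
    pvid: int | None
    tagged: frozenset[int] = frozenset()
    untagged: frozenset[int] = frozenset()

    @property
    def members(self) -> frozenset[int]:
        return self.tagged | self.untagged


def build_frame(vids: list[int], ethertype: int = 0x0800) -> bytes:
    """Constructed Ethernet frame with zero or more stacked tags, outer first."""
    dst, src = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01"
    tags = b"".join(TPID_8021Q.to_bytes(2, "big") + (v & 0x0FFF).to_bytes(2, "big")
                    for v in vids)
    return dst + src + tags + ethertype.to_bytes(2, "big") + b"\x00" * 46


def parse_tags(frame: bytes) -> list[int]:
    """Walk the tag stack after the MAC addresses; returns VIDs outer-to-inner."""
    off, vids = 12, []
    while len(frame) >= off + 2 and int.from_bytes(frame[off:off + 2], "big") == TPID_8021Q:
        if len(frame) < off + 4:
            raise ValueError("truncated 802.1Q tag")
        vids.append(int.from_bytes(frame[off + 2:off + 4], "big") & 0x0FFF)
        off += 4
    return vids


def ingress(port: Port, frame: bytes) -> tuple[int, bytes] | None:
    """Classify a received frame: (vlan, frame) or None when the port drops it.
    Untagged frames go to the PVID; tagged frames are admitted only for VLANs the
    port is a member of (the "switch won't allow the traffic onto the VLAN" rule
    above). The admitted outer tag is consumed; a further tag stays in the payload."""
    vids = parse_tags(frame)
    if not vids:
        return None if port.pvid is None else (port.pvid, frame)
    if vids[0] not in port.members:
        return None
    return vids[0], frame[:12] + frame[16:]


def egress(port: Port, vlan: int, frame: bytes) -> bytes | None:
    """Send a classified frame out a port: tagged members get a fresh tag
    prepended, untagged members get the bare frame, non-members get nothing."""
    if vlan in port.tagged:
        return frame[:12] + TPID_8021Q.to_bytes(2, "big") + vlan.to_bytes(2, "big") + frame[12:]
    return frame if vlan in port.untagged else None


def forward(in_port: Port, frame: bytes, out_port: Port) -> bytes | None:
    """Ingress on one port, egress on another (flooding and learning omitted)."""
    classified = ingress(in_port, frame)
    return None if classified is None else egress(out_port, *classified)


def inner_tag_exposed(access: Port, uplink: Port, inner_vid: int = 20) -> bool:
    """True when a frame that entered `access` carrying a second, inner tag leaves
    `uplink` with that tag outermost, so the next switch would act on it. This is
    the double-tagging exposure asked about earlier; it only arises when the
    access VLAN is one the uplink sends untagged."""
    if access.pvid is None:
        return False
    out = forward(access, build_frame([access.pvid, inner_vid]), uplink)
    return out is not None and parse_tags(out)[:1] == [inner_vid]


def audit(ports: list[Port]) -> list[str]:
    """Flag the settings the thread recommends against: unassigned ports, VLAN 1
    in use, uplinks that accept or send untagged traffic, edge ports untagged on
    more than one VLAN."""
    issues = []
    for p in ports:
        if not p.members:
            issues.append(f"{p.name}: assigned to no VLAN")
        if p.pvid == 1 or 1 in p.members:
            issues.append(f"{p.name}: VLAN 1 in use; keep real networks off the default VLAN")
        if p.tagged and (p.untagged or p.pvid is not None):  # tagged membership = uplink
            issues.append(f"{p.name}: uplink passes untagged traffic; set PID none and tag every VLAN")
        if len(p.untagged) > 1:
            issues.append(f"{p.name}: untagged on several VLANs; an edge port belongs to one")
    return issues


if __name__ == "__main__":
    # Constructed configs: an edge port on VLAN 1 behind an uplink that sends VLAN 1
    # untagged (the risky shape) versus a tagged-only uplink with PID none.
    edge_v1 = Port("p5", 1, untagged=frozenset({1}))
    native_uplink = Port("p24", 1, tagged=frozenset({10, 20}), untagged=frozenset({1}))
    strict_uplink = Port("p24", None, tagged=frozenset({1, 10, 20}))
    print("exposed with untagged VLAN 1 on uplink:", inner_tag_exposed(edge_v1, native_uplink))
    print("exposed with tagged-only uplink:       ", inner_tag_exposed(edge_v1, strict_uplink))
    for line in audit([edge_v1, native_uplink]):
        print("audit:", line)
```

    Running it shows the two halves of the advice working together: with the uplink sending one VLAN untagged, a frame that arrived with a stacked tag leaves the uplink with the inner tag outermost, whereas with PID none and every VLAN tagged the uplink re-tags the frame and the inner tag stays inside the payload. The `audit` function is the checklist form of the same rules and can be run over a list of ports transcribed from the switch's VLAN page.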



  • Folks, thanks for your help!

    The general idea is to use a single port on the switch with only tagged traffic.  This port connects to the upstream device (pfSense, another switch, whatever).  It carries the various networks over a single physical link, but each is tagged independently.

    If my switch was in the middle of a chain of 3 switches, I guess 2 ports would be ok for this? (At the minute, I only have 2 switches, so this question I'm asking doesn't really apply atm)

    On the switch, each port is assigned to groups of VLANs.  For most devices, you want them to exist on a single VLAN.  For those ports, you specify the VLAN to use for untagged traffic and remove the port from all other VLANs.  That way, even if the device sends a tagged packet, the switch won't allow the traffic onto the VLAN.

    So in terms of our HP switch (Mine is a 1800-24G layer2 only), what setting does your quote above refer to? Uncheck VLAN aware? Or/And just make the port a member of NO VLANs but ONLY set the PVID? (See where I'm getting confused here?)

    For some devices, you may wish to have it be accessible on multiple VLANs, but not route between them.  To do that, you set up the port to use only tagged traffic and only make the port a member of the VLANs that it should be allowed to participate in.  The device is then configured to set an IP per VLAN and disallow routing.  Unless you are doing something really complex, this probably isn't something you will need to do.

    No need for this at the minute, but thanks for explaining. My switch is only layer 2 so it's probably a bad idea for this anyways (Unless I didn't care about the single device routing between the 2 VLANS)

    The main gotcha with VLANs is that VLAN tag 1 is almost always special in some way.  For the HP switch I have (2800), VLAN 1 is the default VLAN and is the one on which all the management services run.  That particular setting is configurable on my switch, but many other switches don't offer a way to change it.  To be on the safe side, use VLAN tags other than 1 for your actual networks.

    Understood :)

