Private VLANs are a common mechanism to restrict communications
between systems on the same logical IP subnet. Private VLANs work by limiting
the ports within a VLAN that can communicate with other ports in the same VLAN.
Isolated ports within a VLAN can communicate only with promiscuous ports.
Community ports can communicate only with other members of the same community
and promiscuous ports. Promiscuous ports can communicate with any port. One
network attack capable of bypassing the protection of private VLANs uses a
host on a promiscuous port as a proxy to get around the access restrictions
of the private VLAN.
Private VLAN Proxy Attack
In this network attack against private
VLANs, frames are forwarded to a host on the network connected to a promiscuous
port, such as a router. In Figure
the network
attacker sends a packet with the source IP and MAC address of their own device, the
destination IP address of the target system, but the destination MAC address of
the router. The switch forwards the frame to the router, because the router sits
on a promiscuous port. The router routes the packet, rewrites the destination
MAC address to that of the target, and sends the packet back out. Now the packet
has the proper format as shown in Figure
and is forwarded
to the target system, again because it enters the VLAN from a promiscuous port.
This network attack allows only unidirectional traffic, because any attempt by
the target to send traffic directly back to the attacker is blocked by the
private VLAN configuration. If both hosts are compromised, static ARP entries
pointing at the router's MAC address could be used to allow bidirectional
traffic. This scenario is not a private VLAN vulnerability, because all the
rules of private VLANs were enforced. However, the network security was
bypassed.
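To make the forwarding rules concrete, the following added example (not code from the book or from Cisco) models the three private VLAN port types and traces a frame through the switch and the router. The topology, port names, MAC and IP addresses are all constructed for the example. It shows that the direct path from one isolated port to another is refused, that the same frame addressed to the router's MAC reaches the target because both legs of the trip involve a promiscuous port, and that the target's direct reply is refused. The `block_hairpin` flag models the usual countermeasure, an access list on the router that drops traffic whose source and destination addresses both belong to the local subnet, which closes the proxy path without changing the private VLAN itself.

```python
"""Model of private VLAN port rules and the proxy path through a router.
All addresses, port names and the topology below are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import ipaddress


class PortType(Enum):
    ISOLATED = "isolated"
    COMMUNITY = "community"
    PROMISCUOUS = "promiscuous"


@dataclass(frozen=True)
class Port:
    name: str
    kind: PortType
    community: Optional[str] = None  # only meaningful for community ports


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def pvlan_allows(ingress: Port, egress: Port) -> bool:
    """Port-to-port rules of a private VLAN: promiscuous talks to anyone,
    community only within its own community, isolated only to promiscuous."""
    if PortType.PROMISCUOUS in (ingress.kind, egress.kind):
        return True
    if ingress.kind is PortType.COMMUNITY and egress.kind is PortType.COMMUNITY:
        return ingress.community == egress.community
    return False  # isolated<->isolated and isolated<->community are blocked


# Constructed topology: one subnet, router on a promiscuous port,
# attacker and target each on an isolated port.
SUBNET = ipaddress.ip_network("192.0.2.0/24")
ROUTER = Port("Gi0/1", PortType.PROMISCUOUS)
ATTACKER = Port("Fa0/10", PortType.ISOLATED)
TARGET = Port("Fa0/11", PortType.ISOLATED)
HOSTS = {  # ip -> (mac, port)
    "192.0.2.1": ("00:00:5e:00:53:01", ROUTER),
    "192.0.2.10": ("00:00:5e:00:53:10", ATTACKER),
    "192.0.2.11": ("00:00:5e:00:53:11", TARGET),
}
MAC_TO_PORT = {mac: port for mac, port in HOSTS.values()}
IP_TO_MAC = {ip: mac for ip, (mac, _) in HOSTS.items()}
ROUTER_MAC = IP_TO_MAC["192.0.2.1"]


def switch_forward(frame: Frame, ingress: Port) -> Optional[Port]:
    """Return the egress port, or None if the private VLAN blocks the frame."""
    egress = MAC_TO_PORT.get(frame.dst_mac)
    if egress is None or not pvlan_allows(ingress, egress):
        return None
    return egress


def router_forward(frame: Frame, block_hairpin: bool) -> Optional[Frame]:
    """The router receives a frame for its own MAC, routes by destination IP
    and rewrites the MAC header. With block_hairpin=True it applies an ACL
    that drops traffic whose source and destination are both in the local
    subnet, the standard countermeasure for the proxy path."""
    src, dst = ipaddress.ip_address(frame.src_ip), ipaddress.ip_address(frame.dst_ip)
    if block_hairpin and src in SUBNET and dst in SUBNET:
        return None
    if frame.dst_ip not in IP_TO_MAC:
        return None
    return Frame(ROUTER_MAC, IP_TO_MAC[frame.dst_ip], frame.src_ip, frame.dst_ip)


def deliver(frame: Frame, ingress: Port, block_hairpin: bool = False) -> Optional[Port]:
    """Trace a frame through the switch and, if it goes to the router, back
    out again. Returns the port that finally receives it, or None."""
    egress = switch_forward(frame, ingress)
    if egress is None:
        return None
    if egress is ROUTER:
        routed = router_forward(frame, block_hairpin)
        if routed is None:
            return None
        return switch_forward(routed, ROUTER)  # second pass enters from a promiscuous port
    return egress


def direct_attempt() -> Optional[Port]:
    """Attacker addresses the target's MAC directly: isolated to isolated."""
    return deliver(Frame(IP_TO_MAC["192.0.2.10"], IP_TO_MAC["192.0.2.11"],
                         "192.0.2.10", "192.0.2.11"), ATTACKER)


def proxied_attempt(block_hairpin: bool = False) -> Optional[Port]:
    """Attacker addresses the router's MAC but the target's IP."""
    return deliver(Frame(IP_TO_MAC["192.0.2.10"], ROUTER_MAC,
                         "192.0.2.10", "192.0.2.11"), ATTACKER, block_hairpin)


def reply_attempt() -> Optional[Port]:
    """Target replies straight to the attacker's MAC, which the PVLAN refuses."""
    return deliver(Frame(IP_TO_MAC["192.0.2.11"], IP_TO_MAC["192.0.2.10"],
                         "192.0.2.11", "192.0.2.10"), TARGET)


if __name__ == "__main__":
    print("direct:", direct_attempt())
    print("via router:", proxied_attempt())
    print("via router, ACL on:", proxied_attempt(block_hairpin=True))
    print("reply:", reply_attempt())
```

Running the module prints `None` for the direct attempt, the target port for the proxied attempt, `None` once the router's same-subnet ACL is enabled, and `None` for the reply, which matches the behaviour described in the text: every private VLAN rule is honoured at each hop, and the router is the component that must enforce the missing check.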
NOTE:
Private VLANs are not configurable on the Cisco Catalyst 2950 switch.
More information about Private VLANs is available at the web links below.