VLAN Vulnerabilities
Private VLAN vulnerabilities

Private VLANs are a common mechanism to restrict communications between systems on the same logical IP subnet. Private VLANs work by limiting which ports within a VLAN can communicate with other ports in the same VLAN. Isolated ports within a VLAN can communicate only with promiscuous ports. Community ports can communicate only with other members of the same community and with promiscuous ports. Promiscuous ports can communicate with any port. One network attack capable of bypassing the security that private VLANs provide uses a proxy to get around the access restrictions of the private VLAN.

Private VLAN Proxy Attack
In this network attack against private VLANs, frames are forwarded to a host on the network that is connected to a promiscuous port, such as a router. In Figure the network attacker sends a packet with the source IP and MAC address of their own device, a destination IP address of the target system, but a destination MAC address of the router. The switch forwards the frame to the router because the attacker's port is allowed to talk to the promiscuous port. The router routes the traffic, rewrites the destination MAC address to that of the target, and sends the packet back out. Now the packet has the proper format, as shown in Figure, and is forwarded to the target system. This network attack allows only unidirectional traffic, because any attempt by the target to send traffic directly back will be blocked by the private VLAN configuration. If both hosts are compromised, static ARP entries could be used to allow bidirectional traffic. This scenario is not a private VLAN vulnerability, because all the rules of private VLANs were enforced. However, the network security was bypassed.
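The forwarding decisions described above, modelled as an added example that is not part of the original article: the switch applies the private VLAN port rules, the router hop re-emits frames addressed to its MAC, and a detection rule flags on-link destinations handed to the gateway. The topology, port names, MAC and IP addresses are constructed, and the rule set also covers community ports, which the narrative does not use.

```python
import ipaddress

# Constructed sample topology (an assumption, not from the page): one /24 private VLAN
# with two isolated host ports and the router on the promiscuous port.
SUBNET = ipaddress.ip_network("192.0.2.0/24")
ROUTER_IP, ROUTER_MAC = "192.0.2.1", "00:00:5e:00:01:01"
PORT_TYPE = {"Gi0/1": "isolated", "Gi0/2": "isolated", "Gi0/24": "promiscuous"}
MAC_PORT = {"aa:aa:aa:aa:aa:01": "Gi0/1", "bb:bb:bb:bb:bb:02": "Gi0/2", ROUTER_MAC: "Gi0/24"}
ARP = {"192.0.2.10": "aa:aa:aa:aa:aa:01", "192.0.2.20": "bb:bb:bb:bb:bb:02", ROUTER_IP: ROUTER_MAC}

def pvlan_allows(src_port, dst_port, community=None):
    """Private VLAN rule set: promiscuous talks to any port, isolated only to
    promiscuous, community only to the same community or to promiscuous."""
    s, d = PORT_TYPE[src_port], PORT_TYPE[dst_port]
    if "promiscuous" in (s, d):
        return True
    if s == d == "community":
        return (community or {}).get(src_port) == (community or {}).get(dst_port)
    return False  # isolated-to-isolated, isolated-to-community, cross-community

def on_link(ip):
    return ipaddress.ip_address(ip) in SUBNET

def router_proxy(frame):
    """Router hop of the proxy path: a frame addressed to the router's MAC whose IP
    destination is on-link is routed straight back out with the target's MAC."""
    src_mac, dst_mac, src_ip, dst_ip = frame
    if dst_mac != ROUTER_MAC or not on_link(dst_ip) or dst_ip not in ARP:
        return None
    return (ROUTER_MAC, ARP[dst_ip], src_ip, dst_ip)

def deliver(frame):
    """Trace one frame (src_mac, dst_mac, src_ip, dst_ip) through the switch and,
    if addressed to the router, through the router hop. True if it reaches dst_ip."""
    src_mac, dst_mac, src_ip, dst_ip = frame
    if not pvlan_allows(MAC_PORT[src_mac], MAC_PORT[dst_mac]):
        return False
    if dst_mac == ARP.get(dst_ip):
        return True
    relayed = router_proxy(frame)
    return relayed is not None and pvlan_allows(MAC_PORT[relayed[0]], MAC_PORT[relayed[1]])

def is_hairpin(frame):
    """Detection rule for this path: a host sends an on-link destination IP (other
    than the router's own) to the gateway's MAC instead of ARPing for the peer."""
    _, dst_mac, _, dst_ip = frame
    return dst_mac == ROUTER_MAC and on_link(dst_ip) and dst_ip != ROUTER_IP
```

Run against the constructed topology, the direct frame between the two isolated hosts is dropped, the frame addressed to the router's MAC reaches the target, the target's direct reply is dropped, and a reply that likewise uses a static ARP entry for the router's MAC gets through.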

NOTE:

Private VLANs are not configurable on the Cisco Catalyst 2950 switch. More information about Private VLANs is available at the web links below.


Web Links