My local college is working to implement a new voice over IP system. The system uses HP switches to carry all VoIP traffic on a VLAN separate from normal network traffic, for both security and compatibility. But what I've realized is that VLANs, much like IPv4, work by reading a tag (an 802.1Q header) that the switch attaches to each frame, and, like an IPv4 source address, that tag is easy to spoof: any host can send frames with a tag already in place.

Switches that support VLANs typically have trunk ports, which carry all VLANs so that traffic can be passed to other switches. On older switches the default was that any port could be negotiated into trunking mode, which means a system on VLAN 1 could reach traffic on VLAN 2 as long as the proper tags were attached. Once on the other VLAN an attacking host could also redirect and sniff its traffic using ARP attacks (but we won't get into that). Once VoIP traffic can be sniffed, an attacker could listen in on any call within the switch's domain using freely available software.

So what if the switch is set up so that user ports strip VLAN tags? According to @stake research paid for by Cisco, it is possible to double-tag (encapsulate) frames sent through the switch so that the user port once again behaves like a trunk port, negating the VLAN separation. The trick depends on the attacker's port sitting in the trunk's native VLAN: the first switch strips the outer tag because native-VLAN traffic is sent untagged across the trunk, and the next switch reads the inner tag and delivers the frame into that VLAN. The frame only travels one way, since nothing tags the replies back to the attacker, and the usual countermeasures are to put the native VLAN on a VLAN no user port belongs to and to disable trunk negotiation on user ports. See the reference links below for a better explanation.
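To make the double-tagging step concrete, here is an added example (not code from the original post or from the @stake paper): it builds a raw Ethernet frame with two stacked 802.1Q tags and runs it through a deliberately simplified model of two switches joined by a trunk, so the role of the trunk's native VLAN can be seen directly. The switch behaviour, the MAC addresses, the VLAN numbers and the payload are all constructed for the example; the model is not an HP or Cisco implementation.

```python
"""Model of 802.1Q double tagging (VLAN hopping). Added example, not from the original post.
The switch logic is a simplified model of the behaviour the attack relies on, not vendor code."""
import struct

TPID_8021Q = 0x8100     # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def dot1q_tag(vid: int, pcp: int = 0) -> bytes:
    """4-byte 802.1Q tag: TPID, then TCI (3-bit priority, 1-bit DEI, 12-bit VLAN ID)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)


def build_frame(dst: bytes, src: bytes, vids: list, payload: bytes,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Ethernet frame with zero or more stacked VLAN tags, outermost first."""
    tags = b"".join(dot1q_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes):
    """Return (VLAN IDs outermost first, inner EtherType, payload)."""
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return vids, ethertype, frame[off + 2:]


def pop_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def push_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + dot1q_tag(vid) + frame[12:]


def hop(frame: bytes, access_vid: int, native_vid: int):
    """Send one frame from an access port on switch A, over an 802.1Q trunk, into switch B.
    Returns the VLAN switch B delivers it into, or None if switch A drops it."""
    # Switch A, access-port ingress (model): an untagged frame gets the port's VLAN; a frame
    # already tagged with the port's own VLAN is accepted as-is (what the attack relies on);
    # a frame tagged with any other VLAN is dropped.
    vids, _, _ = parse_tags(frame)
    if not vids:
        frame = push_tag(frame, access_vid)
    elif vids[0] != access_vid:
        return None
    # Switch A, trunk egress: the native VLAN is sent untagged, so its outer tag is removed.
    vids, _, _ = parse_tags(frame)
    if vids[0] == native_vid:
        frame = pop_outer_tag(frame)
    # Switch B, trunk ingress: an untagged frame belongs to the native VLAN; otherwise the
    # first tag it sees decides. Nothing ever looks past that first tag.
    vids, _, _ = parse_tags(frame)
    return native_vid if not vids else vids[0]


# Constructed sample input: attacker MAC, a MAC on the voice VLAN, and a stand-in payload.
ATTACKER = bytes.fromhex("02000000aa01")
VICTIM = bytes.fromhex("02000000bb02")
PAYLOAD = b"\x45" + bytes(19)

# Attacker on VLAN 1 sends a frame tagged VLAN 1 (outer) and VLAN 20 (inner, the voice VLAN).
DOUBLE_TAGGED = build_frame(VICTIM, ATTACKER, [1, 20], PAYLOAD)


def demo():
    """VLAN the frame lands in when the trunk's native VLAN is 1, and when it is an unused VLAN."""
    weak = hop(DOUBLE_TAGGED, access_vid=1, native_vid=1)
    hardened = hop(DOUBLE_TAGGED, access_vid=1, native_vid=999)
    return weak, hardened


if __name__ == "__main__":
    weak, hardened = demo()
    print("native VLAN 1   -> delivered into VLAN", weak)      # 20: hopped into the voice VLAN
    print("native VLAN 999 -> delivered into VLAN", hardened)  # 1: stays in the attacker's VLAN
```

With the native VLAN equal to the attacker's access VLAN the outer tag is stripped on the trunk and switch B files the frame under VLAN 20; with the native VLAN moved to an unused number the outer tag survives and the inner one is never read. The model also shows why the attack is one-way: nothing on the return path adds a tag that would carry a reply back to VLAN 1.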
References
Cisco - Layer 2 -- The Weakest Link
Ethernet: Layer 2 Security
Routing & Tunneling Protocol Attacks
Hacking Layer 2: Fun with Ethernet Switches
Topsight.net
http://www.topsight.net/article.php/20040218203509163