02-23-2018 11:46 PM - edited 02-21-2020 07:25 AM
Dears,
On every switch I have a VLAN 1 interface in the shut state, but there are some ports assigned to VLAN 1 as the default VLAN. Is it a high security risk to keep the ports in the default VLAN, though my VLAN 1 interface is shut down?
thanks
02-24-2018 04:51 AM
Hi,
You can and most likely will need to use a native VLAN on your trunk ports, at least on Cisco switches; other vendors do it differently. But what you have to remember is that the security risk is more to do with VLAN 1 (the default VLAN) being set as the native VLAN.
You should change the native VLAN from VLAN 1 to a new VLAN that you create. The native VLAN is used for a lot of management data such as DTP, VTP and CDP frames, and also BPDUs for spanning tree.
When you get a brand new switch, VLAN 1 is the only VLAN that exists; this also means that all ports are members of this VLAN by default.
If you are using VLAN 1 as your native VLAN, you have all the ports that you haven't configured as part of this VLAN. So if an attacker connects to a port that is not used and not configured (because it's not used), he straight away has access to your management VLAN and can read and inject packets that could allow VLAN hopping, or capture packets you don't want him/her to see, or worse, SSH into your switches/routers (never allow Telnet).
The advice is always to not use VLAN 1, so if an attacker or unwanted client connects and ends up on VLAN 1 and there is nothing configured on this VLAN, such as a usable gateway, they are pretty much stuck and can't go anywhere, while your native VLAN is something like VLAN 900, which is less likely to have any port access as it isn't the default VLAN.
A lot of engineers do not disable unused ports, and using VLAN 1 for important stuff leaves you in a situation where the access is open unless you use something like 802.1X. Engineers/network admins forget, and you have a little security hole that can benefit an attacker. If your VLAN 1 is not used and ports are left as default, it's not such a big deal because it is not used.
Hope this helps you on your quest.
Regards,
Deepak Kumar
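As an added example (not code from this thread, from Cisco, or from the posters above), the following Python script applies the advice in the answer to a saved `show running-config`: it flags trunks whose native VLAN is still 1, trunks that still carry VLAN 1, access ports left in VLAN 1, ports at factory default (no `switchport mode`, so DTP will negotiate a trunk for anyone who asks) and trunks without `switchport nonegotiate`, and emits the IOS commands that close each finding. The sample config, the native VLAN 900 and the parking VLAN 999 are constructed assumptions; the defaults it assumes for an unconfigured Catalyst port (dynamic DTP mode, native and access VLAN 1) are the usual IOS defaults.

```python
"""Audit a Cisco IOS running-config for the VLAN 1 / native VLAN issues discussed
in the thread. Added example, not code from the original post."""
import re
from typing import Dict, List, Optional, Set

NATIVE_VLAN = 900     # assumption: unused VLAN chosen as the trunk native VLAN
BLACKHOLE_VLAN = 999  # assumption: unused VLAN for parking unused ports

# Constructed sample of a `show running-config` excerpt (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20,900
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
 switchport mode trunk
 switchport trunk native vlan 900
 switchport nonegotiate
!
interface Vlan1
 no ip address
 shutdown
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [indented config lines]} for each stanza."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(maxsplit=1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas

def audit_interface(name: str, lines: List[str]) -> List[str]:
    """Finding codes for one physical switchport (empty list = clean)."""
    if name.lower().startswith(("vlan", "loopback", "tunnel")) or "shutdown" in lines:
        return []  # SVIs are not ports; a shut port cannot be used by an attacker
    mode, native, access = "dynamic", 1, 1  # IOS defaults: DTP on, VLAN 1
    allowed: Optional[Set[int]] = None       # None = all VLANs ride the trunk
    nonegotiate = "switchport nonegotiate" in lines
    for line in lines:
        if line in ("switchport mode trunk", "switchport mode access"):
            mode = line.split()[2]
        elif m := re.match(r"switchport trunk native vlan (\d+)$", line):
            native = int(m.group(1))
        elif m := re.match(r"switchport access vlan (\d+)$", line):
            access = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan (?!add|remove|except|all)(\S+)$", line):
            allowed = set()  # expand "1,10-12,900"; "all" leaves allowed = None
            for tok in m.group(1).split(","):
                lo, _, hi = tok.partition("-")
                allowed.update(range(int(lo), int(hi or lo) + 1))
    checks = [
        (mode == "dynamic", "DEFAULT_CONFIG"),  # factory default: VLAN 1, trunks on request
        (mode != "access" and not nonegotiate, "DTP_ENABLED"),  # switch-spoofing hop
        (mode == "trunk" and native == 1, "NATIVE_VLAN_1"),  # double-tagging hop
        (mode == "trunk" and (allowed is None or 1 in allowed), "VLAN1_ALLOWED_ON_TRUNK"),
        (mode == "access" and access == 1, "ACCESS_VLAN_1"),
    ]
    return [code for cond, code in checks if cond]

def audit(config: str) -> Dict[str, List[str]]:
    """Interfaces that have findings, mapped to their finding codes."""
    results: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        if findings := audit_interface(name, lines):
            results[name] = findings
    return results

def remediation(name: str, findings: List[str]) -> List[str]:
    """IOS commands that close the findings on one interface."""
    cmds = [f"interface {name}"]
    if "DEFAULT_CONFIG" in findings:  # unused port: pin to access, park it, shut it
        return cmds + ["switchport mode access", f"switchport access vlan {BLACKHOLE_VLAN}", "shutdown"]
    if "ACCESS_VLAN_1" in findings:   # move to the real user VLAN, or park it
        cmds.append(f"switchport access vlan {BLACKHOLE_VLAN}")
    if "NATIVE_VLAN_1" in findings:
        cmds.append(f"switchport trunk native vlan {NATIVE_VLAN}")
    if "VLAN1_ALLOWED_ON_TRUNK" in findings:
        cmds.append("switchport trunk allowed vlan remove 1")
    if "DTP_ENABLED" in findings:     # only accepted once the mode is access or trunk
        cmds.append("switchport nonegotiate")
    return cmds

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, findings, *remediation(name, findings), sep="\n  ")
```

Feed it the text of `show running-config` instead of the constructed sample. Two points the output makes that the prose alone does not: the trunk that already has native VLAN 900 is still flagged, because changing the native VLAN does not remove VLAN 1 from the trunk (the follow-up question in this thread about VLAN 1 being allowed on the trunks), and `switchport nonegotiate` is emitted last because IOS only accepts it after the port is in explicit access or trunk mode.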
02-24-2018 05:11 AM
Well, I am with Deepak on this one, i.e. VLAN 1 is the default native VLAN. Although you will most likely not need a native VLAN, you are best off assigning the native VLAN another number like 999 and assigning no access ports to it.
02-24-2018 03:57 AM
If you rigorously shut the interface that has VLAN 1, you should be good, and if your VLAN 1 interface has no IP addresses, you really can't route in and out of the VLAN either.
02-24-2018 04:45 AM
Dear Mink,
My VLAN 1 interface is shut on all switches, but VLAN 1 was allowed on the trunks; still, it will not have an effect of a VLAN hopping attack?
thanks
02-24-2018 10:44 PM
thanks Deepak and Mink,
I have rated you both.