Possible switch into HUB Mode?

Hubsi-Smith
Level 1

Hello,

we have a small network with some c9200 switches and a lot of VLAN there.

Now, some days ago a network-experienced guy told us that using VLANs could be dangerous because of VLAN hopping. I am not very familiar with that, because we declare all ports as access or trunk and no used ports are disabled, like the previous configuration on HP ProCurve switches. Back to VLAN hopping: he also told us that it is possible to put a switch into a HUB mode. There are already exploits that use this technique to get access to a switch or to read the data on every VLAN.

I searched at the internet and I could not find much of this move switch into hub mode.

How difficult is this attack scenario and what precautions are necessary to avoid this attack?

5 Replies

Giuseppe Larosa
Hall of Fame

Hello @Hubsi-Smith ,

modern Cisco switches are not so sensitive to VLAN hopping attacks.

In order to defeat a VLAN hopping attack, it is enough to use a native VLAN on trunks that is dedicated to this purpose, with no Layer 3 services on it.

>> no used ports are disabled

This is good from a security point of view.

>> he also told us that it is possible to put a switch into a HUB mode.

Yes, but this is another type of attack, one that attempts to fill the CAM table of your switches with randomly generated frames, each of them with a different source MAC address.

The attacking device needs to be attached to your network physically, on an access port, to be able to perform this second type of attack.

Port security with a maximum number of MACs per port and violation action shutdown is a good countermeasure to this MAC flooding attack.

The tools for performing this kind of attack are available in some Linux distributions, or they can be installed in a Linux distribution.

I have done some tests many years ago with a library called dsniff on a red hat linux box.

Hope to help

Giuseppe

Thank you for your explanation...

For example I have this environment:

Lancom Internet router <-> Cisco SG350-24 <-> Cisco SG350-24, with the following VLANs:

  • VLAN 1: Internet (default VLAN)
  • VLAN 700: Meraki Management (native VLAN)
  • VLAN 701: Meraki first SSID (trunk), Internet access
  • VLAN 702: Meraki second SSID (trunk), Internet access

Meraki AP port configuration:

switchport mode trunk
switchport trunk native vlan 700

Uplink on the last SG350:

switchport mode trunk
switchport trunk native vlan 700

On VLAN 1 a lot of Internet PCs are connected. I also need them to get access to the Internet via the Meraki APs.

If I understand it right, I should not allow the default VLAN to connect to the Lancom Internet router, to avoid VLAN hopping?

Joseph W. Doherty
Hall of Fame

From a security perspective, the only "safe" network device is one that's turned off - and even that might be debatable (laugh).

Anyway, once you activate the device, there's always some risk, especially from zero day exploits, but otherwise if you follow generally recommended security practices, you're often pretty secure.  If yours is a "high risk" environment, then you might consider extreme security approaches, such as perhaps not using any VLANs on a switch, but for general use, that's often "overkill".

"I searched at the internet and I could not find much of this move switch into hub mode."

Hmm, what search criteria did you use?  I used "vlan hopping exploit" and quickly found:

https://en.wikipedia.org/wiki/VLAN_hopping

https://cybersecurity.att.com/blogs/security-essentials/vlan-hopping-and-mitigation

https://www.exploit-db.com/docs/english/45050-vlan-hopping-attack.pdf

"Back to VLAN hopping, he also told us that it is possible to put a switch into a HUB mode."

Yea, as Giuseppe describes, at one time that might be possible by overfilling a switch's MAC table, but unless you're using some very, very old switch, likely that exploit was corrected by the vendor on later switch models.

Leo Laohoo
Hall of Fame

Allow me to chime in: 

  • VLAN Hopping can only work if the malicious client is directly connected to your switch infrastructure.  The biggest threat, in my opinion, is not "just" the attack but physical access to the network gear.
  • A lot of SMBs have very little idea what a VLAN is.  And most of the time, SMBs give the responsibility (of configuring and managing the network) to fly-by-night operators.  One big fat VLAN (VLAN 1), a /8 or /16 DHCP scope and all ports as trunks are some of their handiwork.
  • Switches' CAM tables are relatively deep.  Consideration has been made that a switch can be either an access switch or a core switch.  VLAN Hopping will not affect the CAM table, not as much, but the DHCP scope will feel the effect first when it runs out of usable DHCP IP addresses to dish out.
  • The most "basic" mitigation is to avoid configuring access ports to auto-negotiate between an access port and a trunk port.  Ports connected to non-network-related equipment, such as PCs, printers, phones, servers, etc., need to be access ports.  Period.
  • If the port needs to be configured as a trunk, then specify which VLANs are allowed -- never leave a trunk configured for "all VLANs".
  • In our network, we use VLAN 1 as a "sin bin":  the VLAN 1 interface is disabled and no IP address is configured on it.  Put unused ports into VLAN 1, disable PortFast but enable BPDU Guard.

Hope this helps. 

Leo Laohoo
Hall of Fame

@Hubsi-Smith wrote:

>> some days ago a network-experienced guy told us
>> that it is possible to put a switch into a HUB mode


Now that is funny as f00k.  That as an "experienced network guy", the only recommendation he/she could think of is "put the switch into HUB mode".  
