An Example of a Security Exploit Due to the Native VLAN

January 18, 2018 at 8:24 pm

Native VLAN

In many of our Cisco courses, we learn that networking best practices often point to the non-use of the Native VLAN. But why is this?

It turns out there are security vulnerabilities that could result from having a VLAN not tagged across your trunk links. For example, there is the VLAN hopping attack.

Here is how this attack could work:

Step 1: A bad person at a customer site wants to send frames into a VLAN that they are not part of.

Step 2: This person double tags the frame (Q-in-Q) with the outer frame matching the native VLAN in use at the provider edge switch.

Step 3: The provider edge switch strips off the outer tag (because it matches the native VLAN), and send this frame across the trunk.

Step 4: The next switch in the path examines the frame and reads the inner VLAN tag and forwards the frame accordingly.

Notice this attack is unidirectional. The attacker can send traffic into the VLAN, but traffic will not return. Even still, this is obviously not something we want taking place.

What are possible solutions?

  • Use ISL trunks in the cloud – this becomes less and less possible as ISL trunks fade away.
  • Use a Native VLAN that is outside of the range permitted for the customer.
  • Tag the native VLAN in the cloud.

 

Static Routes on the ASA

September 24, 2014 at 9:00 am

In this MicroNugget, I demonstrate the configuration and verification of static IP routes on the Cisco ASA firewall. This tutorial relates to CBT Nuggets’ CCNA Security certification playlist. Try CBT Nuggets free for 7 days.

MicroNugget: ASA Interface Setup and Security Levels

September 22, 2014 at 9:00 am

I demonstrate the initial setup of ASA interfaces and also teach about security levels in the ASA. This tutorial relates to CBT Nuggets’ CCNA Security training. Try CBT  Nuggets free for 7 days.

MicroNugget: The ASA in GNS3

September 20, 2014 at 9:00 am

In this MicroNugget, I demonstrate the setup and testing of an ASA in GNS3 version 0.8.7. This tutorial relates to CBT Nuggets’ CCNA Security training. Try CBT Nuggets free for 7 days.

MicroNugget: The ASA Setup Wizard

September 19, 2014 at 9:00 am

I demonstrate the setup script on the Cisco ASA firewall. This tutorial relates to CBT Nuggets’ CCNA Security training. Try CBT Nuggets free for 7 days.

MicroNugget: Traffic Filtering ACLs on the ASA

September 18, 2014 at 9:00 am

I demonstrate how to control traffic filtering configurations with ACLs on the Cisco ASA. This tutorial relates to CBT Nuggets’ CCNA Security certification playlist. Try CBT Nuggets free for 7 days.

Who is Hacking Who?

February 20, 2013 at 3:47 am

China is upset with US claims that hacking attacks are being sponsored by the Chinese Government. Check out the full story here. Notice the very interesting statistics on hacking highlighted in this article!

Click Here for the Full Story!

Facebook Hit with “Watering Hole” Style Attack

February 16, 2013 at 5:06 pm

In the CCNA Security discipline, we learn about many different security attacks. These include such common issues as Reconnaissance Attacks and the dreaded Distributed Denial of Service (DDoS) attacks. It is understandable that new day zero (brand new and unknown) attacks are always going to take place.

Want a real world example? Facebook just experienced some new day zero problems centered around a class of attack known as a Watering Hole attack. This is where a popular Web site used by an organization is attacked and is able to infect systems that visit that site. This is certainly a scary proposition, especially when you consider that Facebook computers that were infected were fully patched to protect against all known attacks.

Want to read the complete story? I hope you do – check it out here:

Wall Street Journal: Facebook – We Were Hacked But Don’t Panic