Recently we learned from one of our customers that a consultant with a CCIE had recommended they consider using VLANs (Virtual Local Area Networks) on their core LAN switch to accommodate their various DMZ hosts. This is in stark contrast to our standard recommendation that these assets remain on a physically separate switch because of the inherent risks associated with them (which is why they live in a DMZ in the first place). Since this is definitely not the first time we have run into this recommendation, we thought it would be a prudent exercise to talk through the issue and better illustrate our point of view and our philosophical objections to the practice.
Background
The use of virtualization as a trend in modern computing cannot be ignored. It is pervasive. You can find it at every level of the network stack, from layer 1 (Wireless Networking) all the way up to layer 7 (Virtual Hosts/Machines). With virtualization comes some amount of complexity, and that complexity demands thoughtful consideration of the consequences. When layer 3 switches came into the picture and the difference between routers (layer 3 devices) and switches (layer 2 devices) was blurred, a virtual Pandora's Box was opened that allowed network administrators to do more with less networking gear -- both a good and a bad thing. Instead of needing five separate switches for five different segments of the network, only one switch was needed, with five distinct VLANs (the good). Minimal thought was given to the security ramifications (the bad) and to how the use of VLANs would evolve over time. The following discussion will explore four distinct issues we see with network architectures that rely solely on VLAN security to keep network traffic separate and confidential.
Known Exploits
There are currently two well known and validated exploits that allow for the activity called "VLAN Hopping": someone on a host on one VLAN exploits a vulnerability to see and participate in traffic on another VLAN on the same switch (to illustrate the point, think of someone on a web server listening to and participating in communications with a database server that stores sensitive, personally identifiable information). While it is true that there are configuration options that, if implemented properly, will minimize or eliminate these two threats on most switches, there is a more fundamental question that should be asked. Before there were two known exploits for this, there was one. Before there was one, there were none. We are left wondering why any reasonable person wouldn't ask themselves whether it is reasonable to assume there will not be a third, fourth, etc. exploitable vulnerability as yet unknown. If we as a community of security professionals have learned anything, it is that history is an excellent predictor of the future -- there are no systems without exploitable vulnerabilities given the proper amount of time and motivation.
Configuration Conundrum
We touched above on the fact that for the two currently known VLAN hopping exploits there are configuration specifics that address the security issues. What we didn't mention is that, by and large, almost all switches coming out of the box are vulnerable to these two methods of exploitation, and without very specific attention to configuring them for protection, they will remain vulnerable. This raises a much larger question as to how much faith in one's "corporate jewels" an organization is willing to place in the weakest link in any network administration team. So, knowing that there are presently only two exploits that take advantage of this vulnerability, and making the huge assumption that there will never be another, in order to deploy switches and be 100% confident that VLAN security is going to protect the confidentiality of sensitive data traversing the network, one needs to have 100% confidence that all switches throughout the organization have been configured to include all necessary protections against the two known exploits, and that those configurations will never be altered, tampered with, or inadvertently changed. This is a tall order in our estimation, and certainly one on which we would not give odds.
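To make the configuration burden described above concrete, here is an added example (not code from the original article) that audits a Cisco IOS-style running config and flags switchports still sitting at their insecure defaults. The sample config is constructed, and the checks reflect commonly documented hardening against the two VLAN hopping techniques (disabling trunk negotiation, moving the native VLAN off VLAN 1, pruning trunks); the vendor syntax and those checks are this example's assumptions, not the article's.

```python
"""Audit a Cisco IOS-style running config for VLAN hopping hardening gaps."""

# Constructed sample (not captured from a real device): one hardened trunk,
# one access port left at its default (DTP still negotiates), one weak trunk.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet0/2
 switchport access vlan 20
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk native vlan 1
!
"""

def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} per interface stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return interfaces

def audit_interface(lines):
    """Return a list of findings (strings) for one switchport."""
    findings = []
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    # No explicit mode (or a dynamic mode) leaves DTP trunk negotiation on,
    # which is the out-of-the-box state the text warns about.
    if mode in (None, "dynamic") and "switchport nonegotiate" not in lines:
        findings.append("DTP negotiation possible: set 'switchport mode access' and 'switchport nonegotiate'")
    if mode == "trunk":
        if "switchport nonegotiate" not in lines:
            findings.append("trunk without 'switchport nonegotiate'")
        native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")), "1")
        if native == "1":
            findings.append("native VLAN 1 on trunk; move it to an unused VLAN to blunt double tagging")
        if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            findings.append("trunk carries every VLAN; prune with 'switchport trunk allowed vlan'")
    return findings

def audit_config(config):
    """Map each interface name to its findings; an empty list means it passed."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}
```

Running `audit_config(SAMPLE_CONFIG)` reports nothing for GigabitEthernet0/1 and three findings for GigabitEthernet0/3; running it against every switch on a schedule is one way to catch the configuration drift the section describes.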