VLAN Hopping: How to defend your systems against attacks on a virtual LAN?

Every day, 230,000 copies of malware are produced with the objective of penetrating the systems of medium and large companies around the world. Generally, these attackers are after one thing: sensitive data, that is, confidential information about users, products and processes.

VLAN Hopping is precisely one of the methods used to sneak into corporate virtual networks.


Incorrect VLAN settings and a lack of knowledge about secure network management can cost your company a lot of money. At the same time, this situation damages the positioning of the brand and its reliability. That is why it is essential to set up plans for prevention, monitoring and automatic defense to contain data leaks whenever they happen.

To help you create a SIEM strategy for layer 2 of the business network, here is a short guide to preventing and containing VLAN Hopping attacks.

VLAN Hopping, a constant threat for medium and large companies

VLAN Hopping is a type of attack in which the attacker tries to enter the data flow of restricted virtual networks. Once inside, the attacker can manipulate any resource in those systems. In other words, unwanted hosts try to move from VLAN to VLAN without raising suspicion, in order to steal sensitive information, delete data, install spyware or any other type of malware, and so on.

VLAN Hopping can occur at any time of day, and the attacker could come in through any profile within the network. There are two main ways to gain access:

# 1 Switch spoofing

With this method, the attacker impersonates a switch on the victim’s network in order to negotiate a trunk link with the legitimate switch through DTP (Dynamic Trunking Protocol). Over that trunk, the attacker can collect all the traffic transmitted from one point to another and move from VLAN to VLAN without raising suspicion.

Switch spoofing on Cisco switches is the most common form of the attack. It is possible when the Ethernet ports are left in DTP’s Auto or Desirable mode, which accept a trunk negotiation from whatever device is plugged in.

# 2 Double tagging

Double tagging VLAN Hopping manipulates the 802.1Q tags of an Ethernet frame. With this method, the attacker takes advantage of factory default settings to trick the switches and exploit a trunk link. The objective is for the attacker’s own VLAN to be the native VLAN of the corporate network’s trunk, so that the first switch strips the outer tag and the inner tag delivers the frame into another VLAN. After that, the unwanted host can send and receive any type of packet.
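The frame-level mechanics of the double tagging described above, as an added example that is not part of the original article: a small Python model that parses stacked 802.1Q tags, replays what the two switches on a trunk do with them, and shows why moving the native VLAN to an unused ID (999 here, a made-up value) stops the hop. The sample frame and MAC addresses are constructed.

```python
import struct

TPIDS = {0x8100, 0x88A8, 0x9100}   # 802.1Q / 802.1ad tag protocol identifiers

# Constructed sample frame (not from the article): broadcast destination, a made-up
# source MAC, an outer tag for VLAN 1 (the trunk's default native VLAN), an inner
# tag for VLAN 20, an IPv4 EtherType and a dummy payload.
DOUBLE_TAGGED = (
    bytes.fromhex("ffffffffffff") + bytes.fromhex("0242ac110002")
    + bytes.fromhex("81000001")    # outer 802.1Q tag, VID 1
    + bytes.fromhex("81000014")    # inner 802.1Q tag, VID 20
    + bytes.fromhex("0800") + b"\x00" * 20
)

def parse_vlan_tags(frame: bytes) -> list:
    """Return the stacked VLAN IDs of a frame, outermost first."""
    vids, off = [], 12                         # skip destination and source MAC
    while off + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in TPIDS:
            break
        vids.append(tci & 0x0FFF)              # low 12 bits of the TCI hold the VID
        off += 4
    return vids

def strip_outer_tag(frame: bytes) -> bytes:
    """Remove the first 802.1Q tag, as a switch does when it sends a frame untagged."""
    return frame[:12] + frame[16:]

def deliver_vlan(frame: bytes, native_vlan: int) -> int:
    """Model one 802.1Q trunk between two switches and return the VLAN the frame
    ends up in. Switch 1 sends the frame untagged (strips the outer tag) when the
    outer VID equals the trunk's native VLAN; switch 2 classifies the frame by the
    first tag it still carries, or by the native VLAN if there is none."""
    vids = parse_vlan_tags(frame)
    if vids and vids[0] == native_vlan:
        frame = strip_outer_tag(frame)
    vids = parse_vlan_tags(frame)
    return vids[0] if vids else native_vlan

def suspicious_on_access_port(frame: bytes) -> bool:
    """Detection rule for a NIDS or port mirror: hosts on access ports send untagged
    frames, so two stacked tags is the double-tagging signature."""
    return len(parse_vlan_tags(frame)) >= 2

if __name__ == "__main__":
    print("tags:", parse_vlan_tags(DOUBLE_TAGGED))           # [1, 20]
    print("lands in VLAN", deliver_vlan(DOUBLE_TAGGED, 1))    # 20: the hop succeeds
    print("lands in VLAN", deliver_vlan(DOUBLE_TAGGED, 999))  # 1: unused native VLAN stops it
```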

How to defend a virtual LAN from unwanted hosts?

You can avoid VLAN Hopping by applying prevention strategies (which means reinforcing security in the lower layers of the OSI model, layer 2 in particular), complying with data protection frameworks and monitoring activity in your systems. In any case, a well-structured work plan combined with automation is required to detect threatening events 24 hours a day.

The implementation of SIEM solutions is especially useful when it comes to creating cybersecurity frameworks. With this software you can control the traffic of sensitive information, record attackers’ methods, detect dangerous activity early and take automated actions to optimize your IT infrastructure.

Here is how to proceed with effectiveness against VLAN Hopping threats:


# Prevention

Most companies devote their security resources to the deepest layers of their systems and usually ignore the connection dynamics between hardware and software. Without a strategy for those layers, the doors to their daily traffic are inevitably left open.

However, this vulnerability can be eliminated. You just need to combine the work of the IT team with the support of security management software to develop an early response strategy. First, the IT team should understand the methods and intentions of their attackers. With this information, you can run effective automated processes, whether in threat detection, compliance or the reinforcement of specific areas of the system.

For this task, the ATT&CK model is quite useful. With this resource, your team can trace the path of the attacker before his first move. By doing this, you will be able to intercept his entry into the corporate network and cut off threats early.

Pre-attack prediction

According to ATT&CK, most cybercriminals apply meticulous tactics to the reconnaissance of weaknesses in corporate systems. Pre-attack reconnaissance is carried out through cybersecurity analysis: mapping the IT infrastructure and its configurations, and studying the counterattack capabilities of the corporate systems.

In general, these pre-attack stages are difficult for conventional software to identify, so the IT team must predict the attacker’s strategy and fix all the weaknesses between the devices and the programs.

For example, you can make an inventory of the entire business network to determine who uses it, what the primary resources are, what the behavioral patterns of each piece of hardware are, the current configurations, their factory-default weaknesses and so on.

In this sense, avoid all default configurations. After identifying which switches are vulnerable, you must disable the “Dynamic” and “Auto” DTP modes and the “Trunk” mode on ports that do not need it, setting each port explicitly to access or trunk. It is also essential to remove DTP negotiation entirely (on Cisco IOS, switchport nonegotiate) and turn the unused interfaces off.

On the other hand, your team can prevent double tagging attacks by no longer carrying ordinary user traffic on the native VLAN.
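As an added example that is not part of the original article, a Python audit of a Cisco IOS running-config that checks the points made in the last two paragraphs: ports still negotiating DTP, access or trunk ports missing switchport nonegotiate, unused ports not shut down, and trunks whose native VLAN is also a user VLAN. The config excerpt and its interface names are constructed.

```python
import re

# Constructed sample of a Cisco IOS running-config (not from the article); it has each weak setting above plus one hardened port.
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode dynamic desirable
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
interface GigabitEthernet1/0/3
 switchport mode trunk
 switchport trunk native vlan 1
 switchport nonegotiate
interface GigabitEthernet1/0/4
"""

def parse_interfaces(config: str) -> dict:
    """Map each interface name to its indented configuration lines."""
    result, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            result[current] = []
        elif current and line.startswith(" "):
            result[current].append(line.strip())
    return result

def audit(config: str, user_vlans=(1,)) -> dict:
    """Findings per interface. user_vlans lists the VLANs that carry ordinary hosts (VLAN 1 by
    default, which is also the default native VLAN of a Cisco trunk)."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        native = next((int(l.split()[-1]) for l in lines if l.startswith("switchport trunk native vlan ")), 1)
        issues = []
        if "shutdown" not in lines:             # a disabled port needs no further checks
            if not lines:
                issues.append("unused interface is not shut down")
            elif mode in (None, "dynamic"):     # no explicit mode means DTP dynamic auto
                issues.append("DTP negotiation enabled (no explicit access/trunk mode)")
            elif "switchport nonegotiate" not in lines:
                issues.append("missing 'switchport nonegotiate'")
            if mode == "trunk" and native in user_vlans:
                issues.append(f"native VLAN {native} also carries user traffic")
        if issues:
            findings[name] = issues
    return findings
```

Run `audit(RUNNING_CONFIG)` to get the three weak interfaces with their findings; pass `user_vlans=(10,)` to see the native-VLAN finding disappear once user traffic no longer shares VLAN 1.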

And remember, you should constantly monitor the structure and behavior between hardware and software. This is a vital factor in preventing attacks from inside the company.


# PCI compliance

If your company processes payments and credit card information, we recommend using compliance management software. This will help you ensure that all data follows the PCI DSS requirements to the letter.

It is simple: if the company applies several layers of restriction to customers’ financial information, it becomes more difficult for VLAN hoppers to reach that sensitive traffic. At the same time, we recommend segmenting the data into VLANs protected by ACLs to keep payment records away from the common network.

# Threat detection

We emphasize the constant monitoring of all network processes. With unified security software you can detect attacks on your systems through a network IDS. At the same time, you can check the integrity of digital files with FIM (file integrity monitoring).

This software is designed to obtain detailed information about each active device in the virtual network. It also helps you build accurate profiles of attackers and their specific tactics.

Unified security follows an automatic workflow of monitoring > detection > counterattack execution that considerably minimizes risk. In this regard, we recommend the AlienVault SIEM software for managing and controlling threats.

If you are looking for the best methods to optimize your cybersecurity, at GB Advisors we can offer you professional consulting for a high-quality performance of your new IT resources. Contact us.
