8th October 2012, 07:53 AM #1
After Access Point: Physical 802.1q trunk port security against VLAN hopping
G'day
We're deploying UniFi UAP/UAP-Pro here and plan to offer a student and a teacher SSID; they'll be separated from the rest of the network by a packet filter, so they can only access a limited range of ports and hosts.
But for multiple SSIDs, the switch port connecting the Access Point to the network needs to transport more than one VLAN via VLAN tagging - thus the need to have 802.1q trunk ports.
I was aware of the VLAN hopping danger, but stumbling upon a talk at DEFCON 19 about VoIP VLAN hopping made me think more about the risks (see the video at 7:20, where the issue is explained).
Now this means that the RADIUS authentication barrier to your staff network can easily be circumvented:
- Ignore the Access Point, just plug into the port where the Access Point is normally connected
- Optionally set up a transparent bridge in between
- Sniff traffic and get the VLAN tags used (simple with Linux and OS X; Windows depends more on the NIC driver)
- Spawn an interface with the correct VLAN tag, set yourself an IP, *boom* done.
Now I guess that controller-based systems like Cisco LAP using their LWAPP protocol encapsulate all traffic to the controller and VLANs get separated at the controller level - so there is no need to use trunk ports in locations where people can access the network plugs.
Has anyone spent time thinking about this issue, and perhaps how, up to some level, it can be mitigated? (No, I can't install plugs in secure places just for access points; that would be far too expensive.)
Last edited by koffi2k; 8th October 2012 at 07:55 AM.
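The practical question in the post is what actually crosses the AP-facing trunk port. Besides pruning the trunk to an explicit allowed-VLAN list and moving the native VLAN to an unused ID on the switch, a useful check from the defender's side is to mirror that port and audit the frames seen on it: only the SSID VLANs should appear, never untagged (native VLAN) traffic and never stacked tags. The following is an added example, not code from the thread or from Ubiquiti; the VLAN numbers (10 for students, 20 for staff), the MAC addresses and the frames themselves are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple

# TPIDs that introduce a VLAN tag: 802.1Q, 802.1ad (QinQ) and the older 0x9100 QinQ value.
TAG_TPIDS = {0x8100, 0x88A8, 0x9100}


@dataclass
class Frame:
    src: str             # source MAC, colon-separated hex
    vlan_ids: List[int]  # outermost tag first; an empty list means the frame was untagged
    ethertype: int       # EtherType of the payload after all tags


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II header plus any stacked 802.1Q/802.1ad tags."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    src = ":".join(f"{b:02x}" for b in raw[6:12])
    offset = 12
    vlan_ids: List[int] = []
    while True:
        if len(raw) < offset + 2:
            raise ValueError("truncated EtherType field")
        (ethertype,) = struct.unpack("!H", raw[offset:offset + 2])
        if ethertype not in TAG_TPIDS:
            return Frame(src, vlan_ids, ethertype)
        if len(raw) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", raw[offset + 2:offset + 4])
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4


def audit_trunk(frames: List[Frame], allowed_vlans: Set[int]) -> List[Tuple[str, List[int], str]]:
    """Return (src, vlan_ids, reason) for every frame that should not be on a trunk that
    carries only allowed_vlans and has no native-VLAN traffic."""
    findings = []
    for f in frames:
        if not f.vlan_ids:
            findings.append((f.src, f.vlan_ids, "untagged"))          # native VLAN is in use
        elif len(f.vlan_ids) > 1:
            findings.append((f.src, f.vlan_ids, "stacked-tags"))      # QinQ on an AP port
        elif f.vlan_ids[0] not in allowed_vlans:
            findings.append((f.src, f.vlan_ids, "vlan-not-allowed"))  # trunk not pruned
    return findings


def build_frame(src: str, vlan_ids: List[int], ethertype: int) -> bytes:
    """Build a constructed test frame: broadcast dst, given src, tags and a zero payload."""
    hdr = b"\xff" * 6 + bytes.fromhex(src.replace(":", ""))
    for vid in vlan_ids:
        hdr += struct.pack("!HH", 0x8100, vid)  # TPID, then TCI with PCP/DEI = 0
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46


# Constructed inputs (assumption): VLAN 10 = student SSID, VLAN 20 = staff SSID.
ALLOWED_VLANS = {10, 20}
SAMPLE_FRAMES = [
    build_frame("aa:bb:cc:00:00:01", [10], 0x0800),      # normal student traffic
    build_frame("aa:bb:cc:00:00:02", [20], 0x0800),      # normal staff traffic
    build_frame("aa:bb:cc:00:00:03", [], 0x0806),        # untagged ARP: native VLAN leaking
    build_frame("aa:bb:cc:00:00:04", [30], 0x0800),      # VLAN 30 should not be on this trunk
    build_frame("aa:bb:cc:00:00:05", [10, 30], 0x0800),  # stacked tags
]


def audit_samples():
    return audit_trunk([parse_frame(f) for f in SAMPLE_FRAMES], ALLOWED_VLANS)


if __name__ == "__main__":
    for src, vids, reason in audit_samples():
        print(f"{src} vlans={vids} {reason}")
```

Run against a mirror of the real AP port, anything reported as "vlan-not-allowed" means the trunk is carrying VLANs it was never pruned down to, and "untagged" means the native VLAN is live on a port anyone can reach; both are switch configuration problems that are fixable without moving the plug.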
8th October 2012, 03:42 PM #2
How do you currently protect your non-trunk ports? 802.1x?
8th October 2012, 04:36 PM #3
Not 802.1x; I'd like to, but there isn't the time for it, and not all devices support 802.1x either; think of network printers.
All ports are configured as access ports, as normally recommended. The VLANs are assigned to these ports according to the group of people who can access the ports.
Meaning: staff ports are only in staff work rooms, and all the rest is students. Up to a certain level you have to trust your teachers to lock the doors; yes, the physical protection can be circumvented, but at least you first need to get a key from a teacher.
I don't think we can really start setting up access points for one or the other wifi network exclusively - which would add much higher cost and also complicate cabling and configuration...