  1. #1

    After Access Point: Physical 802.1q trunk port security against VLAN hopping

    G'day

    We're deploying UniFi UAP/UAP-Pro here and plan to offer a student and a teacher SSID; they'll be separated from the rest of the network by a packet filter, so they can only access a limited range of ports and hosts.
    But for multiple SSIDs, the switch port connecting the Access Point to the network needs to transport more than 1 VLAN via VLAN tagging - thus the need for 802.1q trunk ports.
    I was aware of the VLAN hopping danger, but stumbling upon a talk at DEFCON 19 about VoIP VLAN hopping made me think more about the risks (see the video at 7:20, where the issue is explained).

    Now this means that the RADIUS authentication barrier to your staff network can easily be circumvented:
    • Ignore the Access Point; just plug into the port where the Access Point is normally connected
    • Optionally set up a transparent bridge in between
    • Sniff traffic and get the VLAN tags used (simple with Linux and OS X; Windows depends more on the NIC driver)
    • Spawn an interface with the correct VLAN tag, set yourself an IP, *boom* done.


    Now I guess that controller based systems like Cisco LAP using their LWAPP protocol encapsulate all traffic to the controller and VLANs get separated at the controller level - so there is no need to use trunk ports in locations where people can access the network plugs.
    Has anyone spent time thinking about this issue, and can it perhaps be mitigated up to some level? (no, I can't install plugs in secure places just for access points, that would be far too expensive)
    Last edited by koffi2k; 8th October 2012 at 06:55 AM.
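One detection angle for the scenario in this post (a wired device speaking on the AP's trunk port with a tag it sniffed) is to compare what arrives on that port against what the AP should be emitting: its own management traffic plus frames from clients the controller currently shows as associated to the SSID mapped to that VLAN. The script below is an added example, not from the thread or from Ubiquiti; it parses 802.1Q headers from raw frames, and all port names, MACs and VLAN IDs in it are constructed sample values.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # 802.1Q tag protocol identifier

# Constructed snapshot of what the controller knows about one AP uplink port.
# All MACs, port names and VLAN IDs are hypothetical example values.
AP_PORT = {
    "port": "Gi1/0/12",
    "ap_mac": "24:a4:3c:00:11:22",          # the AP's own (untagged management) traffic
    "vlan_clients": {                       # VLAN -> MACs currently associated to that SSID
        10: {"a0:b1:c2:00:00:01", "a0:b1:c2:00:00:02"},   # teacher SSID
        20: {"d4:e5:f6:00:00:09"},                        # student SSID
    },
}

def parse_frame(raw: bytes) -> dict:
    """Decode the Ethernet header and, if present, the 802.1Q tag."""
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    vid = None
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vid = tci & 0x0FFF          # VLAN ID is the low 12 bits of the TCI
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid, "ethertype": ethertype}

def check_frame(raw: bytes, port: dict = AP_PORT) -> Optional[str]:
    """Return an alert string if the frame does not fit what the AP should emit, else None."""
    f = parse_frame(raw)
    src, vid = f["src"], f["vid"]
    if src == port["ap_mac"]:
        return None                 # the AP itself talking (management, controller traffic)
    if vid is None:
        return f"{port['port']}: untagged frame from {src}, not the AP"
    if vid not in port["vlan_clients"]:
        return f"{port['port']}: VLAN {vid} is not an SSID VLAN on this uplink"
    if src not in port["vlan_clients"][vid]:
        return f"{port['port']}: {src} on VLAN {vid} is not an associated wireless client"
    return None

def build_frame(src: str, dst: str, vid=None, ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Construct a test frame (optionally 802.1Q tagged) so the check can run offline."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP/DEI bits left at zero
    return hdr + struct.pack("!H", ethertype) + payload
```

This is a detection layer only: it keys on MAC addresses, which are not authenticated, so it complements rather than replaces port authentication where devices support it.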

  2. #2

    How do you currently protect your non-trunk ports? 802.1x?

  3. #3

    Not 802.1x. I'd like to, but there isn't the time for it - and not all devices support 802.1x either; think of network printers.

    All ports are configured as access ports, as normally recommended. The VLANs are assigned to these ports according to the group of people who can access the ports.
    Meaning: staff ports are only in staff work rooms and all the rest are student ports. Up to a certain level you have to trust your teachers to lock the doors; yes, the physical protection can be circumvented, but at least you first need to get a key from a teacher.

    I don't think we can really start setting up access points exclusively for one or the other wifi network - that would add much higher cost and also complicate cabling and configuration...
