After Access Point: Physical 802.1q trunk port security against VLAN hopping
G'day
We're deploying UniFi UAP/UAP-Pro here and plan to offer a student and a teacher SSID. They'll be separated from the rest of the network via a packet filter, so they can only access a limited range of ports and hosts.
But for multiple SSIDs, the switch port connecting the Access Point to the network needs to transport more than one VLAN via VLAN tagging - thus the need to have 802.1q trunk ports.
I was aware of the VLAN hopping danger, but stumbling upon a talk at DEFCON 19 about VoIP VLAN hopping made me think more about the risks (see the video at 7:20, where the issue is explained).
Now this means that the RADIUS authentication barrier to your staff network can easily be circumvented:
- Ignore the Access Point, just plug into the port where the Access Point is normally connected
- Optionally set up a transparent bridge in between
- Sniff traffic and get the VLAN tags used (simple with Linux and OS X; Windows is more dependent on the NIC driver)
- Spawn an interface with the correct VLAN tag and set yourself an IP, *boom* done.
Now I guess that controller based systems like Cisco LAP using their LWAPP protocol encapsulate all traffic to the controller and VLANs get separated at the controller level - so there is no need to use trunk ports in locations where people can access the network plugs.
Has anyone spent time thinking about this issue, and can this perhaps be mitigated up to some level? (No, I can't install plugs in secure places just for access points, that would be far too expensive.)
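One defensive check for the scenario above, as an added example that is not code from the post or from Ubiquiti: correlate the switch's MAC-address table on the AP trunk ports with the list of clients the wireless controller reports as associated to each AP, since a wired host on the AP's jack shows up in the former but never in the latter. The port names, MACs, VLAN ids and both data sets are constructed placeholders, and the dump format is assumed (real switches print their own).

```python
# Added example, not from the original post or Ubiquiti. Correlates a switch's
# MAC table on AP trunk ports with the controller's associated-client list: a
# wired host on the AP's jack appears in the former but never in the latter.

# Placeholder topology: AP port -> (AP's own MAC, VLANs the trunk should carry).
AP_PORTS = {
    "Gi1/0/12": ("f0:9f:c2:aa:bb:01", {1, 10, 20}),
    "Gi1/0/13": ("f0:9f:c2:aa:bb:02", {1, 10, 20}),
}
# Constructed controller data: clients reported as associated, keyed by AP MAC.
CONTROLLER_CLIENTS = {
    "f0:9f:c2:aa:bb:01": {"3c:5a:b4:11:22:33"},
    "f0:9f:c2:aa:bb:02": {"9c:8e:99:44:55:66"},
}
# Constructed switch MAC-table dump, one "vlan mac port" entry per line.
SAMPLE_TABLE = """\
1    f0:9f:c2:aa:bb:01   Gi1/0/12
20   3c:5a:b4:11:22:33   Gi1/0/12
1    f0:9f:c2:aa:bb:02   Gi1/0/13
10   9c:8e:99:44:55:66   Gi1/0/13
10   00:11:22:33:44:55   Gi1/0/13
30   00:11:22:33:44:55   Gi1/0/13
10   de:ad:be:ef:00:01   Gi1/0/5
"""

def parse_mac_table(text):
    """Parse the dump into (vlan, mac, port) tuples; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append((int(parts[0]), parts[1].lower(), parts[2]))
    return rows

def audit_ap_ports(rows, ap_ports=AP_PORTS, clients=CONTROLLER_CLIENTS):
    """Return (port, vlan, mac, reason) for MACs on an AP trunk port that are
    neither the AP nor one of its associated wireless clients, and for VLANs
    the trunk should not be carrying at all."""
    findings = []
    for vlan, mac, port in rows:
        if port not in ap_ports:
            continue  # not an AP port, out of scope
        ap_mac, allowed = ap_ports[port]
        if vlan not in allowed:
            findings.append((port, vlan, mac, "vlan-not-allowed-on-trunk"))
        if mac != ap_mac and mac not in clients.get(ap_mac, set()):
            findings.append((port, vlan, mac, "wired-host-unknown-to-controller"))
    return findings
```

The check is evidence, not authentication: a wired intruder who clones an associated client's MAC passes it, so pair it with link-state alerting on the AP ports and with pruning each trunk to only the VLANs the SSIDs need.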