VLAN Security – Why the Native VLAN Should Never Be Used


Currently studying for a CCNA Security, I have been taught to never use the native VLAN for security purposes. This old discussion from Cisco forum states it very clearly:

You should never use the default VLAN either because VLAN hopping is
much more easily accomplished from the default VLAN.

However, from a practical point of view, I am not able to precisely pinpoint what actual threat is being addressed.

My thoughts are the following:

  • The attacker being located on the native VLAN, maybe he can directly inject 802.1q packets which will be forwarded without modification by the first switch (as coming from a native VLAN) and upcoming switches will consider these packets as legitimate packets coming from any VLAN chosen by the attacker.

    This would have indeed made VLAN hopping attacks "much more easy". However, this does not work since the first switch rightly considers it as abnormal to receive 802.1q packets on an access port and therefore drops such packets.

  • An attacker being located on a non-native VLAN manages to turn a switch access port into a trunk one. To send traffic to the native VLAN he will just have to change his IP address (a single command) instead of enabling VLAN on his network interface (four commands), saving three commands.

    I obviously consider this at most as a very marginal gain…

  • When digging in the history, I thought I read somewhere old recommendations stating that 802.1q injection could require a compatible network card and specific drivers. Such requirements would indeed limit an attacker's ability to inject 802.1q packets and make native VLAN exploitation much more practical in the previous scenario.

    However, this does not seem to be a real limitation nowadays, and VLAN configuration commands are a common part of Linux (at least) network configuration commands.

Could we consider this advice of not using the native VLANs to be outdated and kept only for historical and configuration sanity purposes, even though this practice does not address any particular threat anymore? Or is there a concrete scenario where VLAN hopping indeed becomes much easier because of the native VLAN being used?

Best Answer

You can and most likely will need to use a native VLAN on your trunk ports, at least on Cisco switches; other vendors do it differently. But what you have to remember is that the security risk is more to do with VLAN 1 (the default VLAN) being set as a native VLAN.

You should change the native VLAN from being VLAN 1 to a new VLAN that you create. The native VLAN is used for a lot of management data such as DTP, VTP and CDP frames, and also BPDUs for spanning tree.

When you get a brand new switch, VLAN 1 is the only VLAN that exists; this also means that all ports are members of this VLAN by default.

If you are using VLAN 1 as your native VLAN, you have all the ports that you haven't configured to be part of this VLAN. So if an attacker connects to a port that is not used and not configured (because it's not used), he straight away has access to your management VLAN and can read and inject packets that could allow VLAN hopping, or capture packets you don't want him/her to see, or worse, SSH into your switches/routers (never allow telnet).

The advice is always to not use VLAN 1, so if an attacker or unwanted client connects and ends up on VLAN 1 and there is nothing configured on this VLAN, such as a usable gateway, they are pretty much stuck and can't go anywhere, while your native VLAN is something like VLAN 900, which is less likely to have any port access as it isn't the default VLAN.

A lot of engineers do not disable unused ports, and using VLAN 1 for important stuff leaves you in a situation where the access is open unless you use something like 802.1x. Engineers/network admins forget, and you have a little security hole that can benefit an attacker. If your VLAN 1 is not used and ports are left as default, it's not such a big deal because it is not used.

Hope this helps you on your quest.

SleepyMan
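A defender-side check for the two conditions the answer warns about (a trunk whose native VLAN is still 1, and a live port left in VLAN 1 with no configuration), as an added example that is not part of the original post. It parses an IOS-style running-config; the config text is constructed for the example, and the commands it matches (`switchport mode trunk`, `switchport trunk native vlan`, `switchport access vlan`, `shutdown`) are standard Cisco IOS interface commands.

```python
import re

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk native vlan 900
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
 switchport access vlan 999
 shutdown
!
"""

def parse_interfaces(config):
    """Split IOS-style config text into {interface name: [indented lines]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the interface block
    return interfaces

def audit_vlan1(config):
    """Flag trunks whose native VLAN is 1 and live ports left in VLAN 1."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        native = access = 1  # IOS defaults when nothing is configured
        trunk = "switchport mode trunk" in lines
        for line in lines:
            m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
            if m:
                native = int(m.group(1))
            m = re.fullmatch(r"switchport access vlan (\d+)", line)
            if m:
                access = int(m.group(1))
        if trunk and native == 1:
            findings.append((name, "trunk native VLAN is 1"))
        elif not trunk and "shutdown" not in lines and access == 1:
            findings.append((name, "port left in VLAN 1 and not shut down"))
    return findings
```

Running `audit_vlan1(SAMPLE_CONFIG)` reports Gi1/0/1 (native VLAN 1 on a trunk) and Gi1/0/3 (an unconfigured, live port sitting in VLAN 1); the shut-down port and the trunk with native VLAN 900 pass.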