
An attack on a PVLAN (Private VLAN).

Updated 09.09.2025 07:50

Oleg Petukhov, lawyer in the field of international law and personal data protection, information security specialist (protection of information and personal data).

Telegram channel: https://t.me/protectioninformation

Telegram Group: https://t.me/informationprotection1

Website: https://legascom.ru

Email: online@legascom.ru


#informationprotection #informationsecurity

VLAN (Virtual LAN) technology logically partitions a single switch into separate broadcast domains. It is used mainly to separate traffic for security reasons and to reduce the volume of traffic within one network segment.

With this attack, an attacker can gain access to a neighboring PVLAN device via an L3 device (router).

In PVLAN technology, unlike plain VLANs, ports can be in one of three modes: isolated, promiscuous, or community. Isolated ports cannot exchange data with other clients in their VLAN; data can only be transferred between an isolated port and a promiscuous port.

Promiscuous ports are PVLAN ports that can exchange data with all isolated and community ports, just as in a regular VLAN.

A community is a group of ports whose members can exchange data with one another within the VLAN.

If an attacker has access to a Layer 3 device (for example, a router), he can establish communication between clients that are on the same PVLAN, even between isolated ports. To carry out this attack, the attacker forges a packet whose destination IP address is the device he wants to reach on another isolated port; the source IP address remains unchanged, but the destination MAC address is set to the MAC address of the L3 device. On receiving the packet, the router forwards it to the specified IP address. The receiving party can do the same, and in this way data is exchanged between isolated ports.

To prevent attacks of this type, a special Access List must be created on the L3 device that forbids the router from forwarding data between hosts of the same network segment (the PVLAN subnet).

router# conf t
router(config)# ip access-list extended pvlan
router(config-ext-nacl)# deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
router(config-ext-nacl)# permit ip any any
router(config-ext-nacl)# exit
router(config)# int f0/1
router(config-if)# ip access-group pvlan in

The steps shown in this example are performed on the L3 device (the router). An extended access control list named pvlan is created, which denies traffic from the 10.0.0.0/24 network to the 10.0.0.0/24 network and permits everything else. The last command applies this access list inbound on interface f0/1, the interface facing the PVLAN.
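To show why the access list above stops the attack, here is an added example (not part of the original article and not Cisco IOS code) that models the router's first-match ACL evaluation in Python and, alongside it, a simple detection check: any frame addressed to the router's MAC whose IP source and destination both lie inside the PVLAN subnet is a "hairpin" that two hosts on the same L2 segment would never legitimately need. The router MAC, host MACs and sample frames are constructed values; only the 10.0.0.0/24 subnet and the two ACL entries come from the article.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values (not from the original article):
ROUTER_MAC = "00:11:22:33:44:55"                    # assumed MAC of the router's PVLAN interface
PVLAN_SUBNET = ipaddress.ip_network("10.0.0.0/24")  # subnet used in the article's ACL


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class AclEntry:
    action: str  # "deny" or "permit"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# Python model of the article's ACL:
#   deny   ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
#   permit ip any any
ANY = ipaddress.ip_network("0.0.0.0/0")
PVLAN_ACL = [
    AclEntry("deny", PVLAN_SUBNET, PVLAN_SUBNET),
    AclEntry("permit", ANY, ANY),
]


def acl_decision(acl, frame):
    """First matching entry wins, as on IOS; an implicit deny applies if nothing matches."""
    src = ipaddress.ip_address(frame.src_ip)
    dst = ipaddress.ip_address(frame.dst_ip)
    for entry in acl:
        if src in entry.src and dst in entry.dst:
            return entry.action
    return "deny"


def is_pvlan_hairpin(frame):
    """Detection rule: a frame sent to the router's MAC whose IP endpoints are both inside
    the PVLAN subnet asks the router to relay traffic between two hosts on the same segment,
    which is exactly the pattern of the isolated-port bypass described in the article."""
    return (
        frame.dst_mac.lower() == ROUTER_MAC.lower()
        and ipaddress.ip_address(frame.src_ip) in PVLAN_SUBNET
        and ipaddress.ip_address(frame.dst_ip) in PVLAN_SUBNET
    )


def audit(frames, acl=PVLAN_ACL):
    """Return a (decision, hairpin_flag) pair for every frame seen inbound on f0/1."""
    return [(acl_decision(acl, f), is_pvlan_hairpin(f)) for f in frames]


# Constructed sample frames as the router would see them inbound on f0/1
SAMPLE_FRAMES = [
    # isolated host going out to an external address through the router: permitted, not a hairpin
    Frame("aa:aa:aa:aa:aa:01", ROUTER_MAC, "10.0.0.10", "198.51.100.7"),
    # isolated host 10.0.0.10 trying to reach isolated host 10.0.0.20 via the router: denied, hairpin
    Frame("aa:aa:aa:aa:aa:01", ROUTER_MAC, "10.0.0.10", "10.0.0.20"),
    # isolated host talking to another internal subnet: permitted, not a hairpin
    Frame("aa:aa:aa:aa:aa:02", ROUTER_MAC, "10.0.0.30", "192.168.1.5"),
]

if __name__ == "__main__":
    for frame, (decision, hairpin) in zip(SAMPLE_FRAMES, audit(SAMPLE_FRAMES)):
        flag = "  <-- PVLAN hairpin attempt" if hairpin else ""
        print(f"{frame.src_ip:>12} -> {frame.dst_ip:<14} {decision}{flag}")
```

Running the script prints one line per frame; the only frame both denied by the ACL and flagged by the hairpin check is the one where both IP endpoints are inside 10.0.0.0/24. The detection rule is useful even where the ACL is in place, because logging such frames (for example, with a `log` keyword on the deny entry in IOS) reveals hosts that are attempting the bypass.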