Friday, May 22, 2015

Firewall build (part 3) VLAN Security

Since I plan on using VLANs on the WiFi Access Points to separate guest vs friend vs trusted traffic, I need to make sure that I'm doing VLANs in a secure fashion and not leaving any large holes.

The primary recommendations from the listed sources are:

  • Don't use VLAN 1 (the default VLAN) for anything
  • Any ports that do VLAN trunking should use a dedicated VLAN ID
  • Do explicit tagging of the native VLAN on trunking ports
  • Set all end-user ports to non-trunking (a.k.a. "access ports"?)
  • Disable unused ports and put them in a separate VLAN
  • Disable Spanning Tree Protocol (STP) on end-user ports
  • Use MD5 authentication for Virtual Trunking Protocol (VTP)
  • Physically secure the switch and control access to the management functions

Reference Links:

  1. Virtual LAN Security: weaknesses and countermeasures (SANS)
  2. VLAN Hacking (InfoSec Institute)
  3. VLAN Hopping (Wikipedia)

No comments: