Tuesday, September 14, 2021

VLAN Hopping/Routing Risk via Management Computer

Hopefully I can check my sanity here:

I have a network with a single Windows-based management PC spanning several VLANs via several adapters, e.g. VLAN10 = NIC1, VLAN20 = NIC2. The 802.1Q VLAN is enforced by a managed switch.

The management PC needs to span several VLANs to share network resources and for network monitoring, reporting and SDN controllers.

All VLANs are non-default and either port PVID'd or tagged via the AP SDN interface, so there's no untagged traffic floating around from hard or WiFi connected devices.

On the PC, file/printer sharing and network discovery are disabled on all "untrusted" VLANs, ACL rules forbid routing between untrusted IPs and IPs on different/same VLANs where these are deemed a security risk, and port isolation further denies inter-group/zone routing external to the PC.

Is there a credible threat of VLAN hopping or inter-VLAN routing via the management PC here?

I've put myself into each VLAN and tried to ping, port scan and route to other VLAN devices, and all my attempts failed; when I scan with Nessus it also shows nothing.

This is an SMB network with a single 48-port switch and a VLAN-unaware router, so not exactly super high threat in terms of either exposure or attractiveness (i.e. I'm not expecting GCHQ/NSA to come probing).
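The question above turns on whether the multi-homed management PC itself can forward traffic between the VLANs its NICs sit in. The following PowerShell audit is an added example, not part of the original post and not anything the poster ran: it reports the host-side settings that would turn the PC into an inter-VLAN router (per-interface forwarding, the global IPEnableRouter value, the Routing and Remote Access service, the firewall profile assigned to each adapter, and which File and Printer Sharing rules are enabled on which profiles). It assumes Windows 8.1/Server 2012 R2 or later (NetTCPIP and NetSecurity modules) and an elevated prompt; the `$Remediate` switch is a local variable of this script, not a Windows setting.

```powershell
# Added example (not from the original post): audit whether a multi-homed Windows
# management PC can route packets between the VLANs it is attached to.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated PowerShell session.
# Set $Remediate = $true to disable forwarding if the audit finds it enabled.
$Remediate = $false

# 1. Per-interface forwarding state. "Enabled" on any adapter means the host will
#    route between adapters once IP routing is on; weak-host mode is also worth
#    knowing about because it relaxes the source/destination interface check.
$ifaces = Get-NetIPInterface |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    Select-Object InterfaceAlias, AddressFamily, Forwarding, WeakHostSend, WeakHostReceive
Write-Host '== Interface forwarding state =='
$ifaces | Format-Table -AutoSize

# 2. Global IP routing flag (1 = routing enabled after the next reboot).
$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ipEnableRouter = (Get-ItemProperty -Path $tcpipParams -Name IPEnableRouter `
    -ErrorAction SilentlyContinue).IPEnableRouter
Write-Host "== IPEnableRouter = $ipEnableRouter (0 or empty is the expected value) =="

# 3. Routing and Remote Access: if this service is running, LAN routing may be active.
Write-Host '== Routing and Remote Access service =='
Get-Service -Name RemoteAccess | Select-Object Name, Status, StartType | Format-Table -AutoSize

# 4. Firewall profile per adapter. NICs in "untrusted" VLANs should be Public so the
#    restrictive profile applies to them rather than the Private/Domain profile.
Write-Host '== Network category per adapter =='
Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory | Format-Table -AutoSize

# 5. File and Printer Sharing rules that are enabled, and on which profiles. Any rule
#    listed with Profile = Public (or Any) exposes SMB to the untrusted VLANs.
Write-Host '== Enabled File and Printer Sharing firewall rules =='
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Profile | Format-Table -AutoSize

# 6. Summary and optional remediation.
$fwdEnabled = $ifaces | Where-Object { $_.Forwarding -eq 'Enabled' }
if ($fwdEnabled -or $ipEnableRouter -eq 1) {
    Write-Warning 'Host-level forwarding is enabled; this PC can route between its VLANs.'
    if ($Remediate) {
        # Disable forwarding on every interface and clear the global routing flag.
        Get-NetIPInterface | Set-NetIPInterface -Forwarding Disabled
        Set-ItemProperty -Path $tcpipParams -Name IPEnableRouter -Value 0
        Write-Warning 'Forwarding disabled; the IPEnableRouter change takes effect after a reboot.'
    }
} else {
    Write-Host 'Forwarding is disabled on all connected interfaces; IP routing is off.'
}
```

Run it on the management PC after any adapter or VPN software change, since third-party network stacks and RRAS installs are the usual way forwarding gets switched on unnoticed; the switch-side ACLs and port isolation described in the post still matter, but this check covers the one path (the PC's own IP stack) that those controls cannot see.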
