http://dx.doi.org/10.13089/JKIISC.2018.28.1.449

Detection and Prevention of Bypassing Attack on VLAN-Based Network Segmentation Environment  

Kim, Kwang-jun (Hannam University)
Hwang, Kyu-ho (National Security Research Institute)
Kim, In-kyoung (National Security Research Institute)
Oh, Hyung-geun (National Security Research Institute)
Lee, Man-hee (Hannam University)
Abstract
Many organizations segment their networks so that separate organizations or departments do not exchange unnecessary traffic, since such traffic is a path for leakage of internal data. The most fundamental network separation method is physically separate equipment. However, networks are also often divided and operated logically using the virtual LAN (VLAN) network access control function of switches, which can be deployed at lower cost. In this study, we first examined whether this logical network separation can be bypassed through VLAN ID scanning and a double encapsulation VLAN hopping attack. We then designed and implemented a data leakage scenario that uses the acquired VLAN IDs. Furthermore, we proposed a simple and effective technique to detect and prevent the double encapsulation VLAN hopping attack, and implemented it for validation. We hope this study improves the security of organizations that rely on VLAN-based logical network separation by preventing internal data leakage and external cyber attacks that exploit the double encapsulation VLAN vulnerability.
Keywords
Virtual LAN; double encapsulation VLAN attack; Virtual Network; Network separation; Data leakage;
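The attack the abstract names relies on two stacked IEEE 802.1Q tags: the outer tag carries the trunk's native VLAN ID and is stripped by the first switch (native VLAN frames travel untagged on the trunk), so the inner tag is what the far-end switch reads, delivering the frame into a VLAN the sender is not a member of. The following Python is an added example, not code from the paper or its authors (the abstract does not describe their detection mechanism); it builds a double-tagged frame, models the native-VLAN stripping that makes the hop work, and applies a generic ingress check that flags any frame from a host-facing port carrying two tags or a tag equal to the trunk's native VLAN. The MAC addresses, the native VLAN (1), the target VLAN (20) and the payload bytes are all constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100          # EtherType/TPID that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, vlan_ids, ethertype, payload, pcp=0, dei=0):
    """Build an Ethernet frame with zero or more 802.1Q tags, outermost first.

    Each tag is the TPID (0x8100) followed by a 16-bit TCI: 3-bit PCP,
    1-bit DEI, 12-bit VID. Passing two VIDs produces the double-encapsulated
    frame used in VLAN hopping.
    """
    hdr = mac(dst) + mac(src)
    for vid in vlan_ids:
        if not 0 <= vid <= 4095:
            raise ValueError("VID must fit in 12 bits: %r" % vid)
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_vlan_tags(frame):
    """Return (VIDs outermost first, inner EtherType, payload offset)."""
    off = 12                                 # skip destination + source MAC
    vids = []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated Ethernet header")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype != TPID_8021Q:
            return vids, etype, off + 2
        if off + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += 4


def strip_native_tag(frame, native_vid):
    """Model a trunk that carries its native VLAN untagged: the outermost tag
    is removed when it names the native VLAN, exposing any inner tag."""
    vids, _, _ = parse_vlan_tags(frame)
    if vids and vids[0] == native_vid:
        return frame[:12] + frame[16:]
    return frame


def delivered_vlan(frame, native_vid):
    """VLAN the far-end switch assigns after the trunk stripped the native tag."""
    vids, _, _ = parse_vlan_tags(strip_native_tag(frame, native_vid))
    return vids[0] if vids else native_vid


def inspect_frame(frame, native_vid):
    """Ingress check for a frame received from a host-facing (access) port.

    Returns None for a clean frame, otherwise a short verdict:
      DOUBLE_TAG    - two or more 802.1Q tags (double encapsulation)
      NATIVE_TAGGED - the host tagged its frame with the trunk's native VLAN,
                      the first step of the hopping attack
    """
    vids, _, _ = parse_vlan_tags(frame)
    if len(vids) >= 2:
        return "DOUBLE_TAG"
    if vids and vids[0] == native_vid:
        return "NATIVE_TAGGED"
    return None


if __name__ == "__main__":
    NATIVE = 1        # assumed native VLAN of the inter-switch trunk
    TARGET = 20       # assumed VLAN ID learned by VLAN ID scanning
    payload = bytes([0x45]) + bytes(19)     # constructed stand-in for an IPv4 header
    attack = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01",
                         [NATIVE, TARGET], ETHERTYPE_IPV4, payload)
    print("outer/inner VIDs :", parse_vlan_tags(attack)[0])
    print("delivered to VLAN:", delivered_vlan(attack, NATIVE))   # hop lands in VLAN 20
    print("ingress verdict  :", inspect_frame(attack, NATIVE))    # DOUBLE_TAG
    legit = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:02",
                        [], ETHERTYPE_IPV4, payload)
    print("untagged frame   :", inspect_frame(legit, NATIVE))     # None
```

Run as-is to see the hop succeed in `delivered_vlan` while `inspect_frame` flags the same frame at ingress. The check only works if the monitor knows the trunk's native VLAN and sees frames before the first switch strips the outer tag, which is why it belongs on host-facing ports; a frame with one tag that is not the native VLAN is passed here, so the check does not replace access-port tag filtering on the switch itself.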