The key thing (and vaguely surprising to me when I first used them) to
remember about VLANs is that they don't provide any privacy if your
"adversary" has access to the medium. That is, if someone can listen
in or inject traffic directly on the ethernet (or wireless) span, they
can trivially see the VLANs, and read and write to them. That's not to
say they aren't useful.

On Tue, Jun 7, 2022 at 10:41 AM Cy <[email protected]> wrote:
>
> On Mon, 6 Jun 2022 15:33:57 -0700
> Eric House <[email protected]> wrote:
>
> > suggesting that the VLAN implementations in consumer grade switches from
> > both TP-Link and Netgear are insecure.
> >
> > Can anybody tell me how worried I should be about this? Should I:
>
> I'm not an expert on this to say the least, but as far as I can tell
> the only security risk is if you have two VLANs. A switch that's
> supposed to transport packets for two separate VLANs can in some cases
> transport packets from one VLAN to the other, and if they're marked
> with a bogus return address, computers in the other VLAN may think it
> came from one of the machines within their VLAN.
>
> I can't imagine that is a problem unless those machines on the first
> VLAN have special privileges, and a program is running that changes a
> computer's behavior based on a single packet, only authenticated by its
> return address. And no information is going to leak out, since with a
> bogus return address, whoever's on the second VLAN isn't going to see a
> response.
>
> So... unless you're dealing with one switch managing two VLANs, and
> unless you're granting potentially malicious users access to one of
> your VLANs, but not the other, and unless it's a security breach for
> one of the VLANs to send packets to the other, I'd go with not worrying
> about it.
