Educause Security Discussion mailing list archives

Re: Untrusted VLANs on Core Gear
From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Thu, 8 Feb 2007 08:54:23 -0800

I think that "run screaming" is a serious overreaction in this case.
Both dsniff and the vlan-traversal attacks are fairly old news (and I
believe that the SANS paper cited is itself pretty old--I remember
reading it, or something similar, years ago).  Modern switches, like the
cisco 6500, are able to effectively counter these attacks, at least to
the point where the risks do not outweigh the serious network design and
troubleshooting issues that arise from having separate equipment for
every firewall.  Moreover, cisco has staked a lot on their ability to
provide virtualizable firewall services in their 6500 platform, so it's
no surprise that they have been doing a lot of the research in vlan
traversal attacks.

There are basically two issues here: one is a vlan traversal that allows
traffic to get across a vlan where it's not supposed to go.  There are
easy ways to defeat this (although the SANS document previously cited is
very unclear and, in my reading, appears to advise you to do the wrong
thing).  Make sure you check with your switch vendor to get their best

To execute most vlan-traversal attacks, you must be physically on one of
the layer-2 vlans.  Getting there via some other L3 router doesn't
count.  So, imagine a topology where you have a room with two ISP
routers, a switch with trusted and untrusted vlans, the interior router
and the firewall.  The attacker would have to be physically IN THAT ROOM
to perform most vlan-traversal attacks or would have to root a machine
that is physically IN THAT ROOM.  If someone roots a machine there, you
have other things to worry about than vlan traversals.

The other issue is sniffing, and Randy brings up a good point.  But
sniffing is an issue everywhere, even on switched networks with only one
vlan.  (I saw Dug Song demonstrate dsniff in 1999.)  I don't believe
that there is ever a location where the encryption of anything remotely
sensitive is not warranted.  "Behind my firewall" is NOT an exception.
So, if you encrypt your data end-to-end using strong encryption (and you
manage keys properly), you have much less to worry about anyway.

So I don't think running screaming into the night is a good idea.  I
think that it is very possible to create a design based on your initial
description and truly minimize the risk.  (It's also possible to create
a really insecure design with multiple switches.)  So, you WILL have to
think about the issues that each potential design raises and how to
counteract those issues.  But I find that it's much easier for me to
think clearly about minimizing risk when I am not currently screaming,
which is why I advise you not to do so.
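The "easy ways to defeat" VLAN traversal that the post refers to are, on Cisco-style switches, mostly explicit port modes, DTP disabled, an unused (and tagged) native VLAN, and pruned trunks. The following audit script is an added example, not code from the original post, from Educause, or from Cisco: it parses two constructed IOS-style configuration fragments (a weak one and a hardened one) and reports the settings a defender would want fixed before putting trusted and untrusted VLANs on the same core switch. The command names are real IOS commands; the sample configs, interface names and the audit helper itself are constructed for illustration.

```python
"""Audit Cisco IOS-style interface stanzas for settings that make VLAN
traversal easier (DTP trunk negotiation, native-VLAN abuse, unpruned trunks).
Hypothetical helper written for this example; not a Cisco or Educause tool."""
from __future__ import annotations

NATIVE_TAG_CMD = "vlan dot1q tag native"  # global command: tag the native VLAN on trunks

# Constructed sample configs (not from the original post).
WEAK_CONFIG = """\
interface GigabitEthernet1/1
 description untrusted ISP hand-off
 switchport
 switchport access vlan 200
!
interface GigabitEthernet1/2
 description uplink to firewall
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

HARDENED_CONFIG = """\
vlan dot1q tag native
!
interface GigabitEthernet1/1
 description untrusted ISP hand-off
 switchport
 switchport mode access
 switchport access vlan 200
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/2
 description uplink to firewall
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,200
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Return {interface name: [indented commands]} for every interface stanza."""
    stanzas: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or a global command closes the stanza
    return stanzas


def audit_interface(lines: list[str], native_tagged: bool) -> list[str]:
    """Return human-readable findings for one interface stanza."""
    findings: list[str] = []
    if "switchport" not in lines:
        return findings  # routed (non-switchport) interface: no VLAN membership to check
    mode = None
    for cmd in lines:
        if cmd.startswith("switchport mode "):
            mode = cmd.split()[2]  # access | trunk | dynamic
    if mode not in ("access", "trunk"):
        findings.append("DTP negotiation left enabled: set 'switchport mode access' "
                        "or 'switchport mode trunk' explicitly")
    if "switchport nonegotiate" not in lines:
        findings.append("DTP not disabled: add 'switchport nonegotiate'")
    if mode == "trunk":
        native, allowed = "1", False  # IOS defaults: native VLAN 1, all VLANs allowed
        for cmd in lines:
            if cmd.startswith("switchport trunk native vlan "):
                native = cmd.split()[4]
            elif cmd.startswith("switchport trunk allowed vlan "):
                allowed = True
        if native == "1":
            findings.append("trunk uses VLAN 1 as native VLAN: move native to an unused VLAN")
        if not native_tagged:
            findings.append(f"native VLAN untagged on trunk: enable global '{NATIVE_TAG_CMD}'")
        if not allowed:
            findings.append("all VLANs carried on trunk: prune with 'switchport trunk allowed vlan'")
    elif mode == "access":
        access = "1"  # IOS default access VLAN
        for cmd in lines:
            if cmd.startswith("switchport access vlan "):
                access = cmd.split()[3]
        if access == "1":
            findings.append("access port sits in VLAN 1: assign a dedicated VLAN")
    return findings


def audit(config: str) -> dict[str, list[str]]:
    """Map each interface that has at least one finding to its findings."""
    native_tagged = any(line.strip() == NATIVE_TAG_CMD
                        for line in config.splitlines() if not line.startswith(" "))
    results: dict[str, list[str]] = {}
    for name, lines in parse_interfaces(config).items():
        found = audit_interface(lines, native_tagged)
        if found:
            results[name] = found
    return results


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for name, found in audit(cfg).items():
            for item in found:
                print(f"{name}: {item}")
```

Run against the weak fragment the script flags the ISP-facing port for leaving DTP on and the firewall uplink for an untagged native VLAN 1 and an unpruned trunk; the hardened fragment produces no findings. The rules are deliberately conservative (an access port without `switchport nonegotiate` is still reported), which matches the post's advice to check the vendor's own hardening guidance rather than rely on defaults.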
