Educause Security Discussion mailing list archives

Re: Untrusted VLANs on Core Gear
From: "David C. Smith" <dcs44 () GEORGETOWN EDU>
Date: Thu, 8 Feb 2007 12:31:20 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have been meaning to respond with roughly the same message, that there
might be some overreaction here.  VLAN hopping attacks are valid and,
while there have been some advances, it has remained a pretty static threat.

Not sure if you have already seen this, but it does a pretty good job of
describing layer 2 attacks and countermeasures.  Cisco-based, but most
of the countermeasures should be found on all major switches.

Noted VLAN attacks:
Switch spoofing.
Double-tagging.
Vlan injections.

http://www.ciscopress.com/content/images/1587201534/samplechapter/1587201534content.pdf

-Dave

---
David C. Smith, CISSP, CISM
University Information Security Officer, Georgetown University
http://security.georgetown.edu
dcs44 () georgetown edu


Michael Sinatra wrote:
I think that "run screaming" is a serious overreaction in this case.
Both dsniff and the vlan-traversal attacks are fairly old news (and I
believe that the SANS paper cited is itself pretty old--I remember
reading it, or something similar, years ago).  Modern switches, like the
cisco 6500, are able to effectively counter these attacks, at least to
the point where the risks do not outweigh the serious network design and
troubleshooting issues that arise from having separate equipment for
every firewall.  Moreover, cisco has staked a lot on their ability to
provide virtualizable firewall services in their 6500 platform, so it's
no surprise that they have been doing a lot of the research in vlan
traversal attacks.

There are basically two issues here: one is a vlan traversal that allows
traffic to get across a vlan where it's not supposed to go.  There are
easy ways to defeat this (although the SANS document previously cited is
very unclear and, in my reading, appears to advise you to do the wrong
thing).  Make sure you check with your switch vendor to get their best
practice.

To execute most vlan-traversal attacks, you must be physically on one of
the layer-2 vlans.  Getting there via some other L3 router doesn't
count.  So, imagine a topology where you have a room with two ISP
routers, a switch with trusted and untrusted vlans, the interior router
and the firewall.  The attacker would have to be physically IN THAT ROOM
to perform most vlan-traversal attacks or would have to root a machine
that is physically IN THAT ROOM.  If someone roots a machine there, you
have other things to worry about other than vlan traversals.

The other issue is sniffing, and Randy brings up a good point.  But
sniffing is an issue everywhere, even on switched networks with only one
vlan.  (I saw Dug Song demonstrate dsniff in 1999.)  I don't believe
that there is ever a location where the encryption of anything remotely
sensitive is not warranted.  "Behind my firewall" is NOT an exception.
So, if you encrypt your data end-to-end using strong encryption (and you
manage keys properly), you have much less to worry about anyway.

So I don't think running screaming into the night is a good idea.  I
think that it is very possible to create a design based on your initial
description and truly minimize the risk.  (It's also possible to create
a really insecure design with multiple switches.)  So, you WILL have to
think about the issues that each potential design raises and how to
counteract those issues.  But I find that it's much easier for me to
think clearly about minimizing risk when I am not currently screaming,
which is why I advise you not to do so.

michael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFy15o82y8mrTDgSARAieOAJ92+7sPmao4bROwtrw1bUbeHeo4+ACeKOyP
o7pZ9NRlE2Cjx2gE7eKGj1w=
=wdzP
-----END PGP SIGNATURE-----
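The three attacks Dave lists (switch spoofing, double-tagging, VLAN injection) and Michael's point that an attacker "must be physically on one of the layer-2 vlans" both come down to what 802.1Q tags a frame carries when it enters a switch port. The script below is an added example and is not part of either message or of the Cisco Press chapter linked above: it parses the 802.1Q tag stack of a raw Ethernet frame and flags the frame shapes a defender would want to see in a capture or a switch-side monitor: a tagged frame arriving on a port that should be an access port, a frame carrying two stacked tags, and an outer tag that equals the trunk's native VLAN (the precondition for double-tagging to hop VLANs). The sample frames, the port role and the native VLAN number are constructed inputs, not values from this thread.

```python
import struct

# Tag Protocol Identifiers that introduce a 4-byte VLAN tag
# (802.1Q customer tag, 802.1ad service tag, and the older QinQ value).
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}


def parse_vlan_stack(frame: bytes):
    """Walk the VLAN tag stack of an Ethernet frame (no FCS expected).

    Returns (vlan_ids, ethertype): vlan_ids is the VID of every stacked tag
    from outermost to innermost, ethertype is the type of the payload that
    follows the last tag (or the frame's EtherType if it is untagged).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    vlan_ids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside the EtherType/tag stack")
        tpid = struct.unpack_from("!H", frame, offset)[0]
        if tpid not in VLAN_TPIDS:
            return vlan_ids, tpid
        if offset + 4 > len(frame):
            raise ValueError("frame truncated inside a VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4


def classify_frame(frame: bytes, port_is_trunk: bool, native_vlan: int):
    """Return (vlan_ids, ethertype, findings) for a frame seen on a port.

    port_is_trunk and native_vlan describe the port the frame arrived on;
    they are assumed inputs supplied by whoever runs the check.
    """
    vlan_ids, ethertype = parse_vlan_stack(frame)
    findings = []
    if not port_is_trunk and vlan_ids:
        # Hosts on an access port have no reason to send tagged frames; this is
        # what a port would see if a host tried to negotiate or spoof a trunk.
        findings.append("tagged frame received on access port")
    if len(vlan_ids) >= 2:
        findings.append("double-tagged frame")
    if port_is_trunk and vlan_ids and vlan_ids[0] == native_vlan:
        # A switch strips the outer tag when it matches the native VLAN and
        # forwards whatever inner tag remains; that is the double-tagging hop.
        findings.append("outer tag equals native VLAN")
    return vlan_ids, ethertype, findings


def build_frame(dst: bytes, src: bytes, vlan_ids, ethertype: int, payload: bytes) -> bytes:
    """Constructed test frame with the given 802.1Q tags stacked in order."""
    out = bytearray(dst + src)
    for vid in vlan_ids:
        out += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    out += struct.pack("!H", ethertype) + payload
    return bytes(out)


# Constructed sample frames (addresses and payloads are placeholders).
BCAST = b"\xff" * 6
HOST = b"\x00\x11\x22\x33\x44\x55"
IPV4_STUB = b"\x45" + b"\x00" * 19  # minimal IPv4-looking payload
UNTAGGED = build_frame(BCAST, HOST, [], 0x0800, IPV4_STUB)
SINGLE_TAG = build_frame(BCAST, HOST, [10], 0x0800, IPV4_STUB)
DOUBLE_TAG = build_frame(BCAST, HOST, [1, 20], 0x0800, IPV4_STUB)

if __name__ == "__main__":
    for name, frame, trunk in (("untagged/access", UNTAGGED, False),
                               ("single-tag/access", SINGLE_TAG, False),
                               ("double-tag/trunk native 1", DOUBLE_TAG, True)):
        vids, etype, findings = classify_frame(frame, trunk, native_vlan=1)
        print(f"{name}: vlans={vids} ethertype=0x{etype:04x} findings={findings}")
```

The three findings map directly onto the countermeasures the linked chapter covers: "tagged frame on access port" is what disabling trunk negotiation on user ports (on Cisco IOS, `switchport mode access` plus `switchport nonegotiate`) is meant to make irrelevant, and "outer tag equals native VLAN" is what moving the trunk's native VLAN to an unused VLAN ID (and tagging the native VLAN with `vlan dot1q tag native`) removes, because the switch then no longer strips the attacker's outer tag.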
