Educause Security Discussion
mailing list archives
Re: Untrusted VLANs on Core Gear
From: David LaPorte <david_laporte () HARVARD EDU>
Date: Thu, 8 Feb 2007 12:35:45 -0500
Well said! I was going to draft something along these lines, but you
beat me to it. We have based much of our data center and core network
design around the Cisco 6500 platform and the firewall services module.
Most of the issues are easily countered either right out of the box or
with proper procedures and port settings.
In my opinion, the flexibility of doing things "virtually" far outweighs
the threat of easily countered VLAN-based attacks. As Michael mentions,
the CAM and ARP-based attacks are applicable to any switched network.
Michael Sinatra wrote:
I think that "run screaming" is a serious overreaction in this case.
Both dsniff and the vlan-traversal attacks are fairly old news (and I
believe that the SANS paper cited is itself pretty old--I remember
reading it, or something similar, years ago). Modern switches, like the
cisco 6500, are able to effectively counter these attacks, at least to
the point where the risks do not outweigh the serious network design and
troubleshooting issues that arise from having separate equipment for
every firewall. Moreover, cisco has staked a lot on their ability to
provide virtualizable firewall services in their 6500 platform, so it's
no surprise that they have been doing a lot of the research in vlan
There are basically two issues here: one is a vlan traversal that allows
traffic to get across a vlan where it's not supposed to go. There are
easy ways to defeat this (although the SANS document previously cited is
very unclear and, in my reading, appears to advise you to do the wrong
thing). Make sure you check with your switch vendor to get their best
To execute most vlan-traversal attacks, you must be physically on one of
the layer-2 vlans. Getting there via some other L3 router doesn't
count. So, imagine a topology where you have a room with two ISP
routers, a switch with trusted and untrusted vlans, the interior router
and the firewall. The attacker would have to be physically IN THAT ROOM
to perform most vlan-traversal attacks or would have to root a machine
that is physically IN THAT ROOM. If someone roots a machine there, you
have other things to worry about other than vlan traversals.
The other issue is sniffing, and Randy brings up a good point. But
sniffing is an issue everywhere, even on switched networks with only one
vlan. (I saw Dug Song demonstrate dsniff in 1999.) I don't believe
that there is ever a location where the encryption of anything remotely
sensitive is not warranted. "Behind my firewall" is NOT an exception.
So, if you encrypt your data end-to-end using strong encryption (and you
manage keys properly), you have much less to worry about anyway.
So I don't think running screaming into the night is a good idea. I
think that it is very possible to create a design based on your initial
description and truly minimize the risk. (It's also possible to create
a really insecure design with multiple switches.) So, you WILL have to
think about the issues that each potential design raises and how to
counteract those issues. But I find that it's much easier for me to
think clearly about minimizing risk when I am not currently screaming,
which is why I advise you not to do so.
David LaPorte, CISSP, CCNP
Security Manager, Network and Server Systems
Harvard University Information Systems
Email: david_laporte () harvard edu