On 08/09/2000 at 12:15:55 EST, "Jerry Wintrode" <wintrojr_at_tripos.com>
wrote:
> VLANs are just tagged packets. So if someone were to spoof the VLAN header
> of a packet the switch will forward the packet on another VLAN. There may
> be no return path but a good DoS approach.
The talk about VLAN tagging being an exposure because it is unauthenticated
should not apply to well-designed switches and switch networks. Each
switch port, by default, should not allow tagged packets. The only ports
that need to support tagging are for actual inter-switch links (and only
those that need to allow traffic for multiple VLANs); and those should have
to be specifically configured to permit tagging.
Some folks have alluded to the fact that if you can so configure a port,
you can configure it incorrectly. Or, if you allow configuration over the
network (SNMP, etc.), an attacker could change his port to allow tagging
(or even simply switch his port to another VLAN). These exposures can be
alleviated if it is possible to configure the switch so that the
configuration can't be changed over the network (again, if the switch
cannot be so configured it has no place in an environment requiring secure
separation).
It would be useful to us security folks to know which switch models meet
the requirements I've discussed. I don't have that info.
And then, even if we thought we had a secure switch setup, a bug in the
switch logic could make all of our efforts for naught. At this point, I'm
still using air-gap separation.
Tony Rall
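The ingress rule argued for above (an end-station port never honours a tag the host supplies; only a deliberately configured inter-switch link does, and only for the VLANs it is allowed to carry) can be made concrete with a small simulation. The Python below is an added example, not code from this post, the Firewall-wizards thread, or any switch vendor. The `PortPolicy` model, the mode names `access` and `trunk`, the `None` meaning "trunk carries every VLAN", the choice to give the trunk no native VLAN, and the MAC addresses are all assumptions made for the example; only the 802.1Q header layout (TPID 0x8100, 12-bit VID inside the TCI) is the real wire format.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
VID_MIN, VID_MAX = 1, 4094   # VID 0 (priority tag only) and 4095 are reserved


@dataclass(frozen=True)
class PortPolicy:
    """Hypothetical per-port ingress policy (an assumption of this example).

    mode           'access' = end-station port, tags never accepted
                   'trunk'  = inter-switch link, tags required
    access_vlan    VLAN that untagged frames on an access port are placed in
    allowed_vlans  VIDs a trunk accepts; None mimics a trunk that carries every VLAN
    """
    mode: str
    access_vlan: int = 1
    allowed_vlans: Optional[FrozenSet[int]] = None


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], int, bytes]:
    """Split an Ethernet II frame into (dst, src, vid_or_None, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return dst, src, None, etype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])   # TCI = PCP(3) | DEI(1) | VID(12)
    return dst, src, tci & 0x0FFF, inner, frame[18:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Constructed test frame; an 802.1Q tag is inserted only when vid is given."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def ingress_vlan(policy: PortPolicy, frame: bytes) -> Optional[int]:
    """Return the VLAN the frame is forwarded on, or None if the port drops it."""
    _, _, vid, _, _ = parse_frame(frame)
    if policy.mode == "access":
        # Access ports ignore the host entirely on VLAN choice: any tag,
        # including a priority-only VID 0 tag, is dropped in this conservative model,
        # so a spoofed header cannot move the frame onto another VLAN.
        return policy.access_vlan if vid is None else None
    if policy.mode == "trunk":
        # This toy trunk has no native VLAN (assumption): untagged frames and
        # reserved VIDs are dropped, and only explicitly allowed VIDs pass.
        if vid is None or not VID_MIN <= vid <= VID_MAX:
            return None
        if policy.allowed_vlans is None or vid in policy.allowed_vlans:
            return vid
        return None
    raise ValueError(f"unknown port mode {policy.mode!r}")


if __name__ == "__main__":
    # Constructed addresses and payload for demonstration only.
    DST = bytes.fromhex("001122334455")
    SRC = bytes.fromhex("66778899aabb")
    untagged = build_frame(DST, SRC, 0x0800, b"\x00" * 46)
    spoofed = build_frame(DST, SRC, 0x0800, b"\x00" * 46, vid=20)

    host_port = PortPolicy("access", access_vlan=10)
    strict_trunk = PortPolicy("trunk", allowed_vlans=frozenset({10}))
    open_trunk = PortPolicy("trunk")   # the misconfiguration the post warns about

    for name, pol in [("host port", host_port), ("strict trunk", strict_trunk),
                      ("open trunk", open_trunk)]:
        print(f"{name:13s} untagged -> {ingress_vlan(pol, untagged)}"
              f"   tagged VID 20 -> {ingress_vlan(pol, spoofed)}")
```

Running it shows the contrast the post draws: the same tagged frame is dropped by the host-facing access port and by a trunk restricted to VLAN 10, but is happily forwarded on VLAN 20 by a trunk left at "carry everything". The audit question this suggests for a real switch is simply which ports are in the equivalent of `trunk` mode and why.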
_______________________________________________
Firewall-wizards mailing list
Firewall-wizards_at_nfr.net
http://www.nfr.net/mailman/listinfo/firewall-wizards
Received on Aug 11 2000