Firewall Wizards mailing list archives
Re: vlan security ?
From: Darren Reed <darrenr () reed wattle id au>
Date: Fri, 11 Aug 2000 08:15:10 +1000 (EST)
In some email I received from John Adams, sie wrote:
[...]
> I've spent a lot of time configuring VLANs on Catalyst 6xxx series switches, and other Cisco products and I have to admit, this is one of the first times I've seen concerns raised about packets jumping from VLAN to VLAN. I'd guess that it's entirely possible to make this happen, but I'm looking for hard evidence that this can happen. There's simply no command (aside from putting a port up as a span port or trunk) to put a port in two VLANs. Would this attack involve injecting ISL packets into the switch to send data to multiple ports? ISL isn't authenticated, nor is VTP, so you could have packets crossing boundaries that way.

Something which needs to be considered is that for any VLAN "hacking" to occur the person doing that hacking needs to have (a) broken into a box on a wire connected to the switch and (b) gained the ability to send raw packets out on the network. I'd say that in most cases if a hacker can achieve (a) then (b) is also achievable. So in effect, for the VLAN to reach a point of "being vulnerable" your DMZ must already have been hacked successfully.

The only wildcard there is if the switch acknowledges SNMP things and an attacker can sneak through SNMP packets - or in some cases HTTP traffic(!) - and cause it to "reconfigure".

There's another variable I just remembered and that's the ability to use telnet to (re)configure the switch. This doesn't take getting root to send weird packets to exploit and if the manufacturer has built in some hidden passwords then you could seriously be hosed (hackers always know these things well in advance of you). Telnet/SSH(?) should also be on the list of traffic prohibited from reaching your switch.

In summary, generally if the switch VLAN configuration reaches a point where it is "at risk" from raw ethernet frames (weird multicast/broadcast packets), you have got bigger problems to worry about than the switch being "not a switch".

Darren

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
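Darren's recommendation that SNMP, HTTP and telnet/SSH traffic be prohibited from reaching the switch, written out as a management-plane lockdown. This is an added example, not part of the original message or the thread; it assumes Cisco IOS syntax (a Catalyst 6xxx of this era running CatOS uses `set ip permit` instead), and 10.0.0.0/24 and the community string are constructed placeholders.

```cisco
! Constructed placeholder: 10.0.0.0/24 is the management network; nothing
! on the DMZ or other protected VLANs may talk to the switch itself.
access-list 10 remark management stations only
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny any log

! Telnet/SSH: only from the management network, and SSH rather than telnet
! so that credentials are not sent in clear over a segment a compromised
! DMZ host could sniff.
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 5 0

! SNMP: remove the well-known default communities (the "hidden passwords"
! an attacker already knows), keep the remaining community read-only and
! bound to the same ACL so a sneaked-through SNMP packet cannot
! "reconfigure" the switch.
no snmp-server community public
no snmp-server community private
snmp-server community CONSTRUCTED-RO-STRING RO 10

! HTTP: no web management on the switch at all.
no ip http server
```

The `deny any log` entry on the ACL gives you a log line for each connection attempt that comes from anywhere but the management network, which is the earliest sign that a DMZ host is probing the switch.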
