Security Basics mailing list archives
Re: VLAN security
From: Darren Carter <darren.carter () mci com>
Date: 3 Jun 2003 22:44:34 -0000
In-Reply-To: <20030603065216.15407.qmail () web20210 mail yahoo com>

I looked into VLAN security a little while back and found few problems with respect to security. Note the following discussion relates to Cisco kit.

Cisco have some good documentation on CCO, but you'll likely need a support contract/login to get there. A quick search for "vlan security" turned up some useful stuff, including this:

http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

I also recall reading a paper by @Stake, who were contracted by Cisco to investigate VLAN security. The investigation found only one concern, and that was where user traffic was allowed in VLAN 1 (the default management VLAN). The management VLAN is used by switches for VTP, and it was found that crafted frames could hop from the management VLAN to another VLAN, but this ONLY occurred when a host/station sat on the management VLAN. This concern was eliminated by ensuring that all switch ports used for connecting hosts were placed in a VLAN other than the management VLAN.

The paper above also suggests "pruning" the management VLAN from ports that don't need it, but I assume they mean that in the manual switch configuration sense rather than relying on VTP pruning.

By the way, note that the discussion revolves around frames and not packets. You need to be L2 adjacent to the switch to effect VLAN hopping.

Cheers
Darren
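A worked model of the mechanism Darren describes, added here as an example (this is not code from the post, from @Stake or from Cisco). It assumes the hop is the double-tagging case: a host on the trunk's native VLAN (VLAN 1 by default) sends a frame with two stacked 802.1Q tags; the first switch strips the outer tag because VLAN 1 leaves the trunk untagged, so the second switch sees only the inner tag and classifies the frame into that VLAN. The access/trunk tag handling below is a simplified model of Cisco behaviour, the MAC addresses and payload are constructed, and the last check goes slightly beyond the post: the same thing happens for any VLAN that is both a host VLAN and the trunk's native VLAN, not only VLAN 1.

```python
import struct

TPID_8021Q = 0x8100       # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vids, payload):
    """Ethernet frame with stacked 802.1Q tags, outermost VLAN ID first."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def peek_tag(frame):
    """Outermost 802.1Q VLAN ID, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def pop_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


class Port:
    def __init__(self, mode, vlan=1, native=1, allowed=None):
        self.mode = mode        # "access" or "trunk"
        self.vlan = vlan        # access VLAN (access ports)
        self.native = native    # VLAN sent/received untagged (trunk ports)
        self.allowed = allowed  # VLAN IDs carried on the trunk; None = all


def ingress(port, frame):
    """Classify a received frame into a VLAN; (vlan, frame), or (None, None) if dropped.
    Simplified model (assumption): an access port accepts untagged frames and frames
    tagged with its own VLAN, stripping that tag; a trunk takes untagged frames as the
    native VLAN and tagged frames as the tagged VLAN, if that VLAN is allowed."""
    vid = peek_tag(frame)
    if port.mode == "access":
        if vid == port.vlan:
            return port.vlan, pop_tag(frame)
        if vid is not None:
            return None, None
        return port.vlan, frame
    if vid is None:
        return port.native, frame
    if port.allowed is not None and vid not in port.allowed:
        return None, None
    return vid, pop_tag(frame)


def egress(port, vlan, frame):
    """Frame as transmitted out of `port` for `vlan`, or None if not forwarded."""
    if port.mode == "access":
        return frame if vlan == port.vlan else None
    if port.allowed is not None and vlan not in port.allowed:
        return None
    if vlan == port.native:
        return frame            # native VLAN leaves a trunk untagged: an inner tag is now outermost
    return push_tag(frame, vlan)


def attempt_hop(host_vlan, trunk_native, trunk_allowed, target_vlan):
    """A host on an access port in host_vlan on switch A sends a double-tagged frame
    (outer tag = its own VLAN, inner tag = target_vlan). Returns the VLAN the frame is
    classified into when it arrives over the trunk at switch B, or None if dropped."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("0200deadbeef")            # constructed MAC addresses
    frame = build_frame(dst, src, [host_vlan, target_vlan], b"\x45" + b"\x00" * 19)
    host_port = Port("access", vlan=host_vlan)
    trunk_a = Port("trunk", native=trunk_native, allowed=trunk_allowed)
    trunk_b = Port("trunk", native=trunk_native, allowed=trunk_allowed)
    vlan, f = ingress(host_port, frame)
    if vlan is None:
        return None
    wire = egress(trunk_a, vlan, f)
    if wire is None:
        return None
    vlan_b, _ = ingress(trunk_b, wire)
    return vlan_b


if __name__ == "__main__":
    print("host in VLAN 1, trunk native 1:", attempt_hop(1, 1, None, 20))        # 20: hop succeeds
    print("host moved to VLAN 10:         ", attempt_hop(10, 1, None, 20))       # 10: stays put
    print("VLAN 1 pruned from the trunk:  ", attempt_hop(1, 1, {10, 20}, 20))    # None: dropped
    print("native VLAN changed to 999:    ", attempt_hop(1, 999, None, 20))      # 1: stays put
    print("host VLAN == native VLAN (10): ", attempt_hop(10, 10, None, 20))      # 20: hop again
```

The three fixes in the model map onto the two recommendations in the post: moving host ports off the management VLAN (`switchport access vlan 10` on each host port in IOS), and manually pruning VLAN 1 from trunks that don't need it (`switchport trunk allowed vlan remove 1`, which Darren's "manual configuration" reading is right about, since VTP pruning does not prune VLAN 1). Changing the trunk's native VLAN to an unused one (`switchport trunk native vlan 999`) is the usual third measure. Note that the frame is only ever injected at layer 2; nothing here involves an IP packet, which is the L2 adjacency point at the end of the post.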
Message-ID: <20030603065216.15407.qmail () web20210 mail yahoo com>
Date: Tue, 3 Jun 2003 14:52:16 +0800 (CST)
From: LINKCRAFT <linkcraft () yahoo com sg>
Subject: VLAN security
To: security-basics () securityfocus com

I have a leased-line network with a few VLANs configured. May I know how I can implement security in order to prevent hacking from one VLAN to another VLAN, or from the Internet? There is no firewall installed in the network. Can I implement a firewall? If affirmative, how can I protect between each VLAN? They don't have to access each other. Or should I use an IDS or any other tools? Is there any freeware available?

Thanks/regards
Tan Yew Kwee
Linkcraft Supply & Services
HP: 96959406 Fax: 67814648
Current thread:
- VLAN security LINKCRAFT (Jun 03)
- RE: VLAN security Carles Fragoso i Mariscal (Jun 04)
- <Possible follow-ups>
- Re: VLAN security Darren Carter (Jun 04)
- RE: VLAN security Mann, Bobby (Jun 04)