Re: VLAN security

[Darren Carter <darren.carter () mci com>]

In-Reply-To: <20030603065216.15407.qmail () web20210 mail yahoo com>

I looked into vlan security a little while back and found few problems 
with respect to security.  Note the following discussion relates to Cisco 
kit.

Cisco have some good documentation on CCO, but you'll likely need a 
support contract/login to get there.  A quick search for "vlan security" 
turned up some useful stuff including this:

http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_whit
e_paper09186a008013159f.shtml 

I also recall reading a paper by @Stake who were contracted by Cisco to 
investigate VLAN security.  The investigation found only one concern and 
that was where user traffic was allowed in VLAN 1 (the default management 
VLAN).  The management VLAN is used by switches for VTP, and it was found 
that crafted frames could hop from the management VLAN to another VLAN, 
but this ONLY occurred when a host/station sat on the management VLAN.  

This concern was eliminated by ensuring that all switch ports used for 
connecting hosts were placed in a VLAN other than the management VLAN.  
The paper above also suggests "pruning" the management VLAN from ports 
that don’t need it, but I assume they mean that in the manual switch 
configuration sense rather than relying on VTP pruning.

By the way, note that the discussion revolves around frames and not 
packets.  You need to be L2 adjacent to the switch to effect VLAN hopping.
 
Cheers
Darren

> Received: (qmail 12643 invoked from network); 3 Jun 2003 17:08:56 -0000
> Received: from outgoing3.securityfocus.com (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 3 Jun 2003 17:08:56 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com 
[205.206.231.19])
>       by outgoing3.securityfocus.com (Postfix) with QMQP
>       id D4AE7A3185; Tue,  3 Jun 2003 10:33:13 -0600 (MDT)
> Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <security-basics.list-id.securityfocus.com>
> List-Post: <mailto:security-basics () securityfocus com>
> List-Help: <mailto:security-basics-help () securityfocus com>
> List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
> Delivered-To: mailing list security-basics () securityfocus com
> Delivered-To: moderator for security-basics () securityfocus com
> Received: (qmail 29053 invoked from network); 3 Jun 2003 06:19:50 -0000
> Message-ID: <20030603065216.15407.qmail () web20210 mail yahoo com>
> Date: Tue, 3 Jun 2003 14:52:16 +0800 (CST)
> From: =?iso-8859-1?q?LINKCRAFT?= <linkcraft () yahoo com sg>
> Reply-To: linkcraft () yahoo com sg
> Subject: VLAN security
> To: security-basics () securityfocus com
> MIME-Version: 1.0
> Content-Type: text/plain; charset=iso-8859-1
> Content-Transfer-Encoding: 8bit
>
> I have a leased line network with few VLAN configured,
> may I know how can I implement the security in order
> to prevent hacking from one VLAN to another VLAN or
> from internet. There is no firewall installed in the
> network. Can I implement firewall? If affirmative, how
> can I protect between each VLAN? They don't have to
> access to each other. Or should I use IDS or any other
> tools? Is there any freeware available?
> Thanks/regards
>
> =====
>
> Thanks/regards 
> Tan Yew Kwee
>
> Linkcraft Supply & Services 
> HP: 96959406 
> Fax: 67814648
>
>
> __________________________________________________
> Do You Yahoo!?
> Send free SMS from your PC!
> http://sg.sms.yahoo.com
>
> --------------------------------------------------------------------------
-
> --------------------------------------------------------------------------
--
>

---------------------------------------------------------------------------
----------------------------------------------------------------------------