Security Basics mailing list archives

RE: Firewall and VLAN security design


From: Ghaith Nasrawi <libero () aucegypt edu>
Date: Thu, 11 Nov 2004 01:03:01 -0500

Interesting ... but I think they can't disallow this trick (for
usability reasons); otherwise, you have to specify on each port of the
switch whether the connected device is a regular machine which is not
expecting tagged frames, or a switch that needs to look up tagged
frames and maybe filter them in the appropriate manner. So, I think the
trick to avoid this problem is doable, but it would put more hassle on
the network admins to configure each single port of the switch
accordingly.


On Wed, 2004-11-03 at 07:50 -0700, Bryan S. Sampsel wrote:
Well, according to the articles, the weakness discovered in Cisco was the
default VLAN.  Change that, and your exploit goes out the window.  Sounds
like a default security setting issue.

I've seen references in the articles to "Cisco says their competitor has
the same problem" but not any tested instances.

If there are any Foundry Networks TAC guys on this list, I'd love to know if
they've discovered something similar.  Though, I usually set the default
VLAN ID to something different anyways.

But, at least with the first couple of articles, the default VLAN setting
appears to be the crux of the whole issue.  Fix that and VLANs perform
exactly like physically separate switches.

As to the issue of VLAN-aware firewalls... I'd never take advantage of that
particular feature as I like simple, easily clamped-down firewall
configurations.  But that's my particular philosophy.

Good info though regarding Cisco.  I'm going to file that away.  Thanks.

Sincerely,

Bryan S. Sampsel
LibertyActivist.org


Ivan Coric said:
I beg to differ: using VLANs to segregate your external and internal
network is a bad idea.

I don't think even Cisco recommends VLANs as a security mechanism.

http://www.sans.org/resources/idfaq/vlan.php

http://www.spirit.com/Network/net0103.html

http://www.terena.nl/conferences/tnc2003/programme/slides/s1c3.ppt

http://www.sans.org/rr/whitepapers/networkdevs/1090.php

http://www.google.com.au/search?q=vlan+hopping&hl=en&lr=&start=10&sa=N

cheers
Ivan

-- 


 (o_
 //\   Ghaith Nasrawi
 V_/_  


"Evil thrives when good men do nothing"
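A small defender-side check that follows the per-port idea discussed in this thread: every switch port is declared as either a host-facing access port that should only ever see untagged frames, or a trunk with a known native VLAN, and each received frame is audited against that declaration. This is an added example, not code from the thread, from Cisco or from any other vendor; the port table, port names, MAC addresses and sample frames are constructed for illustration, and the trunk entry deliberately keeps the factory-default native VLAN 1 that the thread identifies as the weak point.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1Q Tag Protocol Identifier (TPID)
ETHERTYPE_IPV4 = 0x0800

# Hypothetical per-port configuration (constructed for this example; not from the thread).
# An access port expects untagged frames from an end host; a trunk carries tagged frames
# between switches, with one "native" VLAN travelling untagged. VLAN 1 is the factory
# default native VLAN that the thread describes as the weak point.
PORTS = {
    "Gi0/1":  {"mode": "access", "vlan": 10},
    "Gi0/24": {"mode": "trunk", "native": 1, "tag_native": False},
}


def build_frame(dst_mac, src_mac, vlan_ids, ethertype, payload):
    """Assemble an Ethernet frame with zero or more stacked 802.1Q tags (used only to build sample input)."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    for vid in vlan_ids:
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); PCP and DEI are left at zero here
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Walk the Ethernet header and return every 802.1Q VLAN ID found, outermost first."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    off = 12
    vlan_ids = []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated EtherType")
        ethertype = struct.unpack_from("!H", frame, off)[0]
        if ethertype != ETHERTYPE_8021Q:
            break
        if off + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vlan_ids.append(tci & 0x0FFF)
        off += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlans": vlan_ids,
            "ethertype": ethertype, "payload": frame[off + 2:]}


def audit_frame(port, frame, ports=PORTS):
    """Return policy findings for a frame received on the given port (empty list = as expected)."""
    cfg = ports[port]
    vlans = parse_frame(frame)["vlans"]
    findings = []
    if cfg["mode"] == "access":
        if vlans:
            findings.append(f"{port}: 802.1Q tag(s) {vlans} received on an access port that expects untagged frames")
    else:
        if len(vlans) >= 2:
            findings.append(f"{port}: stacked 802.1Q tags {vlans} on a trunk (double tagging)")
        if vlans and vlans[0] == cfg["native"] and not cfg["tag_native"]:
            findings.append(f"{port}: outer tag is the trunk's native VLAN {cfg['native']}, which travels untagged on this trunk")
    return findings


# Constructed sample frames, labelled by what they represent.
_PAYLOAD = b"\x45\x00" + bytes(18)   # minimal IPv4-looking filler, constructed
SAMPLES = {
    "untagged-on-access":     ("Gi0/1",  build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", [],      ETHERTYPE_IPV4, _PAYLOAD)),
    "tagged-on-access":       ("Gi0/1",  build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", [10],    ETHERTYPE_IPV4, _PAYLOAD)),
    "single-tag-on-trunk":    ("Gi0/24", build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", [20],    ETHERTYPE_IPV4, _PAYLOAD)),
    "double-tagged-on-trunk": ("Gi0/24", build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", [1, 20], ETHERTYPE_IPV4, _PAYLOAD)),
}


def audit_samples():
    """Run the per-port check over every sample and return {label: findings}."""
    return {label: audit_frame(port, frame) for label, (port, frame) in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in audit_samples().items():
        print(f"{label}: {findings or 'ok'}")
```

The access-port rule is the one Ghaith's message is about: once a port is declared host-facing, any 802.1Q tag arriving on it is out of policy and worth alerting on, regardless of which VLAN ID it names. The trunk rules are the complement: stacked tags, or an explicit tag carrying the native VLAN ID, only make sense if the trunk is configured to tag its native VLAN, so a non-empty finding list is a prompt to review that port's configuration rather than a verdict on its own.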

