Security Basics mailing list archives
RE: Firewall and VLAN security design
From: Ghaith Nasrawi <libero () aucegypt edu>
Date: Thu, 11 Nov 2004 01:03:01 -0500
Interesting ... but I think they can't disallow this trick (for usability reasons); otherwise, you have to specify on each port of the switch whether the connected device is a regular machine which is not expecting tagged frames, or a switch that needs to look for tagged frames and maybe filter them in the appropriate manner. So, I think the trick to avoid this problem is doable, but it would put more hassle on the network admins to configure each single port of the switch accordingly.

On Wed, 2004-11-03 at 07:50 -0700, Bryan S. Sampsel wrote:

> Well, according to the articles, the weakness discovered in Cisco was the default VLAN. Change that, and your exploit goes out the window. Sounds like a default security setting issue. I've seen references in the articles to "Cisco says their competitor has the same problem" but not any tested instances. If there are any Foundry Networks TAC guys on this list, I'd love to know if they've discovered something similar. Though, I usually set the default VLAN ID to something different anyways.
>
> But, at least with the first couple of articles, the default VLAN settings appear to be the crux of the whole issue. Fix that and VLANs perform exactly like physically separate switches.
>
> As to the issue of VLAN aware firewalls... I'd never take advantage of that particular feature as I like simple, easily clamped down firewall configurations. But that's my particular philosophy.
>
> Good info though regarding Cisco. I'm going to file that away. Thanks.
>
> Sincerely,
> Bryan S. Sampsel
> LibertyActivist.org
>
> Ivan Coric said:
>> I beg to differ; using VLANs to segregate your external and internal network is a bad idea. I don't think even Cisco recommends VLANs as a security mechanism.
>>
>> http://www.sans.org/resources/idfaq/vlan.php
>> http://www.spirit.com/Network/net0103.html
>> http://www.terena.nl/conferences/tnc2003/programme/slides/s1c3.ppt
>> http://www.sans.org/rr/whitepapers/networkdevs/1090.php
>> http://www.google.com.au/search?q=vlan+hopping&hl=en&lr=&start=10&sa=N
>>
>> cheers
>> Ivan
--
 (o_
 //\  Ghaith Nasrawi
 V_/_ "Evil thrives when good men do nothing"
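The per-port behaviour the thread is arguing about (a port that strips a tag matching its own VLAN, and a trunk that carries its native VLAN untagged) modelled in Python as an added example; this is not code from the list or from any vendor. It assumes a deliberately simplified two-switch model, constructed test frames, and a hypothetical port-description format for the audit helper; it shows why Bryan's fix of moving the native VLAN off the default stops a double-tagged frame from landing in another VLAN.

```python
import struct

TPID_8021Q = b"\x81\x00"   # EtherType that introduces an 802.1Q tag

def vlan_tags(frame: bytes):
    """Return the stack of 802.1Q VLAN IDs following the 12-byte MAC header."""
    tags, off = [], 12
    while off + 4 <= len(frame) and frame[off:off + 2] == TPID_8021Q:
        tags.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return tags

def downstream_vlan(frame: bytes, access_vlan: int, trunk_native: int):
    """Simplified (assumed) two-switch model. The frame enters an access port
    in access_vlan, crosses a trunk whose native VLAN is trunk_native, and the
    downstream switch classifies it by the outermost tag it sees (or by the
    native VLAN if it sees none). Returns that VLAN, or None if dropped.
    Ingress rule: a tag equal to the port's own VLAN is consumed, any other
    tag is rejected. Egress rule: native-VLAN traffic leaves the trunk
    untagged, all other traffic gets exactly one tag."""
    tags = vlan_tags(frame)
    if tags:
        if tags[0] != access_vlan:
            return None
        tags = tags[1:]                      # outer tag consumed on ingress
    if access_vlan != trunk_native:
        tags = [access_vlan] + tags          # tagged on the trunk
    return tags[0] if tags else trunk_native  # what the next switch believes

def build_frame(vlans, payload=b"\x08\x00" + b"\x00" * 46):
    """Constructed test frame: two MAC addresses, then one 802.1Q tag per VLAN."""
    hdr = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"
    for v in vlans:
        hdr += TPID_8021Q + struct.pack("!H", v & 0x0FFF)
    return hdr + payload

def audit_trunks(ports):
    """Flag trunks whose native VLAN is still the default (1) or is also used as
    an access VLAN on the same switch. ports: hypothetical list of dicts with
    keys name, mode ('access' or 'trunk') and vlan (access VLAN or native VLAN)."""
    access_vlans = {p["vlan"] for p in ports if p["mode"] == "access"}
    return [p["name"] for p in ports
            if p["mode"] == "trunk" and (p["vlan"] == 1 or p["vlan"] in access_vlans)]

if __name__ == "__main__":
    frame = build_frame([1, 20])                                   # double-tagged
    print(downstream_vlan(frame, access_vlan=1, trunk_native=1))    # 20: crossed VLANs
    print(downstream_vlan(frame, access_vlan=1, trunk_native=999))  # 1: stays put
```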