Security Basics mailing list archives
RE: VALN hopping
From: "Bryan S. Sampsel" <bsampsel () libertyactivist org>
Date: Fri, 30 Sep 2005 15:02:48 -0600 (MDT)
The most referenced exploit you'll find, specifically for Cisco switches but prob works on others too, relies on someone being dumb enough to leave the default VLAN numbered at 1. You change that and much of the steam against the issue goes away. The switch is like any other system: you don't leave anything in a default state.

Actually, the use of switches to implement security by way of logical VLANs is fairly common...you can either filter your layer 3 traffic with your layer 3 switch or use something like the Cisco PIX. The advantage of the PIX is that it is a stateful packet firewall; layer 3 switches are not...so there are some flexibility issues at stake there.

But, just because you have a switch with more than one VLAN does not mean you have to define all your VLANs on that switch. At most, you'd want your "DMZ" VLANs and then probably the "management" VLAN that you use to remotely manage your switch.

Opinions differ on the subject; the archives will show you some heated debates on this topic. ;) Either way will work...much of it depends on the level of hardware you want to implement, man hours, and space taken up by additional chassis that you may not need. It's a calculated risk.

Good luck,
Bryan
-----Original Message-----
From: josh () tstc edu [mailto:josh () tstc edu]
Sent: Wednesday, September 28, 2005 9:59 AM
To: security-basics () securityfocus com
Subject: VALN hopping

We are having a heated discussion about using VLANs as a type of DMZ, so I am asking the experts. I personally like to see physical isolation; however, our network person doesn't feel there is a threat of VLAN hopping. Please let me know your opinions.

Thank you,
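As an added example (not code from the list discussion), here is a small Python audit that reads an IOS-style running-config excerpt and flags the two conditions Bryan's reply warns about: trunk ports still on the default native VLAN 1 (or carrying every VLAN with no pruning) and access ports left in VLAN 1. The config text is constructed for illustration; the `switchport` commands are standard Cisco IOS syntax.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt: one trunk left in its defaults,
# one trunk hardened (native VLAN moved, allowed list pruned), one
# access port sitting in VLAN 1.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
!
interface GigabitEthernet0/2
 description uplink to dmz firewall
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 1
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [indented sub-lines]}."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return blocks

def audit_vlan_hopping(config: str) -> List[str]:
    """Return one finding per port left in the risky default VLAN state."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        is_trunk = "switchport mode trunk" in lines
        # Native VLAN defaults to 1 when no explicit command is present.
        native = next((l.split()[-1] for l in lines
                       if l.startswith("switchport trunk native vlan")), "1")
        pruned = any(l.startswith("switchport trunk allowed vlan") for l in lines)
        if is_trunk and native == "1":
            findings.append(f"{name}: trunk still uses default native VLAN 1")
        if is_trunk and not pruned:
            findings.append(f"{name}: trunk carries all VLANs (no allowed-vlan pruning)")
        if "switchport mode access" in lines:
            access = next((l.split()[-1] for l in lines
                           if l.startswith("switchport access vlan")), "1")
            if access == "1":
                findings.append(f"{name}: access port placed in VLAN 1")
    return findings
```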