Bugtraq mailing list archives

Re: VLAN Security


From: dol () EAST RU (Basil V. Dolmatov)
Date: Fri, 3 Sep 1999 11:42:03 +0400


On Wed, 1 Sep 1999 bugtraq () SIS ALPHAWEST COM AU wrote:

> To Bugtraq,
>
> We have recently conducted some testing into the security of the
> implementation of VLANs on a pair of Cisco Catalyst 2900 series
> switches and we feel that the results of this testing might be of some
> value to the readers.  Testing basically involved injecting 802.1q
> frames with forged VLAN identifiers into the switch in an attempt to
> get the frame to jump VLANs.  A brief background is included below for
> those that might not be too familiar with VLANs.  Others should skip
> to the end for the results.

[skip]

> Findings
> ========
> We found that under specific conditions it was possible to inject
> frames into one VLAN and have them 'hop' to a different VLAN.  This is
> a serious concern if the VLAN mechanism is being used to maintain a
> security gradient between two network segments.  This has been
> discussed with Cisco and we believe that it is an issue with the
> 802.1q specification rather than an implementation issue.

That _is_ the point... 802.1q specifications were made wide deliberately
in order to incorporate the maximum of existent vendor-specific VLAN implementations
panopticum...

You may find after thorough reading of 802.1q specification that VLANless
network _is_ still 802.1q compliant... Giggle... Sad one...

> The trunk port, along with all the other ports, must be assigned to a
> VLAN.  If some non-trunk ports on the switch share the same VLAN as
> the trunk port, then it is possible to inject modified 802.1q frames
> into these non-trunk ports, and have the frames hop to other VLANs on
> another switch.

Yes... This technology is used sometimes in 802.1q networks deliberately
in order to put a given server in different VLANs simultaneously, even
if the switch does not allow multi-VLAN operation.


> Recommendations
> ===============
> Try not to use VLANs as a mechanism for enforcing security policy.
> They are great for segmenting networks, reducing broadcasts and
> collisions and so forth, but not as a security tool.
>
> If you MUST use them in a security context, ensure that the trunking
> ports have a unique native VLAN number.
I would spell it as: "Try not to use 802.1q VLANs as a..."

If you have Cisco equipment at hand, you can use ISL for VLANs and trunking,
which has no peculiarities mentioned in your posting...



--------------------------------------
Basil (Vasily)  Dolmatov  CCNP-Security, CCDA
East Connection ISP, Moscow, Russia. (http://www.east.ru)
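The condition the quoted finding depends on (a trunk port whose native VLAN is also assigned to access ports on the same switch) and the recommendation to give trunks a unique native VLAN can both be checked mechanically against a switch configuration. The following audit script is an added example and is not part of the thread or of Cisco's tooling; it assumes an IOS-style configuration syntax (`switchport mode trunk`, `switchport trunk native vlan N`, `switchport access vlan N`) and the IOS default of VLAN 1 for any port that sets no VLAN explicitly. The configuration it reads is constructed for illustration, not taken from a real device.

```python
import re
from collections import defaultdict

# Constructed IOS-style configuration used as sample input (not a real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 1
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 20
interface FastEthernet0/4
 switchport mode trunk
 switchport trunk native vlan 999
"""


def parse_interfaces(config):
    """Return {name: {"mode", "access_vlan", "native_vlan"}} for each interface.

    Ports that set no VLAN explicitly get the IOS defaults (assumption):
    access VLAN 1 and native VLAN 1, in access mode.
    """
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"mode": "access", "access_vlan": 1, "native_vlan": 1}
            continue
        if current is None:
            continue
        stripped = line.strip()
        m = re.match(r"switchport mode (trunk|access)$", stripped)
        if m:
            interfaces[current]["mode"] = m.group(1)
            continue
        m = re.match(r"switchport trunk native vlan (\d+)$", stripped)
        if m:
            interfaces[current]["native_vlan"] = int(m.group(1))
            continue
        m = re.match(r"switchport access vlan (\d+)$", stripped)
        if m:
            interfaces[current]["access_vlan"] = int(m.group(1))
    return interfaces


def find_shared_native_vlans(config):
    """List (trunk, native_vlan, [access ports]) where access ports share the
    trunk's native VLAN, i.e. the precondition described in the finding."""
    interfaces = parse_interfaces(config)
    access_by_vlan = defaultdict(list)
    for name, port in interfaces.items():
        if port["mode"] == "access":
            access_by_vlan[port["access_vlan"]].append(name)
    findings = []
    for name, port in sorted(interfaces.items()):
        if port["mode"] != "trunk":
            continue
        shared = access_by_vlan.get(port["native_vlan"], [])
        if shared:
            findings.append((name, port["native_vlan"], sorted(shared)))
    return findings


def trunks_on_default_native_vlan(config):
    """List trunks still using native VLAN 1, which is rarely unique."""
    return sorted(
        name for name, port in parse_interfaces(config).items()
        if port["mode"] == "trunk" and port["native_vlan"] == 1
    )


if __name__ == "__main__":
    for trunk, vlan, ports in find_shared_native_vlans(SAMPLE_CONFIG):
        print(f"{trunk}: native VLAN {vlan} shared with access ports {', '.join(ports)}")
    for trunk in trunks_on_default_native_vlan(SAMPLE_CONFIG):
        print(f"{trunk}: native VLAN left at default 1; assign a unique, unused VLAN")
```

On the sample configuration the script flags FastEthernet0/1 (native VLAN 1 shared with the access port FastEthernet0/2) and leaves FastEthernet0/4 alone, whose native VLAN 999 is used by no access port. Running it against each switch in a trunked group covers the cross-switch case in the finding, since a native VLAN only has to be unused by access ports on every switch the trunk reaches.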