Bugtraq mailing list archives

Re: VLAN Security

From: David.Taylor () ALPHAWEST COM AU (David Taylor)
Date: Wed, 8 Sep 1999 14:14:16 +0800


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike and Mike wrote:

While I think it's immensely useful that your study has debunked
in hard testing a common myth (that VLANs provide unbeatable
isolation), the limits of inter-switch VLAN isolation are discussed
already in Cisco's documentation.  See, e.g.:

http://www.cisco.com/univercd/cc/td/doc/product/lan/28201900/1928v8x/ee
scg8x/aleakyv.htm


Indeed, according to the document, all one needs to jump VLANs
involving more than one switch is the MAC of the target system.  Is
that NOT the case?


Thanks for the Cisco hyperlink.  It was an interesting read.  The
content of the document does not seem to apply to our test scenario.
I thoroughly tested the possibility of getting ethernet frames to
cross VLAN boundaries by specifying the MAC addresses, and I was not
able to get this to occur under any circumstances using our test gear
- - two Cisco 2924 switches.

However, in response to our initial post, I did receive feedback from
a couple of people, telling me that they were able to do what the
Cisco document describes.  I attribute this difference in results to
different models of switch.  It seems that the first generation of
Cisco VLAN switches (1900 and 2880) did have this fault, but the more
recent ones don't.  I guess we have to be thankful for small mercies.

I suspect (although I haven't checked yet) that ISL trunking may have
some problems of its own.  We only tested against 802.1q trunking.

We also received a few responses to the initial post saying that the
behaviour we observed conforms to the 802.1q spec, and basically "what
was our problem?".  I haven't had an opportunity to dissect 802.1q in
great detail, and I doubt that I will.  The whole point of our post
was to raise public awareness of the potential security issues when
using VLANs in a security situation, especially when using vendor
default settings.

I guess the moral of the story, from all the feedback, is not to use
VLAN technology to divide security domains unless you really know what
you are doing in terms of switch configuration, and even then to make
sure you test the configuration thoroughly.

Regards,
Dave Taylor (david.taylor () alphawest com au)

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2
Comment: Public key available from ldap://certserver.pgp.com

iQA/AwUBN9WOW7XZ1jV6EllXEQLjHQCcCca8SxmxAW1OulgHU3Ij5jiZBNgAoNvk
mQNehSht5ura47MpB7F2Bdo2
=SPjo
-----END PGP SIGNATURE-----

Current thread:

VLAN Security bugtraq () SIS ALPHAWEST COM AU (Sep 01)
- Re: VLAN Security Tilman Schmidt (Sep 02)
- Re: VLAN Security Basil V. Dolmatov (Sep 03)
- Re: VLAN Security Stefan Stefanov (Sep 03)
  - Re: VLAN Security Lisa Napier (Sep 08)
- Internet Gambling Exploit Gary McGraw (Sep 03)
- Re: VLAN Security Strange (Sep 03)
  - the morning after: VLAN Security llynch () JORSM COM (Sep 07)
- Re: VLAN Security Jason Lutz (Sep 07)
- <Possible follow-ups>
- Re: VLAN Security David Taylor (Sep 07)
- Re: VLAN Security Roche-Kelly, Edmund B. (Sep 08)
- Re: VLAN Security LEPAGE, YVES (Sep 08)