Firewall Wizards mailing list archives

Cisco Catalyst issues


From: "Ryan Russell" <ryanr () sybase com>
Date: Fri, 30 Oct 1998 12:37:20 -0800

A few people have sent me private e-mail asking what I know about Cisco
Catalyst VLAN security.  Since I said something to begin with, let me
elaborate a bit more.

First off, the Catalysts I'm referring to are the 5000/5500 family.  I
don't know what the differences are in the 2900 family or the 8500
family.  I'll have some 8500s before too long.  My understanding
of the 8500s is that they are very similar to 5500s with the RSM module,
only faster.  The one difference with the 8500s I'm aware of is that
the routing portion of them isn't quite a full IOS yet, similar to the
12000.  To be fair, I haven't laid hands on an 8500 or 2900 yet,
so I can't speak with any authority there.

If I write up something more formal, I'll let folks know, but here's
the short version:

- CDP
I've been able to get a Cat to believe there's another Cat of the
same name, with the same MAC address running the same
SW version and same IP address as itself out my Ethernet port,
by simply replaying its own CDP packets back at it.  This is mostly
harmless... unless a network management station comes along
looking for new Cisco devices... and sends me the SNMP
passwords.

- ISL
By default, all ISL capable cards are in auto mode... which means
they'll believe the other end of the wire when deciding whether to set
up VLANs.  The intention of this is to allow ISL links to be set up from
either end.  This also means that if I send ISL packets from my workstation,
and claim a particular VLAN and MAC address, I get all that MAC address's
traffic, and of course I can send to the other VLAN now.  This is supposed
to be able to be turned off; I haven't done any testing with it yet.

- Etherchannel
Same as above... default is auto mode... will let the other end set up
trunking.

There's lots of other things to try... spanning tree games, sending
unsolicited ISL packets (even when it's turned off), writing exploits to
attack the login prompt bug (may only be for the RSM module... it's not
clear from Cisco's advisories).  The list goes on.  Cisco doesn't QA them
as if they were security devices, they won't claim they're good enough for
separating security domains, and you should believe them.

They really shouldn't be used to separate security domains of different
security requirements.

I do plan to do more research into these areas, time permitting.  Sorry
I don't have a cool exploit written to demonstrate, or an
explicit advisory notice or anything.   If your Cisco rep is telling you
it's good enough for security separation, then they're ignorant of
the issues, or lying.  I know there are people at Cisco that will
tell you the Cats aren't good enough for different security domains.

                              Ryan
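The ISL point above is the one most worth seeing in bytes: a trunk-encapsulated frame carries the VLAN number in its header, so a host that can emit such frames is asserting which VLAN it belongs to, and a port in auto mode takes that assertion at face value. The script below is an added example, not code from the original post or from Cisco: it builds an ISL-encapsulated frame and an 802.1Q-tagged frame from the documented header layouts, parses both back, and then classifies each frame under two port policies, trunk auto (tag honored) and trunk off (tag ignored and flagged). The MAC addresses, the port records and the "trunk on/auto/off" policy model are constructed for illustration; the model describes the behaviour the post attributes to auto mode, not any particular Catalyst firmware, and the ISL CRC is computed here as a plain CRC-32 over the preceding bytes.

```python
import struct
import zlib

# Constructed sample addresses (hypothetical, not from the original post).
ATTACKER_MAC = bytes.fromhex("00000c123456")
VICTIM_MAC = bytes.fromhex("00000c654321")

ISL_DA = bytes.fromhex("01000c0000")  # ISL destination: first 40 bits of 01-00-0C-00-00
DOT1Q_TPID = 0x8100                   # 802.1Q tag protocol identifier


def ethernet(dst, src, ethertype, payload):
    """Plain Ethernet II frame: DA, SA, EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def isl_encapsulate(inner, vlan, src_mac):
    """Wrap an Ethernet frame in a 26-byte ISL header plus 4-byte trailing CRC."""
    if not 0 <= vlan < 2 ** 15:
        raise ValueError("ISL VLAN field is 15 bits")
    hdr = ISL_DA + b"\x00"                      # 4-bit TYPE=0 (Ethernet), 4-bit USER=0
    hdr += src_mac                              # SA of the device asserting the VLAN
    hdr += struct.pack("!H", len(inner) + 12)   # LEN = total length minus 18 (DA,TYPE,SA,LEN,CRC)
    hdr += b"\xaa\xaa\x03" + src_mac[:3]        # SNAP LLC, then HSA = upper 3 bytes of SA
    hdr += struct.pack("!H", (vlan << 1) | 0)   # 15-bit VLAN id, low bit = BPDU flag
    hdr += struct.pack("!HH", 0, 0)             # INDEX, RES
    body = hdr + inner
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


def dot1q_tag(inner, vlan, pcp=0):
    """Insert an 802.1Q tag (TPID + TCI) after the source MAC of an Ethernet frame."""
    if not 0 <= vlan < 2 ** 12:
        raise ValueError("802.1Q VID is 12 bits")
    tci = (pcp << 13) | vlan
    return inner[:12] + struct.pack("!HH", DOT1Q_TPID, tci) + inner[12:]


def parse_frame(frame):
    """Return the encapsulation, the VLAN the frame claims (if any), and the inner frame."""
    if frame[:5] == ISL_DA:
        vlan = struct.unpack("!H", frame[20:22])[0] >> 1
        return {"encap": "isl", "vlan": vlan, "inner": frame[26:-4]}
    if struct.unpack("!H", frame[12:14])[0] == DOT1Q_TPID:
        tci = struct.unpack("!H", frame[14:16])[0]
        return {"encap": "dot1q", "vlan": tci & 0x0FFF, "inner": frame[:12] + frame[16:]}
    return {"encap": "none", "vlan": None, "inner": frame}


def classify(port, frame):
    """Model of the port policy described in the post (hypothetical, not switch firmware).

    port = {"name": ..., "trunk": "auto" | "on" | "off", "vlan": <access VLAN>}
    Returns (vlan the frame is attributed to, finding or None).
    With trunk off the tag is ignored and its presence is a finding; with trunk
    auto/on the VLAN claimed in the tag is honored, which is the exposure.
    """
    parsed = parse_frame(frame)
    tagged = parsed["encap"] != "none"
    if port["trunk"] == "off":
        return port["vlan"], ("tagged frame on non-trunk port" if tagged else None)
    if tagged:
        return parsed["vlan"], "VLAN claimed by remote end honored (trunk %s)" % port["trunk"]
    return port["vlan"], None


# Constructed sample traffic: the attacker's host claims VLAN 200 on a port whose
# access VLAN is 10.
SAMPLE_INNER = ethernet(VICTIM_MAC, ATTACKER_MAC, 0x0800, b"\x45" + b"\x00" * 19)
SAMPLE_ISL = isl_encapsulate(SAMPLE_INNER, 200, ATTACKER_MAC)
SAMPLE_DOT1Q = dot1q_tag(SAMPLE_INNER, 300)
PORT_AUTO = {"name": "2/1", "trunk": "auto", "vlan": 10}  # hypothetical port records
PORT_OFF = {"name": "2/1", "trunk": "off", "vlan": 10}

if __name__ == "__main__":
    for label, frame in (("isl", SAMPLE_ISL), ("dot1q", SAMPLE_DOT1Q), ("untagged", SAMPLE_INNER)):
        for port in (PORT_AUTO, PORT_OFF):
            vlan, finding = classify(port, frame)
            print("%-8s trunk=%-4s -> vlan %s %s" % (label, port["trunk"], vlan, finding or ""))
```

Run it and the same ISL frame lands in VLAN 200 under trunk auto but in VLAN 10 with a finding under trunk off; that difference is the whole argument for pinning trunk mode to off on every port that faces a host rather than another switch.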
