Firewall Wizards mailing list archives

Re: Cisco Catalyst issues


From: Jan.Bervar () nil si
Date: Wed, 4 Nov 1998 20:06:03 +0100


> A few people have sent me private e-mail asking what I know about Cisco
> Catalyst VLAN security.  Since I said something to begin with, let me
> elaborate a bit more.

Ryan,

just a couple of notes between your text below...

> - CDP
> I've been able to get a Cat to believe there's another Cat of the
> same name, with the same MAC address running the same
> SW version and same IP address as itself out my Ethernet port,
> by simply replaying its own CDP packets back at it.  This is mostly
> harmless... unless a network management station comes along
> looking for new Cisco devices... and sends me the SNMP
> passwords.

Isn't CDP one of the first things to disable in a router if you are
setting it up securely? Why not do the same in a switch?

Getting the current SNMP passwords would be much easier by just sending
gratuitous ARPs towards the Cat, polluting everyone's ARP cache. Posing as a
new device is even simpler. No Cat-specific things here...

> -ISL
> By default, all ISL capable cards are in auto mode...which means
> they'll believe the other end of the wire when deciding whether to set
> up VLANS.  The intention of this is to allow ISL links to be set up from
> either end.  This also means that if I send ISL packets from my workstation,
> and claim a particular VLAN and MAC address, I get all that MAC address's
> traffic, and of course I can send to the other VLAN now.  This is supposed
> to be able to be turned off, haven't done any testing with it yet.

This is analogous to running a L3 routing protocol with no authentication. You
can easily reroute any traffic to yourself by spoofing routing traffic (host
routes would be most effective as their effect would be more difficult to
notice).

On the other hand, if you can get access to a trunk port (which is hopefully not
accessible to end users) you can do much more damage than playing with ISL or VTP
(like sniffing all the traffic on that trunk).

> -Etherchannel
> Same as above... default is auto mode... will let the other end set up
> trunking.

Ditto. Hey, all the L3 routing protocols default to no authentication.

> There's lots of other things to try... spanning tree games, sending
> unsolicited ISL packets (even when it's turned off), writing exploits to
> attack the login

Turning off spanning tree at the leaf connections (end-users) is usually one
of the first things to do if you want to have a stable switched network.

It seems to me that these are really not Cat problems. If you take very
elementary precautions like:

- running ISL manually configured
- running etherchannel manually configured
- turning off CDP and all other unnecessary stuff
- turning off spanning tree at leaf ports

then you have a pretty tight box. If manageability/flexibility is your primary
concern, don't do it. Setting up routers securely (in a firewall setup, for
example) is an equally (un)demanding job: turning all the unnecessary things
off and knowing what to trust.


Best regards,
Jan
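As an added example (not part of this thread, and not a Cisco tool), here is a small Python script that audits a Catalyst configuration for the four items in Jan's checklist: trunk/ISL left in a negotiating mode, EtherChannel left in a negotiating mode, CDP still enabled on leaf ports, and spanning tree still active (no portfast) on leaf ports. The two configuration texts are constructed for the example and modelled on CatOS "set" command forms; that syntax, the port list, the set of intended uplink ports, and the defaults applied to unconfigured ports (trunk and channel auto, as the thread notes; CDP on; portfast off) are all assumptions of the example.

```python
"""Audit a Catalyst (CatOS-style) configuration for the four checklist
items: trunk (ISL) negotiation, EtherChannel negotiation, CDP on leaf
ports, and spanning tree left active on leaf ports.

Added example; the config text is constructed and modelled on CatOS
"set" command forms (an assumption, not a capture from a real switch)."""
import re
from collections import defaultdict

# Weak configuration: two uplinks on module 1, four user ports on module 2.
WEAK_CONFIG = """\
set trunk 1/1 on isl 1-1005
set trunk 2/1 auto isl 1-1005
set trunk 2/2 desirable isl 1-1005
set trunk 2/3 off
set trunk 2/4 on isl 1-1005
set port channel 1/1-2 on
set port channel 2/1-2 auto
set cdp disable 2/2
set cdp disable 2/3
set spantree portfast 2/3 enable
"""

# The same switch with every setting made explicit, as the checklist recommends.
HARDENED_CONFIG = """\
set trunk 1/1 on isl 1-1005
set trunk 1/2 on isl 1-1005
set trunk 2/1 off
set trunk 2/2 off
set trunk 2/3 off
set trunk 2/4 off
set port channel 1/1-2 on
set port channel 2/1-4 off
set cdp disable 2/1-4
set spantree portfast 2/1-4 enable
"""

PORTS = ["1/1", "1/2", "2/1", "2/2", "2/3", "2/4"]   # ports under review (assumed)
UPLINKS = {"1/1", "1/2"}                             # intended trunk/channel ports (assumed)

# What a port gets when the config says nothing about it: trunk and channel
# default to auto (as the thread notes), CDP is on, and portfast is off.
DEFAULTS = {"trunk": "auto", "channel": "auto", "cdp": "enable", "portfast": "disable"}
NEGOTIATING = {"auto", "desirable"}   # modes that let the far end decide


def expand_ports(spec):
    """'2/1-3' -> ['2/1', '2/2', '2/3']; '2/5' -> ['2/5']."""
    m = re.fullmatch(r"(\d+)/(\d+)(?:-(\d+))?", spec)
    if not m:
        raise ValueError("bad port spec: %r" % spec)
    mod, lo, hi = m.group(1), int(m.group(2)), int(m.group(3) or m.group(2))
    return ["%s/%d" % (mod, p) for p in range(lo, hi + 1)]


def parse(config):
    """Return {port: {feature: mode}} for the settings the audit looks at."""
    state = defaultdict(dict)
    for line in config.splitlines():
        w = line.split()
        if len(w) < 4 or w[0] != "set":
            continue
        if w[1] == "trunk":                                        # set trunk <port> <mode> ...
            for p in expand_ports(w[2]):
                state[p]["trunk"] = w[3]
        elif w[1:3] == ["port", "channel"] and len(w) >= 5:        # set port channel <ports> <mode>
            for p in expand_ports(w[3]):
                state[p]["channel"] = w[4]
        elif w[1] == "cdp" and len(w) == 4:                        # set cdp <enable|disable> <ports>
            for p in expand_ports(w[3]):
                state[p]["cdp"] = w[2]
        elif w[1:3] == ["spantree", "portfast"] and len(w) >= 5:   # set spantree portfast <ports> <mode>
            for p in expand_ports(w[3]):
                state[p]["portfast"] = w[4]
    return state


def audit(config, ports=PORTS, uplinks=UPLINKS):
    """Return a sorted list of (port, finding) for every weak setting."""
    state = parse(config)
    findings = []
    for port in ports:
        cfg = dict(DEFAULTS, **state.get(port, {}))   # unconfigured -> CatOS default
        leaf = port not in uplinks
        if cfg["trunk"] in NEGOTIATING:
            findings.append((port, "trunk mode %s: far end can negotiate ISL trunking" % cfg["trunk"]))
        elif cfg["trunk"] == "on" and leaf:
            findings.append((port, "trunk forced on a leaf port"))
        if cfg["channel"] in NEGOTIATING:
            findings.append((port, "channel mode %s: far end can negotiate EtherChannel" % cfg["channel"]))
        if leaf and cfg["cdp"] == "enable":
            findings.append((port, "CDP enabled on a leaf port"))
        if leaf and cfg["portfast"] != "enable":
            findings.append((port, "spanning tree active on a leaf port (portfast disabled)"))
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("%s config: %d findings" % (name, len(audit(cfg))))
        for port, finding in audit(cfg):
            print("  %s  %s" % (port, finding))
```

The point of the defaults table is the one the thread makes: a port the config never mentions is not safe, it is in auto mode, so the audit treats silence as the weak setting rather than skipping the port. Run against the weak sample it reports 13 findings on five of the six ports; the hardened sample produces none.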
