Vulnerability Development mailing list archives
Re: Vlans
From: "Aaron D. Turner" <aturner () ONESECURE COM>
Date: Thu, 18 Jan 2001 09:52:26 -0800
Tim,

The answer is 'depends'. How switches actually implement VLANs is up to the vendor. Also, remember that VLANs were designed to restrict broadcast traffic *not* unicast (ie, you may be able to jump VLANs if you know the MAC of the target host - I've seen this happen on Bay Networks switches). VLANs were designed to improve network performance *NOT* security. Not to say that VLANs can't improve security, but you have to realize the limitations (which are implementation dependent).

The most important thing is configuring it correctly and managing it securely. I've lost count of how many times someone swore to me that the VLANs were set like "this" and didn't look anything like that, which had the effect of opening up huge holes in the network if someone knew.

In most cases, it is more cost effective and secure to use a dedicated hub or even a crossover cable between routers and firewalls since you generally only have those two devices on that network. An additional advantage of a hub is that it makes adding a sniffer or IDS easier and does so without impacting the performance of the switch.

For more info on this topic, see: http://www.synfin.net/docs/switch_security.html

--
Aaron D. Turner
Security Architect, OneSecure http://www.onesecure.com/
aturner () onesecure com
work: 408-992-8045 cell: 408-314-9874
pub 1024D/1B57EB4D 2000-09-27 Aaron D. Turner <aturner () onesecure com>
Key fingerprint = F90C BFB4 4404 5504 295D 4435 578B 1DD5 1B57 EB4D
All emails by me are PGP signed; an invalid signature indicates a forgery.

On Wed, 17 Jan 2001, Tim Salus wrote:
I am not certain if this is the place to ask this and if not, please let me know where to send it.

I have a client who has the following configuration:

Internet -> router -> firewall -> load balancer

The connection from the router to the firewall is on a switch and the connection from the inside interface of the firewall is on the same switch. The separation is done using VLANs. I was taught this is bad due to 802.1q tagging and VLAN hopping using tagged packets. The problem is I can find very little information on this to prove my point. Also, what if there is no 802.1q trunking being done? Is there still a problem with this? Is there an exploit to get around the firewall and do server flooding by jumping VLANs? No one can get on the firewall segment, so what I need to know is: can anyone on the internet cause a problem with this type of configuration?

Thanks in advance,
Timothy L. Salus
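As an added example (not part of the original thread or either author's work): a Python parser that walks the 802.1Q tags on Ethernet frames and, from the defender's side, flags frames that should never arrive on an untagged access port such as the firewall links in Tim's layout: any tag at all, a tag for a VLAN other than the one expected, and stacked tags. The frames, MAC addresses and VLAN IDs are constructed sample data, and parse_vlan_tags, audit_access_port_frames and build_frame are names chosen here.

```python
import struct

TPID_8021Q = 0x8100   # customer VLAN tag (802.1Q)
TPID_8021AD = 0x88A8  # service tag used for stacked (QinQ) tagging

def parse_vlan_tags(frame: bytes):
    """Return (dst_mac, src_mac, [vid, ...], ethertype) for an Ethernet II frame,
    walking every 802.1Q/802.1ad tag so stacked (double) tags are all reported."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    offset, vids = 12, []
    while True:
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return dst, src, vids, ethertype
        if len(frame) < offset + 6:  # need the TCI plus the next EtherType
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4

def audit_access_port_frames(frames, expected_vid=None):
    """Flag frames an untagged access port should never carry: any 802.1Q tag,
    a tag for a VLAN other than expected_vid, and above all stacked tags."""
    findings = []
    for n, frame in enumerate(frames):
        _dst, src, vids, _etype = parse_vlan_tags(frame)
        if len(vids) >= 2:
            findings.append((n, src, vids, "stacked 802.1Q tags (double tagging)"))
        elif vids and expected_vid is not None and vids[0] != expected_vid:
            findings.append((n, src, vids, "tag for unexpected VLAN"))
        elif vids:
            findings.append((n, src, vids, "tagged frame on access port"))
    return findings

def build_frame(dst, src, vids, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Constructed sample frame: MACs, zero or more 802.1Q tags, EtherType, payload."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed sample capture (not real traffic): untagged, single-tagged, double-tagged.
SAMPLE_FRAMES = [
    build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", []),
    build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:03", [10]),
    build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:04", [1, 20]),
]
```

Running audit_access_port_frames(SAMPLE_FRAMES, expected_vid=10) over a capture taken on the access side of the firewall link reports the tagged and double-tagged frames; on a correctly configured access port the list should be empty.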