Vulnerability Development mailing list archives

Re: Vlans


From: "Aaron D. Turner" <aturner () ONESECURE COM>
Date: Thu, 18 Jan 2001 09:52:26 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Tim,

The answer is 'depends'.  How switches actually implement VLANs is up to
the vendor.  Also, remember that VLANs were designed to restrict
broadcast traffic *not* unicast (i.e., you may be able to jump VLANs if you
know the MAC of the target host; I've seen this happen on Bay Networks
switches).  VLANs were designed to improve network performance *NOT*
security.  Not to say that VLANs can't improve security, but you have to
realize the limitations (which are implementation dependent).

The most important thing is configuring it correctly and managing it
securely.  I've lost count of how many times someone swore to me that the
VLANs were set like "this" and they didn't look anything like that, which had
the effect of opening up huge holes in the network if someone knew.

In most cases, it is more cost effective and secure to use a dedicated hub
or even a crossover cable between routers and firewalls, since you generally
only have those two devices on that network.  An additional advantage of a
hub is that it makes adding a sniffer or IDS easier and does so without
impacting the performance of the switch.

For more info on this topic, see:
http://www.synfin.net/docs/switch_security.html

- --
Aaron D. Turner  Security Architect, OneSecure  http://www.onesecure.com/
aturner () onesecure com  work: 408-992-8045  cell: 408-314-9874
pub  1024D/1B57EB4D 2000-09-27 Aaron D. Turner <aturner () onesecure com>
     Key fingerprint = F90C BFB4 4404 5504 295D  4435 578B 1DD5 1B57 EB4D
All emails by me are PGP signed; an invalid signature indicates a forgery.

On Wed, 17 Jan 2001, Tim Salus wrote:

I am not certain if this is the place to ask this and if not please let
me know where to send it.

I have a client who has the following configuration:

Internet -> router -> firewall -> load balancer

The connection from the router to the firewall is on a switch and the
connection from the inside interface of the firewall is on the same
switch. The separation is done using VLANs.

I was taught this is bad due to 802.1q tagging and VLAN hopping using
tagged packets. The problem is I can find very little information on
this to prove my point.

Also what if there is no 802.1q trunking being done. Is there still a
problem with this?

Is there an exploit to get around the firewall and do server flooding by
jumping VLANs?

No one can get on the firewall segment, so what I need to know is: can
anyone on the internet cause a problem with this type of configuration?

Thanks in advance

Timothy L. Salus

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Public key 0x1B57EB4D at: http://www.keyserver.net/en/
Filter: gpg4pine 4.1 (http://azzie.robotics.net)

iEYEARECAAYFAjpnLVsACgkQV4sd1RtX6002HgCePFC7kkib403vWwiBnr+TtWHk
I/MAni/4yTVWQlBZmMbh5DNaJKhFpe+6
=jwZO
-----END PGP SIGNATURE-----
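As an added example (not part of the original message or this thread), the following Python script parses raw Ethernet frames and reports any 802.1Q tags it finds, including stacked tags. Run over frames captured by the sniffer or IDS Aaron suggests placing on the router/firewall segment, it flags tagged frames on a segment that should only carry untagged traffic and frames whose outer tag is not in the allowed set, which is one way to check that the VLAN layout really is set up "like this". The sample frames, MAC addresses and VLAN numbers below are constructed test data, not captures from any real network.

```python
"""Parse Ethernet frames and flag unexpected 802.1Q tags on a monitored segment.

Added example for the VLAN discussion above; all frames below are constructed.
"""
import struct

ETHERTYPE_8021Q = 0x8100   # customer VLAN tag (IEEE 802.1Q)
ETHERTYPE_8021AD = 0x88A8  # provider tag used as the outer tag in QinQ
TAG_ETHERTYPES = {ETHERTYPE_8021Q, ETHERTYPE_8021AD}


def _mac(raw):
    """Format six bytes as a colon-separated MAC address."""
    return ":".join("%02x" % b for b in raw)


def parse_frame(frame):
    """Return dst/src MAC, VLAN IDs (outer first), payload ethertype and payload.

    Walks through any number of stacked tags; each tag is 4 bytes
    (2 bytes tag ethertype, 2 bytes TCI; the VID is the low 12 bits of the TCI).
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    offset = 12
    vlans = []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype in TAG_ETHERTYPES:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return {
        "dst": dst,
        "src": src,
        "vlans": vlans,
        "ethertype": ethertype,
        "payload": frame[offset + 2:],
    }


def audit_frame(frame, allowed_vlans=frozenset()):
    """Return a list of findings for one frame seen on a monitored segment.

    allowed_vlans is the set of VLAN IDs the segment is expected to carry;
    an empty set means the segment should only ever see untagged frames.
    """
    vlans = parse_frame(frame)["vlans"]
    findings = []
    if len(vlans) > 1:
        findings.append("stacked 802.1Q tags %s (double tagging)" % vlans)
    if vlans and not allowed_vlans:
        findings.append("tagged frame (VLAN %d) where only untagged traffic is expected" % vlans[0])
    elif vlans and vlans[0] not in allowed_vlans:
        findings.append("outer VLAN %d not in allowed set %s" % (vlans[0], sorted(allowed_vlans)))
    return findings


def audit_capture(frames, allowed_vlans=frozenset()):
    """Audit a sequence of frames; return (index, findings) for frames with findings."""
    results = []
    for i, frame in enumerate(frames):
        findings = audit_frame(frame, allowed_vlans)
        if findings:
            results.append((i, findings))
    return results


# Constructed sample frames (dst, src, optional tags, ethertype 0x0800, 4 payload bytes).
UNTAGGED = bytes.fromhex("001122334455" "66778899aabb" "0800" "deadbeef")
SINGLE_TAGGED = bytes.fromhex("001122334455" "66778899aabb" "8100000a" "0800" "deadbeef")
DOUBLE_TAGGED = bytes.fromhex("001122334455" "66778899aabb" "81000001" "81000014" "0800" "deadbeef")


if __name__ == "__main__":
    # A segment between router and firewall that should never carry tags.
    for idx, findings in audit_capture([UNTAGGED, SINGLE_TAGGED, DOUBLE_TAGGED]):
        for f in findings:
            print("frame %d: %s" % (idx, f))
```

On a segment where tagged frames are expected (an actual trunk), pass the allowed VLAN set, e.g. `audit_frame(frame, {10})`; stacked tags are still reported because the inner tag is what the next switch would act on after the outer one is stripped.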
