Vulnerability Development mailing list archives
Re: Vlans
From: John Kinsella <jlk () slip net>
Date: Thu, 18 Jan 2001 00:35:26 -0800
Tim -

In theory it's possible to "flatten" VLANs on a switch by slamming the switch's CPU with enough traffic that it stops tagging packets for the appropriate VLANs. From what I understand, at this point instead of the switch dropping the packet, it sends the packet out destined for all VLANs. There was some discussion on this topic on bugtraq last year. I've been meaning to test out the theory myself in the lab over the last few weeks but haven't had a chance yet...

I will say that unless money is a serious constraint that a client has, I always try to keep internal and external network traffic on physically separate switches. Some peace of mind may come, though, from considering that the amount of traffic needed to jump a switch's VLANs *should* be more than easily generated by a remote user...I'd guess at least 80% of a switch's backplane capacity would need to be forced through the switch.

John

On Wed, Jan 17, 2001 at 09:02:03AM -0800, Tim Salus wrote:
I am not certain if this is the place to ask this, and if not please let me know where to send it. I have a client who has the following configuration:

Internet -> router -> firewall -> load balancer

The connection from the router to the firewall is on a switch, and the connection from the inside interface of the firewall is on the same switch. The separation is done using VLANs. I was taught this is bad due to 802.1q tagging and VLAN hopping using tagged packets. The problem is I can find very little information on this to prove my point. Also, what if there is no 802.1q trunking being done? Is there still a problem with this? Is there an exploit to get around the firewall and do server flooding by jumping VLANs? No one can get on the firewall segment, so what I need to know is: can anyone on the internet cause a problem with this type of configuration?

Thanks in advance,
Timothy L. Salus
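As an added illustration of the 802.1q tagging Tim asks about (example code written for this page, not from either poster), here is a small Python parser that walks stacked 802.1Q/802.1ad tags in a raw Ethernet frame and flags what a defender monitoring the shared switch would alert on: a tagged frame arriving on an access port, a double-tagged frame on a trunk, or a VLAN ID the trunk is not supposed to carry. The sample frames and the port/VLAN policy are constructed, not captured.

```python
import struct

# EtherTypes that introduce a VLAN tag: 802.1Q, 802.1ad (QinQ), legacy QinQ
ETHERTYPE_VLAN = {0x8100, 0x88A8, 0x9100}

def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, inner_ethertype) for a raw Ethernet frame.
    Walks every stacked tag after the 12-byte dst/src MAC addresses;
    an untagged frame yields an empty list."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    vids = []
    off = 12
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    while ethertype in ETHERTYPE_VLAN:
        if len(frame) < off + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return vids, ethertype

def check_frame(frame: bytes, port_kind: str, allowed_vids):
    """Classify a frame observed on a port against a constructed policy.
    port_kind is 'access' (must never carry a tag) or 'trunk'.
    Returns 'ok' or a short reason string suitable for an alert."""
    vids, _ = parse_vlan_tags(frame)
    if port_kind == "access":
        return "ok" if not vids else f"tagged frame on access port (vids={vids})"
    if len(vids) > 1:
        return f"double-tagged frame on trunk (vids={vids})"
    if vids and vids[0] not in allowed_vids:
        return f"vid {vids[0]} not allowed on this trunk"
    return "ok"

# Constructed sample frames (not captured traffic): dst MAC, src MAC, then
# an optional tag stack, then an IPv4 EtherType and a zeroed payload.
MACS = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
IPV4 = b"\x08\x00" + b"\x00" * 20
UNTAGGED = MACS + IPV4
TAGGED_10 = MACS + b"\x81\x00" + struct.pack("!H", 10) + IPV4
DOUBLE_10_20 = (MACS + b"\x81\x00" + struct.pack("!H", 10)
                + b"\x81\x00" + struct.pack("!H", 20) + IPV4)

if __name__ == "__main__":
    for name, frame, kind in (("untagged", UNTAGGED, "access"),
                              ("tagged", TAGGED_10, "access"),
                              ("double", DOUBLE_10_20, "trunk")):
        print(name, parse_vlan_tags(frame), check_frame(frame, kind, {10}))
```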
Current thread:
- Vlans Tim Salus (Jan 17)
- Re: Vlans Akatosh (Jan 18)
- Re: Vlans Lincoln Yeoh (Jan 22)
- <Possible follow-ups>
- Vlans Tim Salus (Jan 18)