Security Basics mailing list archives

RE: VLAN hopping


From: "Bryan S. Sampsel" <bsampsel () libertyactivist org>
Date: Fri, 30 Sep 2005 15:02:48 -0600 (MDT)


The most referenced exploit you'll find, specifically for Cisco switches
but prob works on others too, relies on someone being dumb enough to leave
the default vlan numbered at 1.

You change that and much of the steam against the issue goes away.  The
switch is like any other system, you don't leave anything in a default
state.

Actually, the use of switches to implement security by way of logical
VLANs is fairly common...you can either filter your layer 3 traffic with
your layer 3 switch or use something like the Cisco PIX.  The advantage of
the PIX is that it is a stateful packet firewall, layer 3 switches are
not...so there's some flexibility issues at stake there.

But, just because you have a switch with more than one VLAN does not mean
you have to define all your VLANS on that switch.  At most, you'd want
your "DMZ" vlans and then probably the "management" VLAN that you use to
remotely manage your switch.

Opinions differ on the subject, the archives will show you some heated
debates on this topic.  ;)

Either way will work...much of it depends on the level of hardware you
want to implement, man hours, and space taken up by additional chassis
that you may not need.  It's a calculated risk.

Good luck,

Bryan
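The point above about not leaving the default VLAN at 1 is easy to audit from a saved config. The following is an added example, not code from the thread: it walks a constructed Cisco IOS-style switchport config and reports trunk ports whose native VLAN is still 1 and access ports still sitting in VLAN 1, counting the IOS defaults (no `switchport trunk native vlan` / `switchport access vlan` line means VLAN 1) as findings.

```python
# Constructed sample of Cisco IOS-style switchport configuration (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
!
interface GigabitEthernet0/2
 description uplink to DMZ firewall
 switchport mode trunk
 switchport trunk native vlan 999
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/4
 switchport mode access
 switchport access vlan 20
!
"""

def parse_interfaces(config):
    """Split an IOS-style config into {interface_name: [indented config lines]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the interface stanza
    return interfaces

def find_default_vlan_ports(config):
    """Return (interface, finding) pairs for ports still using VLAN 1.

    On IOS a trunk without 'switchport trunk native vlan' and an access port
    without 'switchport access vlan' both fall back to VLAN 1, so an absent
    line is treated as VLAN 1, exactly the default state the post warns about.
    """
    findings = []
    for name, lines in parse_interfaces(config).items():
        mode = next((ln.split()[-1] for ln in lines if ln.startswith("switchport mode ")), None)
        if mode == "trunk":
            hits = [ln for ln in lines if ln.startswith("switchport trunk native vlan ")]
            if (int(hits[0].split()[-1]) if hits else 1) == 1:
                findings.append((name, "trunk native VLAN is 1 (default)"))
        elif mode == "access":
            hits = [ln for ln in lines if ln.startswith("switchport access vlan ")]
            if (int(hits[0].split()[-1]) if hits else 1) == 1:
                findings.append((name, "access port in VLAN 1 (default)"))
    return findings

if __name__ == "__main__":
    for iface, why in find_default_vlan_ports(SAMPLE_CONFIG):
        print(f"{iface}: {why}")
```

Feed it the output of `show running-config` from a real switch to list the ports that still need a non-default native or access VLAN assigned.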

-----Original Message-----
From: josh () tstc edu [mailto:josh () tstc edu]
Sent: Wednesday, September 28, 2005 9:59 AM
To: security-basics () securityfocus com
Subject: VLAN hopping

We are having a heated discussion about using VLANs as a type of DMZ, so
I am asking the experts.  I personally like to see physical isolation;
however, our network person doesn't feel there is a threat of VLAN
hopping.  Please let me know your opinions.

Thank you,
