Bugtraq mailing list archives
Re: VLAN Security
From: lnapier () CISCO COM (Lisa Napier)
Date: Wed, 8 Sep 1999 17:59:23 -0700
Hi all, In our testing, working with default configurations of competitors products, we found roughly the same behavior. And if you are using ISL, this is not a problem, and packets are dropped accordingly. The implementation of 802.1q is focused on speed. The changes necessary to function as the Bayswitch does, looking for the 802.1q on input would affect performance. We are discussing the tradeoffs and options with product management at this time. The use of ISL trunking eliminates this problem, and improperly tagged packets are indeed dropped at the input port. This is due to where this information is located in the frames. ISL tags are prior to the destination mac address, 802.1q tags occur after the destination mac. On these switches, the input processing only goes as far as the destination mac, and presumes that is all the information needed to make a determination as to where to forward the frame. It should also be noted that there are configuration workarounds. This can occur ONLY from the native vlan. Forwarding improperly tagged packets across an 802.1q trunk can be avoided by assigning an unused vlan number to the native vlan. Thank you, Lisa Napier Product Security Incident Response Team Cisco Systems At 11:23 AM 9/3/1999 +0300, Stefan Stefanov wrote:
bugtraq () SIS ALPHAWEST COM AU wrote:To Bugtraq, We have recently conducted some testing into the security of the implementation of VLANs on a pair of Cisco Catalyst 2900 series switches and we feel that the results of this testing might be of some value to the readers. Testing basically involved injecting 802.1q frames with forged VLAN identifiers into the switch in an attempt to get the frame to jump VLANs. A brief background is included below for those that might not be too familiar with VLANs. Others should skip to the end for the results.Interesting proposal, but I think it is more or less Cisco specific. Here I have a BayStack 350T-24 running software revision 1.0.0.2. According to the documentation the switch has the following feature that can be configured on per Port basis: Filter Tagged Frames: Allows you to set this port to filter (discard) all received tagged packets. I think all the ethernet switches should filter all tagged frames when a port is not a trunk port. This way a machine that is connected to a non trunked port, should not be able to send frames with 802.1q tags in it. In your example the switch should have filtered the tagged frames. -- Best Regards, Stefan Stefanov Orbitel Ltd.
Current thread:
- VLAN Security bugtraq () SIS ALPHAWEST COM AU (Sep 01)
- Re: VLAN Security Tilman Schmidt (Sep 02)
- Re: VLAN Security Basil V. Dolmatov (Sep 03)
- Re: VLAN Security Stefan Stefanov (Sep 03)
- Re: VLAN Security Lisa Napier (Sep 08)
- Internet Gambling Exploit Gary McGraw (Sep 03)
- Re: VLAN Security Strange (Sep 03)
- the morning after: VLAN Security llynch () JORSM COM (Sep 07)
- Re: VLAN Security Jason Lutz (Sep 07)
- <Possible follow-ups>
- Re: VLAN Security David Taylor (Sep 07)
- Re: VLAN Security Roche-Kelly, Edmund B. (Sep 08)
- Re: VLAN Security LEPAGE, YVES (Sep 08)