Re: Untrusted VLANs on Core Gear

["Raw, Randy" <rawr () MORE NET>]

This has been a good discussion, thanks for the different perspectives.


It raises another question that is potentially more troublesome, and
that is the Metro Ethernet that many ISPs now provide. Are they not also
using VLANs for separating traffic in the core of their networks? It
just doesn't seem feasible that they would have a physically separate
network for every customer. How do they keep overflow attacks from
happening on their networks?

Furthermore, it is much easier to run Ethereal/Wireshark to grab traffic
off of one of those VLANS than it is for capturing traffic off of an
OC-3/12/48. What keeps an ISP employee from illegally capturing your
data?  Do any of you have SLAs that address these sort of issues, or do
they keep you up at night?

Randy Raw, CISSP
MOREnet Manager, Network Security
3212 LeMone Industrial Blvd
Columbia, MO 65201
573.882.0749
573.884.7699 fax
http://www.more.net/security
 

> -----Original Message-----
> From: John Ladwig [mailto:John.Ladwig () CSU MNSCU EDU] 
> Sent: Wednesday, February 07, 2007 1:47 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Untrusted VLANs on Core Gear
>
> I guess I have a qualified answer to the "run screaming" question.  
> Like so many security analyses, it depends.
>
> I'm affiliated with a rather large installation wherein 
> compartments of differing security levels are implemented on 
> VLANs, and I am not currently losing sleep over it.  
>
> The large caveat is that we have *very* good control over the 
> entire switching fabric of those compartments.  We have 
> operational change control that requires MAC assignments 
> per-port, with unused ports configured in an 
> operationally-down state.  That alone reduces the risk of ARP 
> or CAM-table overflow attacks tremendously.  And the cost of 
> the number of gigabit-capable ports we'd need to implement 
> the number of security compartments we've defined is enough 
> to cause us to accept this level of risk, at this time.
>
> The scenario from the OP, I think, probably does not fit the 
> model of mixed-assurance VLANs on a switch, unless the 
> compensatory control of fascist per-port layer-2 addressing 
> were followed scrupulously on all other nominally-trusted 
> VLANs on connected devices.
>
> If you can't do that, then I'd advise the OP to look for another
> solution.   
>
> One man's opinion.  Mileage varies.
>
>     -jml
>
> John Ladwig -
> Minnesota State Colleges and Universities ITS Wells Fargo 
> Place 30 7th St. E., Suite 350 St. Paul, MN  55101-7804
>
> Email: John.Ladwig () csu mnscu edu
> Voice: +1.651.201.1458
> Fax: +1.651.917.4731
> IM: xmpp:ladwigjo () jabber its mnscu edu
>
> > > > halln () OTC EDU 02/07/07 1:33 PM >>>
> I have had similar questions before.  I asked other GIAC 
> alumni and I was referred to DSniff by Dug Song.
>
> http://www.monkey.org/~dugsong/dsniff/
>
> --
> Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA Network Security 
> System Administrator OTC Computer Networking
>
> Office: (417) 447-7535
>
> -----Original Message-----
> From: Glenn Forbes Fleming Larratt [mailto:gl89 () CORNELL EDU]
> Sent: Wednesday, February 07, 2007 1:18 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Untrusted VLANs on Core Gear
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Yes (to the "run screaming" question).
>
> I made the argument recently in another forum that:
>
> } 1. In a design that includes a firewall appliance of any 
> sort, it's a } violation of default-deny to use VLAN's, 
> rather than distinct hardware, } to segregate networks on 
> different sides of the firewall. Even though } there are no 
> known (to me) failure modes of VLAN switches that would } 
> allow effective bridged connectivity between nominally 
> separated } networks, the possibility that such a failure 
> mode could exist justifies } the physical separation.
> }
> } 2. Buying/creating a firewall appliance and then using 
> VLAN's to } separate the networks on different sides of it is 
> "silver-bullet" 
> } design; to get defense in depth, physical separation is indicated.
> }
> } Given the relative cost of firewall appliances (whether in 
> dollars or } sweat) vs. networking hardware, any cost savings 
> is false anyway.
>
> The one reason (other than personal hubris) I quote my 
> previous argument is that another participant pointed to 
> documented failure modes of VLAN switches that *would* allow 
> effective bridge connectivity, i.e.
> bypassing
> of your firewall.
>
> The links he provided were:
>
> http://www.sans.org/reading_room/whitepapers/networkdevs/1090.php
>
> http://www.cisco.com/en/US/products/hw/switches/ps708/products
> _white_pap
> er09186a008013159f.shtml#wp39832
>
>   (not sure why the link points to the "Conclusions" in the paper)
>
> Hope this helps,
> - --
> Glenn Forbes Fleming Larratt
> Cornell University IT Security Office
>
> On Wed, 7 Feb 2007, jkaftan wrote:
>
> > We are looking to create a fully redundant internet 
> connection.  I was 
> > thinking about using my core switch to provide layer 2 for 
> this setup.
> > Specifically I was going to create an Untrust VLAN that my edge
> routers 
> > and Firewalls would connect to.
> >
> > Fundamentally I do not see an issue as VLANs are supposed to be the
> same 
> > thing as having separate switches (broadcast domains).  However
> another 
> > way to look at it is that I have potential bad guys actually
> "touching" 
> > my core gear.
> >
> > Does this make anyone want to run screaming into the night?
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (MingW32)
>
> iD8DBQFFyiX3Lyw7nZwiKgQRAjRfAKCjjFv01jTsICiLcgqZtDqLlSk7jQCeJ1/H
> zUpt7wv7EUaiXJAjDG2hoaE=
> =INKh
> -----END PGP SIGNATURE-----