Educause Security Discussion mailing list archives
Re: Untrusted VLANs on Core Gear
From: David LaPorte <david_laporte () HARVARD EDU>
Date: Thu, 8 Feb 2007 12:35:45 -0500
Michael,

Well said! I was going to draft something along these lines, but you beat me to it.

We have based much of our data center and core network design around the Cisco 6500 platform and the firewall services module. Most of the issues are easily countered either right out of the box or with proper procedures and port settings. In my opinion, the flexibility of doing things "virtually" far outweighs the threat of easily countered VLAN-based attacks. As Michael mentions, the CAM and ARP-based attacks are applicable to any switched network.

Dave

Michael Sinatra wrote:
I think that "run screaming" is a serious overreaction in this case. Both dsniff and the vlan-traversal attacks are fairly old news (and I believe that the SANS paper cited is itself pretty old--I remember reading it, or something similar, years ago). Modern switches, like the Cisco 6500, are able to effectively counter these attacks, at least to the point where the risks do not outweigh the serious network design and troubleshooting issues that arise from having separate equipment for every firewall. Moreover, Cisco has staked a lot on their ability to provide virtualizable firewall services in their 6500 platform, so it's no surprise that they have been doing a lot of the research in vlan traversal attacks.

There are basically two issues here: one is a vlan traversal that allows traffic to get across a vlan where it's not supposed to go. There are easy ways to defeat this (although the SANS document previously cited is very unclear and, in my reading, appears to advise you to do the wrong thing). Make sure you check with your switch vendor to get their best practice.

To execute most vlan-traversal attacks, you must be physically on one of the layer-2 vlans. Getting there via some other L3 router doesn't count. So, imagine a topology where you have a room with two ISP routers, a switch with trusted and untrusted vlans, the interior router and the firewall. The attacker would have to be physically IN THAT ROOM to perform most vlan-traversal attacks or would have to root a machine that is physically IN THAT ROOM. If someone roots a machine there, you have other things to worry about other than vlan traversals.

The other issue is sniffing, and Randy brings up a good point. But sniffing is an issue everywhere, even on switched networks with only one vlan. (I saw Dug Song demonstrate dsniff in 1999.) I don't believe that there is ever a location where the encryption of anything remotely sensitive is not warranted. "Behind my firewall" is NOT an exception. So, if you encrypt your data end-to-end using strong encryption (and you manage keys properly), you have much less to worry about anyway.

So I don't think running screaming into the night is a good idea. I think that it is very possible to create a design based on your initial description and truly minimize the risk. (It's also possible to create a really insecure design with multiple switches.) So, you WILL have to think about the issues that each potential design raises and how to counteract those issues. But I find that it's much easier for me to think clearly about minimizing risk when I am not currently screaming, which is why I advise you not to do so.

michael
--
David LaPorte, CISSP, CCNP
Security Manager, Network and Server Systems
Harvard University Information Systems
-----------------------------------------------
Email: david_laporte () harvard edu
PGP: 0x4DC3E508 4A1F058DB2B32FEF10A14F6BD370A6AD4DC3E508
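As an added illustration (not part of the thread and not any poster's configuration), the following Cisco IOS fragment shows the kind of "proper procedures and port settings" the posts above refer to for countering VLAN hopping and the CAM/ARP attacks on a 6500-class switch. Interface names and VLAN IDs are constructed placeholders; exact syntax varies by platform and IOS release, so confirm it against the vendor's current best-practice guidance.

```cisco
! Constructed example: hardening a host-facing port and an uplink trunk.
! Interface names and VLAN numbers are placeholders, not from the thread.
!
! Global: tag the native VLAN on every 802.1Q trunk, so an untagged
! frame cannot be smuggled into the native VLAN (double-tagging hop).
vlan dot1q tag native
!
! Global: DHCP snooping builds the IP/MAC binding table that Dynamic
! ARP Inspection checks ARP replies against (ARP-spoof style sniffing).
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
!
! Host-facing port on the untrusted VLAN: never negotiate a trunk (DTP
! off), pin to one VLAN, and cap learned MACs so a CAM-flood cannot
! force the switch to fail open into hub-like flooding.
interface GigabitEthernet1/1
 description host port - untrusted VLAN 20
 switchport
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Trunk toward the upstream switch / firewall module: explicit allowed
! list, an otherwise-unused VLAN as native, DTP off. Snooping/DAI trust
! is set only because the far end is infrastructure, not a host.
interface GigabitEthernet1/2
 description trunk to upstream switch
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! Verification after applying:
!   show interfaces trunk            native VLAN 999, allowed list as set
!   show dtp interface Gi1/1         host port must not be negotiating
!   show ip arp inspection vlan 10   DAI active on the VLAN
```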