Re: Cisco Catalyst issues

[Jason Axley <jason.axley () attws com>]

When talking about how secure this is, you have to ask what the
authentication requirements are for a network element to know that an ISL
or regular IP packet is legitimate:  IP and ethernet are completely
unauthenticated (ignoring IPSec).  Anyone from any workstation can
potentially send any packet they want on the network.  What does the
switch do to validate that that packet is legitimate?  Nothing really.
You could advertise any ethernet MAC address and IP you want, thereby
modifying the internal MAC -> switch port table in the switch and actively
affecting layer 2 routing of packets.  Lots of fun is to be had!  

I hear so many people saying that they don't have to worry about sniffing
because they have a switched environment.  Why people insist on trusting
infrastructure to protect them, especially an infrastructure without
adequate authentication, is beyond me.

-Jason

AT&T Wireless Services
UNIX Security Operations Specialist

On Fri, 30 Oct 1998, Ryan Russell wrote:

> Date: Fri, 30 Oct 1998 12:37:20 -0800
> From: Ryan Russell <ryanr () sybase com>
> To: firewall-wizards () nfr net
> Subject: Cisco Catalyst issues
>
> A few people have sent me private e-mail asking what I know about Cisco
> Catalyst VLAN security.  Since I said something to begin with, let me
> elaborate a bit more.
>
> First off, the Catalysts I'm referring to are the 5000/5500 family.  I
> don't
> know what the differences are in the 2900 family or the 8500
> family.  I'll have some 8500s before too long.  My understanding
> of the 8500s is that they are very similar to 5500s with the RSM module,
> only faster.  The one difference with the 8500s I'm aware of is that
> the routing portion of them isn't quite a full IOS yet, similar to the
> 12000.  To be fair, I haven't laid hands on an 8500 or 2900 yet,
> so I can't speak with any authority there.
>
> If I write up something more formal, I'll let folks know, but here's
> the short version:
>
> - CDP
> I've been able to get a Cat to believe there's another Cat of the
> same name, with the same MAC address running the same
> SW version and same IP address as itself out my Ethernet port,
> by simply replaying it's own CDP packets back at it.  This is mostly
> harmless... unless a network management station comes along
> looking for new Cisco devices... and sends me the SNMP
> passwords.
>
> -ISL
> By default, all ISL capable cards are in auto mode...which means
> they'll believe the other end of the wire when deciding whether to set
> up VLANS.  The intention of this is to allow ISL links to be set up from
> either end.  The also means that if I send ISL packets from my workstation,
> and claim a particular VLAN and MAC address, I get all that MAC addresses'
> traffic, and of course I can send to the other VLAN now.  This is supposed
> to be able to be turned off, haven't done any testing with it yet.
>
> -Etherchannel
> Same as above... default is auto mode... will let the other end set up
> trunking.
>
> There's lots of other things to try... spanning tree games, sending
> unsolicited
> ISL packets (even when it's turned off) writing exploits to attack the
> login
> prompt bug (may only be for the RSM module.. it's not clear from Cisco's
> advisories)  The list goes on.  Cisco doesn't QA them as if they were
> security devices, the won't claim they're good enough for seperating
> security domains, you should believe them.
>
> They really shouldn't be used to seperate security domains of different
> security requirements.
>
> I do plan to do more research into these areas, time permitting.  Sorry
> I don't have a cool exploit written to demonstrate, or an
> explicit advisory notice or anything.   If your Cisco rep is telling you
> it's good enough for security seperation, then they're ignorant of
> the issues, or lying.  I know there are people at Cisco that will
> tell you the Cats aren't good enough for different security domains.
>
>                               Ryan