Firewall Wizards mailing list archives
Re: Cisco Catalyst issues
From: Jason Axley <jason.axley () attws com>
Date: Mon, 2 Nov 1998 22:31:14 -0800 (PST)
When talking about how secure this is, you have to ask what the authentication requirements are for a network element to know that an ISL or regular IP packet is legitimate: IP and ethernet are completely unauthenticated (ignoring IPSec). Anyone from any workstation can potentially send any packet they want on the network. What does the switch do to validate that that packet is legitimate? Nothing really. You could advertise any ethernet MAC address and IP you want, thereby modifying the internal MAC -> switch port table in the switch and actively affecting layer 2 routing of packets. Lots of fun is to be had!

I hear so many people saying that they don't have to worry about sniffing because they have a switched environment. Why people insist on trusting infrastructure to protect them, especially an infrastructure without adequate authentication, is beyond me.

-Jason
AT&T Wireless Services
UNIX Security Operations Specialist

On Fri, 30 Oct 1998, Ryan Russell wrote:
Date: Fri, 30 Oct 1998 12:37:20 -0800
From: Ryan Russell <ryanr () sybase com>
To: firewall-wizards () nfr net
Subject: Cisco Catalyst issues

A few people have sent me private e-mail asking what I know about Cisco Catalyst VLAN security. Since I said something to begin with, let me elaborate a bit more.

First off, the Catalysts I'm referring to are the 5000/5500 family. I don't know what the differences are in the 2900 family or the 8500 family. I'll have some 8500s before too long. My understanding of the 8500s is that they are very similar to 5500s with the RSM module, only faster. The one difference with the 8500s I'm aware of is that the routing portion of them isn't quite a full IOS yet, similar to the 12000. To be fair, I haven't laid hands on an 8500 or 2900 yet, so I can't speak with any authority there.

If I write up something more formal, I'll let folks know, but here's the short version:

- CDP: I've been able to get a Cat to believe there's another Cat of the same name, with the same MAC address running the same SW version and same IP address as itself out my Ethernet port, by simply replaying its own CDP packets back at it. This is mostly harmless... unless a network management station comes along looking for new Cisco devices... and sends me the SNMP passwords.

- ISL: By default, all ISL capable cards are in auto mode... which means they'll believe the other end of the wire when deciding whether to set up VLANs. The intention of this is to allow ISL links to be set up from either end. This also means that if I send ISL packets from my workstation, and claim a particular VLAN and MAC address, I get all that MAC address's traffic, and of course I can send to the other VLAN now. This is supposed to be able to be turned off; I haven't done any testing with it yet.

- Etherchannel: Same as above... default is auto mode... will let the other end set up trunking.

There's lots of other things to try... spanning tree games, sending unsolicited ISL packets (even when it's turned off), writing exploits to attack the login prompt bug (may only be for the RSM module... it's not clear from Cisco's advisories). The list goes on.

Cisco doesn't QA them as if they were security devices, they won't claim they're good enough for separating security domains, and you should believe them. They really shouldn't be used to separate security domains of different security requirements.

I do plan to do more research into these areas, time permitting. Sorry I don't have a cool exploit written to demonstrate, or an explicit advisory notice or anything. If your Cisco rep is telling you it's good enough for security separation, then they're ignorant of the issues, or lying. I know there are people at Cisco that will tell you the Cats aren't good enough for different security domains.

Ryan
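The ISL point above is about trunk encapsulation showing up where only plain, untagged host traffic belongs. The following is an added example, not code from either poster: a small ISL header parser plus an audit that flags ISL-encapsulated frames seen on ports an operator has declared as host-facing access ports (frames captured by a monitoring tap, for instance). Port names, MAC addresses and the sample frames are constructed for the example; the header layout follows the 26-byte ISL format (DA, TYPE/USER, SA, LEN, SNAP, HSA, VLAN/BPDU, INDEX, RES).

```python
import struct

# ISL frames start with one of two 40-bit Cisco multicast destination prefixes.
ISL_DA_PREFIXES = (bytes.fromhex("01000c0000"), bytes.fromhex("03000c0000"))
ISL_HEADER_LEN = 26


def parse_isl(frame: bytes):
    """Return a dict describing the ISL header, or None if the frame is not ISL."""
    if len(frame) < ISL_HEADER_LEN or frame[:5] not in ISL_DA_PREFIXES:
        return None
    # Fields after the 5-byte DA: TYPE/USER (1), SA (6), LEN (2), SNAP (3),
    # HSA (3), VLAN+BPDU word (2), INDEX (2), RES (2) = 21 bytes.
    type_user, sa, length, snap, hsa, vlan_bpdu, index, res = struct.unpack(
        "!B6sH3s3sHHH", frame[5:ISL_HEADER_LEN])
    if snap != b"\xaa\xaa\x03" or hsa != b"\x00\x00\x0c":
        return None
    return {
        "vlan": vlan_bpdu >> 1,       # upper 15 bits carry the VLAN id
        "bpdu": vlan_bpdu & 1,        # low bit marks an encapsulated BPDU
        "src": sa.hex(":"),
        "inner": frame[ISL_HEADER_LEN:],  # the encapsulated Ethernet frame
    }


def audit_frames(captures, access_ports):
    """captures: iterable of (port, frame). Returns (port, src, vlan) for every
    ISL frame that arrived on a port declared as an access (host) port."""
    alerts = []
    for port, frame in captures:
        isl = parse_isl(frame)
        if isl is not None and port in access_ports:
            alerts.append((port, isl["src"], isl["vlan"]))
    return alerts


# Constructed sample capture: one ISL frame (VLAN 10) on host port 2/7, one
# plain Ethernet frame on 2/7, and one ISL frame (VLAN 1) on trunk port 1/1.
INNER = bytes.fromhex("001122334455" "00aabbccddee" "0800" "deadbeef")
ISL_HDR = "01000c0000" "00" "00000c123456" "001e" "aaaa03" "00000c"
FRAMES = [
    ("2/7", bytes.fromhex(ISL_HDR + "0014" "0000" "0000") + INNER),
    ("2/7", INNER),
    ("1/1", bytes.fromhex(ISL_HDR + "0002" "0000" "0000") + INNER),
]
ACCESS_PORTS = {"2/7"}

if __name__ == "__main__":
    for alert in audit_frames(FRAMES, ACCESS_PORTS):
        print("ISL on access port %s from %s claiming VLAN %d" % alert)
```

In practice the access-port set comes from the switch configuration, and the same check can be extended to flag ISL frames on ports where trunking has been explicitly turned off.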