Firewall Wizards mailing list archives
Re: Cisco Catalyst issues
From: Jan.Bervar () nil si
Date: Wed, 4 Nov 1998 20:06:03 +0100
A few people have sent me private e-mail asking what I know about Cisco Catalyst VLAN security. Since I said something to begin with, let me elaborate a bit more.
Ryan, just a couple of notes between your text below...
> - CDP I've been able to get a Cat to believe there's another Cat of the same name, with the same MAC address running the same SW version and same IP address as itself out my Ethernet port, by simply replaying its own CDP packets back at it. This is mostly harmless... unless a network management station comes along looking for new Cisco devices... and sends me the SNMP passwords.
Isn't CDP one of the first things to disable in a router if you are setting it up securely? Why not do the same in a switch? Getting the current SNMP passwords would be much easier by just sending gratuitous ARPs towards the Cat, polluting everyone's ARP cache. Posing as a new device is even simpler. No Cat specific things here...
> - ISL By default, all ISL capable cards are in auto mode... which means they'll believe the other end of the wire when deciding whether to set up VLANs. The intention of this is to allow ISL links to be set up from either end. This also means that if I send ISL packets from my workstation, and claim a particular VLAN and MAC address, I get all that MAC address's traffic, and of course I can send to the other VLAN now. This is supposed to be able to be turned off, haven't done any testing with it yet.
This is analogous to running a L3 routing protocol with no authentication. You can easily reroute any traffic to yourself by spoofing routing traffic (host routes would be most effective as their effect would be more difficult to notice). On the other hand, if you can get access to a trunk port (which is hopefully not accessible to end users) you can do much more damage than playing with ISL or VTP (like sniffing all the traffic on that trunk).
> - Etherchannel Same as above... default is auto mode... will let the other end set up trunking.
Ditto. Hey, all the L3 routing protocols default to no authentication.
> There's lots of other things to try... spanning tree games, sending unsolicited ISL packets (even when it's turned off), writing exploits to attack the login
Turning off spanning tree at the leaf connections (end-users) is usually one of the first things to do if you want to have a stable switched network. It seems to me that these are really not Cat problems. If you take very elementary precautions like:

- running ISL manually configured
- running etherchannel manually configured
- turning off CDP and all other unnecessary stuff
- turning off spanning tree at leaf ports

then you have a pretty tight box. If manageability/flexibility is your primary concern, don't do it. Setting up routers securely (in a firewall setup, for example) is an equally (un)demanding job: turning all the unnecessary things off and knowing what to trust.

Best regards,
Jan
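As an added example (not part of Jan's post or any Cisco tooling), a small audit script that checks each end-user port of a switch config for the four precautions listed above. It assumes IOS-style `switchport`/`channel-group`/`cdp`/`spanning-tree` syntax rather than the CatOS `set` commands of 1998, treats portfast plus BPDU guard as the modern form of "no spanning tree at leaf ports", and uses a constructed sample config with one hardened port and one left at the defaults.

```python
import re
# Constructed sample config (not from the original post): one hardened
# access port and one left at the negotiate/CDP/STP defaults.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode dynamic auto
 channel-group 1 mode auto
!
"""

def parse_interfaces(config):
    """Return {interface name: [config lines]} for each interface stanza."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            ifaces[current] = []
        elif current and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:
            current = None  # "!" or a non-interface line ends the stanza
    return ifaces

def audit_leaf_port(lines):
    """Findings for one end-user (leaf) port; an empty list means hardened."""
    s, findings = set(lines), []
    # Trunking fixed by hand, never negotiated with whatever is on the wire.
    if "switchport mode access" not in s or "switchport nonegotiate" not in s:
        findings.append("trunk negotiation (DTP/ISL) not disabled")
    # EtherChannel likewise: 'on' or absent, never PAgP auto/desirable.
    if any(l.startswith("channel-group") and l.endswith(("mode auto", "mode desirable")) for l in lines):
        findings.append("EtherChannel left in negotiated (PAgP) mode")
    if "no cdp enable" not in s:
        findings.append("CDP still enabled")
    # Portfast + BPDU guard is the assumed modern form of "no STP at leaf ports".
    if "spanning-tree portfast" not in s or "spanning-tree bpduguard enable" not in s:
        findings.append("STP still participating on leaf port (portfast/bpduguard)")
    return findings

def audit_config(config):
    return {name: audit_leaf_port(lines) for name, lines in parse_interfaces(config).items()}
```

Run `audit_config(SAMPLE_CONFIG)` to get a per-interface list of findings; only ports meant for end users should be fed to it, since trunk and uplink ports legitimately carry trunking and STP.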