Re: Cisco Catalyst switches

[Saso () VSECUREIT NET (Saso)]

In message <3BE20D737CCE4C4589F5D72274652F200D67E1 () nacsvr05 nac cwo net au>, Ma
tthew King writes:
> Hi.

Hi,

> It would be interesting if there was a vulnerability that allowed you to
> break the VLAN definitions.. I know many companies that practically run
> their entire networks together into several Catalysts via VLANS :) Secure
> networks and public ones right next to each other.

And all those switches are conveniently joined together and share some
VLANs, so that people don't have to worry about getting longer UTP
cables. Been there, seen that.

Cisco still doesn't QA their Catalyst switches as security devices and
that should ring a bell with most clueful IT personnel. However, sad
truth is, that most abuse VLAN capability as security
feature. Sometimes, under heavier loads, VLANs can (and do) leak
packets.

> I thought that based on the nature of VLANS that they would not be
> susceptible to attack from the network layer because they switch traffic
> based on the port number, not on any content of the frame or packet? Still,
> it would be interesting :)

Switches switch packets depending on MAC address certain ports are
assigned, but not all Network Admins go the length to lock MAC
addresses to certain ports, leaving their switches susceptible to ARP
packet storms. And once switch's ARP table is filled, most tend to
fail-open, flooding all the ports with all the traffic that traverses
the switch.

Also, Ryan Russell wrote a short e-mail concerning Cisco's Catalyst
switches back in 1998
<http://www.nfr.net/firewall-wizards/mail-archive/1998/Nov/0036.html>.

IMHO, as much as I avoid using switch as a security device, I still
believe that _properly configured_, it can be reasonably secured against
most script kiddies. But it won't stop the determined attacker that
poses enough skills, clue and resources to break thru VLANs and get
the information they want. YMMV.

Regards,

Saso