Vulnerability Development mailing list archives
Re: Cisco Catalyst switches
From: guthrie () BERBEE COM (Jeremy Guthrie)
Date: Wed, 14 Jun 2000 14:16:41 -0500
Cisco's own documentation talks a lot about VLAN security. ISBN: 1-57870-094-9 ("Cisco LAN Switching") covers some very interesting problems with their switches (and problems that would not be limited to just their equipment). The main concern with switches running VLANs is that switch management interfaces need to be ISOLATED. Kennedy Clark & Kevin Hamilton go to some great lengths to constantly restate that an sc0 interface in a public VLAN is a BAD idea.

Mainly the issue revolves around the CPU. Since the CPU does a lot of work, the CPU could potentially be bogged down by a packet flood. Since the processor would be too busy answering bogus TCP requests, the switch then flattens out. Obviously this is bad; this is why any manufacturer's switch's administrative interface should be isolated (can anyone say, "Spynet"?).

Anywho, this can also be a problem on a CPU-overloaded switch. Old Cat 5Ks used to allow the 'show biga' to let admins see if the processor dropped a frame on all ports and forgot to send the excludes. In other words, something like this (assuming my understanding hasn't aged): a frame that enters a Cat5K backplane gets dumped to all ports on the switch. It is then up to the processor to tell all ports (minus the actual destination port) to drop the frame. Should the processor become overloaded, it cannot inform the ports to drop the frame. Yet again, a flat network, but with n possible bridge loops.

VLAN security is very functional. However, switches are more likely to be susceptible to non-secure VTP domains, or having a 24-port switch be a VTP server and not have the console secure, etc. How many switch administrators have VTP running an MD5 hash? For that matter, how many admins are also running MD5 hashes on their routing protocols?

On Mon, 12 Jun 2000, hg/jb wrote:
> Anyone out there doing fun things with a Cisco Catalyst? I am interested in whether or not someone has found a way to go between VLANs, take over routing of a switch, or other reindeer games.
>
> thanks
> justbob
--
Jeremy M. Guthrie
Systems Engineer
Berbee
5520 Research Park Dr.
Madison, WI 53711
Phone: 608-298-1061
Berbee...putting the "E" in business
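The three hardening points the reply above raises (a management interface that is not in a user VLAN, VTP advertisements protected by a password-derived MD5 digest, and MD5 authentication on the routing protocol) look like this as a Cisco IOS switch configuration, weak form first, hardened form after it. This is an added example, not configuration from the post or from the book it cites; it assumes a Layer 3 switch running IOS, and the VLAN numbers, interface names, VTP domain name, addresses and passwords are all made up for illustration.

```cisco
! --- Weak: the defaults closest to what the post warns about ---
! Management address on VLAN 1 (where every unconfigured access port
! lands), VTP server with no password, OSPF with no authentication.
interface Vlan1
 ip address 10.1.1.5 255.255.255.0
!
vtp domain CAMPUS
vtp mode server
!
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0

! --- Hardened (VLAN 99, CAMPUS, 10.99.0.0/24 and the keys are assumptions) ---
! 1. Management interface in a VLAN of its own; nothing else lives there.
vlan 99
 name MGMT
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 description switch management only
 ip address 10.99.0.5 255.255.255.0
!
! 2. User-facing ports: fixed access mode, no DTP negotiation, never VLAN 99.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! 3. Only the management network may reach the CLI.
access-list 10 permit 10.99.0.0 0.0.0.255
line vty 0 4
 access-class 10 in
!
! 4. VTP: with a password set, the MD5 digest in every VTP advertisement
!    depends on that shared secret, so switches without it ignore the update.
vtp domain CAMPUS
vtp mode server
vtp password S3cr3t-VTP-pw
!
! 5. Routing protocol: OSPF MD5 authentication on the routed uplink.
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 area 0 authentication message-digest
!
interface FastEthernet0/24
 description routed uplink
 no switchport
 ip address 10.0.12.1 255.255.255.252
 ip ospf message-digest-key 1 md5 S3cr3t-OSPF-key
```

On a CatOS Catalyst 5000 of the kind the post describes, the equivalents are `set interface sc0 99 10.99.0.5 255.255.255.0` to move sc0 into the management VLAN and `set vtp domain CAMPUS`, `set vtp mode server`, `set vtp passwd S3cr3t-VTP-pw` for the VTP side. Two caveats a practitioner would want: the VTP password is a shared secret present on every switch in the domain, so anyone who has read one switch's configuration can still inject an advertisement with a higher revision number and overwrite the VLAN database domain-wide; access switches that have no need to propagate VLANs are safer in `vtp mode transparent`. And the MD5 here is authentication only, not encryption; the OSPF and VTP payloads still travel in the clear.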
Current thread:
- Cisco Catalyst switches hg/jb (Jun 12)
- Re: Cisco Catalyst switches Jeremy Guthrie (Jun 14)
- Solaris ufsroot exploit Job de Haas (Jun 14)
- Exploit code for PalmOS Aviram Jenik (Jun 14)
- <Possible follow-ups>
- Re: Cisco Catalyst switches Matthew King (Jun 13)
- Re: Cisco Catalyst switches Jay Tribick (Jun 13)
- Re: Cisco Catalyst switches Andy Murren (Jun 13)
- Re: Cisco Catalyst switches rpc (Jun 13)
- Re: Cisco Catalyst switches Rostislav Opocensky (Jun 13)
- Re: Cisco Catalyst switches Saso (Jun 13)
- Re: Cisco Catalyst switches Mudge (Jun 14)
- Re: Cisco Catalyst switches Jeremy Guthrie (Jun 14)
- Re: Cisco Catalyst switches Mudge (Jun 14)
(Thread continues...)