Vulnerability Development mailing list archives

Re: Cisco Catalyst switches


From: guthrie () BERBEE COM (Jeremy Guthrie)
Date: Wed, 14 Jun 2000 14:16:41 -0500


Cisco's own documentation talks a lot about VLAN security.  ISBN
1-57870-094-9 ("Cisco LAN Switching") covers some very interesting problems
with their switches (and problems that would not be limited to just their
equipment).

The main concern with switches running VLANs is that switch management
interfaces need to be ISOLATED.  Kennedy Clark & Kevin Hamilton go to some
great lengths to constantly restate that an sc0 interface in a public VLAN is a
BAD idea.  Mainly the issue revolves around the CPU.  Since the CPU does a lot
of work, it could potentially be bogged down by a packet flood.  Since the
processor would be too busy answering bogus TCP requests, the switch then
flattens out.  Obviously this is bad; this is why any manufacturer's switch's
administrative interface should be isolated (can anyone say "Spynet"?). Anywho,
this can also be a problem on a CPU-overloaded switch.  Old Cat 5Ks used to
allow 'show biga' to let admins see if the processor dropped a frame on
all ports and forgot to send the excludes.  In other words, something like
this (assuming my understanding hasn't aged): a frame that enters a Cat 5K
backplane gets dumped to all ports on the switch.  It is then up to the
processor to tell all ports (minus the actual destination port) to drop the
frame.  Should the processor become overloaded, it cannot inform the ports to
drop the frame.  Yet again, a flat network, but with n possible bridge loops.

VLAN security is very functional.  However, switches are more likely to be
susceptible to non-secure VTP domains, or to having a 24-port switch be a VTP
server without having the console secured, etc.  How many switch administrators
have VTP running an MD5 hash?  For that matter, how many admins are also running
MD5 hashes on their routing protocols?

On Mon, 12 Jun 2000, hg/jb wrote:
Anyone out there doing fun things with a cisco catalyst?
I am interested in whether or not some one has found a way to go between
vpns, take over routing of a switch, or other reindeer games.
thanks
justbob

--
Jeremy M. Guthrie
Systems Engineer
Berbee
5520 Research Park Dr.
Madison, WI  53711
Phone:  608-298-1061

Berbee...putting the "E" in business
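The three hygiene points the post raises (sc0 sitting in a user VLAN, a VTP server or client with no VTP password and therefore no MD5 digest on its advertisements, and routing protocols running without MD5 authentication) are all visible in a config dump. The following audit script is an added example written for this archive page; it is not code from the post or from Cisco. The CatOS and IOS excerpts it checks are constructed for illustration, the command syntax is CatOS/IOS as remembered by the example's author rather than copied from a device, and VLAN 99 as the "isolated management VLAN" is an assumption.

```python
"""Audit switch/router configs for the management-plane weaknesses raised in
the thread: sc0 in a user VLAN, VTP server/client with no password (hence no
MD5 digest on VTP advertisements), and OSPF without MD5 authentication.
Added example, not from the original post; all sample configs are constructed."""
import ipaddress
import re

# Constructed CatOS 'show config' excerpt: sc0 in VLAN 1 and an
# unauthenticated VTP server.  Syntax is CatOS as recalled, not from a device.
CATOS_WEAK = """\
set vtp domain CAMPUS
set vtp mode server
set interface sc0 1 10.1.1.2/255.255.255.0 10.1.1.255
"""
# Hardened counterpart: sc0 on a dedicated management VLAN (99 is an
# assumption) and a VTP password, so advertisements carry an MD5 digest.
CATOS_HARDENED = """\
set vtp domain CAMPUS
set vtp passwd s3cret-vtp
set vtp mode client
set interface sc0 99 10.99.0.2/255.255.255.0 10.99.0.255
"""


def audit_catos(config, mgmt_vlans=frozenset({99})):
    """Return findings for a CatOS config (empty list = clean)."""
    findings, vtp_mode, vtp_passwd = [], None, False
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"set interface sc0 (\d+)\b", line):
            vlan = int(m.group(1))
            if vlan not in mgmt_vlans:
                findings.append(f"sc0 in VLAN {vlan}: management interface not isolated")
        elif m := re.match(r"set vtp mode (\w+)", line):
            vtp_mode = m.group(1)
        elif re.match(r"set vtp passwd \S+", line):
            vtp_passwd = True
    # Transparent mode ignores advertisements, so only server/client need a key.
    if vtp_mode in ("server", "client") and not vtp_passwd:
        findings.append(f"VTP {vtp_mode} without a password: no MD5 digest on advertisements")
    return findings


# Constructed IOS excerpt: area 0 unauthenticated, plaintext (type 1) key on
# Vlan1; Vlan99 is outside every 'network' statement, so it is not in OSPF.
IOS_WEAK = """\
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 ip ospf authentication-key plaintext1
!
interface Vlan99
 ip address 192.168.99.1 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
"""
IOS_HARDENED = """\
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 ip ospf message-digest-key 1 md5 0spf-k3y
!
interface Vlan99
 ip address 192.168.99.1 255.255.255.0
!
router ospf 1
 area 0 authentication message-digest
 network 10.0.0.0 0.255.255.255 area 0
!
"""


def _sections(config):
    """Yield (header, [indented body lines]) for each top-level IOS section."""
    header, body = None, []
    for line in config.splitlines():
        if not line.strip() or line == "!":
            continue
        if line[0] != " ":
            if header:
                yield header, body
            header, body = line.strip(), []
        else:
            body.append(line.strip())
    if header:
        yield header, body


def _in_network(addr, net, wildcard):
    """IOS 'network' match: address bits outside the wildcard equal the prefix."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)


def audit_ios_ospf(config):
    """Return OSPF authentication findings for an IOS config (empty = clean)."""
    findings, networks, md5_areas, interfaces = [], [], set(), []
    for header, body in _sections(config):
        if header.startswith("router ospf"):
            for l in body:
                if m := re.match(r"network (\S+) (\S+) area (\S+)", l):
                    networks.append(m.groups())
                elif m := re.match(r"area (\S+) authentication message-digest", l):
                    md5_areas.add(m.group(1))
        elif header.startswith("interface"):
            interfaces.append((header.split()[1], body))
    for area in sorted({a for _, _, a in networks} - md5_areas):
        findings.append(f"area {area}: authentication message-digest not enabled")
    for name, body in interfaces:
        addr = next((l.split()[2] for l in body if l.startswith("ip address ")), None)
        if not addr or not any(_in_network(addr, n, w) for n, w, _ in networks):
            continue  # interface is not covered by any OSPF network statement
        if any(l.startswith("ip ospf authentication-key") for l in body):
            findings.append(f"{name}: plaintext (type 1) OSPF key configured")
        if not any(l.startswith("ip ospf message-digest-key") for l in body):
            findings.append(f"{name}: no OSPF MD5 key")
    return findings


if __name__ == "__main__":
    for label, cfg, fn in (("CatOS weak", CATOS_WEAK, audit_catos),
                           ("CatOS hardened", CATOS_HARDENED, audit_catos),
                           ("IOS weak", IOS_WEAK, audit_ios_ospf),
                           ("IOS hardened", IOS_HARDENED, audit_ios_ospf)):
        print(label, fn(cfg) or ["clean"])
```

Point the two audit functions at a saved `show config` (CatOS) or `show running-config` (IOS) dump instead of the embedded samples; the OSPF check deliberately skips interfaces that no `network` statement covers, so an isolated management VLAN with no routing neighbours is not reported as missing a key.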


