Vulnerability Development mailing list archives
Re: Cisco Catalyst switches
From: guthrie () BERBEE COM (Jeremy Guthrie)
Date: Wed, 14 Jun 2000 23:30:05 -0500
On Wed, 14 Jun 2000, Mudge wrote:
> Here are some attack vectors which we have used in the labs in the past. The switches talk one of a few limited ISL (Inter-Switch-Link) variants. Through this it is often possible to send user-add, user-move, tag-based-flood, and spanning tree announcements. Once a switch believes you are actually another switch attached to it you win.
These can even be isolated. Should you plan on not providing standard loops in topology, in other words use FEC or GEC instead of a separate loop, you can afford yourself the chance to turn off spanning tree. VTP should be MD5 authenticated. VMPS should be used to limit who and what can plug into the network with a default action of disable.
> Various arp games can often times be quite useful. How does the switch in question handle gratuitous arps from directed broadcast addresses?
This can be solved by placing the administrative interface in its own network.
> Then there are other games with vendor specific components such as cisco's CDP (Cisco Discovery Protocol) - again often times in an effort to say: "Hey, I'm another switch - get that in your head and let's start talking".
This should be turned off. It is nice in practice, useless in the real world for security.
> Cisco has introduced something they call a silent VLAN which is interesting and fun to play with, but often times the above attack vectors are still successful.
Are you referring to private vlans? If so, private vlans are not built for switch isolation as they are designed for ASPs. ASPs can't burn a vlan for every little customer so they hack a VLAN into privately grouped ports.
> Keeping disparate security level components on the same device and infrastructure is often fine for keeping honest folks honest (ie, let's provide more separation between HR and R&D in a company) - but is often not the best direction to go when one of the components is an unknown. Folks would be wise in remembering that switches are still, largely, layer-2 devices and layer-2 has no notion of security. The VLANs were originally designed to minimize broadcast traffic - not provide security. Companies that locate systems at most ASP's should be aware of this - your competitor is often times a lot closer to your systems than you realize.
I would argue that a layer 2 device can have a good level of security applied. Networking hardware such as switches aren't generally susceptible to "Entrapment" style cracking simply by moving cables. Someone's best attack is going to be overloading CPUs of switches in hopes of flattening them out. However, as long as administrative interfaces are in private networks, users will have to figure out how to generate 24 gbps to flood the switch processor on a Cisco 2948G. Now while VLANs weren't originally designed to be a security measure so much as an infrastructure feature, they do provide a reasonable level of security w/ proper planning. Take any protocol written by man, and it is a security plain and simple. Apply the basic rule of, 'do I need this turned on'? and go from there.

--
Jeremy M. Guthrie
Systems Engineer
Berbee
5520 Research Park Dr.
Madison, WI 53711
Phone: 608-298-1061
Berbee...putting the "E" in business
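As an added example (not code from this thread, from Cisco, or from either poster), a small Python audit that reads an IOS-style switch configuration and reports where the hardening advice above has not been applied: CDP left running, VTP advertising without a password, a management address left on the default VLAN, access ports that accept BPDUs (BPDU guard is assumed here as a per-port alternative to turning spanning tree off outright, which the thread does not mention), and ports whose access/trunk mode is left to DTP negotiation. The command syntax assumed is Cisco IOS and the sample configuration is constructed for the example.

```python
# Constructed sample config (IOS syntax, not from the thread) with several weak defaults left in.
SAMPLE_CONFIG = """\
hostname lab-switch
vtp domain corp
vtp mode server
interface FastEthernet0/1
 switchport mode access
interface FastEthernet0/2
 switchport mode access
 spanning-tree bpduguard enable
 no cdp enable
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
"""

def parse_interfaces(text):
    """Return {interface name: [stripped sub-lines]} for each 'interface X' stanza."""
    ifaces, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None  # any unindented line ends the stanza
    return ifaces

def audit_ios_config(text):
    """Return a list of findings; an empty list means every check passed."""
    findings, lines = [], [l.strip() for l in text.splitlines()]
    cdp_global_off = "no cdp run" in lines
    if not cdp_global_off:
        findings.append("global: CDP running ('no cdp run' missing)")
    # VTP is acceptable only if authenticated or if this switch does not act on advertisements.
    if not any(l.startswith("vtp password ") or l in ("vtp mode transparent", "vtp mode off") for l in lines):
        findings.append("global: VTP participates without 'vtp password' (unauthenticated advertisements)")
    for name, cfg in parse_interfaces(text).items():
        if name.startswith("Vlan"):
            if name == "Vlan1" and any(l.startswith("ip address ") for l in cfg):
                findings.append(f"{name}: management address on the default VLAN, not a dedicated one")
            continue
        mode = next((l.split()[-1] for l in cfg if l.startswith("switchport mode ")), None)
        if mode not in ("access", "trunk"):
            findings.append(f"{name}: switchport mode not pinned; DTP negotiation can turn the port into a trunk")
        if mode == "access" and "spanning-tree bpduguard enable" not in cfg:
            findings.append(f"{name}: access port accepts BPDUs (no bpduguard)")
        if not cdp_global_off and "no cdp enable" not in cfg:
            findings.append(f"{name}: CDP still advertised on this port")
    return findings
```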