Vulnerability Development mailing list archives

Re: Cisco Catalyst switches


From: guthrie () BERBEE COM (Jeremy Guthrie)
Date: Wed, 14 Jun 2000 23:30:05 -0500


On Wed, 14 Jun 2000, Mudge wrote:
> Here are some attack vectors which we have used in the labs in the past.
> The switches talk one of a few limited ISL (Inter-Switch-Link) variants.
> Through this it is often possible to send user-add, user-move,
> tag-based-flood, and spanning tree announcements. Once a switch believes
> you are actually another switch attached to it you win.

These can even be isolated.  Should you plan on not providing standard loops
in topology, in other words use FEC or GEC instead of a separate loop, you can
afford yourself the chance to turn off spanning tree.  VTP should be MD5
authenticated.  VMPS should be used to limit who and what can plug into the
network with a default action of disable.

> Various arp games can often times be quite useful. How does the switch in
> question handle gratuitous arps from directed broadcast addresses?
This can be solved by placing the administrative interface in its own
network.

> Then there are other games with vendor specific components such as cisco's
> CDP (Cisco Discovery Protocol) - again often times in an effort to
> say: "Hey, I'm another switch - get that in your head and let's start
> talking".
This should be turned off.  It is nice in practice, useless in the real world
for security.

> Cisco has introduced something they call a silent VLAN which is
> interesting and fun to play with, but often times the above attack vectors
> are still successful.
Are you referring to private vlans?  If so, private vlans are not built for
switch isolation as they are designed for ASPs.  ASPs can't burn a vlan for
every little customer so they hack a VLAN into privately grouped ports.

> Keeping disparate security level components on the same device and
> infrastructure is often fine for keeping honest folks honest (ie, let's
> provide more separation between HR and R&D in a company) - but is often
> not the best direction to go when one of the components is an unknown.
> Folks would be wise in remembering that switches are still, largely,
> layer-2 devices and layer-2 has no notion of security. The VLANs were
> originally designed to minimize broadcast traffic - not provide security.
> Companies that locate systems at most ASPs should be aware of this - your
> competitor is often times a lot closer to your systems than you realize.
I would argue that a layer 2 device can have a good level of security applied.
Networking hardware such as switches aren't generally susceptible to
"Entrapment" style cracking simply by moving cables.  Someone's best attack is
going to be overloading CPUs of switches in hopes of flattening them out.
However, as long as administrative interfaces are in private networks, users
will have to figure out how to generate 24 Gbps to flood the switch processor
on a Cisco 2948G.

Now while VLANs weren't originally designed to be a security measure so much as
an infrastructure feature, they do provide a reasonable level of security w/
proper planning.  Take any protocol written by man, and it is a security plain
and simple.  Apply the basic rule of, 'do I need this turned on'? and go from
there.

--
Jeremy M. Guthrie
Systems Engineer
Berbee
5520 Research Park Dr.
Madison, WI  53711
Phone:  608-298-1061

Berbee...putting the "E" in business
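The "do I need this turned on?" rule from the reply above, applied as a small config audit. This is an added example, not code from the thread or from Cisco: it reads a constructed Cisco IOS-style running-config and flags the layer-2 settings the thread discusses (CDP left on, VTP accepting updates from peers, no BPDU guard on edge ports, access ports without port-security). The config text and hostname are made up for illustration; the VTP password check is not included because IOS does not show it in the running-config.

```python
# Constructed sample running-config (Cisco IOS syntax) with the weak defaults
# the thread warns about: CDP on, VTP server mode, no BPDU guard, open access port.
WEAK_CONFIG = """\
hostname sw-edge-1
vtp domain CORP
vtp mode server
cdp run
spanning-tree mode pvst
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
"""

def audit_l2_config(text):
    """Return (scope, finding) tuples for layer-2 settings that should be off or locked."""
    lines = [l.rstrip() for l in text.splitlines()]
    top = [l for l in lines if l and not l.startswith(" ")]
    findings = []
    # CDP is on by default; only an explicit 'no cdp run' stops the "I'm a switch" chatter.
    if "no cdp run" not in top:
        findings.append(("global", "CDP enabled: switch advertises itself to every neighbour"))
    # VTP server/client mode accepts VLAN database rewrites from any peer in the domain.
    mode = next((l.split()[-1] for l in top if l.startswith("vtp mode ")), "server")
    if mode not in ("transparent", "off"):
        findings.append(("global", f"vtp mode {mode}: VLAN database writable by peers; "
                                   "use transparent mode and an MD5 password"))
    # Edge ports must drop BPDUs so a host cannot announce itself into the spanning tree.
    if "spanning-tree portfast bpduguard default" not in top:
        findings.append(("global", "BPDU guard not enabled on portfast edge ports"))
    # Per-interface: an access port with no port-security accepts any number of MACs.
    current, body = None, {}
    for l in lines:
        if l.startswith("interface "):
            current = l.split(None, 1)[1]
            body[current] = []
        elif l.startswith(" ") and current:
            body[current].append(l.strip())
    for name, cmds in body.items():
        if "switchport mode access" in cmds and not any(
                c.startswith("switchport port-security") for c in cmds):
            findings.append((name, "access port without port-security"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit_l2_config(WEAK_CONFIG):
        print(scope, "-", finding)
```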

