Vulnerability Development mailing list archives

Re: Vlans


From: Dom De Vitto <dom () DEVITTO COM>
Date: Thu, 18 Jan 2001 23:03:32 -0000

Read a Cisco book and it'll say that switches are for reducing collision
domains, and vlans are to break up broadcast domains and ease management.

Notice I don't mention security.  Because a stream of new devices on
a non-'locked-down' switch port (and 99% of switches have 100% of ports unlocked)
will fill the mac->port table and the switch will start sending to all ports.

If you're lucky the supervisor card will delete the packets from inappropriate
VLANs, but if the supervisor is busy, e.g. too busy to get around to checking
all the ports, the packet may already have been sent.

The reason for this design? Speed.  Check the Cisco docs - speed, speed, speed.
(It's the same for routers, VPN concentrators and PIXes; Cisco are mad about throughput.)

Consequently, VLANs aren't secure, in general.  You may be able to 'harden'
a switch, but it's a lot of work because a switch isn't the 'tool for the job'.

Check out www.deja.com and search for cisco security catalyst flood,
that should give the few good articles I recall, and they reference others.

Dom
PS. Cisco sales boys will only mention the above when you tell them
security is foremost; then they try and sell you a switch per VLAN - cunning, eh?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Dom De Vitto                              Secure Technologies Ltd. 
  mailto:dom devitto.com                         Mob. 07971 589 201  
  http://www.devitto.com                         Fax. 08700 548 750  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 

 | -----Original Message-----
 | From: VULN-DEV List [mailto:VULN-DEV () securityfocus com]On Behalf Of Tim
 | Salus
 | Sent: 17 January 2001 17:02
 | To: VULN-DEV () securityfocus com
 | Subject: Vlans
 | 
 | 
 | I am not certain if this is the place to ask this and if not please let
 | me know where to send it.
 | 
 | I have a client who has the following configuration:
 | 
 | Internet -> router -> firewall -> load balancer
 | 
 | The connection from the router to the firewall is on a switch and the
 | connection from the inside interface of the firewall is on the same
 | switch. The separation is done using VLANS.
 | 
 | I was taught this is bad due to 802.1Q tagging and VLAN hopping using
 | tagged packets. The problem is I can find very little information on
 | this to prove my point.
 | 
 | Also, what if there is no 802.1Q trunking being done? Is there still a
 | problem with this?
 | 
 | Is there an exploit to get around the firewall and do server flooding by
 | jumping VLANs?
 | 
 | No one can get on the firewall segment, so what I need to know is: can
 | anyone on the internet cause a problem with this type of configuration?
 | 
 | Thanks in advance
 | 
 | Timothy L. Salus
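The mac->port table behaviour Dom describes above (a stream of never-seen source addresses fills the table and the switch falls back to sending unicast frames out of every port) and the 'locked-down port' countermeasure, modelled as an added example that is not part of either message in this thread. The switch model, table size, port numbers and MAC addresses are all constructed for illustration; the model ignores VLANs and supervisor-card behaviour entirely and only shows the fail-open forwarding, a per-port address limit, and the check a defender would run against the address table.

```python
"""Toy learning switch with a fixed-size MAC->port table.

Added example for the VLAN thread; not code from the list or from Cisco.
cam_size and the addresses below are constructed: real CAM tables are much
larger but still finite, which is the whole point of the original post.
"""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    in_port: int


@dataclass
class Switch:
    num_ports: int
    cam_size: int                              # capacity of the MAC->port table
    max_macs_per_port: Optional[int] = None    # simplified 'port security'; None = unlocked
    cam: OrderedDict = field(default_factory=OrderedDict)   # MAC -> port, oldest first
    violations: list = field(default_factory=list)          # (port, MAC) pairs refused

    def macs_on_port(self, port: int) -> int:
        return sum(1 for p in self.cam.values() if p == port)

    def _learn(self, frame: Frame) -> bool:
        """Record src -> in_port. Returns False if the port's limit refuses it."""
        if frame.src in self.cam:
            self.cam.move_to_end(frame.src)    # refresh: most recently seen
            self.cam[frame.src] = frame.in_port
            return True
        if (self.max_macs_per_port is not None
                and self.macs_on_port(frame.in_port) >= self.max_macs_per_port):
            self.violations.append((frame.in_port, frame.src))
            return False
        if len(self.cam) >= self.cam_size:
            self.cam.popitem(last=False)       # table full: oldest entry is replaced
        self.cam[frame.src] = frame.in_port
        return True

    def forward(self, frame: Frame) -> set:
        """Return the set of ports the frame is sent out of."""
        if not self._learn(frame):
            return set()                       # refused by the port limit: dropped
        out = self.cam.get(frame.dst)
        if frame.dst != BROADCAST and out is not None:
            return set() if out == frame.in_port else {out}
        # unknown destination or broadcast: flood to every other port
        return {p for p in range(1, self.num_ports + 1) if p != frame.in_port}


# constructed addresses from the IANA documentation range and a locally administered block
VICTIM_MAC = "00:00:5e:00:53:01"
OBSERVER_MAC = "00:00:5e:00:53:03"
VICTIM_PORT, NOISY_PORT, OBSERVER_PORT = 1, 2, 3


def run_scenario(switch: Switch, new_macs: int = 100) -> set:
    """Learn one host on port 1, push `new_macs` never-seen source addresses
    through port 2, then return where a unicast frame for the port-1 host goes."""
    switch.forward(Frame(VICTIM_MAC, BROADCAST, VICTIM_PORT))
    for i in range(new_macs):
        src = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        switch.forward(Frame(src, BROADCAST, NOISY_PORT))
    return switch.forward(Frame(OBSERVER_MAC, VICTIM_MAC, OBSERVER_PORT))


def ports_over_threshold(switch: Switch, threshold: int) -> list:
    """Detection: access ports carrying more learned addresses than hosts."""
    return [p for p in range(1, switch.num_ports + 1)
            if switch.macs_on_port(p) > threshold]


if __name__ == "__main__":
    unlocked = Switch(num_ports=4, cam_size=8)
    print("unlocked: unicast for the port-1 host is sent to", run_scenario(unlocked))
    print("unlocked: ports over threshold", ports_over_threshold(unlocked, 2))
    locked = Switch(num_ports=4, cam_size=8, max_macs_per_port=2)
    print("locked:   unicast for the port-1 host is sent to", run_scenario(locked))
    print("locked:   refused learns", len(locked.violations))
```

With the port unlocked, the legitimate host's entry is aged out of the full table and the frame addressed to it is flooded to ports 1, 2 and 4, including the port the noise came from; with a two-address limit on port 2 the entry survives and the frame goes only to port 1, and the 98 refused learns are the log events to alert on. On Catalyst IOS the per-port limit is configured with `switchport port-security maximum` and a `switchport port-security violation` mode; the drop-and-record behaviour modelled here is closest to the `restrict` mode. `ports_over_threshold` is the check to run against a real address table: an access port showing far more learned addresses than attached hosts is the signal to investigate.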
