Re: VLAN Security

From: Basil V. Dolmatov (dolat_private)
Date: Fri Sep 03 1999 - 00:42:03 PDT

    On Wed, 1 Sep 1999 bugtraqat_private wrote:
    
    > To Bugtraq,
    >
    > We have recently conducted some testing into the security of the
    > implementation of VLANs on a pair of Cisco Catalyst 2900 series
    > switches and we feel that the results of this testing might be of some
    > value to the readers.  Testing basically involved  injecting 802.1q
    > frames with forged VLAN identifiers into the switch in an attempt to
    > get the frame to jump VLANs.  A brief background is included below for
    > those that might not be too familiar with VLANs.  Others should skip
    > to the end for the results.
    >
    [skip]
    
    > Findings
    > ========
    > We found that under specific conditions it was possible to inject
    > frames into one VLAN and have them 'hop' to a different VLAN.  This is
    > a serious concern if the VLAN mechanism is being used to maintain a
    > security gradient between two network segments.  This has been
    > discussed with Cisco and we believe that it is an issue with the
    > 802.1q specification rather than an implementation issue.
    >
    That _is_ the point... 802.1q specifications were made wide deliberately
    in order to incorporate a maximum of existing vendor-specific VLAN implementations
    panopticum...
    
    You may find after thorough reading of 802.1q specification that VLANless
    network _is_ still 802.1q compliant... Giggle... Sad one...
    
    > The trunk port, along with all the other ports, must be assigned to a
    > VLAN.  If some non-trunk ports on the switch share the same VLAN as
    > the trunk port, then it is possible to inject modified 802.1q frames
    > into these non-trunk ports, and have the frames hop to other VLANs on
    > another switch.
    >
    Yes... This technology is sometimes used in 802.1q networks deliberately
    in order to put a given server in different VLANs simultaneously, even
    if the switch does not allow multi-VLAN operation.
    
    
    >
    > Recommendations
    > ===============
    > Try not to use VLANs as a mechanism for enforcing security policy.
    > They are great for segmenting networks, reducing broadcasts and
    > collisions and so forth, but not as a security tool.
    >
    > If you MUST use them in a security context, ensure that the trunking
    > ports have a unique native VLAN number.
    I would spell it as: "Try not to use 802.1q VLANs as a..."
    
    If you have Cisco equipment at hand, you can use ISL for VLANs and trunking,
    which has none of the peculiarities mentioned in your posting...
    
    >
    
    --------------------------------------
    Basil (Vasily)  Dolmatov  CCNP-Security, CCDA
    East Connection ISP, Moscow, Russia. (http://www.east.ru)
    
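A defender-side check for the condition the original post describes (a trunk whose native VLAN is also assigned to access ports on the same switch, so a forged-tag frame injected on such a port is carried untagged onto the trunk), added here as an example and not part of either message. It assumes Cisco IOS-style `switchport` configuration syntax and a constructed sample config.

```python
# Added audit helper: flags trunks whose 802.1q native (untagged) VLAN is
# also assigned to access ports on the same switch, the condition the
# thread describes for VLAN hopping.  The config below is constructed.
import re
from collections import defaultdict

DEFAULT_VLAN = 1  # IOS default for both the access VLAN and the trunk native VLAN

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/2
 switchport mode access
interface FastEthernet0/24
 switchport mode trunk
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
"""

def parse_interfaces(config):
    """Return {name: {"mode": str|None, "access": int, "native": int}}."""
    ports, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = m.group(1)
            ports[cur] = {"mode": None, "access": DEFAULT_VLAN, "native": DEFAULT_VLAN}
        elif cur is not None:
            s = line.strip()
            if s.startswith("switchport mode "):
                ports[cur]["mode"] = s.split()[-1]
            elif s.startswith("switchport access vlan "):
                ports[cur]["access"] = int(s.split()[-1])
            elif s.startswith("switchport trunk native vlan "):
                ports[cur]["native"] = int(s.split()[-1])
    return ports

def native_vlan_overlaps(config):
    """Map each trunk whose native VLAN has access ports to those ports."""
    ports = parse_interfaces(config)
    access_by_vlan = defaultdict(list)
    for name, p in ports.items():
        if p["mode"] == "access":
            access_by_vlan[p["access"]].append(name)
    # Only trunks whose native VLAN is shared with at least one access port
    return {name: sorted(access_by_vlan[p["native"]])
            for name, p in ports.items()
            if p["mode"] == "trunk" and access_by_vlan[p["native"]]}
```

On the sample, FastEthernet0/24 is flagged because it keeps the default native VLAN 1, which FastEthernet0/2 also uses by default; GigabitEthernet0/1 is clean because its native VLAN 999 is unused by any access port.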



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:01:45 PDT