Re: [PEN-TEST] VLAN Security

From: Jason Lewis (jlewisat_private)
Date: Tue Apr 17 2001 - 17:39:57 PDT

  • Next message: Steve Goldsby: "Re: [PEN-TEST] VLAN Security"

    Have you read this?
    
    http://www.sans.org/infosecFAQ/switchednet/switch_security.htm
    
    I am looking for some other things I have read about security problems with
    trunking protocols.  I will post to the list if I find them.
    
    Something about running all my networks through one switch makes me nervous.
    I have had to fight to get separate physical switches.  In the end, I won.
    HA!  VLAN's have a place, but I don't think a network that requires a high
    level of security is one of them.
    
    Jason Lewis
    http://www.rivalpath.com
    
    -----Original Message-----
    From: Penetration Testers [mailto:PEN-TESTat_private]On Behalf
    Of securenetworkat_private
    Sent: Tuesday, April 17, 2001 1:36 PM
    To: PEN-TESTat_private
    Subject: [PEN-TEST] VLAN Security
    
    
    In advance of the obvious flaming the subject could receive (and deserves),
     I seeking verifiable replies to disprove that VLANs provide Security.
    
    SCENARIO:
    
    A very high-security (defined as Mission Critical per federal regulations)
    project has a proposed situation that places security reliance on VLANs.
    
    There are three security levels (1=lowest; 3=highest):
    *Core network backbone provisioned with Cisco 550x switches. The Core
    supports
    multiple upstream Distribution networks. This is a Level 2 network.
    *Distribution is provisioned with Cisco 2820 or similar (multiple modules,
     VLAN capable), with workgroups switches below (Bay 350/3Com3000 or
    similar).
    This is a single network upstream of the Distribution. This is a Level 3
    network.
    *In normal configuration, a firewall resides between the Core and
    Distribution.
    
    [=CORE=] - - [FW] - - [DIST-A]{switches}resources, etc.
     \
      \ - - - - - - - - - [FW} - - [DIST-B]{switches}resources, etc.
    
    Closeup of a facility's DISTRIBUTION:
    
                     /-  workgroup switches {computers
    ------------/
    [ DIST-A ] ----- workgroup switches {computers
    ------------
                   \
                    \-  workgroup switches {computers
    
    All on same network, same VLAN (VLAN 0), same address space...
    
    CONFIGURATION:
    
    At times, management wants to support various configurations to support
    interim development:
    
    The Distribution network may be split into two independant networks: The
    Distribution is configured for 2 VLANS.  Below is a suggested VLAN
    configuration
    to re-aggragate into 2 separate networks/VLANs.
    
    VLAN1--> /-  workgroup switches {computers ** becomes "Net1" "**
    -------------/
    [ DIST-A ] --- VLAN1 -- workgroup switches {computers ** becomes "Net1"
    **
    -----------
                    \
    VLAN2--> \-  workgroup switches {computers ** becomes "Net2" **
    
    *Aggregation of Net1 and Net2 is done solely by VLAN principles such as
    802.1q or Cisco ISL.
    
    *Dist switch will be configured to place Net1 devices in VLAN 1. Net1 is
    configured for Level 3. The firewall joins VLAN1. Firewall isolates Net1
    and provides NAT. Net1 uses 1918 private IP addresses.
    *Dist switch will be configured to place Net2 devices in VLAN2. Net2  will
    be configured for Level 2 (lower security, for development). The Core switch
    joins VLAN 2. Net2 has public IP space and potential internet connectivity.
    *In such configuration, "isolation" (i.e. firewall) must be maintained
    between
    Net1 and all lower networks (including Net2).
    
    CHALLENGE:
    
    Define scenarios which would allow a party traversing the Core to the Net2
    or within the Net2 could bypass VLAN restriction and thereby gain access
    to Net1 resources:
    *MAC/ARP spoofing/manipulation attack
    *dSniff or similar attack
    *SNMP attack
    *Switch hardware/OS attack
    *DoS attack
    
    If Risk is minimal, what designs/features would enhance/support VLAN1-VLAN2
    configuration?:
    * Subnet masking
    * Switch or VLAN configuration
    * Procure replacement for Distribution switches (better hardware?)
    
    Evaluate Risk
    
    What products are available to exploit?
    How exploitable are threats to VLAN?
    
    Testing facilities are available. Threats must be exploitable, and will
    be perforned to verify.
    
    Any other suggestions will be appreciated. I hope my  \__-__/  drawings
    ;-) and descriptions provide enough information.
    
    Security Guy
    Free, encrypted, secure Web-based email at www.hushmail.com
    



    This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 18:41:36 PDT