Have you read this? http://www.sans.org/infosecFAQ/switchednet/switch_security.htm I am looking for some other things I have read about security problems with trunking protocols. I will post to the list if I find them. Something about running all my networks through one switch makes me nervous. I have had to fight to get separate physical switches. In the end, I won. HA! VLAN's have a place, but I don't think a network that requires a high level of security is one of them. Jason Lewis http://www.rivalpath.com -----Original Message----- From: Penetration Testers [mailto:PEN-TESTat_private]On Behalf Of securenetworkat_private Sent: Tuesday, April 17, 2001 1:36 PM To: PEN-TESTat_private Subject: [PEN-TEST] VLAN Security In advance of the obvious flaming the subject could receive (and deserves), I seeking verifiable replies to disprove that VLANs provide Security. SCENARIO: A very high-security (defined as Mission Critical per federal regulations) project has a proposed situation that places security reliance on VLANs. There are three security levels (1=lowest; 3=highest): *Core network backbone provisioned with Cisco 550x switches. The Core supports multiple upstream Distribution networks. This is a Level 2 network. *Distribution is provisioned with Cisco 2820 or similar (multiple modules, VLAN capable), with workgroups switches below (Bay 350/3Com3000 or similar). This is a single network upstream of the Distribution. This is a Level 3 network. *In normal configuration, a firewall resides between the Core and Distribution. [=CORE=] - - [FW] - - [DIST-A]{switches}resources, etc. \ \ - - - - - - - - - [FW} - - [DIST-B]{switches}resources, etc. Closeup of a facility's DISTRIBUTION: /- workgroup switches {computers ------------/ [ DIST-A ] ----- workgroup switches {computers ------------ \ \- workgroup switches {computers All on same network, same VLAN (VLAN 0), same address space... CONFIGURATION: At times, management wants to support various configurations to support interim development: The Distribution network may be split into two independant networks: The Distribution is configured for 2 VLANS. Below is a suggested VLAN configuration to re-aggragate into 2 separate networks/VLANs. VLAN1--> /- workgroup switches {computers ** becomes "Net1" "** -------------/ [ DIST-A ] --- VLAN1 -- workgroup switches {computers ** becomes "Net1" ** ----------- \ VLAN2--> \- workgroup switches {computers ** becomes "Net2" ** *Aggregation of Net1 and Net2 is done solely by VLAN principles such as 802.1q or Cisco ISL. *Dist switch will be configured to place Net1 devices in VLAN 1. Net1 is configured for Level 3. The firewall joins VLAN1. Firewall isolates Net1 and provides NAT. Net1 uses 1918 private IP addresses. *Dist switch will be configured to place Net2 devices in VLAN2. Net2 will be configured for Level 2 (lower security, for development). The Core switch joins VLAN 2. Net2 has public IP space and potential internet connectivity. *In such configuration, "isolation" (i.e. firewall) must be maintained between Net1 and all lower networks (including Net2). CHALLENGE: Define scenarios which would allow a party traversing the Core to the Net2 or within the Net2 could bypass VLAN restriction and thereby gain access to Net1 resources: *MAC/ARP spoofing/manipulation attack *dSniff or similar attack *SNMP attack *Switch hardware/OS attack *DoS attack If Risk is minimal, what designs/features would enhance/support VLAN1-VLAN2 configuration?: * Subnet masking * Switch or VLAN configuration * Procure replacement for Distribution switches (better hardware?) Evaluate Risk What products are available to exploit? How exploitable are threats to VLAN? Testing facilities are available. Threats must be exploitable, and will be perforned to verify. Any other suggestions will be appreciated. I hope my \__-__/ drawings ;-) and descriptions provide enough information. Security Guy Free, encrypted, secure Web-based email at www.hushmail.com
This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 18:41:36 PDT