<get on high horse>

The one thing that came up recently with us is the problem with VLAN hopping, but it only appears to be a problem when you inject frames into a port belonging to the native VLAN of the trunk port. See http://www.sans.org/newlook/resources/IDFAQ/vlan.htm . This gave me the heebie-jeebies because one of the firewall products we like so much uses tagged VLANs to allow the creation of virtual systems. But it's a discrete case that can be overcome with the proper configuration.

Other than that, the items listed below are pretty much "sometimes people don't set snmp community names" or "people can do DoS attacks against switches". Well yes, they can. And they can do the same thing against firewalls, routers, hosts, etc.

I remind everyone that we're in the risk MITIGATION business, not the risk ELIMINATION business. Everything has its place, even VLANs. Betting the farm on VLANs is akin to betting the farm on the firewall. It's bad practice.

The biggest thing people forget when debating the 'perfect' solution is the cost factor. Let's look at firewalls. You can buy a Sidewinder (arguably the most secure firewall out there) for a bunch of money and pay someone big dollars to manage it (or get trained on it), and get not-so-good performance -- and you'll have bought yourself a degree of security (let's say "N" in this case). Or you can spread that same amount of money across a lower cost firewall, some intrusion detection, some training and some security tools, and you'll have bought yourself a different degree of security (let's say "N+1").

Keep your eye on the ball. Think security in depth.

</get on high horse>

Steve Goldsby
Integrated Computer Solutions Inc.
www.integrate-u.com

-----Original Message-----
From: Penetration Testers [mailto:PEN-TESTat_private] On Behalf Of Jason Lewis
Sent: Tuesday, April 17, 2001 5:40 PM
To: PEN-TESTat_private
Subject: Re: [PEN-TEST] VLAN Security

Have you read this?

http://www.sans.org/infosecFAQ/switchednet/switch_security.htm

I am looking for some other things I have read about security problems with trunking protocols. I will post to the list if I find them.

Something about running all my networks through one switch makes me nervous. I have had to fight to get separate physical switches. In the end, I won. HA!

VLANs have a place, but I don't think a network that requires a high level of security is one of them.

Jason Lewis
http://www.rivalpath.com

-----Original Message-----
From: Penetration Testers [mailto:PEN-TESTat_private] On Behalf Of securenetworkat_private
Sent: Tuesday, April 17, 2001 1:36 PM
To: PEN-TESTat_private
Subject: [PEN-TEST] VLAN Security

In advance of the obvious flaming the subject could receive (and deserves), I am seeking verifiable replies to disprove that VLANs provide security.

SCENARIO:

A very high-security (defined as Mission Critical per federal regulations) project has a proposed situation that places security reliance on VLANs. There are three security levels (1=lowest; 3=highest):

* Core network backbone provisioned with Cisco 550x switches. The Core supports multiple upstream Distribution networks. This is a Level 2 network.

* Distribution is provisioned with Cisco 2820 or similar (multiple modules, VLAN capable), with workgroup switches below (Bay 350/3Com3000 or similar). This is a single network upstream of the Distribution. This is a Level 3 network.

* In normal configuration, a firewall resides between the Core and Distribution.

    [=CORE=] - - [FW] - - [DIST-A]{switches}resources, etc.
       \
        \ - - - - - - - - - [FW] - - [DIST-B]{switches}resources, etc.

Closeup of a facility's DISTRIBUTION:

                  /- workgroup switches {computers
    -------------/
    [ DIST-A ] ----- workgroup switches {computers
    ------------ \
                  \- workgroup switches {computers

All on same network, same VLAN (VLAN 0), same address space...

CONFIGURATION:

At times, management wants to support various configurations to support interim development: the Distribution network may be split into two independent networks. The Distribution is configured for 2 VLANs. Below is a suggested VLAN configuration to re-aggregate into 2 separate networks/VLANs.

    VLAN1-->        /- workgroup switches {computers   ** becomes "Net1" **
    --------------/
    [ DIST-A ] --- VLAN1 -- workgroup switches {computers   ** becomes "Net1" **
    ----------- \
    VLAN2-->      \- workgroup switches {computers   ** becomes "Net2" **

* Aggregation of Net1 and Net2 is done solely by VLAN principles such as 802.1q or Cisco ISL.

* Dist switch will be configured to place Net1 devices in VLAN1. Net1 is configured for Level 3. The firewall joins VLAN1. Firewall isolates Net1 and provides NAT. Net1 uses 1918 private IP addresses.

* Dist switch will be configured to place Net2 devices in VLAN2. Net2 will be configured for Level 2 (lower security, for development). The Core switch joins VLAN2. Net2 has public IP space and potential internet connectivity.

* In such configuration, "isolation" (i.e. firewall) must be maintained between Net1 and all lower networks (including Net2).

CHALLENGE:

Define scenarios which would allow a party traversing the Core to the Net2, or within the Net2, to bypass VLAN restriction and thereby gain access to Net1 resources:

* MAC/ARP spoofing/manipulation attack
* dSniff or similar attack
* SNMP attack
* Switch hardware/OS attack
* DoS attack

If Risk is minimal, what designs/features would enhance/support VLAN1-VLAN2 configuration?

* Subnet masking
* Switch or VLAN configuration
* Procure replacement for Distribution switches (better hardware?)

Evaluate Risk. What products are available to exploit? How exploitable are threats to VLAN? Testing facilities are available. Threats must be exploitable, and will be performed to verify.

Any other suggestions will be appreciated. I hope my \__-__/ drawings ;-) and descriptions provide enough information.

Security Guy

Free, encrypted, secure Web-based email at www.hushmail.com
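The native-VLAN case Steve mentions at the top of the thread is the one VLAN-hopping technique in the CHALLENGE list that depends on 802.1Q itself rather than on a misconfigured SNMP community or a DoS: a host on a port in the trunk's native VLAN sends a frame carrying two tags, the trunk strips the outer (native) tag on egress, and the next switch reads the inner tag and delivers the frame into the victim VLAN. The following is an added example, not code from any of the posters or from the SANS papers they cite. It builds the double-tagged frame byte for byte and runs it through a textbook model of an access port, a trunk egress and a trunk ingress, then shows the same frame against the two standard mitigations. The VLAN numbers (attacker in VLAN 1, native VLAN 1 or 999, target VLAN 20), the MAC addresses and the switch behaviour are assumptions for the demonstration, not the configuration of any product named in the thread; real platforms differ in whether an access port accepts a frame tagged with its own VLAN.

```python
"""
Double-tagged 802.1Q VLAN hopping, modelled in pure Python.

Added example; not the posters' code. The switch model is a simplified,
textbook one: VLAN numbers, MACs and port behaviour are constructed for
the demonstration and are not taken from any specific switch.
"""
import struct

TPID_8021Q = 0x8100
ETH_IPV4 = 0x0800


def mac(s: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> six raw bytes."""
    return bytes(int(x, 16) for x in s.split(":"))


def vlan_tag(vid: int, pcp: int = 0) -> bytes:
    """TPID + TCI for one 802.1Q tag: PCP (3 bits), DEI (0), VID (12 bits)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID out of range")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return struct.pack("!HH", TPID_8021Q, tci)


def build_frame(dst: str, src: str, vids: list, payload: bytes,
                ethertype: int = ETH_IPV4) -> bytes:
    """Ethernet frame with zero or more stacked tags, outermost first."""
    tags = b"".join(vlan_tag(v) for v in vids)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes) -> list:
    """VIDs of every 802.1Q tag starting at offset 12, outermost first."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def access_ingress(frame: bytes, access_vid: int):
    """Access port model: untagged frames belong to access_vid; a frame
    tagged with access_vid is accepted and that tag removed (the behaviour
    the classic attack relies on); any other tag is dropped (None)."""
    vids = parse_tags(frame)
    if not vids:
        return frame
    if vids[0] == access_vid:
        return frame[:12] + frame[16:]   # strip the outer 4-byte tag
    return None


def trunk_egress(frame: bytes, vid: int, native_vid: int, tag_native: bool) -> bytes:
    """Trunk port sending a frame classified into `vid`. Native-VLAN frames
    leave untagged unless the switch is told to tag the native VLAN."""
    if vid == native_vid and not tag_native:
        return frame
    return frame[:12] + vlan_tag(vid) + frame[12:]


def trunk_ingress(frame: bytes, native_vid: int) -> int:
    """Receiving trunk: VLAN is the first tag's VID, else the native VLAN."""
    vids = parse_tags(frame)
    return vids[0] if vids else native_vid


def hop_attempt(access_vid: int, native_vid: int, target_vid: int,
                tag_native: bool = False):
    """VLAN in which the downstream switch delivers an attacker's frame that
    carries [access_vid, target_vid] as stacked tags; None if dropped."""
    # Constructed sample frame: broadcast dst, made-up src, minimal IPv4 stub.
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:0c:29:aa:bb:cc",
                        [access_vid, target_vid], b"\x45" + b"\x00" * 19)
    inside = access_ingress(frame, access_vid)
    if inside is None:
        return None
    on_wire = trunk_egress(inside, access_vid, native_vid, tag_native)
    return trunk_ingress(on_wire, native_vid)


if __name__ == "__main__":
    print("attacker in native VLAN 1, default trunk  ->", hop_attempt(1, 1, 20))
    print("same, native VLAN tagged on the trunk     ->", hop_attempt(1, 1, 20, True))
    print("same, native VLAN moved to unused 999     ->", hop_attempt(1, 999, 20))
    print("attacker in VLAN 10, native still 1        ->", hop_attempt(10, 1, 20))
```

In the model only the first case lands in VLAN 20: the outer tag vanishes at the native-VLAN egress and the inner tag is all the next switch sees. Tagging the native VLAN on the trunk, or making the native VLAN an unused VID that no access port belongs to, leaves the attacker's own VLAN as the outer tag and the frame stays where it started. Two caveats a tester should keep in mind: the attack is one-way (replies from VLAN 20 are never re-tagged back to the attacker), and whether a given access port accepts a frame already tagged with its own VLAN is platform-specific, which is exactly why the original post's "testing facilities are available" matters more than the model.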
This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 19:41:46 PDT