Re: [PEN-TEST] VLAN Security

From: Jason Brvenik (jbrvenikat_private)
Date: Wed Apr 18 2001 - 05:07:53 PDT


    I would check out the thread on vuln-dev titled vlans started back on jan 17.
    Several articles and tests were mentioned.
    
    http://www.securityfocus.com/templates/archive.pike?list=82&tid=157174&threads=0&start=2001-04-15&end=2001-04-21&
    
    A good summary of security and vlans with references can be found at
    http://www.synfin.net/docs/switch_security.html
    
    Jason.
    
    
    -----Original Message-----
    From: Jason Lewis [mailto:jlewisat_private]
    Sent: Tuesday, April 17, 2001 8:40 PM
    To: PEN-TESTat_private
    Subject: Re: [PEN-TEST] VLAN Security
    
    
    Have you read this?
    
    http://www.sans.org/infosecFAQ/switchednet/switch_security.htm
    
    I am looking for some other things I have read about security problems with
    trunking protocols.  I will post to the list if I find them.
    
    Something about running all my networks through one switch makes me nervous.
    I have had to fight to get separate physical switches.  In the end, I won.
    HA!  VLANs have a place, but I don't think a network that requires a high
    level of security is one of them.
    
    Jason Lewis
    http://www.rivalpath.com
    
    -----Original Message-----
    From: Penetration Testers [mailto:PEN-TESTat_private]On Behalf
    Of securenetworkat_private
    Sent: Tuesday, April 17, 2001 1:36 PM
    To: PEN-TESTat_private
    Subject: [PEN-TEST] VLAN Security
    
    
    In advance of the obvious flaming the subject could receive (and deserves),
    I am seeking verifiable replies to disprove that VLANs provide Security.
    
    SCENARIO:
    
    A very high-security (defined as Mission Critical per federal regulations)
    project has a proposed situation that places security reliance on VLANs.
    
    There are three security levels (1=lowest; 3=highest):
    *Core network backbone provisioned with Cisco 550x switches. The Core
    supports multiple upstream Distribution networks. This is a Level 2 network.
    *Distribution is provisioned with Cisco 2820 or similar (multiple modules,
    VLAN capable), with workgroup switches below (Bay 350/3Com3000 or similar).
    This is a single network upstream of the Distribution. This is a Level 3
    network.
    *In normal configuration, a firewall resides between the Core and Distribution.
    
    [=CORE=] - - [FW] - - [DIST-A]{switches}resources, etc.
     \
      \ - - - - - - - - - [FW] - - [DIST-B]{switches}resources, etc.
    
    Closeup of a facility's DISTRIBUTION:
    
                     /-  workgroup switches {computers
    ------------/
    [ DIST-A ] ----- workgroup switches {computers
    ------------
                   \
                    \-  workgroup switches {computers
    
    All on same network, same VLAN (VLAN 0), same address space...
    
    CONFIGURATION:
    
    At times, management wants to support various configurations to support
    interim development:
    
    The Distribution network may be split into two independent networks: The
    Distribution is configured for 2 VLANs.  Below is a suggested VLAN
    configuration to re-aggregate into 2 separate networks/VLANs.
    
    VLAN1--> /-  workgroup switches {computers ** becomes "Net1" **
    -------------/
    [ DIST-A ] --- VLAN1 -- workgroup switches {computers ** becomes "Net1" **
    -----------
                    \
    VLAN2--> \-  workgroup switches {computers ** becomes "Net2" **
    
    *Aggregation of Net1 and Net2 is done solely by VLAN principles such as
    802.1q or Cisco ISL.
    
    *Dist switch will be configured to place Net1 devices in VLAN 1. Net1 is
    configured for Level 3. The firewall joins VLAN1. Firewall isolates Net1
    and provides NAT. Net1 uses 1918 private IP addresses.
    *Dist switch will be configured to place Net2 devices in VLAN2. Net2 will
    be configured for Level 2 (lower security, for development). The Core switch
    joins VLAN 2. Net2 has public IP space and potential internet connectivity.
    *In such configuration, "isolation" (i.e. firewall) must be maintained
    between Net1 and all lower networks (including Net2).
    
    CHALLENGE:
    
    Define scenarios which would allow a party traversing the Core to the Net2,
    or within the Net2, to bypass VLAN restriction and thereby gain access
    to Net1 resources:
    *MAC/ARP spoofing/manipulation attack
    *dSniff or similar attack
    *SNMP attack
    *Switch hardware/OS attack
    *DoS attack
    
    If Risk is minimal, what designs/features would enhance/support VLAN1-VLAN2
    configuration?:
    * Subnet masking
    * Switch or VLAN configuration
    * Procure replacement for Distribution switches (better hardware?)
    
    Evaluate Risk
    
    What products are available to exploit?
    How exploitable are threats to VLAN?
    
    Testing facilities are available. Threats must be exploitable, and will
    be performed to verify.
    
    Any other suggestions will be appreciated. I hope my  \__-__/  drawings
    ;-) and descriptions provide enough information.
    
    Security Guy
    Free, encrypted, secure Web-based email at www.hushmail.com
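An added illustration of the poster's VLAN1/VLAN2 split, written here as an editor's example and not taken from the thread: the negotiated switch defaults are shown next to a static configuration in which VLAN membership, trunk contents and SNMP access are all explicit. Cisco IOS syntax is assumed (the Catalyst 550x and 2820 named in the post would need the CatOS "set" equivalents); the interface names, VLAN 999 and the management address 192.0.2.10 are placeholders.

```cisco
! Net1 (Level 3) stays on VLAN 1, Net2 (Level 2) on VLAN 2, as in the post.
! VLAN 999 is a constructed parking VLAN for unused ports and as native VLAN.
vlan 2
 name Net2-Level2
vlan 999
 name Parking-Unused
!
! --- WEAK: trunk toward the firewall as the port ships. DTP may negotiate
! --- trunking with whatever is plugged in, every VLAN is carried, and any
! --- untagged frame on the link is placed in VLAN 1, i.e. in Net1.
interface GigabitEthernet0/1
 description to-FW (default settings)
 switchport mode dynamic desirable
!
! --- HARDENED: explicit 802.1q trunk, no DTP, only VLAN 1 and 2 carried,
! --- native VLAN moved to the unused VLAN and tagged so an untagged frame
! --- can never land in Net1.
interface GigabitEthernet0/1
 description to-FW
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 1,2
 switchport trunk native vlan 999
vlan dot1q tag native
!
! Uplink toward the Core carries Net2 only; Net1 is never allowed on it,
! so the Core-side boundary is enforced by the trunk, not only by the FW.
interface GigabitEthernet0/2
 description to-CORE
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 2
 switchport trunk native vlan 999
!
! Workgroup-switch ports: static access, no negotiation. Net1 shown here;
! a Net2 port is identical with "switchport access vlan 2".
interface FastEthernet0/1
 description workgroup-Net1
 switchport mode access
 switchport access vlan 1
 switchport nonegotiate
!
! Unused ports are shut and parked so a stray patch cable joins nothing.
interface range FastEthernet0/20 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! SNMP (listed as a threat in the post): read-only, reachable only from
! the management host; "<ro-community>" is a placeholder to be replaced.
access-list 10 permit 192.0.2.10
snmp-server community <ro-community> RO 10
```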
    



    This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 08:43:10 PDT