Re: [fw-wiz] Firewalls and 802.1q trunking

From: Eric Vyncke (evyncke@cisco.com)
Date: 12/04/02


To: Steffen Kluge <kluge@fujitsu.com.au>
From: Eric Vyncke <evyncke@cisco.com>
Date: Wed Dec  4 12:39:17 2002

First, have a look at my IP address to remove possible bias ;-)

Second, @stake made some extended research on VLAN hopping against a Catalyst switch. They were unable to actually hop between VLANs on a well-configured switch. See their paper on:
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf

Having said this, I've seen two different points of view:

- misconfiguration happens: an Infosec or network operator can make a mistake in the VLAN configuration

- probability of faulty switch configuration by an educated network/infosec operator is less than the probability of a wrong cable patching in the datacom room by an uneducated engineer.

I guess that the decision really belongs to _your_ security policy and requirements.

Hope it helps

-eric

At 11:30 27/11/2002 +1100, Steffen Kluge wrote:
>Hi everyone,
>I'd like to solicit your opinion on the popular trend of
>equipping firewalls with (almost) arbitrary numbers of interfaces
>by means of VLAN trunking. Many FW vendors (including Nokia,
>NetScreen, and the like) are going down that path.
>
>My concern is that the "fan-out" boxes are typically run-of-the-mill
>switches, like Cisco Catalysts, that probably have been designed without
>any security aspirations. I wouldn't be surprised if those switches
>could be attacked and tricked into leaking packets between VLANs.
>
>Are there any studies devoted to this issue, or reports of successful
>attacks against 802.1q separation that I should be aware of?
>
>In our environment we use firewalls with rather large numbers of
>interfaces (typically 15 ~ 25), mostly based on Xylan switches running
>FW-1. This product line has disappeared now and all alternative
>solutions seem to be relying on VLAN trunking.
>
>I'm not comfortable with the idea yet, but I wasn't comfortable with
>the Xylan switches in the beginning, either. I'd like to think I'm too
>paranoid, but then, that's my job...
>
>Cheers
>Steffen.
>
>
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@honor.icsalabs.com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
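Eric's first bullet (a VLAN configuration mistake on the fan-out switch silently merges two firewall zones) is the failure mode that is easiest to check for mechanically. The script below is an added example, not code from either poster or from Cisco: it parses a constructed, Cisco-IOS-style running-config excerpt for the switch behind the firewall trunk, compares each port's VLAN and the trunk's allowed-VLAN list against the intended zone design, and reports every deviation. The interface names, VLAN numbers, port descriptions and the intended design are all assumptions made up for the example; the `switchport mode`, `switchport access vlan` and `switchport trunk allowed vlan` keywords are the real IOS syntax the parser recognizes.

```python
"""Audit a firewall fan-out switch config for VLAN assignment mistakes.

Added example (not from the original thread). SAMPLE_CONFIG, the interface
names, VLAN numbers and INTENDED_* tables are constructed assumptions.
"""
import re

# Constructed IOS-style running-config excerpt (assumption, not a real switch).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description Uplink to firewall (802.1q trunk)
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
!
interface GigabitEthernet0/2
 description DMZ web server
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/3
 description Internal file server
 switchport mode access
 switchport access vlan 30
!
interface GigabitEthernet0/4
 description Partner extranet host
 switchport mode access
 switchport access vlan 30
!
interface GigabitEthernet0/5
 description Spare
 switchport mode access
 switchport access vlan 1
"""

# Intended design (assumption): which VLAN each host port belongs to, and
# which VLANs the trunk towards the firewall is meant to carry.
INTENDED_PORT_VLAN = {
    "GigabitEthernet0/2": 20,
    "GigabitEthernet0/3": 30,
    "GigabitEthernet0/4": 40,  # partner host belongs in VLAN 40, not 30
}
INTENDED_TRUNK_VLANS = {"GigabitEthernet0/1": {10, 20, 30, 40}}


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22,30' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text):
    """Return {interface: {'mode', 'access_vlan', 'allowed'}} from IOS-style text."""
    interfaces = {}
    current = None
    for raw in text.splitlines():
        m = re.match(r"^interface (\S+)", raw)
        if m:
            current = m.group(1)
            interfaces[current] = {"mode": None, "access_vlan": None, "allowed": None}
            continue
        if current is None:
            continue
        line = raw.strip()
        if m := re.match(r"^switchport mode (\w+)", line):
            interfaces[current]["mode"] = m.group(1)
        elif m := re.match(r"^switchport access vlan (\d+)", line):
            interfaces[current]["access_vlan"] = int(m.group(1))
        elif m := re.match(r"^switchport trunk allowed vlan ([\d,\s-]+)$", line):
            interfaces[current]["allowed"] = parse_vlan_list(m.group(1))
    return interfaces


def audit(interfaces, intended_ports, intended_trunks):
    """Compare parsed config with the design; return a list of finding strings."""
    findings = []
    for name, cfg in interfaces.items():
        if name in intended_ports:
            want = intended_ports[name]
            if cfg["mode"] != "access":
                findings.append(f"{name}: expected access port, found mode {cfg['mode']}")
            elif cfg["access_vlan"] != want:
                findings.append(f"{name}: access VLAN {cfg['access_vlan']}, design says {want}")
        elif name in intended_trunks:
            want = intended_trunks[name]
            if cfg["mode"] != "trunk":
                findings.append(f"{name}: expected trunk, found mode {cfg['mode']}")
            elif cfg["allowed"] is None:
                # IOS default without an allowed list is 'all VLANs': too broad.
                findings.append(f"{name}: trunk allows all VLANs; design says {sorted(want)}")
            else:
                if extra := cfg["allowed"] - want:
                    findings.append(f"{name}: trunk allows {sorted(extra)} beyond design")
                if lacking := want - cfg["allowed"]:
                    findings.append(f"{name}: trunk missing VLANs {sorted(lacking)}")
        elif cfg["mode"] == "trunk":
            findings.append(f"{name}: unexpected trunk port not in design")
    for name in (set(intended_ports) | set(intended_trunks)) - set(interfaces):
        findings.append(f"{name}: in design but absent from config")
    return findings


def audit_sample():
    """Run the audit against the constructed config and design above."""
    return audit(parse_config(SAMPLE_CONFIG), INTENDED_PORT_VLAN, INTENDED_TRUNK_VLANS)


if __name__ == "__main__":
    for finding in audit_sample() or ["no deviations from design"]:
        print(finding)
```

On the constructed input the audit reports exactly one deviation: the partner host on GigabitEthernet0/4 sits in VLAN 30 with the internal file server instead of its own VLAN 40, which is precisely the kind of zone merge that a firewall in front of a trunk can never see. Running such a comparison against the real design after every change is a cheap way to catch the operator mistake Eric describes before it becomes a leak between zones.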


