RE: [fw-wiz] VLAN Security

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 06/08/04

    To: "Jeff Boles" <bolesjb@yahoo.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 8 Jun 2004 15:05:16 -0400
    
    

    > -----Original Message-----
    > Anyone care to voice their consensus on contemporary
    > VLAN implementations as a security measure? I'm
    > looking at a WAN design using a newly rolled out
    > MetroEthernet product, and provider network is built
    > on catalyst switches and VLAN's. Every customer rides
    > a separate VLAN. The provider's intention is to also
    > provide ISP services across this cloud.

    The main issue for 802.1Q VLANs is that some implementations are
    susceptible to "hopping" attacks. The attacker has to know the proper
    802.1Q VLAN ID tag and the MAC address of the victim in order to hop
    VLANs, but this information is often much easier to come by than it
    ought to be. (Usually all you need is a read-only SNMP community.
    Sometimes not even that -- how many of your switches have a VLAN with an
    ID of '1'?)

    Some light reading:
    http://www.sans.org/resources/idfaq/vlan.php
    http://www.phenoelit.de/stuff/18C3.pdf
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

    > Anybody care to voice an argument on VLAN integrity
    > in the provider network?

    I wouldn't trust it if I didn't put it in and test it myself or see that
    it was analyzed and certified by a third party qualified to do so. That
    said, you may opt to mitigate these risks by using other access control,
    encryption, or authentication mechanisms. For instance, restricting
    traffic so that only IPSec tunnels can cross the cloud would negate the
    issue of whether or not the VLANs were secure.

    PaulM
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
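A check a defender can run over frames captured on a customer-facing port, added here as an example and not part of the original thread: it walks the 802.1Q tag stack of each Ethernet frame and flags the layouts the reply warns about (a second, stacked tag used for hopping, and a tag for VLAN 1). The frames, MAC addresses and the expected port VLAN are constructed sample input.

```python
import struct

# Tag protocol identifiers that start an 802.1Q / 802.1ad tag (4 bytes: TPID + TCI)
TAG_TPIDS = {0x8100, 0x88A8, 0x9100}


def parse_vlan_tags(frame: bytes):
    """Return (dst_mac, src_mac, [vlan ids outer->inner], inner ethertype)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    offset = 12
    vids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame: no ethertype after tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_TPIDS:
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return dst, src, vids, ethertype


def audit_frame(frame: bytes, expected_vid: int):
    """Flag tag layouts that should never arrive on a single-VLAN customer port."""
    dst, src, vids, etype = parse_vlan_tags(frame)
    findings = []
    if len(vids) > 1:
        findings.append("double-tagged frame (stacked 802.1Q tags)")
    if 1 in vids:
        findings.append("frame tagged with VLAN 1 (default VLAN)")
    if vids and vids[0] != expected_vid:
        findings.append(f"outer tag {vids[0]} differs from port VLAN {expected_vid}")
    return {"src": src, "dst": dst, "vids": vids, "ethertype": etype, "findings": findings}


def build_frame(vids, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed sample frame (hypothetical MACs) with the given tag stack."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for vid in vids:
        hdr += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    for tags in ([], [10], [1, 20]):
        print(tags, audit_frame(build_frame(tags), expected_vid=10)["findings"])
```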

