Re: port-based VLANs - security issues?

From: Walter Roberson (roberson@ibd.nrc-cnrc.gc.ca)
Date: 03/27/03


From: roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson)
Date: 27 Mar 2003 07:54:49 GMT

In article <L9uga.18046$Gc61.742@news01.bloor.is.net.cable.rogers.com>,
Doug Fox <dfox168@hotmail.com> wrote:
:We are thinking to deploy port-based VLANs using Cisco switches 3500 or 4000
:to isolate data traffic to minimize data exposure or minimize security
:risks.

:Any pointers/comments are appreciated.

There were some security issues in older IOS releases with respect to
VLANs, but they were fixed somewhat over a year ago; suggest you
look through the Cisco Field Service Bulletins. There's a well-known
paper that showed that [when the paper was written] if you injected
packets with the wrong VLAN tag you could sometimes get your data
transported.

Generally speaking, there is a security issue possible with
VLANs under high traffic loads when "protocol based" VLANs are in use.
If an attacker is on the same segment as a switch, then the attacker
can send out many forged ARP packets, enough to fill up the MAC tables
of the switch.

If the attacker now sends out ARP inquiry packets, the
switch has to either A) drop the packets; or B) drop one of the
existing entries; or C) leave the table full and flood the ARP
inquiry to all ports that might belong to any of the protocol-based
VLANs.

If it A) drops the packets, then the attacker has just DoS'd the
switch for all legitimate traffic until some of the entries expire.

If it B) drops one of the entries, then it might well end up dropping
one of the useful entries, and if the attacker continues to flood in
new entries it might be difficult for the legitimate entries to get
back in, so again it's DoS'd.

If it C) floods the packets to all possible ports, then the attacker
can probe machines on other VLANs.

-- 
   "WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
    WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG.   (GEB)
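The three outcomes in the reply above (drop, evict, flood) modelled as an added example, not code from the post or from any switch vendor: a capacity-limited MAC table receiving a flood of forged source addresses on one port, beside the per-port learning limit that switch port-security features impose. Capacity, policies, port numbers and MAC values are constructed assumptions.

```python
"""Model of a switch MAC (CAM) table under source-MAC flooding and of the
per-port learning limit ("port security") that contains it.  Constructed
example: not code from the post and not any vendor's implementation."""
from collections import OrderedDict

class MacTable:
    """policy 'drop'  : stop learning when full, drop the frame   (outcome A)
       policy 'evict' : evict the oldest entry to make room       (outcome B)
       policy 'flood' : stop learning, flood unknown destinations (outcome C)"""
    def __init__(self, capacity, policy, max_per_port=None):
        self.capacity, self.policy = capacity, policy
        self.max_per_port = max_per_port       # None = no port-security limit
        self.table = OrderedDict()             # mac -> port, oldest first
        self.refused = {}                      # port -> learn attempts refused

    def learn(self, src_mac, port):
        if src_mac in self.table:
            self.table.move_to_end(src_mac)    # refresh age on every frame seen
            return 'ok'
        # Port security: cap the number of distinct source MACs one port may learn.
        if self.max_per_port is not None and \
                sum(p == port for p in self.table.values()) >= self.max_per_port:
            self.refused[port] = self.refused.get(port, 0) + 1
            return 'violation'
        if len(self.table) >= self.capacity:
            if self.policy != 'evict':
                self.refused[port] = self.refused.get(port, 0) + 1
                return 'full'
            self.table.popitem(last=False)     # outcome B: oldest entry goes
        self.table[src_mac] = port
        return 'ok'

    def handle(self, src_mac, dst_mac, port):
        """Switch one frame: returns an output port, 'FLOOD' or 'DROP'."""
        status = self.learn(src_mac, port)
        if status == 'violation' or (status == 'full' and self.policy == 'drop'):
            return 'DROP'
        return self.table.get(dst_mac, 'FLOOD')  # unknown dst goes to every port

def simulate(policy, max_per_port=None, capacity=8, forged=20):
    """Three legitimate hosts on ports 1-3, then `forged` constructed source MACs
    on port 4.  Returns (legit entries kept, refusals on port 4, last action)."""
    t = MacTable(capacity, policy, max_per_port)
    legit = {'aa:00:00:00:00:01': 1, 'aa:00:00:00:00:02': 2, 'aa:00:00:00:00:03': 3}
    for mac, port in legit.items():
        t.handle(mac, 'ff:ff:ff:ff:ff:ff', port)
    for i in range(forged):
        last = t.handle('de:ad:00:00:00:%02x' % i, 'aa:00:00:00:00:ff', 4)
    kept = sum(1 for m in legit if m in t.table)
    return kept, t.refused.get(4, 0), last
```

With no per-port limit, the 'evict' policy loses every legitimate entry and the 'flood' policy sends the attacker's frames to every port; `max_per_port=2` stops learning on port 4 after two addresses and leaves the legitimate entries intact.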

