Re: VLAN on Cisco Catalyst



In article <45048148$1@xxxxxxxxxxxxxxxxx>,
Keme <KEMEsixtwonullsix@xxxxxxxx> wrote:
> I am getting conflicting advice from various sources concerning VLAN
> security. I have several Catalyst 2950 switches in my network
>
> I will now set up a network
> commanding higher security in the same physical space
>
> I get some warnings about the possibility of fixing a packet header to
> make traffic cross over between VLANs. Is that possible if all
> switchports have the communication explicitly set? (i.e.: ports
> connected to other Catalysts are set to Trunk mode, and ports towards
> the client side are set to access mode.) With no ports in auto mode, I'd
> think that such "trunk spoofing" would fail.

Historically, there have been attacks (on some devices) in which
a packet that unexpectedly had an 802.1Q header was allowed to hop
to the target VLAN. Most of the obvious vlan hopping attacks were
repaired by (reputable) vendors (on their managed switches) quite
a few years ago. It might, however, still be possible on some switches
by flooding the ARP table: in case of switch overload, some switches
(especially lower-end ones) might flood to *all* ports, not just to
the ports that are part of the same VLAN.

I seem to recall there was an attack demonstrated (and fixed since)
against some of the more advanced layer 2 capabilities such as
packet-in-packet encapsulation, used for "private VLAN" functions
(in which there might be multiple layers of 802.1Q tags.)


> The high security nodes are mostly self-sufficient (only occasional need
> for network) so DoS is probably not an issue. Eavesdropping and
> intrusion could be critical, though.

If the work has anything to do with the military, or anything
to do with information that has legally been classified beyond
certain levels, then there are military or legal requirements on the
security mechanisms that must be put in place, and those may
require "air gaps" or other fairly strict interconnection restrictions.

Thus, why you are doing this might make an important difference.
A lot of personnel issues (e.g., not allowing people to see others'
salary) are *not* legally considered to require that level of security,
as is also the case for a lot of standard "keep our competitors
from finding out what we are doing" commercial security. But
EU customer privacy regulations are fairly strict, so ensure that
your choices are consistent with whatever level of customer information
you are holding internally.
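As an added illustration of the two frame shapes the reply mentions (a frame that unexpectedly carries an 802.1Q header, and stacked tags of the kind used by Q-in-Q / private-VLAN encapsulation), here is a small parser that walks the tag chain of a raw Ethernet frame and labels what a port monitor would want to flag. This is example code, not from the original post; the sample frames are constructed, and treating 0x88A8 (802.1ad) and the legacy 0x9100 TPID as tags alongside 0x8100 is my assumption about the monitoring point.

```python
import struct

# TPIDs that introduce a VLAN tag: 802.1Q, 802.1ad S-tag, and legacy Q-in-Q.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}


def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, ethertype) for a raw Ethernet frame.

    Starts at offset 12 (after the destination and source MACs) and collects
    every stacked tag in order; ethertype is the payload type after the last tag.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12
    vlan_ids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated Ethernet header")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in VLAN_TPIDS:
            return vlan_ids, ethertype
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4


def classify_frame(frame: bytes, port_is_access: bool) -> str:
    """Label a frame seen on a port: 'ok', 'tagged-on-access' or 'double-tagged'."""
    vlan_ids, _ = parse_vlan_tags(frame)
    if len(vlan_ids) > 1:
        return "double-tagged"      # stacked 802.1Q headers
    if vlan_ids and port_is_access:
        return "tagged-on-access"   # access ports should only see untagged frames
    return "ok"


def build_frame(vlan_ids, ethertype=0x0800, payload=b"\x00" * 20) -> bytes:
    """Constructed sample frame: dst/src MAC, then one 0x8100 tag per VLAN ID."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
    for vid in vlan_ids:
        hdr += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    for vids, access in [([], True), ([10], False), ([10], True), ([1, 20], False)]:
        kind = "access" if access else "trunk"
        print(vids, kind, "->", classify_frame(build_frame(vids), access))
```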
