Bugtraq mailing list archives
Re: VLAN Security
From: dol () EAST RU (Basil V. Dolmatov)
Date: Fri, 3 Sep 1999 11:42:03 +0400
On Wed, 1 Sep 1999 bugtraq () SIS ALPHAWEST COM AU wrote:
> To Bugtraq,
>
> We have recently conducted some testing into the security of the implementation of VLANs on a pair of Cisco Catalyst 2900 series switches and we feel that the results of this testing might be of some value to the readers. Testing basically involved injecting 802.1q frames with forged VLAN identifiers into the switch in an attempt to get the frame to jump VLANs. A brief background is included below for those that might not be too familiar with VLANs. Others should skip to the end for the results.
>
> [skip]
>
> Findings
> ========
>
> We found that under specific conditions it was possible to inject frames into one VLAN and have them 'hop' to a different VLAN. This is a serious concern if the VLAN mechanism is being used to maintain a security gradient between two network segments. This has been discussed with Cisco and we believe that it is an issue with the 802.1q specification rather than an implementation issue.
That _is_ the point... 802.1q specifications were made wide deliberately in order to incorporate the maximum of the existent vendor-specific VLAN implementations panopticum... You may find after thorough reading of the 802.1q specification that a VLANless network _is_ still 802.1q compliant... Giggle... Sad one...
> The trunk port, along with all the other ports, must be assigned to a VLAN. If some non-trunk ports on the switch share the same VLAN as the trunk port, then it is possible to inject modified 802.1q frames into these non-trunk ports, and have the frames hop to other VLANs on another switch.
Yes... This technology is sometimes used deliberately in 802.1q networks in order to put a given server in different VLANs simultaneously, even if the switch does not allow multi-VLAN operation.
> Recommendations
> ===============
>
> Try not to use VLANs as a mechanism for enforcing security policy. They are great for segmenting networks, reducing broadcasts and collisions and so forth, but not as a security tool. If you MUST use them in a security context, ensure that the trunking ports have a unique native VLAN number.
I would spell it as: "Try not to use 802.1q VLANs as a..." If you have Cisco equipment at hand, you can use ISL for VLANs and trunking, which has no peculiarities mentioned in your posting...
--------------------------------------
Basil (Vasily) Dolmatov
CCNP-Security, CCDA
East Connection ISP, Moscow, Russia. (http://www.east.ru)
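The two conditions the thread turns on, a frame carrying more than one 802.1q tag and a trunk whose native VLAN is shared with non-trunk ports, are easy to check mechanically. The following is an added example written for this archive page, not code from the original poster or from Cisco: it decodes the 802.1q tag stack of a raw Ethernet frame the way a monitoring sensor would, flags the frames a VLAN-hop attempt would produce, and checks a port-to-VLAN assignment against the posting's recommendation that the trunk's native VLAN be unique. The function names (`parse_frame`, `flag_frame`, `check_native_vlan_unique`) and the sample frames and port table are constructed here for illustration.

```python
"""Decode 802.1Q tag stacks and check the native-VLAN recommendation.

Added example for the VLAN Security thread; not the original poster's code.
The frames and port table below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100    # C-VLAN tag (802.1Q)
TPID_8021AD = 0x88A8   # S-VLAN tag (802.1ad, QinQ); counted as a tag too
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vids: list          # VLAN IDs, outermost first; [] for an untagged frame
    ethertype: int      # EtherType of the payload after all tags
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Walk the tag stack after the MAC header until a non-tag EtherType."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    off = 12
    vids = []
    while True:
        if off + 2 > len(raw):
            raise ValueError("frame truncated inside the tag stack")
        (etype,) = struct.unpack_from("!H", raw, off)
        if etype not in TAG_TPIDS:
            return Frame(dst, src, vids, etype, raw[off + 2:])
        if off + 4 > len(raw):
            raise ValueError("frame truncated inside an 802.1Q tag")
        (tci,) = struct.unpack_from("!H", raw, off + 2)
        vids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VID
        off += 4


def flag_frame(frame: Frame, native_vid: int) -> list:
    """Findings a defender wants to see for a frame seen on an access port.

    A switch strips a tag matching the trunk's native VLAN before forwarding,
    so an outer tag equal to native_vid with a second tag beneath it is the
    shape of the 'hop' the posting describes.
    """
    findings = []
    if len(frame.vids) > 1:
        findings.append("double-tagged")
    if frame.vids and frame.vids[0] == native_vid:
        findings.append("outer tag is native VLAN")
    return findings


def check_native_vlan_unique(ports: dict) -> list:
    """ports maps a port name to ("trunk", native_vid) or ("access", vid).

    Returns the access ports that share a VLAN with some trunk's native VLAN,
    i.e. the configuration the posting recommends against.
    """
    natives = {vid for mode, vid in ports.values() if mode == "trunk"}
    return sorted(name for name, (mode, vid) in ports.items()
                  if mode == "access" and vid in natives)


# Constructed sample frames: MAC header, tag stack, IPv4 EtherType, padding.
_HDR = bytes.fromhex("001122334455" "66778899aabb")
_PAD = b"\x00" * 46
SAMPLE_UNTAGGED = _HDR + bytes.fromhex("0800") + _PAD
SAMPLE_SINGLE = _HDR + bytes.fromhex("8100" "000a" "0800") + _PAD         # VID 10
SAMPLE_DOUBLE = _HDR + bytes.fromhex("8100" "0001" "8100" "0014" "0800") + _PAD  # VID 1 over VID 20

# Constructed port table: trunk left on the default native VLAN 1, which an
# access port also uses, then the same table with a dedicated native VLAN.
PORTS_SHARED = {"Fa0/1": ("trunk", 1), "Fa0/2": ("access", 1), "Fa0/3": ("access", 10)}
PORTS_FIXED = {"Fa0/1": ("trunk", 999), "Fa0/2": ("access", 1), "Fa0/3": ("access", 10)}


if __name__ == "__main__":
    for raw in (SAMPLE_UNTAGGED, SAMPLE_SINGLE, SAMPLE_DOUBLE):
        fr = parse_frame(raw)
        print(fr.vids, hex(fr.ethertype), flag_frame(fr, native_vid=1))
    print("shared native VLAN on:", check_native_vlan_unique(PORTS_SHARED))
    print("after fix:", check_native_vlan_unique(PORTS_FIXED))
```

`flag_frame` takes the trunk's native VLAN as a parameter because that is the value the recommendation asks you to make unique; run against access-port traffic, any frame arriving already tagged with it, let alone double-tagged, is worth an alert regardless of what the switch does with it.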