Firewall Wizards mailing list archives
RE: vlan security ?
From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 10 Aug 2000 12:02:35 -0700 (PDT)
Some folks have asked about what I know about VLANs. I'm a little out of date at the moment; I haven't had any to play with for some time. Here's a post I made some time ago with some speculations I made:

http://www.nfr.net/pipermail/firewall-wizards/1998-October/004101.html

The 802.1q issue (which came much later after the above post) is here:

http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D615

Basically, under the right conditions, it will pass frames between VLANs that are tagged just right with 802.1q trailers. Cisco says it's because the coloring comes at the end of the frame, and to use ISL instead. From what little I know about how the Cats work, it's because they pass frames around in 48-bit chunks, and by the time it gets to the end of the frame, the bulk of the frame is already in every port's transmit buffer. The way Cats work, the CPU is in charge of telling all the ports that they *shouldn't* send a packet that they have already buffered (i.e., it's fail-open). If you manage to spike the CPU, it won't have time to dump that frame before it completes. Since ISL colors at the beginning, the CPU has several opportunities to dump the frame before it goes, minimizing the problem. Might still be possible, I don't know.

Note that this is for the older Cats. Differing models or newer ones may not have this issue.

The fact that they are fail-open isn't much surprise, though. The market would punish Cisco much worse for a switch that dropped packets than it would for one that sends extra ones that normally get ignored. If you're security-conscious, then you just pay Cisco for more boxes. I bet they're heartbroken.

There have also been published buffer overflow vulnerabilities for the Cat login prompt.

I'm afraid I don't have a lot of tools to give people for getting between VLANs. You can get an ISL driver for Linux if you've got a TULIP chipset Ethernet NIC. You can play CDP back at the Cat pretty easily with SnifferPro. I bet there are some buffer overflow possibilities there.

If you go look at the thread for the note I referenced at the top, you'll see suggestions for what to turn off in configuration. Those are good suggestions. That might save you, but I don't think that's ever been tested.

Ryan

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
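The post above turns on how a switch treats frames "tagged just right" with 802.1q. The following is an added example, not code from Ryan's post or from any Cisco tool: it builds Ethernet II frames with zero, one or two 802.1Q tags (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VID), parses the tag stack back out, and applies the policy check a monitoring tap or host-side filter on an access port would want: an access port should never see tagged frames at all, a frame carrying a nested (double) tag is the classic shape of a VLAN-hopping attempt, and a single tag for a VLAN other than the port's own is also suspect. The MAC addresses, VIDs and payloads are constructed for the example; no real capture is used.

```python
import struct

TPID_8021Q = 0x8100  # IEEE 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vids=(), pcp=0):
    """Build an Ethernet II frame. Each VID in `vids` (outermost first)
    inserts a 4-byte 802.1Q tag between the source MAC and the EtherType."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    tags = b"".join(
        struct.pack("!HH", TPID_8021Q, ((pcp & 0x7) << 13) | (vid & 0x0FFF))
        for vid in vids
    )
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Walk the tag stack after the two MACs.
    Returns (vids outermost-first, inner EtherType, payload offset)."""
    off = 12
    vids = []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame: no EtherType")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype != TPID_8021Q:
            return vids, etype, off + 2
        if len(frame) < off + 4:
            raise ValueError("truncated frame: 802.1Q TPID without TCI")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)  # drop PCP/DEI, keep the 12-bit VID
        off += 4


def check_access_port_frame(frame, access_vlan):
    """Classify a frame seen on an access port assigned to `access_vlan`.
    'ok'            untagged, as expected on an access port
    'double-tagged' nested tags: the VLAN-hopping signature
    'foreign-vlan'  one tag, but for a VLAN other than the port's own
    'tagged'        one tag matching the port's VLAN (still unexpected here)"""
    vids, _etype, _off = parse_tags(frame)
    if not vids:
        return "ok"
    if len(vids) > 1:
        return "double-tagged"
    if vids[0] != access_vlan:
        return "foreign-vlan"
    return "tagged"


# Constructed sample traffic for the example (not captures from the post).
DST = b"\xff\xff\xff\xff\xff\xff"
SRC = b"\x00\x11\x22\x33\x44\x55"
PAYLOAD = b"\x45" + bytes(19)  # minimal IPv4-looking filler

SAMPLE_FRAMES = {
    "plain": build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD),
    "own_vlan": build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vids=(10,)),
    "other_vlan": build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vids=(20,)),
    "hop": build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vids=(10, 20)),
}


def classify_samples(access_vlan=10):
    """Run the access-port check over every sample frame."""
    return {name: check_access_port_frame(f, access_vlan)
            for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        vids, etype, off = parse_tags(SAMPLE_FRAMES[name])
        print(f"{name:10s} vids={vids} ethertype=0x{etype:04x} payload@{off}: {verdict}")
```

The check is deliberately conservative: it flags any tag on an access port, because whether a given switch strips the outer tag and forwards the inner one is exactly the behaviour the post says varies by model and load, so a monitor should not assume it.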
Current thread:
- Re: vlan security ? Predrag Zivic (Aug 11)
- <Possible follow-ups>
- Re: vlan security ? Eric Hall (Aug 11)
- RE: vlan security ? Ryan Russell (Aug 11)
- Re: vlan security ? Jim Duncan (Aug 12)
- RE: vlan security ? trall (Aug 11)
- Re: vlan security ? Darren Reed (Aug 11)