Firewall Wizards mailing list archives

RE: vlan security ?


From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 10 Aug 2000 12:02:35 -0700 (PDT)

Some folks have asked about what I know about VLANs.  I'm a little out of
date at the moment, I haven't had any to play with for some time.  Here's
a post I made some time ago with some speculations I made:

http://www.nfr.net/pipermail/firewall-wizards/1998-October/004101.html

The 802.1q issue (which came much later after the above post) is here:
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D615

Basically, under the right conditions, it will pass frames between VLANs
that are tagged just right with 802.1q trailers.  Cisco says it's because
the coloring comes at the end of the frame, and to use ISL instead.  From
what little I know about how the Cats work, it's because they pass frames
around in 48-bit chunks, and by the time it gets to the end of the frame,
the bulk of the frame is already in every port's transmit buffer.  The way
Cats work, the CPU is in charge of telling all the ports that they
*shouldn't* send a packet that they have already buffered.  (i.e., it's
fail-open.)  If you manage to spike the CPU, it won't have time to dump
that frame before it completes.  Since ISL colors at the beginning, the
CPU has several opportunities to dump the frame before it goes, minimizing
the problem.  Might still be possible, I don't know.

Note that this is for the older Cats.  Differing models or newer ones may
not have this issue.  The fact that they are fail-open isn't much
surprise, though.  The market would punish Cisco much worse for a switch
that dropped packets than it would for one that sends extra ones that
normally get ignored.  If you're security-conscious, then you just pay
Cisco for more boxes.  I bet they're heartbroken.

There have also been published buffer overflow vulnerabilities for the Cat
Login prompt.

I'm afraid I don't have a lot of tools to give people for getting between
VLANs.  You can get an ISL driver for Linux if you've got a TULIP chipset
Ethernet NIC.  You can play CDP back at the Cat pretty easily with
SnifferPro.  I bet there are some buffer overflow possibilities there.

If you go look at the thread for the note I referenced at the top, you'll
see suggestions for what to turn off in configuration.  Those are good
suggestions.  That might save you, but I don't think that's ever been
tested.

                                        Ryan


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
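The 802.1Q tag fields the post refers to, decoded as an added example (not code from the original message or from any vendor): the parser below reads the 0x8100 TPID and the TCI that follow the source MAC, and flags a tagged frame seen on an access port whose configured VLAN differs from the tag, which is one way to notice frames that should not have crossed a VLAN boundary. The port-to-VLAN map, interface names and frames are constructed sample data.

```python
import struct

TPID_8021Q = 0x8100  # 802.1Q Tag Protocol Identifier, sits where the EtherType normally is

def parse_frame(frame):
    """Decode an Ethernet II header and any single 802.1Q tag.
    Untagged: dst(6) src(6) ethertype(2) payload
    Tagged:   dst(6) src(6) TPID=0x8100(2) TCI(2) ethertype(2) payload
    TCI is PCP (3 bits) | DEI (1 bit) | VID (12 bits), big-endian.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vid": None, "pcp": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"], info["vid"] = tci >> 13, tci & 0x0FFF
        offset = 18
    info["ethertype"], info["payload"] = ethertype, frame[offset:]
    return info

def audit_frame(port, frame, access_vlans):
    """Return a finding if a tagged frame on an access port names a VLAN other than the port's own."""
    info = parse_frame(frame)
    expected = access_vlans.get(port)  # None means a trunk/unknown port, where tags belong
    if expected is None or info["vid"] is None or info["vid"] == expected:
        return None
    return "%s: tag for VLAN %d on access port of VLAN %d (src %s)" % (
        port, info["vid"], expected, info["src"])

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Constructed test frame builder (not captured traffic)."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return dst + src + tag + struct.pack("!H", ethertype) + payload

# Constructed sample: two access ports and three frames; the second frame is the anomaly.
ACCESS_VLANS = {"Fa0/1": 10, "Fa0/2": 20}
SRC_A, SRC_B, BCAST = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb"), b"\xff" * 6
SAMPLE_FRAMES = [
    ("Fa0/1", build_frame(BCAST, SRC_A, 0x0806, b"\x00" * 28)),          # untagged ARP, normal
    ("Fa0/1", build_frame(BCAST, SRC_A, 0x0800, b"\x00" * 20, vid=20)),  # VLAN 20 tag on a VLAN 10 port
    ("Fa0/2", build_frame(BCAST, SRC_B, 0x0800, b"\x00" * 20, vid=20)),  # tag matches port VLAN
]

def findings(frames=SAMPLE_FRAMES, access_vlans=ACCESS_VLANS):
    return [f for f in (audit_frame(p, fr, access_vlans) for p, fr in frames) if f]
```

Running `findings()` on the constructed sample reports only the second frame; feeding it frames from a real capture with the switch's actual access-port map is the intended use.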

