On 8/25/2005 11:06 AM, Arthur Corliss wrote:
> On Thu, 25 Aug 2005, Adam bultman wrote:
>
>>Lots of people do. I'm not aware of too many things you can do to try
>>to skip over VLANs. At work, there are two switches, and about 7 VLANs.
>>If you aren't on the right vlan, you're stuck. You can't sniff traffic
>>on other vlans, period - ports on VLAN1 cannot talk to ports on VLAN2,
>>and you need a router to make them talk at all. They're pretty safe -
>>safe enough for lots of people to use them. Three legged firewalls
>>aren't always available or fast enough (our 5 legged firewall - the
>>imagestreams - were horrid with that many ports used)
>
> Agreed. Cisco has a decent intro to VLAN security:
>
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
>
> As the paper points out there are ways to attack it, but with some good
> planning and explicit acls I have yet to see a reason why I wouldn't want to
> use them, even in DMZ applications.
The classic MAC flooding attack seems to now be handled (with some config
work up front) by Cisco "intelligent" switches, according to the article.
I assume that the problem still exists for "non-intelligent" ones.
Determining which ones are which is left as an exercise for the lurker. :)
MAC Flooding Attack

This is not properly a network "attack" but more a limitation of the
way all switches and bridges work. They possess a finite hardware
learning table to store the source addresses of all received packets:
when this table becomes full, the traffic that is directed to
addresses that cannot be learned anymore will be permanently flooded.
Packet flooding however is constrained within the VLAN of origin,
therefore no VLAN hopping is permitted (as @stake's report shows).
This corner case behavior can be exploited by a malicious user that
wants to turn the switch he or she is connected to into a dumb
pseudo-hub and sniff all the flooded traffic. Several programs are
available to perform this task: for example macof, part of the dsniff
suite [4]. This weakness can then be exploited to perform an actual
attack, like the ARP poisoning attack (see ARP Attacks for more
details on the subject).

On non-intelligent switches this problem arises because a sender's L2
identity is not checked, therefore the sender is allowed to
impersonate an unlimited number of devices simply by counterfeiting
packets.

Cisco's switches support a variety of features whose only goal is to
identify and control the identities of connected devices. The security
principle on which they are based is very simple: authentication and
accountability are critical for all untrusted devices.

In particular, Port Security, 802.1x, and Dynamic VLANs are three
features that can be used to constrain the connectivity of a device
based on its user's login ID and based on the device's own MAC layer
identification.

With Port Security, for instance, preventing any MAC flooding attack
becomes as simple as limiting the number of MAC addresses that can be
used by a single port: the identification of the traffic of a device
is thereby directly tied to its port of origin.
-royce
--
Royce D. Williams - IP Engineering, ACS
personal: [first]@alaska.net - PGP: 3FC087DB/1776A531
work: [first.last]@acsalaska.net - http://www.tycho.org/royce/

Received on Thu Aug 25 14:41:56 2005
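The mechanism the quoted Cisco text describes, replayed in a small model. This is an added example and is not code from Royce's message, from the Cisco paper, or from the dsniff project: it models a single switch with a finite learning table and idle-entry aging, sends a macof-style burst of forged source MACs from one port, and shows that a later unicast frame between two legitimate hosts is flooded to every port in the same VLAN (and only that VLAN), then shows the same run with a per-port MAC limit in the spirit of Port Security. The port names, MAC addresses, TABLE_SIZE and AGE_TIME are constructed assumptions kept small so the effect is visible in a few frames; real tables hold thousands of entries.

```python
"""Toy model of a switch learning (CAM) table under a macof-style MAC
flood, with and without a per-port MAC limit (Port Security).

Added example, not code from the mailing-list post or the Cisco paper.
TABLE_SIZE, AGE_TIME, port names and MAC addresses are assumptions.
"""

TABLE_SIZE = 8      # assumed: max learnable (vlan, mac) entries
AGE_TIME = 300      # assumed: seconds before an idle entry ages out


def fake_mac(i):
    """Forged, locally administered source MAC number i (constructed input)."""
    return "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xff, (i >> 8) & 0xff, i & 0xff)


class Switch:
    def __init__(self, ports, table_size=TABLE_SIZE, max_macs_per_port=None):
        self.ports = dict(ports)            # port name -> access VLAN
        self.table_size = table_size
        self.cam = {}                       # (vlan, mac) -> (port, last_seen)
        self.max_macs = max_macs_per_port   # None = port security off
        self.secure_macs = {p: set() for p in ports}
        self.violations = []                # (port, offending source MAC)

    def _expire(self, t):
        # Idle entries age out. An attacker who keeps the table full makes
        # sure the legitimate hosts cannot be relearned once they expire.
        for key in [k for k, (_, seen) in self.cam.items() if seen <= t - AGE_TIME]:
            del self.cam[key]

    def _learn(self, vlan, mac, port, t):
        key = (vlan, mac)
        if key in self.cam or len(self.cam) < self.table_size:
            self.cam[key] = (port, t)
        # else: table full, the address stays unlearned and traffic to it floods

    def _port_security_ok(self, port, src):
        # Per-port limit on distinct source MACs; excess sources are dropped
        # and counted, roughly what a 'restrict' violation mode does.
        if self.max_macs is None:
            return True
        seen = self.secure_macs[port]
        if src in seen:
            return True
        if len(seen) >= self.max_macs:
            self.violations.append((port, src))
            return False
        seen.add(src)
        return True

    def forward(self, in_port, src, dst, t):
        """Process one frame at time t; return the list of egress ports."""
        vlan = self.ports[in_port]
        self._expire(t)
        if not self._port_security_ok(in_port, src):
            return []
        self._learn(vlan, src, in_port, t)
        entry = self.cam.get((vlan, dst))
        if entry is None:
            # Unknown unicast or broadcast: flood, but only inside this VLAN.
            return sorted(p for p, v in self.ports.items() if v == vlan and p != in_port)
        out_port, _ = entry
        return [] if out_port == in_port else [out_port]


def run_scenario(max_macs_per_port=None):
    """Replay the attack; return (egress ports of a later A->B frame, violation count)."""
    ports = {"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 10, "Fa0/4": 20}   # constructed
    sw = Switch(ports, max_macs_per_port=max_macs_per_port)
    A, B = "00:11:22:33:44:01", "00:11:22:33:44:03"                # constructed
    sw.forward("Fa0/1", A, B, t=0)        # A and B talk; both get learned
    sw.forward("Fa0/3", B, A, t=0)
    # Attacker on Fa0/2 sprays frames with forged sources (what macof does),
    # and again after AGE_TIME so the legitimate entries have expired and
    # find the table full when their owners next transmit.
    for t in (1, AGE_TIME + 1):
        for i in range(2 * TABLE_SIZE):
            sw.forward("Fa0/2", fake_mac(i + t * 1000), "ff:ff:ff:ff:ff:ff", t=t)
    sw.forward("Fa0/3", B, A, t=AGE_TIME + 2)   # B tries to get relearned
    reached = sw.forward("Fa0/1", A, B, t=AGE_TIME + 2)
    return reached, len(sw.violations)


if __name__ == "__main__":
    print("no port security  :", run_scenario())
    print("max 1 MAC per port:", run_scenario(max_macs_per_port=1))
```

Without a limit the A->B frame leaves on Fa0/2 (the attacker's port) as well as Fa0/3, but never on Fa0/4 in VLAN 20, which is the "flooding stays inside the VLAN of origin" point from the paper. With one MAC allowed per port the attacker's burst is dropped after its first source address, the table never fills, and the frame goes only to Fa0/3. On IOS the real-world equivalent of that limit is `switchport port-security` with `switchport port-security maximum <n>` and a `violation` mode on the access port; pick n slightly above the number of hosts legitimately behind the port rather than 1, or a phone-plus-PC drop will trip it.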
This archive was generated by hypermail 2.1.8 : Thu Aug 25 2005 - 14:41:56 AKDT