Re: Switch recommendations

From: Royce Williams <royce@alaska.net>
Date: Thu Aug 25 2005 - 14:41:55 AKDT

On 8/25/2005 11:06 AM, Arthur Corliss wrote:

> On Thu, 25 Aug 2005, Adam bultman wrote:
>
>>Lots of people do. I'm not aware of too many things you can do to try
>>to skip over VLANs. At work, there are two switches, and about 7 VLANs.
>>If you aren't on the right vlan, you're stuck. You can't sniff traffic
>>on other vlans, period - ports on VLAN1 cannot talk to ports on VLAN2,
>>and you need a router to make them talk at all. They're pretty safe -
>>safe enough for lots of people to use them. Three legged firewalls
>>aren't always available or fast enough (our 5-legged firewall - the
>>imagestreams - was horrid with that many ports used)
>
> Agreed. Cisco has a decent intro to VLAN security:
>
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
>
> As the paper points out there are ways to attack it, but with some good
> planning and explicit acls I have yet to see a reason why I wouldn't want to
> use them, even in DMZ applications.

The classic MAC flooding attack seems to now be handled (with some config
work up front) by Cisco "intelligent" switches, according to the article.
I assume that the problem still exists for "non-intelligent" ones.
Determining which ones are which is left as an exercise for the lurker. :)

MAC Flooding Attack

    This is not properly a network "attack" but more a limitation of the
    way all switches and bridges work. They possess a finite hardware
    learning table to store the source addresses of all received packets:
    when this table becomes full, the traffic that is directed to
    addresses that cannot be learned anymore will be permanently flooded.
    Packet flooding however is constrained within the VLAN of origin,
    therefore no VLAN hopping is permitted (as @stake's report shows).

    This corner case behavior can be exploited by a malicious user that
    wants to turn the switch he or she is connected to into a dumb
    pseudo-hub and sniff all the flooded traffic. Several programs are
    available to perform this task: for example macof, part of the dsniff
    suite [4]. This weakness can then be exploited to perform an actual
    attack, like the ARP poisoning attack (see ARP Attacks for more
    details on the subject).

    On non-intelligent switches this problem arises because a sender's L2
    identity is not checked, therefore the sender is allowed to
    impersonate an unlimited number of devices simply by counterfeiting
    packets.

    Cisco's switches support a variety of features whose only goal is to
    identify and control the identities of connected devices. The security
    principle on which they are based is very simple: authentication and
    accountability are critical for all untrusted devices.

    In particular, Port Security, 802.1x, and Dynamic VLANs are three
    features that can be used to constrain the connectivity of a device
    based on its user's login ID and based on the device's own MAC layer
    identification.

    With Port Security, for instance, preventing any MAC flooding attack
    becomes as simple as limiting the number of MAC addresses that can be
    used by a single port: the identification of the traffic of a device
    is thereby directly tied to its port of origin.

-royce

-- 
Royce D. Williams                                  - IP Engineering, ACS
personal: [first]@alaska.net                    - PGP: 3FC087DB/1776A531
work: [first.last]@acsalaska.net           - http://www.tycho.org/royce/
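The behaviour the quoted Cisco text describes can be seen in a small simulation. The toy learning switch below is an added example written for this archive page; it is not code from the Cisco paper, from dsniff/macof, or from anyone in the thread, and its ports, VLANs, MAC addresses, table size and timings are all made up. It models a finite CAM table with aging, the "table full, source not learned, destination flooded inside the VLAN only" corner case, and a per-port MAC limit in the style of Port Security "restrict" mode (drop the frame and count a violation, leave the port up).

```python
"""Toy learning switch with a finite CAM table (constructed example).

Models the behaviour the Cisco paper describes: a full table means new
sources are not learned and frames to them are flooded (inside the VLAN
only), so an attacker spraying bogus source MACs ends up seeing other
hosts' traffic.  A per-port MAC limit (Port Security, 'restrict' mode)
drops the bogus frames instead.  Ports, VLANs, MACs and timings are all
made up for the demonstration.
"""
from itertools import count


class ToySwitch:
    def __init__(self, cam_size, port_vlan, aging=300, max_macs_per_port=None):
        self.cam_size = cam_size              # hardware learning-table capacity
        self.port_vlan = port_vlan            # port number -> VLAN id
        self.aging = aging                    # seconds before an idle entry is dropped
        self.max_macs = max_macs_per_port     # None = Port Security off
        self.cam = {}                         # (vlan, mac) -> (port, last_seen)
        self.secure = {p: set() for p in port_vlan}  # MACs accepted per port
        self.violations = 0

    def _age(self, now):
        for key in [k for k, (_, seen) in self.cam.items() if now - seen > self.aging]:
            del self.cam[key]

    def _port_security_ok(self, port, src):
        if self.max_macs is None or src in self.secure[port]:
            return True
        if len(self.secure[port]) >= self.max_macs:
            self.violations += 1              # restrict mode: drop and count, port stays up
            return False
        self.secure[port].add(src)
        return True

    def forward(self, now, in_port, src, dst):
        """Return the egress ports for one frame arriving on in_port at time now."""
        vlan = self.port_vlan[in_port]
        self._age(now)
        if not self._port_security_ok(in_port, src):
            return []
        key = (vlan, src)
        if key in self.cam or len(self.cam) < self.cam_size:
            self.cam[key] = (in_port, now)    # learn, or refresh the timestamp
        # otherwise the table is full and this source stays unlearned
        hit = self.cam.get((vlan, dst))
        if hit is not None and hit[0] != in_port:
            return [hit[0]]
        # unknown destination: flood every other port in the same VLAN, never across VLANs
        return [p for p, v in self.port_vlan.items() if v == vlan and p != in_port]


PORTS = {1: 10, 2: 10, 3: 10, 4: 20}   # 1 = victim, 2 = server, 3 = attacker, 4 = other VLAN
VICTIM, SERVER = "00:00:00:00:00:aa", "00:00:00:00:00:bb"


def run(port_security):
    """Victim and server talk, go idle, attacker floods, then they resume."""
    sw = ToySwitch(cam_size=8, port_vlan=PORTS,
                   max_macs_per_port=1 if port_security else None)
    sw.forward(0, 1, VICTIM, SERVER)               # first frame: normal unknown-dst flood
    sw.forward(1, 2, SERVER, VICTIM)
    before = sw.forward(2, 1, VICTIM, SERVER)      # both learned: unicast to port 2 only
    bogus = ("02:00:00:00:%02x:%02x" % (i >> 8, i & 0xff) for i in count())
    for t in range(3, 600):                        # macof-style spray while the pair is idle
        sw.forward(t, 3, next(bogus), "ff:ff:ff:ff:ff:ff")
    sw.forward(600, 1, VICTIM, SERVER)             # pair resumes; their entries have aged out
    reply = sw.forward(601, 2, SERVER, VICTIM)     # where does the server's reply go?
    after = sw.forward(602, 1, VICTIM, SERVER)
    return {"before": before, "reply": reply, "after": after,
            "violations": sw.violations, "cam_entries": len(sw.cam)}


if __name__ == "__main__":
    for label, ps in (("no port security", False), ("port security max 1", True)):
        print(label, run(ps))
```

Without the per-port limit the attacker's bogus entries hold the table full, so when the idle pair resumes neither side can be relearned and the server's reply to the victim is copied to the attacker's port as well; port 4 on VLAN 20 never sees any of it, which is the "flooding is constrained within the VLAN of origin" point. With a limit of one MAC per port the spray is dropped after the first address, the table never fills, and the pair is back to plain unicast after their first exchange.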
Received on Thu Aug 25 14:41:56 2005