[Wylug-help] VLANs and security

Jim Jackson jj at comp.leeds.ac.uk
Wed May 12 11:50:18 BST 2004


On Tue, 11 May 2004, Phil Driscoll wrote:

> It is widely understood that it not sensible to rely on a switch to prevent
> disclosure of information by packet sniffing since the switch can be fooled
> into sending data out on the wrong (or all) ports by a variety of means.
>
> However, most of the establishments I deal with in the course of my work
> (usually schools and education authorities) rely on VLANs to segregate
> traffic - e.g. to ensure that kids can't read or change information held
> about them on a school admin system.

Switch poisoning techniques are overplayed. Yes they are possible, but
they make themselves pretty obvious to any well managed network, as they
are very intrusive - your wonderful performance switched network suddenly
becomes essentially a shared ethernet with all packets being propagated
on all wires. People would notice, it is very intrusive, maintaining such
a situation for any extensive period so that you can sniff every packet on
the network and catch something important is not really doable - it's far
far easier to subvert the server containing the info, and probably less
detectable.


> I've never had any direct experience with VLANs, however I will shortly need
> to argue the toss with someone on the subject in relation to a setup which
> will be used by very bright kids who will no doubt enjoy cracking the systems
> on which they are working :) A quick google search for VLAN related
> vulnerabilities and exploits reveals enough problems to make me think that
> physically separate networks are a much better idea.

Using proper switches (Cisco and similar) maintains VLAN segregation even
under table poisoning conditions. We use VLANs extensively at UoL.

I'd be interested in what your search threw up - give me a few refs and
I'll indicate if they are real concerns.

Jim
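The symptom Jim describes above (a poisoned switch degrading into a shared medium, so every port starts seeing everyone's unicast traffic) is easy to check for from a passive monitoring host. The script below is an added illustration, not code from the thread or from any switch vendor; it assumes frames have already been parsed into (destination MAC, source MAC) pairs and uses constructed sample data.

```python
"""Flag the 'switched network has become a hub' condition.

On a healthy switched segment a station's port carries unicast frames
addressed to that station, plus broadcast/multicast.  When the forwarding
table is overflowed the switch floods unknown destinations out of every
port, so the station suddenly sees unicast frames for other hosts and a
surge of distinct (often forged) source addresses."""

LOCAL_MAC = "00:11:22:33:44:55"  # hypothetical monitoring host address


def is_unicast(mac: str) -> bool:
    # Low bit of the first octet set => group (multicast/broadcast) address.
    return int(mac.split(":")[0], 16) & 1 == 0


def flooding_score(frames, local_mac):
    """Return (foreign_unicast_ratio, distinct_sources) for frames seen on one port."""
    unicast = [(dst, src) for dst, src in frames if is_unicast(dst)]
    if not unicast:
        return 0.0, 0
    foreign = sum(1 for dst, _ in unicast if dst.lower() != local_mac.lower())
    sources = {src.lower() for _, src in unicast}
    return foreign / len(unicast), len(sources)


def looks_flooded(frames, local_mac, ratio_threshold=0.2, source_threshold=50):
    """Thresholds are illustrative; tune them to the size of the real segment."""
    ratio, sources = flooding_score(frames, local_mac)
    return ratio >= ratio_threshold or sources >= source_threshold


def constructed_frames(flooded: bool):
    """Constructed sample: a quiet port, optionally followed by flood symptoms."""
    frames = [
        ("ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:01"),  # ARP broadcast, normal on any LAN
        (LOCAL_MAC, "00:aa:bb:cc:dd:01"),            # traffic actually meant for us
        (LOCAL_MAC, "00:aa:bb:cc:dd:02"),
    ]
    if flooded:
        # Other stations' unicast now reaches our port, from many never-seen sources.
        for i in range(60):
            frames.append((f"00:aa:bb:cc:dd:{i % 5:02x}",
                           f"02:00:00:00:{i // 256:02x}:{i % 256:02x}"))
    return frames


if __name__ == "__main__":
    for label, flooded in (("normal", False), ("flooded", True)):
        print(label, flooding_score(constructed_frames(flooded), LOCAL_MAC),
              looks_flooded(constructed_frames(flooded), LOCAL_MAC))
```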