[Wylug-help] VLANs and security

Jim Jackson jj at comp.leeds.ac.uk
Wed May 12 16:20:53 BST 2004


On Wed, 12 May 2004, Phil Driscoll wrote:

> On Wednesday 12 May 2004 11:50, Jim Jackson wrote:
>
> > I'd be interested in what your search threw up - give me a few refs and
> > I'll indicate if they are real concerns.
> I'm not at the machine where I did the original search so I can't give you an
> exhaustive list from the browser history, but a quick google again yields
> these links which I read yesterday.
>
> http://www.securityfocus.com/bid/615/discussion/

This highlights a way to possibly subvert VLAN trunking to get a packet
from one VLAN to another - but not in reverse. On susceptible
equipment it could be used to mount a DoS.

I can see many ways in which switch manufacturers can make it impossible
to do this. Though it appears that Cisco in 2002 were issuing best
practice to mitigate this at their bootcamps:

 - always use a dedicated VLAN ID for all trunk ports
 - disable unused ports and put them on an unused VLAN
 - be paranoid: do NOT use VLAN 1
 - set all user ports to non-trunking

This last is a no-brainer - the rest depends on your paranoia level.

> http://www.sans.org/resources/idfaq/vlan.php

Fairly old. Despite this and other stuff on using VLAN hopping - including
public domain code being available - I've never come across any ref to VLAN
hopping having been used as an exploit, or even suspicions of it.

> I also read plenty of reports on bugtraq regarding vulnerabilities especially
> in Cisco kit - just about all of them had software fixes available, but it
> didn't fill me with confidence!

Remember VLAN implementations are pretty recent - bugs exist. There are
probably fewer bugs than in virtually any firewall you install!

If you were subbing for the Pentagon then maybe you'd be right to be ultra
cautious - but I'd say get a sense of proportion.

Jim
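
A quick way to apply the four-point list above to an actual switch config, as an added example that is not part of the original post or of any vendor tool: the Python below parses Cisco IOS-style "interface" stanzas and flags ports that break each practice, relying on the IOS defaults of native VLAN 1 on a trunk, access VLAN 1 on an untagged port, and all VLANs allowed on a trunk unless an "allowed vlan" list is set. The sample config is constructed for the example, not taken from any real switch. Two assumptions: only the plain "switchport ..." forms shown are parsed (not "allowed vlan add/remove" variants), and since "unused" cannot be read off a config, any port left at factory defaults in VLAN 1 is reported so a human can decide whether to shut it down or park it on an unused VLAN.

```python
from collections import OrderedDict

# Constructed sample running-config (not from any real switch). It covers a
# hardened trunk, a trunk left at defaults, a hardened user port, a user port
# at factory defaults, and a properly parked unused port.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30-39
 switchport mode trunk
!
interface GigabitEthernet0/2
 description uplink to second switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/1
 description user desk
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 description user desk, never configured
!
interface FastEthernet0/3
 description unused, parked
 switchport access vlan 666
 switchport mode access
 shutdown
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [stripped config lines]} in file order.
    A stanza runs from 'interface X' until '!' or the next top-level line."""
    interfaces = OrderedDict()
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any top-level command ends the stanza
    return interfaces


def vlan_set(spec):
    """Expand an IOS VLAN list such as '10,20,30-39' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_interface(lines):
    """Check one interface against the four practices; return a list of findings."""
    findings = []
    if "shutdown" in lines:
        return findings  # a disabled port cannot be used to hop in either direction
    mode = native = access = allowed = None
    for line in lines:
        words = line.split()
        if line.startswith("switchport mode "):
            mode = words[2]
        elif line.startswith("switchport trunk native vlan "):
            native = int(words[4])
        elif line.startswith("switchport trunk allowed vlan "):
            allowed = vlan_set(words[4])  # assumption: plain list form only
        elif line.startswith("switchport access vlan "):
            access = int(words[3])
    if mode == "trunk":
        if native is None or native == 1:  # IOS default native VLAN is 1
            findings.append("trunk native VLAN is 1 (the default); use a dedicated VLAN ID")
        if allowed is None or 1 in allowed:  # default is to carry every VLAN
            findings.append("trunk carries VLAN 1 (no allowed list, or it includes 1)")
    else:
        if mode != "access":
            findings.append("port is not set to access mode; it could negotiate a trunk")
        if access is None or access == 1:  # IOS default access VLAN is 1
            findings.append("port is in VLAN 1 (the default); move it or shut it down")
    return findings


def audit(config_text):
    """Return {interface: [findings]} for every interface with at least one finding."""
    report = {}
    for name, lines in parse_interfaces(config_text).items():
        findings = audit_interface(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Run against the sample, only GigabitEthernet0/2 (trunk at defaults) and FastEthernet0/2 (user port at defaults) are reported, two findings each; the shut-down port is skipped outright. Feed it the output of "show running-config" to audit a real switch.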
