[Wylug-help] VLANs and security
Rik Wade
rik at rikwade.com
Wed May 12 20:58:17 BST 2004
VLAN security is perfectly adequate for the majority of applications.
As Jim has already discussed, the means of cracking VLAN security is
intrusive and actually relatively tricky in terms of the level of
access required to end stations/network devices. I'd also question the
usefulness of this type of attack to all but the most technical and
dedicated cracker. It would surely be more simple to sneak into the
administrator's office when (s)he is on lunch and read the password
from the post-it note on the monitor ;-)
However, if you're really concerned, you could look into Private VLAN
(PVLAN) features offered by many Cisco switches. This offers much more
secure (and complex) VLAN configuration options. Your administration
overhead and skill requirements go up accordingly, however.
Security should be layered. VLAN segregation should be one component of
those layers. It may be worth your time to put more effort into adding
or improving other layers in the model you implement. Don't
underestimate the human component either.
--
Rik Wade
On 12 May 2004, at 20:37, Robert Wood wrote:
> On Wednesday May 12 2004 16:20, Jim Jackson wrote:
>>> http://www.securityfocus.com/bid/615/discussion/
>>
>> This highlights a way to possibly subvert VLAN trunking to get a packet
>> from one VLAN to another - but not in reverse. On susceptible
>> equipment it could be used to mount a DOS.
>>
>> I can see many ways in which switch manufacturers can make it impossible
>> to do this. Though it appears that Cisco in 2002 were issuing best
>> practice to mitigate this at their bootcamps
>>
>
> This is news to me having only implemented 802.1q VLANs with Extreme
> Networks kit... Their software had the option (set by default I believe)
> of dropping any 802.1q tagged frame on ingress from a non-trunk port.
>
> This should be fairly trivial to configure on any switch that allows
> filtering (aka "access lists") by EtherType - 802.1Q uses 0x8100 by
> default (I think).
>
> Rob
>
> --
> Robert Wood <rob at rnwood.co.uk>
> http://www.rnwood.co.uk/
>
> "If you can't make something good,
> make something look good." - Bill Gates
>
> _______________________________________________
> Wylug-help mailing list
> Wylug-help at wylug.org.uk
> http://list.wylug.org.uk/mailman/listinfo/wylug-help
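As an added illustration of the ingress rule Rob describes (not code from the thread, Extreme Networks or Cisco), the following Python checker identifies 802.1Q-tagged frames by the 0x8100 EtherType, drops any tagged frame (including double-tagged ones) arriving on an access port, and only accepts allowed VLAN IDs on a trunk. The port dictionaries, `build_frame` helper and sample frames are constructed for the example.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # 802.1Q tag TPID, as quoted in Rob's reply


def parse_frame(frame: bytes) -> dict:
    """Parse the Ethernet header and any chain of 802.1Q tags."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vids = 14, []
    # Each 0x8100 is followed by a 2-byte TCI and then the next EtherType;
    # a second 0x8100 right after the first is a double-tagged frame.
    while ethertype == ETHERTYPE_8021Q:
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return {"dst": dst, "src": src, "vids": vids, "ethertype": ethertype}


def ingress_decision(port: dict, frame: bytes) -> tuple:
    """Return (accept, reason) for a frame entering a port.

    Hypothetical port configs: {"mode": "access", "vlan": 10} or
    {"mode": "trunk", "allowed": {10, 20}, "native": 1}.
    """
    info = parse_frame(frame)
    tagged = bool(info["vids"])
    if port["mode"] == "access":
        if tagged:  # the rule from the thread: no tags on non-trunk ports
            return (False, "tagged frame on access port")
        return (True, f"untagged, assigned VLAN {port['vlan']}")
    if not tagged:
        return (True, f"untagged on trunk, native VLAN {port['native']}")
    outer = info["vids"][0]
    if outer not in port["allowed"]:
        return (False, f"VLAN {outer} not allowed on trunk")
    return (True, f"tagged VLAN {outer}")


def build_frame(vids=(), payload_type=0x0800) -> bytes:
    """Constructed sample frame: fixed MACs, optional 802.1Q tags, IPv4 payload type."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, v & 0x0FFF) for v in vids)
    return hdr + tags + struct.pack("!H", payload_type) + b"\x00" * 46
```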