At 06:11 PM 5/8/01 -0400, Jacques Atlas wrote:
>On Tue, 8 May 2001, Michael Cohen wrote:
>
>|How does one go upon "penetrating" the internal VLAN on a switch while only
>|having access to the external VLAN and not traversing the PIX in the
>|middle?
>
>i would also be interested in finding out the theory behind this.
>
>|I have heard the response from numerous security engineers that anything is
>|possible however I guess I'm a novice because I have never seen nor heard
>|of
>|this being done in the situation mentioned above.
>
>did they give you proof ?
>
>|I attribute the idea of physically separating these networks (even
>|though VLAN based separation is just as effective) as security paranoia.
>
>there are also times when you can not afford to buy a decent switch for
>every service that you want and a large switch could give the best
>possible solution.
>
>--
>jacques
Some quite nasty security issues with switches....
Believe it or not, there is a way to sniff on a switch. :( So, enter
scenario 1, where you HAVE to assume the DMZ gets compromised. (Because
this happens, and is inevitable. If it didn't, why bother with a
DMZ?) The host can possibly sniff the network; I really hope you got ssh
enabled everywhere. SNMP is not encrypted yet (if I recall correctly), so
that's another giveaway for more info. Fallacy #3 or so is to believe
that the internal network is safe, hence clear text is 'OK'; well, it's
not. :) Or, you can try to do "MAC Address Locking", which would stop
it. The basis of sniffing on a switch is basically ARP Forging. Do recall
the secure MAC Address Locking is somewhat inconvenient at times. But
worth it if you are the Security Ninja that they expect you to be! :)
Switches are vulnerable to IP DoSes due to management IPs and SNMP and
whatnot; you probably could set up ACLs to help stop that though. Oh yeah,
there was a bug with Windows XP and a Catalyst where I believe the Windows
XP box absolutely demolished the Catalyst. Cisco admitted the fault and
put up a security advisory. I suppose a DoS doesn't count as penetration,
but it sure is annoying.
"A frame that enters a Cat5K backplane gets dumped to all ports on the
switch. It is then up to the processor to tell all ports (minus the actual
destination port) to drop the frame. Should the processor become
overloaded, it cannot inform the ports to drop the frame."
Guthrie, Jeremy. "Re: Cisco Catalyst switches." 14 June 2000. URL:
http://www.securityfocus.com/frames/?content=/templates/archive.pike (19 August 2000.)
Ah well, leaky ethernet packets aren't so hot for security either, and when
you can bust the layer 2 level, Pix or not, it's smooth sailing to the
internal network. VLAN Hopping! Although there is not any specific
implementation to do this, the possibility is quite frightening.
Oh yeah, if you do trunking, since ISL has no authentication, there might
be ways to claim particular VLANs and MAC addresses.
"Unfortunately, the ISL protocol has no authentication. This lack of
authentication allows an attack where a user spoofs ISL packets in order to
communicate with other VLANs that exist on the switch."
Russel, Ryan. "Cisco Catalyst issues." 30 October 1998. URL:
http://lists.synfin.net/Archives/firewall-wizards/1998/Nov/msg00039.html
I am sure there are a ton of other nasty possibilities. Also, realize that
Cisco switch products are generally designed for performance (since
everyone loves zoom zoom zoom switches); they are not really designed for
security. I am not sure if they are really doing a high level security
audit on their switches for high levels of security. I guess you could
take the risk. But if you follow the original axiom of security, which is not
to trust anyone, why should I begin to trust the Cisco Catalyst?
However, with Security Axiom #2 or so being: if the security solution
brings about great "cost" (defined by inconvenience + price) in a
staggering proportion compared to the value of what is being protected, you
are doing yourself a disservice; it does not mean to just throw away all
Catalysts and slay the mighty VLAN Daemons inside! It just means,
seriously weigh the costs out yourself.
And admittedly, after doing the heavy duty research, you could do a fair
amount of work to secure the Catalyst to a "reasonable" degree, so it is
not as bad as I originally thought. However, the potential is there, good
luck with evaluating! And down with the HaX0rS and CraCkeRs! ;)
-Carroll Kong
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3719&t=3666
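Since the post above names ARP forging as the basis of sniffing on a switch, here is the defender's counterpart as an added example (not from the post or the list): an arpwatch-style consistency check run over a constructed set of ARP replies. The record shape, the addresses, and the `trusted` pinning dict for the gateway are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply (record shape is an assumption of this example)."""
    seq: int          # position in the capture
    sender_ip: str
    sender_mac: str

# Constructed sample capture: the host at 10.0.0.20 starts answering ARP for the
# gateway (10.0.0.1) and later for 10.0.0.30, the classic forging pattern.
SAMPLE_REPLIES = [
    ArpReply(1, "10.0.0.1", "00:00:0c:aa:bb:01"),   # genuine gateway
    ArpReply(2, "10.0.0.20", "00:50:56:20:20:20"),
    ArpReply(3, "10.0.0.1", "00:00:0c:aa:bb:01"),   # gateway refresh, unchanged
    ArpReply(4, "10.0.0.1", "00:50:56:20:20:20"),   # .20 now claims the gateway IP
    ArpReply(5, "10.0.0.30", "00:50:56:30:30:30"),
    ArpReply(6, "10.0.0.30", "00:50:56:20:20:20"),   # .20 also claims .30
]

def audit_arp(replies, trusted=None):
    """Return (seq, kind, detail) alerts for suspicious IP<->MAC behaviour.
    'trusted': a pinned IP (e.g. the gateway) was claimed by another MAC; pinning
               matters because passive learning alone trusts whoever answers first.
    'flip':    an IP's MAC differs from the one first learned on the segment.
    'multi':   one MAC is now claiming an additional IP.
    """
    trusted = trusted or {}
    learned = {}                   # ip -> first MAC seen for it
    claims = defaultdict(set)      # mac -> IPs it has claimed so far
    alerts = []
    for r in replies:
        pinned = trusted.get(r.sender_ip)
        if pinned is not None and pinned != r.sender_mac:
            alerts.append((r.seq, "trusted", f"{r.sender_ip} claimed by {r.sender_mac}, pinned {pinned}"))
        first = learned.setdefault(r.sender_ip, r.sender_mac)
        if first != r.sender_mac:
            alerts.append((r.seq, "flip", f"{r.sender_ip}: {first} -> {r.sender_mac}"))
        if r.sender_ip not in claims[r.sender_mac]:
            claims[r.sender_mac].add(r.sender_ip)
            if len(claims[r.sender_mac]) > 1:
                alerts.append((r.seq, "multi", f"{r.sender_mac} claims {sorted(claims[r.sender_mac])}"))
    return alerts

if __name__ == "__main__":
    for seq, kind, detail in audit_arp(SAMPLE_REPLIES, {"10.0.0.1": "00:00:0c:aa:bb:01"}):
        print(f"#{seq} {kind:8} {detail}")
```

The "MAC Address Locking" the post recommends stops the forging at the port; this check is the passive backstop for segments where locking is not yet in place.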
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html