I understand the logic behind what you say however in my opinion this is
strictly theoretical.  There has to be a level of trust that a device will
function correctly otherwise why invest money in it.  I'm not saying that a
switch will always function correctly and that the situations you mentioned
are not possible however, as stated before, no network is secure and no
network is risk free.  Back to the original subject, I still have never seen
or heard of a way to "hop" across VLANs without access to an intermediary
device using normal (non-trunked) switch ports and a properly configured
switch.  I've read of numerous security vulnerabilities varying from DoS
attacks to manipulation of 802.1q frames however none of these situations
involve the situation mentioned.  From a technical perspective based on real
world environments I see no reason why a single switch can't be used.
VLANs have been deployed on switches in the field for some time now and I
feel that they are reasonably secure and worth the risk vs cost factor in
most situations.  I've worked in Professional Services for Cisco in the past
and we deployed numerous designs that included a 6509 containing both
internal and external VLAN switch ports separated by a firewall.  Granted,
the implications of a possible malfunction or security exploit are greater
when using a single device to separate internal and external networks
however that is a risk that must be weighed against other sometimes more
important factors (cost).  I respect your opinion that it is worth the cost
however I've never seen a technical reason to support VLAN insecurity.

Cheers,

-Michael

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 09, 2001 12:20 PM
To: [EMAIL PROTECTED]; Michael Cohen
Subject: RE: security opinions please [7:3666]


Michael,

The history of the information security field is littered with accounts
of exploits that seemed "impossible" before they were actually
implemented.  Before TCP sequence number prediction began to
be implemented, many people considered it a theoretical
vulnerability that wasn't worth considering.  Now it has been so
widely used that almost every vendor has implemented proper
sequence number randomization.

There are also long lists of software bugs that seemed small when
they were found, but when they occurred under certain conditions
produced complete system compromises.

You may say, "how does this allow me to compromise a switch?",
and I answer that the point is not that I can tell you how to
compromise it.  The point is that IF the switch is compromised it
could be catastrophic.  If you use multiple switches and the switch
is compromised, the damage is far less significant.

All software is buggy.  That's not an opinion, that's the way it is.
Following Murphy's logic, software will always fail in a way that is
the most damaging to your implementation.  The corollary is that
the less software you rely on the better off you are.  This is
especially true with regard to security perimeters.

For example, what if a bug occurred under certain network
conditions that caused a switch to lose its VLAN configuration,
even though the config showed they were there?  Would it be
noticed immediately?  How long would it take to notice it?  Can a
vendor tell me a failure of this type can never happen?  Suppose
the failure was more insidious and only occurred sporadically for
several minutes at a time, now how long could it take to find? etc.
etc. The problem is that a defender has to defend against all
possible attacks, the attacker only has to find one hole.

At the end of the day, it's a question of the amount of risk that an
organization is willing to accept for a certain cost.  IMHO, the cost
of a few extra switches on the perimeter vs being one fat finger or
bug away from having an internal port on the external network is far
worth the extra expense.

Regards,
Kent

On 8 May 2001, at 17:48, Michael Cohen wrote:

> How does one go about "penetrating" the internal VLAN on a switch while
> only having access to the external VLAN and not traversing the PIX in
> the middle? I have heard the response from numerous security engineers
> that anything is possible however I guess I'm a novice because I have
> never seen nor heard of this being done in the situation mentioned
> above.  I attribute the idea of physically separating these networks
> (even though VLAN based separation is just as effective) as security
> paranoia.  This isn't necessarily a bad thing, after all that's what
> security guys are paid for, however I don't see a technical reason why
> you can't have these VLANs connected to the same box as long as a
> properly configured firewall logically separates them.
>
> -Michael Cohen CCIE #6080
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carroll Kong
> Sent: Tuesday, May 08, 2001 3:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: security opinions please [7:3666]
>
>
> At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
> >Let me lay out the basic topology of a network first:
> >
> >A 6500 has several VLANS configured on it.  Among these are an
> >external internet vlan, a dmz, and several internal vlans.   The
> >internal vlans are routed by an MSFC in the 6500.  Routing between
> >the internal, dmz, and external are handled by a firewall external to
> >the 6500.
> >
> >Are there any security issues with having all of these VLANS in the
> >same box?  Someone in our organization is concerned that someone can
> >hack the switch just because the connection from the internet is
> >plugged into it. The switch's management address is on one of the
> >internal vlans, and an access list is on the telnet access that
> >restricts access from only the internal vlans.
>
> Oh boy, the big security button.  IF you really want to be secure, you
> are NOT going to be using VLANs at all.  You want hard, cold, old
> fashioned separate layer 2 networks, by HARDWARE.  However, realize
> security is really a layering process and hopefully warding off
> attackers of a particular experience level by making the task seem
> like "too much trouble", or "beyond their ability."  A true pro can
> penetrate "VLAN" based security.  A novice and probably most
> intermediates, will not.  You decide and weigh out your costs in
> choosing the far less flexible hard switches on the side method, or
> using the far more flexible Catalyst VLAN style.
>
> That is the security cost analysis you must do.  i.e.  If you are
> guarding the Fort Knox of the computer realm, I'd probably go
> hardcore.  If you are not, you may want to stick with VLANs.  Security
> is always a balance between convenience and security.  :(  The sad
> truth is, the ultimate security is, the wire cutters.  (and perhaps a
> Faraday Cage if wireless takes off).  :)
>
>
>
> -Carroll Kong
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
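The failure modes the thread argues over (a port fat-fingered into the wrong VLAN, a switch that silently drops its VLAN table while the config still looks right, a trunk that ends up carrying both sides) are things a defender can check for mechanically instead of trusting the box. The Python below is an added example, not code from the thread or from Cisco: it audits Catalyst-style `show vlan brief` and `show interfaces trunk` text against a baseline of which port belongs in which VLAN. The port names, VLAN numbers, VLAN names and the two snapshots are constructed assumptions, not the 6500 described above.

```python
"""Added example, not from the thread: audit a switch's VLAN state against a
baseline to catch the failure modes discussed above.  Parses Catalyst-style
`show vlan brief` / `show interfaces trunk` text; every snapshot is constructed."""
import re

# Constructed baseline (assumed port names and VLAN ids): access port -> required VLAN.
# 100 = external / Internet side, 200 = DMZ, 300-301 = internal.
EXPECTED_ACCESS = {"Gi1/1": 100, "Gi1/2": 100, "Gi1/3": 200, "Gi1/4": 300, "Gi1/5": 300}
EXTERNAL_VLANS = {100}
INTERNAL_VLANS = {300, 301}
PORT_RE = re.compile(r"[A-Za-z]+\d+(?:/\d+)+")   # Gi1/1, Fa0/3, Gi1/0/24 ...

def parse_vlan_brief(text):
    """Map port -> VLAN id from `show vlan brief`; handles wrapped port lists (VLAN names without spaces)."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+\S+\s+\S+\s*(.*)$", line)
        if m:
            current, members = int(m.group(1)), m.group(2)
        elif current is not None and line.startswith(" "):
            members = line                       # continuation line of the previous VLAN
        else:
            continue
        for port in PORT_RE.findall(members):
            ports[port] = current
    return ports

def expand_vlan_list(spec):
    """'100,200,300-301' -> {100, 200, 300, 301}; 'ALL' -> every VLAN id."""
    if spec.strip().upper() == "ALL":
        return set(range(1, 4095))
    ids = set()
    for part in filter(None, (s.strip() for s in spec.split(","))):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_trunks(text):
    """Map trunk port -> {'native': id, 'allowed': set(ids)} from `show interfaces trunk`."""
    trunks, section = {}, None
    for line in text.splitlines():
        if line.startswith("Port"):              # every table in the output starts with a Port header
            section = ("native" if "Native" in line
                       else "allowed" if "allowed on trunk" in line else None)
            continue
        m = re.match(r"^(\S+)\s+(.*)$", line)
        if not m or section is None:
            continue
        entry = trunks.setdefault(m.group(1), {"native": None, "allowed": set()})
        if section == "native":
            entry["native"] = int(m.group(2).split()[-1])
        else:
            entry["allowed"] = expand_vlan_list(m.group(2))
    return trunks

def audit(vlan_brief, trunk_output, expected=EXPECTED_ACCESS):
    """Return (severity, message) findings; an empty list means the switch matches the baseline."""
    findings, actual = [], parse_vlan_brief(vlan_brief)
    if expected and all(actual.get(p) == 1 for p in expected):
        findings.append(("CRITICAL", "every baseline port is in VLAN 1: VLAN table may be lost"))
    for port, want in expected.items():          # per-port drift, worst when internal lands on external
        got = actual.get(port)
        if got != want:
            sev = "CRITICAL" if want in INTERNAL_VLANS and got in EXTERNAL_VLANS else "WARN"
            findings.append((sev, f"{port}: expected VLAN {want}, found {got}"))
    for port, t in parse_trunks(trunk_output).items():
        if port in expected:                     # a baseline access port must never trunk
            findings.append(("CRITICAL", f"{port}: baseline access port is now trunking"))
        if t["allowed"] & EXTERNAL_VLANS and t["allowed"] & INTERNAL_VLANS:
            findings.append(("CRITICAL", f"{port}: trunk carries both external and internal VLANs"))
        if t["native"] in EXTERNAL_VLANS | INTERNAL_VLANS:
            findings.append(("WARN", f"{port}: native VLAN {t['native']} is a production VLAN"))
    return findings

# Constructed snapshots, not real device output.
CLEAN_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/6, Gi1/7, Gi1/9, Gi1/10
                                                Gi1/11, Gi1/12
100  external                         active    Gi1/1, Gi1/2
200  dmz                              active    Gi1/3
300  internal                         active    Gi1/4, Gi1/5
301  internal-mgmt                    active    Gi1/8
"""
CLEAN_TRUNKS = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi1/24      on           802.1q         trunking      999

Port        Vlans allowed on trunk
Gi1/24      200,300-301
"""
# Drift: Gi1/5 fat-fingered onto the external VLAN; Gi1/4 now trunks both sides.
DRIFTED_VLAN_BRIEF = (CLEAN_VLAN_BRIEF.replace("Gi1/1, Gi1/2\n", "Gi1/1, Gi1/2, Gi1/5\n")
                      .replace("Gi1/4, Gi1/5\n", "\n"))
DRIFTED_TRUNKS = (CLEAN_TRUNKS.replace("Native vlan\n", "Native vlan\nGi1/4   on   802.1q   trunking   1\n")
                  .replace("on trunk\n", "on trunk\nGi1/4       100,300\n"))
```

Feed `audit()` a fresh capture of both commands from a scheduled job and alert on any non-empty result; on the clean snapshot it returns nothing, on the drifted one it reports the moved port, the access port that started trunking, and the trunk that bridges external and internal VLANs. The parser only covers the two table layouts shown and assumes VLAN names without spaces; a switch that has silently reverted to defaults shows up as every baseline port sitting in VLAN 1.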




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3827&t=3666