VLANs. Here is a good link to read about them:
http://www.cisco.com/warp/public/473/90.shtml. According to Cisco, Private
VLANs can only communicate with the router. As we know, VLANs work like a
logical bridge. Hosts on any VLAN can communicate with other hosts on the
same VLAN (a broadcast segment). The idea behind Private VLANs is to turn
this broadcast segment into non-broadcast segments within the same VLAN,
thus requiring a host to go through the router to communicate with another
host on the same segment, thus allowing you to control hosts on a common
segment.

I have not had any experience with PVLANs so I cannot comment on how secure
they are, nor have I really researched them. Has anyone had experience
implementing PVLANs?

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 11:04 AM
To: [EMAIL PROTECTED]
Subject: RE: Security hazard?? [7:45731]


My quick analysis of the VLAN testing published by SANs Institute:

"In a default configuration it is possible to inject 802.1q frames into 
non-trunk ports on a switch and have these frames delivered to the 
destination."
As Peter says, a non-trunk port shouldn't accept a tagged frame. Also, it
appears from the testing that a trunk port accepts a frame with the tag
already on it. It shouldn't do this? (Is there any case where it would need
to do this???) These seem like things that Cisco could fix pretty easily.

"It is possible to get 802.1q frames to hop from one VLAN to another if the 
frames are injected into a switch port belonging to the native VLAN of the 
trunk port. It is also necessary for the source and destination Ethernet 
devices to be on different switches." And "The attacker [must have ] access 
to a switch port on the same VLAN as the native VLAN of the trunk port."
Sounds like another good reason to change the native VLAN from the default 
of 1 and not to use it for ports that attach end nodes.

"Recommendations: Try not to use VLANs as a mechanism for enforcing 
security policy. They are great for segmenting networks, reducing 
broadcasts and collisions and so forth, but not as a security tool."

I think that was already well known. VLANs aren't a very good security 
measure. Comments?

Priscilla


At 01:17 PM 6/4/02, Peter van Oene wrote:
>Interesting indeed.  I hadn't seen that before. This is obviously an
>architecturally flawed implementation.  Ideally, the CAM (MAC) table should
>be fully isolated to prevent unwanted forwarding and ports not considered
>trunks shouldn't accept tagged packets.  I assume folks are working on
>this, but at this time, it would look like securing a topology of this
>nature requires some additional effort.
>
>Thanks for the link
>
>Pete
>
>
>At 12:31 PM 6/4/2002 -0400, Eric Rivard wrote:
> >if you do not have IP routing on the VLANs you can still hop from one VLAN
> >to another. See this article for more info:
> >http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
> >
> >-----Original Message-----
> >From: Peter van Oene [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, June 04, 2002 8:41 AM
> >To: [EMAIL PROTECTED]
> >Subject: RE: Security hazard?? [7:45731]
> >
> >
> >Assuming the untrusted VLAN offers no IP connectivity to its control
> >engine (ie the routed aspects are not reachable therein) what
> >vulnerabilities exist here?   With no routing on the VLAN, I'm not exactly
> >sure how one gets from untrusted to trusted without traversing the
> >Firewall.  The only limitation I see here would be one of either poorly
> >implemented VLAN technology on the part of the vendor, or fat fingering on
> >the part of the administrator.
> >
> >Pete
> >
> >
> >
> >
> >At 11:06 AM 6/4/2002 -0400, Robert A. McIntire wrote:
> > >If I understand what you're describing, it sounds like you've pretty well
> > >by-passed the firewall.  As a general comment, it seems pointless to have a
> > >firewall if you're not going to utilize it with sound network security
> > >design.
> > >I think I understand what you're trying to do, but you may want to rethink
> > >the reasoning.
> > >Your VLANs ( on the same devices ) are a very thin security veil between
> > >the trusted and untrusted networks.  Without a net diagram, we can only
> > >speculate.  But, I'm guessing that the most secure you can be with this
> > >physical config is to pin strong ACLs to the outside interfaces of the 3640
> > >access routers.  You could also pin ACLs to the VLAN interfaces to filter
> > >unwanted traffic.  What kind of capability do these switches have?  Have you
> > >considered the IOS firewall ( CBAC ) for the edge routers?
> > >
> > >I think a tech support call to your firewall vendor may be an eye-opening
> > >experience.  Send them a diagram of what you've got and see if it's a
> > >network design scenario that they support.  I assume the 2 3640s are being
> > >used redundantly with HSRP?  If so, why not consider a second, redundant
> > >firewall and place them both in-line between the edge routers and the
> > >internal LANs?
> > >
> > >                 HTH,  Bob McIntire
> > >
> > >
> > >-----Original Message-----
> > >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > >Craig Columbus
> > >Sent: Tuesday, June 04, 2002 9:42 AM
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: Security hazard?? [7:45731]
> > >
> > >
> > >Do I understand you correctly that your 6808s have both internal (secure)
> > >and external (unsecure) traffic on them, separated only by VLAN?
> > >
> > >At 09:30 PM 6/3/2002 -0400, you wrote:
> > > >All,
> > > >
> > > >We have two 3640's and two Extreme Black Diamond 6808's (aka 6509's).
> > > >The two 3640's are doing IBGP between them on each of their eth0's.  I
> > > >have created a vlan on the Extremes called 'unsecure'(there are only 2
> > > >ports on each Extreme in this vlan... one coming in from the 3640 and
> > > >the other going into the firewall).  I am getting some complaints from
> > > >the 'uppers' that bringing the 3640's into the Extreme's is a security
> > > >hazard.
> > > >
> > > >I am sure someone is now working on a way to hack from one vlan to the
> > > >next, but for now, I don't see the difference between putting a hub in
> > > >there and using a couple of ports on these monster
> > > >'almost-never-go-down' switches.  I just don't want another unmanaged
> > > >piece of equipment in the flow.
> > > >
> > > >Has anyone ever heard of this being a leak?  I worked in a datacenter
> > > >before and this is what we did with 6509's and we didn't blink!  I know
> > > >these are Extreme switches... which is probably taboo in the group, but
> > > >I am pretty sure this would be platform independent... right????
> > > >
> > > >Thanks,
> > > >
> > > >bk
________________________

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45770&t=45731
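An added illustration, not written by any poster in this thread, of the two SANS findings Priscilla quotes (tagged frames accepted on non-trunk ports, and frames hopping by way of the trunk's native VLAN): a small Python checker that parses an Ethernet frame's 802.1Q tag stack and flags what a correctly behaving switch port should drop. The access/trunk port model, the native VLAN value and the sample frames are constructed assumptions, not captured traffic.

```python
import struct

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(vids, payload=b"\x00" * 46):
    """Construct a sample Ethernet frame carrying the given 802.1Q tag stack."""
    dst = bytes.fromhex("ffffffffffff")      # made-up MACs; constructed input,
    src = bytes.fromhex("020000000001")      # not captured traffic
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame):
    """Return the VLAN IDs in the frame's 802.1Q tag stack, outermost first."""
    vids = []
    offset = 12                              # skip destination and source MAC
    while len(frame) >= offset + 4:          # stops cleanly on runt frames
        tpid, tci = struct.unpack("!HH", frame[offset:offset + 4])
        if tpid != TPID_8021Q:
            break
        vids.append(tci & 0x0FFF)            # low 12 bits of the TCI are the VID
        offset += 4
    return vids


def check_frame(frame, port_mode, native_vlan):
    """Flag tag patterns a correctly behaving switch port should not pass.

    port_mode is "access" or "trunk"; native_vlan is the trunk's untagged VLAN.
    Returns a list of findings (empty means nothing suspicious).
    """
    findings = []
    vids = parse_tags(frame)
    if port_mode == "access" and vids:
        # SANS finding 1: non-trunk ports should never accept pre-tagged frames.
        findings.append("tagged frame on non-trunk port")
    if len(vids) > 1:
        findings.append("double-tagged frame")
    if port_mode == "trunk" and vids and vids[0] == native_vlan:
        # A trunk sends its native VLAN untagged, so this outer tag is stripped
        # at egress and the inner tag is what the next switch acts on.
        findings.append(f"outer tag equals trunk native VLAN {native_vlan}")
    return findings


if __name__ == "__main__":
    for vids, mode in ([], "access"), ([10], "access"), ([1, 20], "trunk"):
        print(vids, mode, check_frame(build_frame(vids), mode, native_vlan=1))
```

The third sample (outer tag 1 on a trunk whose native VLAN is 1) is the pattern behind the "native VLAN of the trunk port" finding, and the reason changing the native VLAN away from 1 and keeping end nodes off it matters.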