On Mar 25, 2007, at 1:44 PM, J.C. Roberts wrote:

> On Sunday 25 March 2007 09:27, Jason Dixon wrote:
>
> > The topic was in regards to VLAN security.  Arp-cache poisoning, or
> > spoofing (as I already mentioned) has nothing to do with VLANs.
> > Unless either of you have anything relevant to add with regards to
> > the OP's question about single-homed routing, I suggest we move on.
>
> Strange... ? -As far as I know, arp-cache poisoning and spoofing are
> still relevant even in VLANs (see below), and single homed routing
> might compound the known problems, so the OP should do a bit of reading
> before accepting VLANs as an answer.
>
> Title: "VLAN Security Guidelines"
> http://www.corecom.com/external/livesecurity/vlansec.htm
> [QUOTE]
> VLAN switch configurations and deployments have been vulnerable to a
> number of spoofing and man-in-the-middle attacks. The most well known
> exploits include the following. (Links at the end of this article lead
> to detailed descriptions.)
>
>     * MAC address spoofing

A LAN-only attack where the hijacker impersonates as the victim and gateway by poisoning the switch and victim arp caches. This requires the target to exist on the same logical/physical segment, since we all know arp is non-routable. This can be mitigated, at least on the switch, through ARP inspection.

>     * VLAN tag spoofing (where the attack computer falsely identifies
>       itself as a member of a VLAN by spoofing the IEEE 802.1q tag )

This is the VLAN hopping I referred to earlier. It is an old attack used to force a misconfigured switch into trunk mode, and easily thwarted by disabling DTP.

>     * ARP cache poisoning

See above.

>     * Connection hijacking following a successful ARP attack (see HUNT)
> [/QUOTE]

See above.

> The sad part is even if all such issues have been addressed in OpenBSD,
> the attacker would go just after the switch which is probably not
> running the latest and greatest firmware (assuming the vendor has
> bothered to fix the issues and is still offering "support" for the
> device and the admin has bothered to install it). There are probably
> other ways to attack it...
>
> Can we use OpenBSD to get around the vulnerable switch problem? How?

None of these issues have anything to do with OpenBSD. I'm not an expert on non-Cisco switch features (and hardly an "expert" at that), but these are all old attacks that should be manageable with modern switches (i.e. anything newer than 2002). Check your switch documentation to be certain.

> (Hark! -I think I hear the infamous "wooshing" sound of a quickly
> approaching clue stick)

I'm not sure of the date of this article, but it seems to cover all of your questions.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

> Since you know real world usage of VLANs far better than most (and
> certainly better than me), your insights on using OpenBSD to properly
> secure VLANs seem totally MetaBUGable!

VLANs really aren't the black magic most folks seem to think. Even Gillian Anderson has mastered the art of packet switching.

http://www.routergod.com/gilliananderson/
http://www.routergod.com/gilliananderson/part2.html

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
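Jason's answer points to ARP inspection on the switch as the mitigation for ARP cache poisoning: the switch keeps a trusted IP-to-MAC binding table and drops ARP replies that contradict it. The block below is an added example, not code from this thread or from any project, vendor or article mentioned in it. It is a small arpwatch-style monitor in Python that parses Ethernet/ARP frames and flags a sender IP whose MAC contradicts a trusted binding (the role the switch's binding table plays in Dynamic ARP Inspection) or changes from what was seen before. The frame builder, the 192.0.2.0/24 addresses and the MAC addresses are constructed sample input, and the class and function names are assumptions of this example.

```python
"""arpwatch-style ARP monitor (added example; not from the thread).

Parses Ethernet II frames carrying RFC 826 ARP (Ethernet/IPv4 only) and
reports when the MAC claimed for an IP contradicts a trusted binding or
differs from the MAC previously observed for that IP.
"""
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    """'192.0.2.1' -> 4 raw bytes."""
    return bytes(int(x) for x in ip.split("."))


def build_arp(opcode: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Constructed sample traffic: Ethernet II header + RFC 826 ARP body.
    Only used to feed the monitor in demo(); requests go to broadcast."""
    dst = b"\xff" * 6 if opcode == ARP_REQUEST else mac_bytes(tha)
    eth = dst + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype, ptype, hlen, plen, op
    body += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + body


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # other hardware/protocol types are out of scope here
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = ".".join(str(b) for b in frame[28:32])
    return opcode, sha, spa


class ArpMonitor:
    """Tracks the sender MAC seen for each IP and records anomalies.

    `bindings` is the trusted IP -> MAC table (for example the gateway's real
    MAC); a frame contradicting it is reported as impersonation.  Any other
    IP whose MAC changes between frames is reported as a change to investigate.
    """

    def __init__(self, bindings: Optional[Dict[str, str]] = None) -> None:
        self.bindings = dict(bindings or {})
        self.seen: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        parsed = parse_arp(frame)
        if parsed is None:
            return None  # not ARP, or not a form we parse: ignore
        _opcode, mac, ip = parsed  # requests reveal sender mappings too
        alert = None
        trusted = self.bindings.get(ip)
        if trusted is not None and trusted != mac:
            alert = f"impersonation: {ip} claimed by {mac}, trusted binding is {trusted}"
        else:
            prev = self.seen.get(ip)
            if prev is not None and prev != mac:
                alert = f"changed: {ip} moved from {prev} to {mac}"
        self.seen[ip] = mac
        if alert:
            self.alerts.append(alert)
        return alert


def demo() -> List[str]:
    """Run the monitor over constructed frames and return the alerts raised."""
    gw_mac, gw_ip = "00:11:22:33:44:01", "192.0.2.1"      # constructed gateway
    host_mac, host_ip = "00:11:22:33:44:10", "192.0.2.10"  # constructed host
    other_mac = "00:11:22:33:44:99"                        # a second, unexpected station
    mon = ArpMonitor(bindings={gw_ip: gw_mac})
    frames = [
        build_arp(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip),                   # legitimate
        build_arp(ARP_REQUEST, host_mac, host_ip, "00:00:00:00:00:00", gw_ip),    # legitimate
        build_arp(ARP_REPLY, other_mac, gw_ip, host_mac, host_ip),                # contradicts binding
        build_arp(ARP_REPLY, other_mac, host_ip, gw_mac, gw_ip),                  # host IP moved MACs
        b"\x00" * 42,                                                             # not ARP; ignored
    ]
    for frame in frames:
        mon.observe(frame)
    return mon.alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A passive monitor like this only sees frames on the segment (or VLAN) it is attached to, so on a switched network it belongs on a mirror port or on the host you care about; it tells you that poisoning happened, whereas ARP inspection on the switch is what prevents the poisoned reply from reaching anyone.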
