
Re: Just say no to VLANS: msg#00068

security.wireless

Subject: Re: Just say no to VLANS

On Monday, 21 May 2007 at 12:26 -0500, Tsu wrote:
> First, don't use VLANs as your primary layer of security. It is a
> trivial step to hop onto other VLANs.

Yes, if you configure your switches and APs like a dumbass, then, yes,
it is. If you follow guidelines, then no, it's not.

> If you do use VLANs as part of a layered solution, make sure your
> public side network is using VLAN 1.

Yes... You mean _the_ VLAN 1? The default VLAN for _all_ signalling
traffic at Cisco? Like STP, VTP and stuff? The one you're likely to
find as trunks' native VLAN, so you can do double dot1q encapsulation?
The one every single guideline tells you not to use? Sure, great idea.

> Since all flat (non-VLAN) networks use a default VLAN 1, a
> casual attacker wouldn't immediately suspect that VLANs are being used
> as a security measure. However, if the wireless traffic is on VLAN 20,
> then you have tipped off the attacker that you are using VLANs to segment
> your traffic.

I don't know about your configuration, but my Wi-Fi network is using
VLANs and does not export dot1q tagging, nor signalling like DTP. So
I really don't know how an attacker could see whether he's on a VLAN
or not, and guess which one.

OK. So, yes, if you don't know how to configure a VLAN enabled switch,
which may not be trivial, I completely agree, don't use VLANs. Like if
you don't know how to use $feature, then don't use $feature, $feature
being whatever you want.

My 0.02EUR.


--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
SyScan'07: 2 days of WiFi training and practice in Singapore
http://syscan.org/reg_training.html
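As an added example (not part of the original message or of any list member's code), the following script audits IOS-style trunk configuration against the guidelines the reply alludes to: a native VLAN other than 1, DTP negotiation disabled, and VLAN 1 pruned from trunks. The configuration text, interface names and VLAN numbers are constructed for the example.

```python
import re

# Constructed sample: one trunk left at defaults (native VLAN 1, DTP enabled,
# all VLANs allowed) beside one that follows the usual hardening guidance.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to AP (left at defaults)
 switchport mode trunk
!
interface GigabitEthernet0/2
 description uplink to AP (hardened)
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,30
 switchport nonegotiate
!
"""

def parse_interfaces(config):
    """Return {interface_name: [switchport lines]} from an IOS-style config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current and line.startswith(" switchport"):
            interfaces[current].append(line.strip())
    return interfaces

def allows_vlan1(spec):
    """True if an 'allowed vlan' list such as '1-4094' or '20,30' includes VLAN 1."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= 1 <= int(hi or lo):
            return True
    return False

def audit_trunk(lines):
    """Flag the trunk settings the reply warns about; access ports return []."""
    findings = []
    if "switchport mode trunk" not in lines:
        return findings
    native = next((int(l.split()[-1]) for l in lines if l.startswith("switchport trunk native vlan")), 1)
    if native == 1:
        findings.append("native VLAN is 1 (default): untagged frames land in the signalling VLAN")
    if "switchport nonegotiate" not in lines:
        findings.append("DTP not disabled (missing 'switchport nonegotiate')")
    allowed = next((l.split()[-1] for l in lines if l.startswith("switchport trunk allowed vlan")), None)
    if allowed is None or allows_vlan1(allowed):
        findings.append("VLAN 1 allowed on trunk (no explicit allowed list, or list includes 1)")
    return findings

def audit_config(config):
    """Map every interface in the config to its list of findings."""
    return {name: audit_trunk(lines) for name, lines in parse_interfaces(config).items()}
```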