RE: Just say no to VLANS (security.wireless, msg#00069)
Said more harshly than I would have, but your comments are all right on. I am so tired of hearing how 'easy' VLAN hopping is.

JDP
---------------------------------
Jason D Poley
Network Tech
GS ITS Network
County of Santa Barbara
805.568.2680
jpoley-2iIxLe7yvIDrHIvYyRdpU/u6G/QBo+Zo@xxxxxxxxxxxxxxxx

> -----Original Message-----
> From: listbounce-o7tR/nIX9Vi1EmJ4MpGYnQC/G2K4zDHf@xxxxxxxxxxxxxxxx
> [mailto:listbounce-o7tR/nIX9Vi1EmJ4MpGYnQC/G2K4zDHf@xxxxxxxxxxxxxxxx]
> On Behalf Of Cedric Blancher
> Sent: Monday, May 21, 2007 1:20 PM
> To: Tsu
> Cc: wifisec-o7tR/nIX9Vi1EmJ4MpGYnQC/G2K4zDHf@xxxxxxxxxxxxxxxx
> Subject: Re: Just say no to VLANS
>
> On Monday, 21 May 2007 at 12:26 -0500, Tsu wrote:
> > First, don't use VLANs as your primary layer of security. It is a
> > trivial step to hop onto other VLANs.
>
> Yes, if you configure your switches and APs like a dumbass, then yes,
> it is. If you follow guidelines, then no, it's not.
>
> > If you do use VLANs as part of a layered solution, make sure your
> > public-side network is using VLAN 1.
>
> Yes... You mean _the_ VLAN 1? The default VLAN for _all_ signalling
> traffic at Cisco? Like STP, VTP and stuff? The one you're likely to
> find trunks' native VLAN on, so you can do double dot1q encapsulation?
> The one every single guideline tells you not to use? Sure, great idea.
>
> > Since all flat (non-VLAN) networks use a default VLAN 1, a
> > casual attacker wouldn't immediately suspect that VLANs are being used
> > as a security measure. However, if the wireless traffic is on VLAN 20
> > then you have tipped the attacker that you are using VLANs to segment
> > your traffic.
>
> I don't know about your configuration, but my Wi-Fi network is using
> VLANs and does not export dot1q tagging, nor signalling like DTP. So
> I really don't know how an attacker could see whether he's on a VLAN
> or not, and guess which one.
>
> OK. So, yes, if you don't know how to configure a VLAN-enabled switch,
> which may not be trivial, I completely agree, don't use VLANs. Like if
> you don't know how to use $feature, then don't use $feature, $feature
> being whatever you want.
>
> My 0.02EUR.
>
>
> --
> http://sid.rstack.org/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
> SyScan'07: 2 days of WiFi training and practice in Singapore
> http://syscan.org/reg_training.html
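The reply above hinges on two facts: the double-dot1q trick only works when the attacker's access VLAN is the trunk's native VLAN (VLAN 1 by default, which is why the guidelines say not to use it), and it is stopped by giving trunks an unused native VLAN or by tagging the native VLAN. The following is an added example, not code from the thread or from any vendor: a small Python model of a double-tagged frame crossing an access port, a trunk, and a second switch, with a weak and a hardened trunk configuration written in constructed IOS-style lines. The switch behaviour is a simplified assumption of how this attack is usually described (an access port accepts a frame tagged with its own VLAN and strips that tag; a trunk sends its native VLAN untagged unless native tagging is on; a trunk files an untagged frame into its native VLAN); real platforms differ in details, so treat it as a way to reason about the configuration, not as a test of a specific switch. MAC addresses, interface names and VLAN numbers are made up.

```python
"""Added example (not from the thread): model of the double-802.1Q
"VLAN hopping" trick and of the two trunk settings that defeat it.
All switch behaviour here is an ASSUMED simplified model, not vendor code."""
import re
import struct

ETH_P_8021Q = 0x8100
ETH_P_IPV4 = 0x0800


def build_frame(dst, src, vids, payload, ethertype=ETH_P_IPV4):
    """Ethernet II frame with zero or more 802.1Q tags, outermost first."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        frame += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0
    return frame + struct.pack("!H", ethertype) + payload


def split_frame(frame):
    """Return (dst, src, [vids...], ethertype, payload) for an Ethernet II frame."""
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def trunk_settings(ios_config):
    """Pull native VLAN and native tagging out of a (constructed) IOS-style snippet."""
    native = 1  # default when 'switchport trunk native vlan' is absent
    m = re.search(r"switchport trunk native vlan (\d+)", ios_config)
    if m:
        native = int(m.group(1))
    tag_native = bool(re.search(r"^\s*vlan dot1q tag native\s*$", ios_config, re.M))
    return native, tag_native


def delivered_vlan(frame, access_vlan, trunk_native, tag_native):
    """VLAN that switch B files the frame into, or None if switch A drops it.

    Path: attacker on an access port (access_vlan) -> switch A -> trunk -> switch B.
    """
    _dst, _src, vids, _ethertype, _payload = split_frame(frame)
    # 1. Access-port ingress (assumed): untagged, or tagged with the port's own VLAN.
    if not vids:
        vlan = access_vlan
    elif vids[0] == access_vlan:
        vlan, vids = access_vlan, vids[1:]  # outer tag consumed; inner tags ride as payload
    else:
        return None                         # tagged for a VLAN this port does not carry
    # 2. Trunk egress (assumed): native VLAN goes untagged unless natives are tagged.
    on_wire = ([] if (vlan == trunk_native and not tag_native) else [vlan]) + vids
    # 3. Switch B classifies by the first tag it sees, else by its native VLAN.
    return on_wire[0] if on_wire else trunk_native


# Constructed configuration snippets (IOS-style syntax, made-up interface names).
WEAK_TRUNK = """
interface GigabitEthernet0/24
 switchport mode trunk
"""  # native VLAN left at 1, the same VLAN the user access ports sit in

HARDENED_TRUNK = """
vlan dot1q tag native
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
"""  # unused native VLAN, tagged anyway, and only the needed VLANs allowed


def demo():
    """Attacker in VLAN 1 sends outer tag 1 / inner tag 20 across each trunk config."""
    hop = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", [1, 20], b"\x45" + b"\x00" * 19)
    results = {}
    for name, cfg in (("weak", WEAK_TRUNK), ("hardened", HARDENED_TRUNK)):
        native, tag = trunk_settings(cfg)
        results[name] = delivered_vlan(hop, access_vlan=1, trunk_native=native, tag_native=tag)
    return results  # {"weak": 20, "hardened": 1}


if __name__ == "__main__":
    for name, vlan in demo().items():
        print(f"{name:8s} trunk: frame lands in VLAN {vlan}")
```

With the weak trunk the frame lands in VLAN 20, the attacker's inner tag; with either hardening step alone (unused native VLAN, or native tagging) it stays in VLAN 1, and an access port in any VLAN other than the trunk's native VLAN never lets the outer tag through in the first place. That is the configuration check behind the reply's "if you follow guidelines, then no, it's not".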