
Re: Just say no to VLANS: msg#00075

security.wireless

Subject: Re: Just say no to VLANS

On Tuesday 22 May 2007 at 06:23 -0500, Tsu wrote:
> Perhaps I'm a bit paranoid but I hop VLAN's all the time and
> demonstrate the technique often."

I'm really impressed by the total lack of knowledge of people you audit.
Clearly, I would really like you to hop VLANs on my setup. Really.

> I'm not going to trust my most sensitive data behind a single layer
> security solution of a VLAN. Why risk it? VLAN hopping/spoofing
> attacks aren't difficult. Maybe trivial is the wrong word but there
> are definite exploitable flaws.

List them. What can you do against a network that:
. has no DTP running
. has all station ports set to no dot1q
. has trunks set to dedicated VLANs
. has administrative interfaces on a dedicated VLAN
. has all VTP, STP etc. running on dedicated inter-switch links

Now, there's a question of risk management. Some data indeed need to be
on physically separated networks. They are. Do all data need this ? I'm
not that sure. Do they cost more than what VLAN usage allows you to save
on exploitation costs ? Furthermore, what proves to you that your
firewall/router is more likely to perform its task than your switch ?


Now, as for the SANS paper, first, it was published in 2000 (anything
since ?) and second, it only works against a default configuration, in a
very specific situation which has strong requirements I quote from the
paper:

1. The attacker has access to a switch port on the same VLAN as the
native VLAN of the trunk port
2. The target machine is on a different switch in the same trunk group.
3. The attacker knows the MAC address of the target machine.
4. Some layer 3 device exists to provide a connection from the target
VLAN back to the source VLAN.

And they forgot a fifth one: your port must accept dot1q traffic. But
requirement 4 is not mandatory if you don't need two-way traffic.

I do this demo all the time as well to illustrate the need for strong
layer 2 configurations, but get real, this is bullshit. At least, take a
valuable example, such as abusing DTP traffic so your port becomes a
trunk for all switch VLANs...

And as you like to read stuff, this is a more "recent" presentation that's
worth reading:

http://sid.rstack.org/arp-sk/doc/bh-us-02-convrey-switches.pdf

And finally, VLANs allow you flexibility and even security applications
you can't get from physically separated networks, such as identity
based security like VLAN assignment on authentication.


To conclude my point. Yes, physical separation is more secure, but
security assumptions must be made of facts and risk-based decisions, and
VLAN hopping being trivial or easy is not a fact. In that context,
"don't use VLANs because it's trivial to hop" just doesn't make sense
for either of the two.


--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
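The layer-2 settings listed in the post above can be checked mechanically. The following is an added example, not code from the thread or from its author, that parses a constructed Cisco IOS-style running-config excerpt and flags ports that miss those points: DTP still enabled (no `switchport nonegotiate`), a port whose mode is not pinned, a trunk whose native VLAN is left at 1 or that carries every VLAN, and an access port placed in a trunk's native VLAN (the SANS paper's requirement 1). The config excerpt, the interface names and the rule set are my assumptions; real configs and platforms vary.

```python
"""Audit a Cisco IOS-style switch config for the layer-2 hardening points
from the post: no DTP, access ports pinned to access mode, trunks with a
dedicated native VLAN and a restricted allowed list, and no station port
sharing a trunk's native VLAN. Added example; config is constructed."""
from dataclasses import dataclass, field

# Constructed running-config excerpt (not taken from any real switch).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description user port, hardened
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface FastEthernet0/2
 description user port, left at defaults
 switchport access vlan 1
!
interface GigabitEthernet0/1
 description uplink, hardened
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description uplink, weak
 switchport mode trunk
!
interface FastEthernet0/3
 description station port sitting in a trunk native VLAN
 switchport mode access
 switchport access vlan 999
!
"""


@dataclass
class Port:
    name: str
    lines: list = field(default_factory=list)

    def has(self, prefix):
        return any(line.startswith(prefix) for line in self.lines)

    def value(self, prefix):
        # Return the text after a command prefix, e.g. "999" for
        # "switchport trunk native vlan 999", or None if absent.
        for line in self.lines:
            if line.startswith(prefix):
                return line[len(prefix):].strip()
        return None


def parse_interfaces(config):
    """Split an IOS-style config into interface stanzas ('!' ends one)."""
    ports, cur = [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = Port(raw.split(None, 1)[1].strip())
            ports.append(cur)
        elif raw.strip() == "!":
            cur = None
        elif raw.startswith(" ") and cur is not None:
            cur.lines.append(raw.strip())
    return ports


def audit(config):
    """Return {interface: [issue, ...]}; an empty list means the port passes."""
    ports = parse_interfaces(config)
    # Native VLANs in use on any trunk: a station port in one of them is
    # exactly the SANS paper's requirement 1 (IOS defaults native to 1).
    native_vlans = {
        p.value("switchport trunk native vlan") or "1"
        for p in ports if p.value("switchport mode") == "trunk"
    }
    findings = {}
    for p in ports:
        issues = []
        if p.has("shutdown"):          # disabled port: nothing to check
            findings[p.name] = issues
            continue
        mode = p.value("switchport mode")
        if not p.has("switchport nonegotiate"):
            issues.append("DTP enabled (missing 'switchport nonegotiate')")
        if mode is None:
            issues.append("mode not pinned (DTP default, may auto-trunk)")
        if mode == "trunk":
            if (p.value("switchport trunk native vlan") or "1") == "1":
                issues.append("native VLAN is 1")
            if not p.has("switchport trunk allowed vlan"):
                issues.append("trunk carries all VLANs")
        else:                          # access mode or unpinned: treat as station port
            avlan = p.value("switchport access vlan") or "1"
            if avlan in native_vlans:
                issues.append(f"access VLAN {avlan} is a trunk native VLAN")
        findings[p.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_CONFIG).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Run as a script it prints one line per interface; FastEthernet0/1 and GigabitEthernet0/1 come back clean, GigabitEthernet0/2 is flagged on all three trunk rules, and FastEthernet0/2 and FastEthernet0/3 are flagged for sitting in a trunk's native VLAN (1 and 999 respectively). The allowed-VLAN check only tests presence of the command; restricting it to the VLANs the trunk really needs is still a judgement call.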



