RE: Security hazard?? [7:45731] posted 06/04/2002


Also, doesn't the SANS Institute publish the papers that their 
certification candidates write? In other words, this may not have been 
written by a security guru. It may have been written by someone trying to 
pass the certification hurdles, one of which is the requirement to write a 
white paper. On the other hand, the testing seems quite valid (if old) and 
the paper is well written with good implications and recommendations (if a 
bit obvious). SANS is very strict, from what I hear.

Priscilla

At 02:39 PM 6/4/02, Rik Guyler wrote:
>Pete, bear in mind that this document is 2 years old.  The IOS version on
>the switch was 11.2.  Anybody care to speculate on how much has changed
>since 11.2?  How about the changes in Dot1Q since then?
>
>Nonetheless, I don't get a warm and fuzzy feeling with separating external
>and internal traffic with VLANs.  I like physical separation coupled with
>firewall protection.  I believe it's not just protecting what has been
>hacked already but minimizing what can be hacked in the future.
>
>Rik
>
>-----Original Message-----
>From: Peter van Oene [mailto:pvo@xxxxxxxxxxxx]
>Sent: Tuesday, June 04, 2002 1:18 PM
>To: cisco@xxxxxxxxxxxxxx
>Subject: RE: Security hazard?? [7:45731]
>
>
>Interesting indeed.  I hadn't seen that before. This is obviously an
>architecturally flawed implementation.  Ideally, the CAM (MAC) table should
>be fully isolated to prevent unwanted forwarding and ports not considered
>trunks shouldn't accept tagged packets.  I assume folks are working on
>this, but at this time, it would look like securing a topology of this
>nature requires some additional effort.
>
>Thanks for the link
>
>Pete
>
>
>At 12:31 PM 6/4/2002 -0400, Eric Rivard wrote:
> >If you do not have IP routing on the VLANs you can still hop from one VLAN
> >to another. See this article for more info:
> >http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
> >
> >-----Original Message-----
> >From: Peter van Oene [mailto:pvo@xxxxxxxxxxxx]
> >Sent: Tuesday, June 04, 2002 8:41 AM
> >To: cisco@xxxxxxxxxxxxxx
> >Subject: RE: Security hazard?? [7:45731]
> >
> >
> >Assuming the untrusted VLAN offers no IP connectivity to its control
> >engine (ie the routed aspects are not reachable therein) what
> >vulnerabilities exist here?   With no routing on the VLAN, I'm not exactly
> >sure how one gets from untrusted to trusted without traversing the
> >Firewall.  The only limitation I see here would be one of either poorly
> >implemented VLAN technology on the part of the vendor, or fat fingering on
> >the part of the administrator.
> >
> >Pete
> >
> >
> >
> >
> >At 11:06 AM 6/4/2002 -0400, Robert A. McIntire wrote:
> > >If I understand what you're describing, it sounds like you've pretty well
> > >by-passed the firewall.  As a general comment, it seems pointless to have a
> > >firewall if you're not going to utilize it with sound network security
> > >design.
> > >I think I understand what you're trying to do, but you may want to rethink
> > >the reasoning.
> > >Your VLANs ( on the same devices ) are a very thin security veil between
> > >the trusted and untrusted networks.  Without a net diagram, we can only
> > >speculate.  But, I'm guessing that the most secure you can be with this
> > >physical config is to pin strong ACLs to the outside interfaces of the 3640
> > >access routers.  You could also pin ACLs to the VLAN interfaces to filter
> > >unwanted traffic.  What kind of capability do these switches have?  Have you
> > >considered the IOS firewall ( CBAC ) for the edge routers?
> > >
> > >I think a tech support call to your firewall vendor may be an eye-opening
> > >experience.  Send them a diagram of what you've got and see if it's a
> > >network design scenario that they support.  I assume the 2 3640s are being
> > >used redundantly with HSRP?  If so, why not consider a second, redundant
> > >firewall and place them both in-line between the edge routers and the
> > >internal LANs?
> > >
> > >                 HTH,  Bob McIntire
> > >
> > >
> > >-----Original Message-----
> > >From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx]On Behalf Of
> > >Craig Columbus
> > >Sent: Tuesday, June 04, 2002 9:42 AM
> > >To: cisco@xxxxxxxxxxxxxx
> > >Subject: Re: Security hazard?? [7:45731]
> > >
> > >
> > >Do I understand you correctly that your 6808s have both internal (secure)
> > >and external (unsecure) traffic on them, separated only by VLAN?
> > >
> > >At 09:30 PM 6/3/2002 -0400, you wrote:
> > > >All,
> > > >
> > > >We have two 3640's and two Extreme Black Diamond 6808's (aka 6509's).
> > > >The two 3640's are doing IBGP between them on each of their eth0's.  I
> > > >have created a vlan on the Extremes called 'unsecure'(there are only 2
> > > >ports on each Extreme in this vlan... one coming in from the 3640 and
> > > >the other going into the firewall).  I am getting some complaints from
> > > >the 'uppers' that bringing the 3640's into the Extreme's is a security
> > > >hazard.
> > > >
> > > >I am sure someone is now working on a way to hack from one vlan to the
> > > >next, but for now, I don't see the difference between putting a hub in
> > > >there and using a couple of ports on these monster
> > > >'almost-never-go-down' switches.  I just don't want another unmanaged
> > > >piece of equipment in the flow.
> > > >
> > > >Has anyone ever heard of this being a leak?  I worked in a datacenter
> > > >before and this is what we did with 6509's and we didn't blink!  I know
> > > >these are Extreme switches... which is probably taboo in the group, but
> > > >I am pretty sure this would be platform independent... right????
> > > >
> > > >Thanks,
> > > >
> > > >bk
________________________

Priscilla Oppenheimer
http://www.priscilla.com
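As an added illustration (written for this archive page, not posted by anyone in the thread), here is how Pete's two points above, that non-trunk ports should not honour tagged frames and that the CAM/VLAN domains should stay isolated, map onto Cisco Catalyst IOS port hardening for a two-port "unsecure" VLAN like bk's. The interface names and VLAN numbers 100 and 999 are assumptions; bk's switches are Extreme, whose syntax differs, so this shows the idea rather than his exact config.

```text
! --- Weak (defaults): the two 'unsecure' ports are left in dynamic mode,
! --- so DTP can negotiate them into a trunk, and the native VLAN is 1.
interface FastEthernet0/1
 switchport access vlan 100
!
! --- Hardened: explicit access port, DTP off, edge-port protection.
! A port that is not a trunk then never becomes one by negotiation, and
! a tagged frame arriving on it is not treated as trunk traffic.
interface FastEthernet0/1
 description untrusted: from 3640 outside interface (assumed)
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description untrusted: to firewall outside interface (assumed)
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Any real trunk on the chassis: tag the native VLAN, park the native
! --- VLAN on an unused number, and prune VLAN 100 off the trunk so the
! --- untrusted VLAN never shares a tagged link with the internal ones.
vlan dot1q tag native
!
interface GigabitEthernet0/1
 description uplink trunk (assumed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan remove 100,999
 switchport nonegotiate
```

Verify with `show interfaces switchport` that the untrusted ports report Administrative Mode: static access and Negotiation of Trunking: Off, and with `show interfaces trunk` that VLAN 100 is absent from every trunk's allowed list.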




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45771&t=45731
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to abuse@xxxxxxxxxxxxxx