Information Security Magazine
Switching Lanes
by Joel Snyder
Issue: Aug 2005
Bits & Bolts
Learn how to leverage the VLAN as a security tool.

The virtual LAN (VLAN) capabilities of all modern LAN switches allow savvy network managers to create and distribute VoIP, mobile wireless and management networks without expensive equipment and infrastructures. But, can VLANs be used as security tools, and is it a good idea to make the VLAN barrier part of your security infrastructure? The answer is yes--with reservations.

Although VLANs themselves may not introduce new security exposures, they give an attacker who can reach a switch port something he never had before: a path into the control plane of the network, where port and VLAN membership are decided.

When VLANs are used as security barriers, your security infrastructure's "weak link" moves from the firewall to the switch, and, because switches aren't generally configured with security in mind, opportunities for mischief abound.

For example, suppose you wanted to distribute a wireless guest network. You can place all wireless users outside a separate wireless firewall and, using VLANs, mark certain switch ports as being on the "outside VLAN." Plug wireless gear into such a port, and, if the outside VLAN is carried back to the firewall's external interface, the wireless segment is logically separated from the rest of your network even though it shares switches with it.

Without VLANs, the most an attacker could do with a misconfigured switch would be a denial of service, shutting down particular ports. With VLANs, the same switch carries traffic from both sides of the firewall, so a successful attack on it gives the attacker a potential path into the switch fabric on the inside.

Common VLAN Attacks

Frame tagging
Inserting 802.1Q tags into frames, or stacking two of them (double tagging), so that the first switch strips the outer tag and the next one forwards the frame onto the VLAN named by the inner tag, a VLAN the attacker's port is not a member of. Double tagging works only when the attacker's access VLAN is the native VLAN of the trunk, and it is one-way: replies can't come back by the same route.

DoS flood attacks
Flooding the switch with frames from thousands of forged source MAC addresses until its forwarding (CAM) table fills. Once it can no longer learn where stations are, it floods unicast frames to every port in the VLAN like a hub, which makes this an eavesdropping attack as much as a DoS. A related attack floods the switch with random traffic in the hope that an overloaded switch leaks frames across VLANs.

MAC spoofing
Forging a source MAC address so the switch places you in a different VLAN. This works only where VLAN membership is assigned by MAC address (dynamic VLANs) or where port security trusts a MAC it has already seen; the payoff is a path around the firewall.

Multicast flooding
Sending large numbers of multicast frames to overload the switch or its multicast snooping so that it forwards frames incorrectly, which can serve as a DoS, an eavesdropping attack or a firewall work-around.

STP exploits
Injecting 802.1D spanning tree (BPDU) frames, for example advertising a better bridge priority than the real root, to force the switches to recompute the topology and forward frames the wrong way. In the extreme case the attacker's machine becomes the root bridge and the network forwards traffic through it, giving the attacker the ability to eavesdrop on or disrupt everything crossing the affected switches.

ARP spoofing attacks
Sending forged ARP replies for real devices, such as the firewall's inside interface, so that hosts on the VLAN send traffic for that device to the attacker's MAC address instead. The switch isn't fooled; the hosts' ARP caches are. ARP doesn't cross a VLAN boundary, so this is typically a man-in-the-middle attack on one VLAN, used to intercept traffic bound for the firewall or to slip around it.

-JOEL SNYDER
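To make the first two sidebar entries concrete, the following is a small Python model of 802.1Q tagging and a learning switch, added as an example for this page; it is not the article's code and it models no particular product. The topology, port names, MAC addresses and CAM-table size are all constructed for the example. It shows why double tagging crosses a VLAN only when the trunk's native VLAN matches the attacker's access VLAN, and why a CAM flood turns the switch into a hub inside a VLAN without crossing into another one.

```python
"""Model of 802.1Q tagging and a small VLAN topology.  Added example for this
page (not the article's or any vendor's code): the switch logic is the
textbook 802.1Q learning-bridge model, not a specific product."""
import struct

TPID_8021Q, ETH_P_IP = 0x8100, 0x0800

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst, src, payload=b"", vlans=()):
    """Ethernet II frame with zero or more stacked 802.1Q tags, outermost first."""
    hdr = mac(dst) + mac(src)
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETH_P_IP) + payload

def outer_vid(frame):
    """VLAN ID of the outermost tag, or None when the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def pop_tag(frame):
    return frame[:12] + frame[16:]

def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]

class Switch:
    """Learning switch with access ports (one VLAN) and 802.1Q trunks (native VLAN)."""
    def __init__(self, name, cam_size=8):
        self.name, self.cam_size = name, cam_size
        self.ports, self.cam, self.links = {}, {}, {}
        self.egress = []                       # (port, vlan, frame) log for inspection

    def access(self, port, vlan):
        self.ports[port] = ("access", vlan)

    def trunk(self, port, native):
        self.ports[port] = ("trunk", native)

    def connect(self, port, other, other_port):
        self.links[port] = (other, other_port)

    def member(self, port, vlan):
        mode, v = self.ports[port]
        return mode == "trunk" or v == vlan

    def receive(self, port, frame):
        mode, vlan = self.ports[port]          # for a trunk, vlan is the native VLAN
        vid = outer_vid(frame)
        if vid is not None:
            if mode == "access" and vid != vlan:
                return                         # tagged for a foreign VLAN: drop
            # Model assumption: an access port accepts a frame tagged with its own
            # VLAN and strips that one tag.  Double tagging relies on exactly this.
            vlan, frame = vid, pop_tag(frame)
        key = (vlan, frame[6:12])
        if key not in self.cam and len(self.cam) >= self.cam_size:
            del self.cam[next(iter(self.cam))]  # table full: evict the oldest entry
        self.cam[key] = port
        out = self.cam.get((vlan, frame[:6]))
        if out is None:                        # unknown destination: flood the VLAN
            targets = [p for p in self.ports if p != port and self.member(p, vlan)]
        else:
            targets = [out] if out != port else []
        for p in targets:
            self.send(p, vlan, frame)

    def send(self, port, vlan, frame):
        mode, native = self.ports[port]
        if mode == "trunk" and vlan != native:
            frame = push_tag(frame, vlan)      # the native VLAN leaves a trunk untagged
        self.egress.append((port, vlan, frame))
        if port in self.links:
            other, other_port = self.links[port]
            other.receive(other_port, frame)

def double_tag_reaches(native):
    """Ports on switch B that receive an attacker frame tagged [1][20], sent from
    an access port in VLAN 1 on switch A; `native` is the trunk's native VLAN."""
    a, b = Switch("A"), Switch("B")
    a.access("a1", 1)
    a.trunk("a-trunk", native)
    b.trunk("b-trunk", native)
    b.access("b20", 20)
    b.access("b30", 30)
    a.connect("a-trunk", b, "b-trunk")
    a.receive("a1", build_frame("00:00:00:00:00:20", "00:00:00:00:00:a1", b"hop", (1, 20)))
    return sorted(p for p, _, _ in b.egress)

def cam_flood_ports(cam_size=8):
    """Ports that see a server->victim unicast in VLAN 20 before and after an
    attacker on the same VLAN sprays frames from forged source MACs."""
    s = Switch("S", cam_size)
    for port, vlan in (("attacker", 20), ("server", 20), ("victim", 20), ("other", 30)):
        s.access(port, vlan)
    victim, server = "00:00:00:00:00:01", "00:00:00:00:00:02"
    s.receive("victim", build_frame(server, victim, b"hello"))
    s.receive("server", build_frame(victim, server, b"reply-1"))
    before = [p for p, _, f in s.egress if f.endswith(b"reply-1")]
    for i in range(cam_size * 2):
        fake = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)   # constructed source MACs
        s.receive("attacker", build_frame("ff:ff:ff:ff:ff:ff", fake, b"junk"))
    s.receive("server", build_frame(victim, server, b"reply-2"))
    after = [p for p, _, f in s.egress if f.endswith(b"reply-2")]
    return before, after

if __name__ == "__main__":
    print("double tag, native VLAN 1   ->", double_tag_reaches(1))    # ['b20']
    print("double tag, native VLAN 999 ->", double_tag_reaches(999))  # []
    print("CAM flood (before, after)   ->", cam_flood_ports())  # (['victim'], ['attacker', 'victim'])
```

Run stand-alone, the first call shows the [1][20] frame landing on a VLAN 20 port of switch B when the trunk's native VLAN is 1, and the second shows it going nowhere once the native VLAN is an ID no access port uses, which is why the usual hardening is to move the native VLAN to an unused number (on Cisco IOS, `switchport trunk native vlan 999` on each trunk, or `vlan dot1q tag native` so the native VLAN is tagged as well). The CAM flood result shows the attacker's port receiving the server's unicast after the spray while the VLAN 30 port never does: the VLAN boundary held, but the VLAN itself became a hub, which is contained by per-port MAC limits (port security), not by VLAN separation. The model evicts the oldest CAM entry when the table fills; real switches mostly stop learning and let entries age out, with the same end result for the stations that can no longer be relearned.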

Sealing Virtual Leaks
The most common fear in this environment is "VLAN hopping," where packets jump from the outside VLAN to other network segments. When packets leak, frames sent into one switch port appear on a port they shouldn't, either on the same VLAN or on a separate one. Getting a frame from one port to another doesn't by itself give unlimited access, but it opens a hole in the barrier that the attacker can work through. The goal of a VLAN attack is therefore to control how the switch fails, so that frames leak exactly where the attacker wants them and he can exploit the weak spot on the far side.

Switch vendors have worked hard to overcome these problems and reverse the perception that switches are poor security barriers. For example, Cisco Systems hired the consulting firm @stake (now a division of Symantec) to test its switches and attempt to cause VLAN leakage. The widely publicized results concluded that the tested switches didn't leak packets, even when under intentional attack.

Similar results have been noted in our testing of Hewlett-Packard and Extreme Networks switches. Nevertheless, this improved reliability applies only to newer switches. Not every VLAN-capable switch is going to behave the same way. For example, older but very popular Cisco 2924-series switches have been shown in our lab to be poor choices as security devices because of their propensity to leak packets across VLANs.
