a/vlancomments

Date:         Fri, 3 Sep 1999 22:02:39 -0500
From: Strange <strange@CULTURAL.COM>
Subject:      Re: VLAN Security
To: BUGTRAQ@SECURITYFOCUS.COM

The following is a stereo (2 Mikes) message [Mike S=strange@cultural.com -
Mike F=frantzen@expert.cc.purdue.edu]....

Taylor and Schupp wrote of their neat evaluation:
> We have recently conducted some testing into the security of the
> implementation of VLANs on a pair of Cisco Catalyst 2900 series
> switches and we feel that the results of this testing might be of some
> value to the readers.  Testing basically involved  injecting 802.1q

[. . .]

[Mike S:] While I think it's immensely useful that your study has debunked
in hard testing a common myth (that VLANs provide unbeatable isolation),
the limits of inter-switch VLAN isolation are discussed already in Cisco's
documentation.  See, e.g.:

http://www.cisco.com/univercd/cc/td/doc/product/lan/28201900/1928v8x/eescg8x/aleakyv.htm

Indeed, according to the document, all one needs to jump VLANs involving
more than one switch is the MAC of the target system.  Is that NOT the
case?

[Mike F:]
It likely filters out arp requests to the broadcast MAC and responds with
the MAC of the trunk end router.

[Mike S:]
Cisco also mentions "local VLAN isolation" on enterprise model switches,
and implies it prevents this escape behavior where only a single switch is
cut into multiple VLANs (our Cisco rep was unable to provide further
details).

[Mike F:]
I tested this feature on a 2924 Enterprise switch with a Cisco 2514 (IOS
12.0 IP Enterprise feature set) recently, and it appears indeed to provide
protection against directly writing to the MAC of the target.

To further confuse the reader, I must point out that the 802.10 frame spec
(for use on the trunk line) includes a boolean flag for fragmented ether
frames.  Cisco's documentation claims to ignore the fragmentation field...

I'm going roller blading now :)

[Mike S]:
Hmm.

 . . .

[Mike F]:
You may want to include that we threw 15bil [Mike S. -- yes, folks,
that's billion] packets against the 2924 vlan config and filtered on the
multicast MAC and nothing got through.  We did manage to watchdog reboot
the switch or router (can't remember which) but were unable to track it
down due to the length of time needed to send the packets.

[Mike S]:
The time-consuming part of a multi-billion semi-random packet series is
figuring out precisely what killed or froze what when.

[Mike F]:
really going blading now

[Mike S]:
And there you have it.

      -MS