Mailinglist Archive: opensuse-security (616 mails)

RE: [suse-security] What to do against ARP-Poisoning?
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Wed, 20 Mar 2002 12:33:36 +0100
  • Message-id: <96C102324EF9D411A49500306E06C8D1A56E30@xxxxxxxxxxxxxxxxx>
> > Now don't get me started on VLANs. Just this much: don't use VLANs to
> > 'separate' networks of (more or less substantially) different trust.
> > Instead, implement physical separation.
>
> Obviously physical separation would clearly be better but do you have any
> links to any information about the circumstances in which VLAN
> failure/overriding/etc. might occur and if there are weaknesses in any
> particular switch OSes? You've got me worried now :-)

I'm sorry, I don't have any specifics anymore after a recent crash
annihilated all of my browser bookmarks. I had read an article on the SANS
website in which they reported the results of one test of VLAN strength. The
flaws they found could be avoided by proper configuration. However,
http://www.google.com/search?q=sans+vlan+switch+security&sourceid=opera&num=0&ie=utf-8&oe=utf-8
turns up quite a number of links and at least one document that I don't
know, so more may have happened.

Regardless, the security community pretty much agrees that VLANs aren't
meant to enforce security. The connection between VLANs and security that,
for one, Cisco mentions is drawn when comparing a VLANed switch with a
non-VLANed one, not by comparison of VLANs versus physically distinct
switches. As such, the argument is highly misleading, IMHO.

It may well be that you won't find a lot of information on actual
vulnerabilities of existing VLAN implementations. Even if you did, they
should hopefully be fixed by now. However, it is probable that these
vulnerabilities were found more or less by chance, not by thorough means
such as a code audit. And as such, you have to assume that there'll be more
problems. As is always the case, if you can't find anything in the Bugtraq
archives on a certain product, that doesn't in any way mean the product is
free of vulnerabilities. It just means no one has bothered to look yet.

Tobias
