 From:  Robert Rich <rrich at gstisecurity dot com>
 To:  Claude Morin <klodefactor at gmail dot com>, • • <googl3meister at gmail dot com>
 Cc:  thomas at sprinzing dot org, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] VLAN woes
 Date:  Wed, 29 Jun 2005 06:04:37 -0400
While the googl3meister may be somewhat overstating the ease of (successfully) attacking switched
networks, he's right on the money with the appropriate use of them.  It is possible to configure
most (enterprise class) switches to prevent many of the known attacks against them, but that assumes
that a) someone has configured them completely and correctly, b) there are no flaws in the switching
implementation (software or hardware) and c) everyone is willing to put up with the overhead
required to assure points a and b.

Port-based VLAN membership doesn't really do anything for you because it doesn't explicitly prevent
the switch from handling frames tagged with the appropriate header as though they were emitted on
the VLAN specified in the header.

For a quick litmus test, look at your architecture and replace all of your switches with hubs. 
Still comfy?  If yes, you're ok.  If no, don't do it.

All of the above, of course, is applicable when actually protecting important assets.  Using VLANs
in a firewall architecture is an excellent way to learn more about both and test the technical
feasibility of an architecture in a _lab_ environment.

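An added illustration of the litmus test above (example code written for this archive page, not code from the thread or from m0n0wall): a small Python parser that walks the 802.1Q/802.1ad tag stack of raw Ethernet frames and flags any tagged frame observed on a port that is supposed to be a plain access port, since an access port should never see tagged frames. The MAC addresses and sample frames are constructed.

```python
import struct

# Constructed sample addresses (not from the thread).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
TAG_TPIDS = (0x8100, 0x88A8, 0x9100)   # 802.1Q, 802.1ad (QinQ), legacy QinQ


def build_frame(vids, payload=b"\x45" + b"\x00" * 19):
    """Test fixture: an IPv4 Ethernet frame carrying the given VLAN tag stack (outer first)."""
    tags = b"".join(struct.pack("!HH", 0x8100, vid & 0x0FFF) for vid in vids)
    return DST + SRC + tags + struct.pack("!H", 0x0800) + payload


def parse_vlan_tags(frame):
    """Return (vids, ethertype) for an Ethernet frame, walking every stacked tag.

    vids is the list of 12-bit VLAN IDs, outermost first; ethertype is the
    EtherType of the payload that follows the last tag.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12            # first EtherType/TPID field follows the two MACs
    vids = []
    while True:
        tpid = struct.unpack_from("!H", frame, offset)[0]
        if tpid not in TAG_TPIDS:
            return vids, tpid
        if len(frame) < offset + 6:   # 4-byte tag plus the next EtherType
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)     # drop PCP/DEI, keep the VLAN ID
        offset += 4


def audit_access_port(frames):
    """Litmus test for an access (untagged) port: every tagged frame is a finding.

    Returns (frame_index, vids) for each frame carrying one or more tags; a
    two-entry list means a double-tagged (QinQ) frame reached the port.
    """
    findings = []
    for i, frame in enumerate(frames):
        vids, _ = parse_vlan_tags(frame)
        if vids:
            findings.append((i, vids))
    return findings


# Constructed input: untagged, tagged VLAN 10, and double-tagged (outer 1, inner 20).
SAMPLE_FRAMES = [build_frame([]), build_frame([10]), build_frame([1, 20])]
```

Run `audit_access_port` over frames captured on an access port; an empty result is the "still comfy" outcome, anything else shows tagged traffic the port should never carry.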
----- Original Message -----
From: Claude Morin <klodefactor at gmail dot com>
To: • • <googl3meister at gmail dot com>
Cc: thomas at sprinzing dot org, m0n0wall at lists dot m0n0 dot ch
Sent: Wed, 29 Jun 2005 11:25:22 -0400
Subject: Re: [m0n0wall] VLAN woes

> On 6/28/05, • • <googl3meister at gmail dot com> wrote:
> VLANs are not the answer. They reduce the collision domain and provide the ability to
> significantly increase port density in large networks. Anyone can use packet rewriting
> software to insert the appropriate vlan tags/sniff from the wire.

I'm just starting to look at VLANs, so perhaps this is naive, but isn't that true only in the
case of MAC-based VLAN membership? Without having actually tried it yet, it seems to me that a
port-based VLAN wouldn't be subject to an ARP poisoning attack, as long as the attacker is on a
different VLAN. Please be gentle with me if I'm wrong ;-)

Having said that, I agree completely that wireless should never be on the LAN segment; I always
put it on an isolated NIC, and require a VPN connection to the m0n0wall, in addition to
WEP/WPA/WPA2. Since he can't have more than three NICs (LAN, WAN, DMZ), couldn't he put the
wireless in the DMZ, on a different, port-based