Subject: Re: Cisco Catalyst switches
From: Mudge (mudge@L0PHT.COM)
Date: Wed Jun 14 2000 - 08:46:59 CDT
- Next message: Elias Levy: "Problems with: xcdroast, gatos, xkobo, xbill, iagno, ++"
- Previous message: nawk: "Update on TopLayer Advisory"
- In reply to: Saso: "Re: Cisco Catalyst switches"
- Next in thread: Jeremy Guthrie: "Re: Cisco Catalyst switches"
- Next in thread: suid@SUID.KG: "Re: Cisco Catalyst switches"
- Reply: Mudge: "Re: Cisco Catalyst switches"
- Reply: Jeremy Guthrie: "Re: Cisco Catalyst switches"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Here are some attack vectors which we have used in the labs in the past.

The switches talk one of a few limited ISL
(Inter-Switch-Link) variants. Through this it is often possible to send
user-add, user-move, tag-based-flood, and spanning tree
announcements. Once a switch believes you are actually another switch
attached to it you win.

Various arp games can often times be quite useful. How does the switch in
question handle gratuitous arps from directed broadcast addresses?

Then there are other games with vendor specific components such as cisco's
CDP (Cisco Discovery Protocol) - again often times in an effort to
say: "Hey, I'm another switch - get that in your head and let's start
talking".

Folks would be wise in remembering that switches are still, largely,
layer-2 devices and layer-2 has no notion of security. The VLANs were
originally designed to minimize broadcast traffic - not provide security.
Cisco has introduced something they call a silent VLAN which is
interesting and fun to play with, but often times the above attack vectors
are still successful.

Keeping disparate security level components on the same device and
infrastructure is often fine for keeping honest folks honest (ie, let's
provide more separation between HR and R&D in a company) - but is often
not the best direction to go when one of the components is an unknown.
Companies that locate systems at most ASP's should be aware of this - your
competitor is often times a lot closer to your systems than you realize.

cheers,

.mudge
On Wed, 14 Jun 2000, Saso wrote:
> In message <3BE20D737CCE4C4589F5D72274652F200D67E1@nacsvr05.nac.cwo.net.au>, Matthew King writes:
> >Hi.
>
> Hi,
>
> >
> >It would be interesting if there was a vulnerability that allowed you to
> >break the VLAN definitions.. I know many companies that practically run
> >their entire networks together into several Catalysts via VLANS :) Secure
> >networks and public ones right next to each other.
>
> And all those switches are conveniently joined together and share some
> VLANs, so that people don't have to worry about getting longer UTP
> cables. Been there, seen that.
>
> Cisco still doesn't QA their Catalyst switches as security devices and
> that should ring a bell with most clueful IT personnel. However, sad
> truth is, that most abuse VLAN capability as a security
> feature. Sometimes, under heavier loads, VLANs can (and do) leak
> packets.
>
> >I thought that based on the nature of VLANS that they would not be
> >susceptible to attack from the network layer because they switch traffic
> >based on the port number, not on any content of the frame or packet? Still,
> >it would be interesting :)
>
> Switches switch packets depending on MAC address certain ports are
> assigned, but not all Network Admins go the length to lock MAC
> addresses to certain ports, leaving their switches susceptible to ARP
> packet storms. And once switch's ARP table is filled, most tend to
> fail-open, flooding all the ports with all the traffic that traverses
> the switch.
>
> Also, Ryan Russell wrote a short e-mail concerning Cisco's Catalyst
> switches back in 1998
> <http://www.nfr.net/firewall-wizards/mail-archive/1998/Nov/0036.html>.
>
> IMHO, as much as I avoid using switch as a security device, I still
> believe that _properly configured_, it can be reasonably secured against
> most script kiddies. But it won't stop the determined attacker that
> possesses enough skills, clue and resources to break thru VLANs and get
> the information they want. YMMV.
>
> Regards,
>
> Saso
>
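A defender-side check for the fail-open condition Saso describes, added here as an example that is not part of this thread: it counts distinct source MACs per switch port in a tumbling time window over constructed frame records (the kind a SPAN/mirror port or the switch's own address-table logging would supply), and flags any port whose count exceeds what an access port should ever source. The sample records, port names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample frame records: (timestamp in seconds, switch port, source MAC).
# Ports 3/1 and 3/2 behave like normal access ports (one host each, with one
# machine swapped mid-capture on 3/2); port 3/7 suddenly sources hundreds of
# distinct MACs in a few seconds, the precondition for filling the table.
SAMPLE_FRAMES = [(t * 0.5, "3/1", "00:10:7b:aa:bb:01") for t in range(40)]
SAMPLE_FRAMES += [
    (t * 0.5, "3/2", "00:10:7b:aa:bb:02" if t < 10 else "00:10:7b:aa:bb:03")
    for t in range(40)
]
SAMPLE_FRAMES += [
    (2.0 + i * 0.01, "3/7", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
    for i in range(300)
]


def distinct_macs_per_window(frames, window_seconds=10.0):
    """Count distinct source MACs per (port, tumbling window index)."""
    seen = defaultdict(set)
    for ts, port, mac in frames:
        seen[(port, int(ts // window_seconds))].add(mac.lower())
    return {key: len(macs) for key, macs in seen.items()}


def flag_flooding_ports(frames, window_seconds=10.0, max_macs_per_port=8):
    """Return {port: peak distinct-MAC count} for ports exceeding the threshold.

    An access port that carries a single host (or a few behind a hub) never
    needs more than a handful of addresses; a burst far above that is the
    signature of a forwarding-table flood, and with many switches of the era
    the table filling means every port starts seeing every frame.
    """
    peaks = {}
    counts = distinct_macs_per_window(frames, window_seconds)
    for (port, _window), count in counts.items():
        if count > max_macs_per_port:
            peaks[port] = max(peaks.get(port, 0), count)
    return peaks


if __name__ == "__main__":
    for port, count in sorted(flag_flooding_ports(SAMPLE_FRAMES).items()):
        print(f"port {port}: {count} distinct source MACs in one 10s window")
```

The same counter, fed by the switch's port-security violation counters or a mirror port, is a cheap way to catch the attack before the table fills rather than after the flooding is observed.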