A Not So Related topic...
Has anyone here actually used VLAN hopping in a pen-test. Although I've
played with it in a lab I've never actually done in an audit as (at
least for me) I found it HEAVILY dependent upon terrible switch
configuration.
The .mil/.gov networks that I used to audit had fairly decent
configuration management so disabled VLAN1, blah blah blah...
On networks that didn't have all of that configuration management on the
infrastructure I'd have domain admin way before I even got close to
something like that.
Also another concern is these enterprise multi-layer switches - like we
had 4 6509 switches with redundant paths out. I just can't see doing
that kind of stuff and risking taking down the ENTIRE network.
What do you guyz think?
Joe
On Thu, 2006-10-05 at 14:14 -0400, Paul Melson wrote:
-----Original Message-----
Subject: Layer 3 and Firewall
Is it a BAD idea to have multiple logical segments of a Firewall connected
to the same physical switch?
It's not a good standard to adhere to because layer-2 VLANs can be hopped in
some cases by attacking the switch, but the level and type of vulnerability
will vary by implementation.
In fact, Check Point is designed so that you can have multiple virtual
interfaces on a single physical port by using 802.1q VLAN tagging.
The threat I see is if the network switch administrator wants to bypass
Firewall, he can just disconnect
the Firewall links and make the VLANs Layer 3 and there is no security.
After malicious activites he can
very well connect the Firewall and revert back to Layer 2.
This is a separate issue. If the switch admin is not in sync with the
firewall admin or cannot be trusted, then 1) yes this is a valid threat and
2) while a technical solution exists, the best solution to this specific
issue is to address these problems from a personnel perspective and either
reassign responsibility for those switches or replace the switch admin with
someone who is trustworthy.
Is that a valid threat ? Is it High risk ? What controls are possible ?
Are multiple physical switches
required.?
Probably the thing to do would be to research whether or not a workstation
on either VLAN can hop to the other with the current switch configuration.
You're going to want yersinia, Cain, arptools and another Cisco switch (a
2950 is fine for this) and see if you can flood or spoof your way to the
other VLAN. This is best done during a maintenance window or some time when
it's OK to disrupt the network.
PaulM
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
--
Joe McCray
Toll Free: 1-866-892-2132
Email: joe@learnsecurityonline.com
Web: https://www.learnsecurityonline.com
Learn Security Online, Inc.
* Security Games * Simulators
* Challenge Servers * Courses
* Hacking Competitions * Hacklab Access
signature.asc
Description: This is a digitally signed message part
