Topsight.net Discussions on computers and beyond
Tuesday, May 13 2008 @ 09:01 AM EDT

Using Vlans to protect your network? Think again.

My local college is working to implement a new voice over IP system. The system uses HP switches to route all VoIP traffic over a separate VLAN from normal network traffic, for both security and compatibility. But what I've realized is that VLANs work by reading tags that the switch attaches to each packet, and, like IPv4 source addresses, these tags can be easily spoofed. Switches that support VLANs typically have trunking ports with access to all VLANs, used to carry traffic to other switches. On older switches the default policy was that any port could potentially be set to trunking mode, which means that a system on VLAN 1 could access traffic on VLAN 2 so long as the proper tags were attached. An attacking host could then potentially reroute and sniff traffic on a different VLAN using ARP attacks (but we won't get into that). Once VoIP traffic can be sniffed, an attacker could listen in on any call occurring within the realm of the switch using freely available software. So what if the switch is set up so that user ports strip VLAN tagging? Well, according to @stake research paid for by Cisco, it is possible to double-tag or encapsulate packets sent over the switch so that the user port once again functions like a trunking port, negating all VLAN security. See the reference links below for a better explanation.
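As an added illustration (not part of the original post), the following Python walks the 802.1Q tag stack at the front of an Ethernet frame and flags frames that should never arrive from a host on an untagged user port: a single tag, or the stacked (double) tag the post describes. The frames, MAC addresses and the `native_vlan` parameter are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # IEEE 802.1Q tag protocol identifier; stacked tags repeat it


def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, payload_ethertype) for an Ethernet frame.

    vlan_ids lists the 12-bit VLAN IDs from outermost to innermost. More than
    one entry means the frame is double-tagged (encapsulated), the case the
    post describes. Raises ValueError on a truncated header.
    """
    offset = 12  # skip destination and source MAC addresses
    vlan_ids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated Ethernet/802.1Q header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype != TPID_8021Q:
            return vlan_ids, ethertype
        if offset + 2 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset)  # PCP:3 DEI:1 VID:12
        offset += 2
        vlan_ids.append(tci & 0x0FFF)


def inspect_access_frame(frame: bytes, native_vlan: int = 1):
    """Classify a frame captured on a port meant to carry untagged user traffic.

    Hosts on an access port should not send 802.1Q tags at all, so any tag is
    worth alerting on. Two tags whose outer VID equals the trunk's native VLAN
    is the pattern where stripping the outer tag leaves the inner one in force.
    """
    vlan_ids, ethertype = parse_vlan_tags(frame)
    if not vlan_ids:
        verdict = "untagged"
    elif len(vlan_ids) == 1:
        verdict = "tagged-on-access-port"
    elif vlan_ids[0] == native_vlan:
        verdict = "double-tagged-native-outer"
    else:
        verdict = "double-tagged"
    return {"verdict": verdict, "vlans": vlan_ids, "ethertype": ethertype}


# Constructed sample frames (headers only; MAC addresses are placeholders).
MACS = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
FRAME_UNTAGGED = MACS + bytes.fromhex("0800")                               # plain IPv4
FRAME_SINGLE_TAG = MACS + bytes.fromhex("8100000a") + bytes.fromhex("0800")  # VID 10
FRAME_DOUBLE_TAG = MACS + bytes.fromhex("81000001") + bytes.fromhex("81000014") + bytes.fromhex("0800")  # outer 1, inner 20

if __name__ == "__main__":
    for name, frame in [("untagged", FRAME_UNTAGGED), ("single", FRAME_SINGLE_TAG), ("double", FRAME_DOUBLE_TAG)]:
        print(name, inspect_access_frame(frame))
```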

References

Cisco - Layer 2 -- The Weakest Link
Ethernet: Layer 2 Security
Routing & Tunneling Protocol Attacks
Hacking Layer 2: Fun with Ethernet Switches

Using Vlans to protect your network? Think again.
Authored by: logikal on Monday, February 23 2004 @ 06:42 AM EST
So much for thinking anything was designed with security in mind these days. I've heard of some people actually using VLANs to implement a sort of semi-secure sub-LAN that is isolated from the main LAN for quarantining infected Windows machines on a network while still allowing them to visit an update site (such as Windows Update) to grab patches and to antivirus vendors' websites to download the latest definitions without being able to spread their infection to anyone else on the same switch(es). So, if VLANs become commonplace and new viruses/worms/trojans take advantage of this, that means that using VLANs to isolate infected machines would no longer work unless a new and more secure method of doing VLANs comes out.
Using Vlans to protect your network? Think again.
Authored by: hacker-boy on Saturday, July 03 2004 @ 02:23 AM EDT
Shouldn't that be @Stake, instead of @Stack? ;-)