I suppose we'll have to agree to disagree. :-)
My last words on the subject:
1) All vulnerabilities are theoretical until they are exploited, and
then it's too late. We have to accept that software will contain bugs
of varying degrees of harm. It is understood by the networking
community that every device deployed has the potential to
malfunction. This is a problem, but as we must move packets from
point A to point B we don't really have much choice but to deploy
and mitigate risk.
2) Small incremental costs in hardware/software are almost always
worth the investment if they increase security by even a modest
amount. Small switches are cheap; recovering from compromises
is not, even in the best-case scenario.
3) Just because something is deployed, even widely deployed,
doesn't mean it's secure or even wise. Within the past few years,
exploits have been found in the way thousands of firewalls and web
servers were deployed, using exploits that I'm sure at the time were
considered "theoretical". ;-)
Regards,
Kent
On 9 May 2001, at 11:10, Michael Cohen wrote:
> I understand the logic behind what you say however in my opinion this
> is strictly theoretical. There has to be a level of trust that a
> device will function correctly otherwise why invest money in it. I'm
> not saying that a switch will always function correctly and that the
> situations you mentioned are not possible however, as stated before,
> no network is secure and no network is risk free. Back to the
> original subject, I still have never seen or heard of a way to "hop"
> across VLANs without access to an intermediary device using normal
> (non-trunked) switch ports and a properly configured switch. I've
> read of numerous security vulnerabilities varying from DoS attacks to
> manipulation of 802.1q frames however none of these situations involve
> the situation mentioned. From a technical perspective based on real
> world environments I see no reason why a single switch can't be used.
> VLANs have been deployed on switches in the field for some time now
> and I feel that they are reasonably secure and worth the risk vs cost
> factor in most situations. I've worked in Professional Services for
> Cisco in the past and we deployed numerous designs that included a
> 6509 containing both internal and external VLAN switch ports separated
> by a firewall. Granted, the implications of a possible malfunction or
> security exploit are greater when using a single device to separate
> internal and external networks however that is a risk that must be
> weighed against other sometimes more important factors (cost). I
> respect your opinion that it is worth the cost however I've never seen
> a technical reason to support VLAN insecurity.
>
> Cheers,
>
> -Michael
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 09, 2001 12:20 PM
> To: [EMAIL PROTECTED]; Michael Cohen
> Subject: RE: security opinions please [7:3666]
>
>
> Michael,
>
> The history of the information security field is littered with
> accounts of exploits that seemed "impossible" before they were
> actually implemented. Before TCP sequence number prediction began to
> be implemented, many people considered it a theoretical vulnerability
> that wasn't worth considering. Now it has been so widely used that
> almost every vendor has implemented proper sequence number
> randomization.
>
> There are also long lists of software bugs that seemed small when they
> were found, but when they occurred under certain conditions produced
> complete system compromises.
>
> You may say, "how does this allow me to compromise a switch?",
> and I answer that the point is not that I can tell you how to
> compromise it. The point is that IF the switch is compromised it
> could be catastrophic. If you use multiple switches and the switch is
> compromised, the damage is far less significant.
>
> All software is buggy. That's not an opinion, that's the way it is.
> Following Murphy's logic, software will always fail in a way that is
> the most damaging to your implementation. The corollary is that the
> less software you rely on the better off you are. This is especially
> true with regard to security perimeters.
>
> For example, what if a bug occurred under certain network
> conditions that caused a switch to lose its VLAN configuration,
> even though the config showed they were there? Would it be
> noticed immediately? How long would it take to notice it? Can a
> vendor tell me a failure of this type can never happen? Suppose the
> failure was more insidious and only occurred sporadically for several
> minutes at a time, now how long could it take to find? etc. etc. The
> problem is that a defender has to defend against all possible attacks,
> the attacker only has to find one hole.
>
> At the end of the day, it's a question of the amount of risk that an
> organization is willing to accept for a certain cost. IMHO, the cost
> of a few extra switches on the perimeter vs being one fat finger or
> bug away from having an internal port on the external network is far
> worth the extra expense.
>
> Regards,
> Kent
>
> On 8 May 2001, at 17:48, Michael Cohen wrote:
>
> > How does one go about "penetrating" the internal VLAN on a switch
> > while only having access to the external VLAN and not traversing the
> > PIX in the middle? I have heard the response from numerous security
> > engineers that anything is possible however I guess I'm a novice
> > because I have never seen nor heard of this being done in the
> > situation mentioned above. I attribute the idea of physically
> > separating these networks (even though VLAN based separation is just
> > as effective) as security paranoia. This isn't necessarily a bad
> > thing, after all that's what security guys are paid for, however I
> > don't see a technical reason why you can't have these VLANs
> > connected to the same box as long as a properly configured firewall
> > logically separates them.
> >
> > -Michael Cohen CCIE #6080
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carroll Kong
> > Sent: Tuesday, May 08, 2001 3:44 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: security opinions please [7:3666]
> >
> >
> > At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
> > >Let me lay out the basic topology of a network first:
> > >
> > >A 6500 has several VLANS configured on it. Among these are an
> > >external internet vlan, a dmz, and several internal vlans. The
> > >internal vlans are routed by an MSFC in the 6500. Routing between
> > >the internal, dmz, and external are handled by a firewall external
> > >to the 6500.
> > >
> > >Are there any security issues with having all of these VLANS in the
> > >same box? Someone in our organization is concerned that someone
> > >can hack the switch just because the connection from the internet
> > >is plugged into it. The switch's management address is on one of
> > >the internal vlans, and an access list is on the telnet access that
> > >restricts access from only the internal vlans.
> >
> > Oh boy, the big security button. IF you really want to be secure,
> > you are NOT going to be using VLANs at all. You want hard, cold,
> > old-fashioned separate layer 2 networks, by HARDWARE. However,
> > realize security is really a layering process and hopefully warding
> > off attackers of a particular experience level by making the task
> > seem like "too much trouble", or "beyond their ability." A true pro
> > can penetrate "VLAN" based security. A novice, and probably most
> > intermediates, will not. You decide and weigh out your costs in
> > choosing the far less flexible hard switches on the side method, or
> > using the far more flexible Catalyst VLAN style.
> >
> > That is the security cost analysis you must do. i.e. If you are
> > guarding the Fort Knox of the computer realm, I'd probably go
> > hardcore. If you are not, you may want to stick with VLANs.
> > Security is always a balance between convenience and security. :(
> > The sad truth is, the ultimate security is, the wire cutters. (and
> > perhaps a Faraday Cage if wireless takes off). :)
> >
> >
> >
> > -Carroll Kong
> > FAQ, list archives, and subscription info:
> > http://www.groupstudy.com/list/cisco.html
> > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3853&t=3666
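As an added illustration (not code from anyone in this thread) of what "normal (non-trunked) switch ports and a properly configured switch" and a restricted management vty look like when checked mechanically, and of catching the "one fat finger" case Kent describes: a small audit over a constructed switch configuration. It assumes IOS-style syntax (the 6500 in the thread may well be running CatOS), VLAN 10 as the external VLAN and VLAN 20 as internal; both values are constructed for the sample.

```python
import re
# Constructed sample config, IOS-style syntax assumed (the thread's 6500 may run
# CatOS). VLAN 10 = external, VLAN 20 = internal; the firewall joining them is off-box.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/2
 switchport access vlan 20
 switchport mode dynamic desirable
!
interface GigabitEthernet1/3
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
line vty 0 4
 login
"""

def blocks(config, kind):
    """Yield (name, [indented sub-lines]) for each 'interface' or 'line' block."""
    for m in re.finditer(rf"^{kind} (.+)\n((?: .*\n?)*)", config, re.M):
        yield m.group(1), [s.strip() for s in m.group(2).splitlines()]
def vlan_set(spec):
    """Expand an allowed-vlan spec such as '10,20,30-32' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out
def audit(config, external, internal):
    """Return findings that weaken the external/internal VLAN separation."""
    findings = []
    for name, sub in blocks(config, "interface"):
        if "switchport mode trunk" in sub:
            allowed = next((s.split()[-1] for s in sub if "trunk allowed vlan" in s), None)
            if allowed is None or {external, internal} <= vlan_set(allowed):
                findings.append(f"{name}: trunk carries both external and internal VLANs")
        elif "switchport mode access" not in sub:
            # DTP still negotiable: a fat-finger or a negotiating peer can bring up a trunk
            findings.append(f"{name}: port not hard-set to access mode (DTP negotiable)")
        elif "switchport nonegotiate" not in sub:
            findings.append(f"{name}: access port without 'switchport nonegotiate'")
    for name, sub in blocks(config, "line"):
        if name.startswith("vty") and not any(s.startswith("access-class") for s in sub):
            findings.append(f"line {name}: management vty has no access-class")
    return findings
```

Running `audit(SAMPLE_CONFIG, 10, 20)` flags the negotiable port, the trunk carrying both VLANs, and the unrestricted vty; fixing those three lines in the sample yields an empty finding list.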