Rob, you say - it's been a little while since we talked about Layer 2 Security (almost a week) - does that mean that we're done?
As always, if there are any errors in this diary, or if you'd like to comment with other examples of how you've seen PVLANs used, feel free to use the "comment" link.
=============== Rob VandenBrink Metafore ===============
Rob VandenBrink 578 Posts ISC Handler, May 12th 2010
Rob clearly points out: "their only traffic path is via layer 3, to other subnets or to other isolated ports in that PVLAN."
He's correct, but beware not to overlook the last part of that sentence; you may end up with the two hosts in the topmost picture unexpectedly communicating with each other (via layer 3). This is what Cisco calls a "Private VLAN Attack" in http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39271
More detailed Cisco info w.r.t. PVLANs can for example be found here: http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml
Erik van Straten 129 Posts
May 12th 2010
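The layer-3 round trip described in the comment above, and the router-side check that closes it, as an added example: a Python model written for this page, not code from the diary, from the commenter or from Cisco. Port names, MAC and IP addresses are made up. The forwarding rules are those of the three PVLAN port types (isolated, community, promiscuous); the ingress ACL is the countermeasure the linked whitepaper recommends, modelled here as a function, with one extra permit for the gateway's own address that is my addition.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, Optional

# Private VLAN port roles.
ISOLATED, COMMUNITY, PROMISCUOUS = "isolated", "community", "promiscuous"


@dataclass(frozen=True)
class Port:
    name: str
    kind: str
    community: Optional[str] = None  # only meaningful for COMMUNITY ports


def l2_allowed(src: Port, dst: Port) -> bool:
    """Layer-2 forwarding rule between two ports of one primary PVLAN."""
    if PROMISCUOUS in (src.kind, dst.kind):
        return True                              # promiscuous ports (router, firewall) reach every port
    if src.kind == COMMUNITY and dst.kind == COMMUNITY:
        return src.community == dst.community    # members of the same community only
    return False                                 # isolated ports never reach another host at layer 2


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_mac: str  # the sender picks the layer-2 destination; that choice is the whole attack


Acl = Callable[[Packet], bool]  # True = permit


def deny_intra_subnet(subnet: IPv4Network, router_ip: str) -> Acl:
    """Inbound ACL for the router interface (SVI) serving the PVLAN: drop anything whose
    source and destination both lie in that subnet, since no legitimate flow needs the
    router to relay between two hosts of its own directly connected network."""
    def acl(pkt: Packet) -> bool:
        if pkt.dst_ip == router_ip:
            return True                          # traffic to the gateway itself stays allowed (my addition)
        both_local = IPv4Address(pkt.src_ip) in subnet and IPv4Address(pkt.dst_ip) in subnet
        return not both_local
    return acl


@dataclass
class Segment:
    subnet: IPv4Network
    ports: Dict[str, Port]   # MAC address -> port where that MAC lives
    arp: Dict[str, str]      # IP -> MAC, as the router would resolve it
    router_mac: str
    router_ip: str
    router_acl: Optional[Acl] = None

    def deliver(self, ingress: Port, pkt: Packet) -> Optional[str]:
        """Name of the port that finally receives the packet, 'router' if the router consumes
        it, 'off-subnet' if the router carries it elsewhere, or None if it is dropped."""
        egress = self.ports[pkt.dst_mac]
        if not l2_allowed(ingress, egress):
            return None                                      # blocked by the PVLAN itself
        if pkt.dst_mac != self.router_mac:
            return egress.name                               # ordinary layer-2 delivery
        # The frame reached the router through its promiscuous port.
        if self.router_acl is not None and not self.router_acl(pkt):
            return None                                      # dropped by the ingress ACL
        if pkt.dst_ip == self.router_ip:
            return "router"
        if IPv4Address(pkt.dst_ip) not in self.subnet:
            return "off-subnet"                              # normal routed traffic
        # Destination is on the router's own subnet: the router resolves it and sends the packet
        # back out of the same interface. The switch now sees a frame coming from a promiscuous
        # port, which every PVLAN port type accepts, so the isolation is bypassed.
        target = self.ports[self.arp[pkt.dst_ip]]
        return target.name if l2_allowed(egress, target) else None


# Constructed topology: one /24, a router on a promiscuous port, two customers on isolated ports.
ROUTER_IP, ROUTER_MAC = "192.0.2.1", "00:00:5e:00:01:01"
A_MAC, B_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:0b"


def build_segment(with_acl: bool) -> Segment:
    subnet = IPv4Network("192.0.2.0/24")
    return Segment(
        subnet=subnet,
        ports={ROUTER_MAC: Port("Gi1/0/1", PROMISCUOUS),
               A_MAC: Port("Gi1/0/2", ISOLATED),
               B_MAC: Port("Gi1/0/3", ISOLATED)},
        arp={ROUTER_IP: ROUTER_MAC, "192.0.2.10": A_MAC, "192.0.2.20": B_MAC},
        router_mac=ROUTER_MAC,
        router_ip=ROUTER_IP,
        router_acl=deny_intra_subnet(subnet, ROUTER_IP) if with_acl else None,
    )


def pvlan_attack(with_acl: bool):
    """Host A (isolated) tries to reach host B (isolated) two ways: directly, and by addressing
    the frame to the router's MAC while keeping B's IP as the layer-3 destination."""
    seg = build_segment(with_acl)
    a = seg.ports[A_MAC]
    direct = seg.deliver(a, Packet("192.0.2.10", "192.0.2.20", B_MAC))
    reflected = seg.deliver(a, Packet("192.0.2.10", "192.0.2.20", ROUTER_MAC))
    return direct, reflected


if __name__ == "__main__":
    print("no ACL  :", pvlan_attack(False))   # (None, 'Gi1/0/3'): B is reached through the router
    print("with ACL:", pvlan_attack(True))    # (None, None): the reflected path is closed
```

On IOS the same check is an extended ACL applied inbound on the primary VLAN's SVI: a `permit ip 192.0.2.0 0.0.0.255 host 192.0.2.1` line (my addition, so pings and management sessions to the gateway keep working), then the whitepaper's `deny ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255`, then `permit ip any any`. A VACL on the switch that drops frames with source and destination in the same subnet does the same job one hop earlier.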
How is this different than having two different VLANs? One for each host or community, then make the uplink port send frames tagged with the IEEE 802.1q headers to the router?
Erik van Straten 7 Posts
May 13th 2010
Rob, Thanks for the post, I find it stunningly clear and well depicted. (Haven't seen graphics in a post before, is this a new feature?)
Erik van Straten 17 Posts
May 13th 2010
Speaking of layer 2 security, it surprises me that it seems no one knows that ARP poisoning is more powerful, more reliable, and works 100% of the time (even when the ARP entry is not in the table), and is somewhat more stealthy when sending spoofed ARP *requests*, instead of classic *replies*. I recently posted about this:
http://blog.zorinaq.com/?e=6 -mrb
Erik van Straten 2 Posts
May 13th 2010
Re ARP poisoning - we've discussed this in previous diaries, with both a video (stealing admin passwords from RDP) and protections at the switch level
isc.sans.org/… isc.sans.org/…
Rob VandenBrink 578 Posts ISC Handler
May 13th 2010
Re Jeremy's different VLANs question - the hosts in a Private VLAN are all on the same subnet, and have the same default gateway. The protections are all at layer 2. This is especially attractive for ISPs and Cloud-type providers. Using PVLANs can really conserve a lot of public addresses when compared with assigning routed blocks to each customer.
Rob VandenBrink 578 Posts ISC Handler
May 13th 2010
Rob: http://isc.sans.org/diary.html?storyid=7567 contains an incomplete description of ARP poisoning. Dynamic ARP Inspection blocks not only replies, but also requests. Because even requests can poison the cache. You proved the point I made in my blog post that not many people know this.
Rob VandenBrink 2 Posts
May 13th 2010
Good catch - thanks for the correction!
These diaries on Layer 2 Sec are meant more to engage readers in discussion and raise awareness of network security features that folks might not be using but might find useful, not to substitute for complete documentation. The interception of ARP requests as well as replies when DAI is configured is well documented, usually right near the top of most vendors' docs on the subject. Cisco's explanation at cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/… for instance has verbiage describing that both requests and replies are intercepted. That being said, however, after re-reading my diary, I see that I called out "arp responses" specifically - I'll update it tomorrow to a more generic "ARP packets". Thanks again!
Rob VandenBrink 578 Posts ISC Handler
May 13th 2010
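The two points exchanged above (a spoofed ARP *request* poisons a cache just as a spoofed reply does, and DAI therefore has to inspect both opcodes) as an added example: a Python model written for this page, not code from the diary, from any commenter or from Cisco. It builds raw RFC 826 ARP bodies, applies the RFC 826 receive algorithm to a victim's cache, and then runs the same packets through a model of Dynamic ARP Inspection with the src-mac, dst-mac and ip validations on. The addresses and the "DHCP snooping" binding table are constructed for the example.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2
_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (RFC 826 layout)


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet/IPv4 ARP body (28 bytes, no Ethernet header)."""
    return struct.pack(_FMT, 1, 0x0800, 6, 4, op,
                       _mac(sha), IPv4Address(spa).packed, _mac(tha), IPv4Address(tpa).packed)


def parse_arp(body: bytes) -> Dict[str, object]:
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    return {"op": op, "sha": _mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": _mac_str(tha), "tpa": str(IPv4Address(tpa))}


class HostArpCache:
    """Receiver side of RFC 826: the sender fields of ANY ARP packet refresh an existing
    entry, and a packet addressed to us adds a new one. No opcode check is involved, which
    is why a spoofed request poisons exactly as well as a spoofed reply."""

    def __init__(self, my_ip: str):
        self.my_ip = my_ip
        self.table: Dict[str, str] = {}

    def receive(self, body: bytes) -> None:
        p = parse_arp(body)
        merged = p["spa"] in self.table
        if merged:
            self.table[p["spa"]] = p["sha"]        # update, whatever the opcode
        if p["tpa"] == self.my_ip and not merged:
            self.table[p["spa"]] = p["sha"]        # learn, whatever the opcode


def _bad_ip(a: str) -> bool:
    return a in ("0.0.0.0", "255.255.255.255") or IPv4Address(a).is_multicast


def dai_inspect(eth_src: str, eth_dst: str, body: bytes,
                bindings: Dict[str, str], trusted: bool = False) -> Tuple[bool, str]:
    """Model of Dynamic ARP Inspection on an access port. `bindings` is the IP -> MAC table
    DAI takes from DHCP snooping (or a static ARP ACL). Returns (forward?, reason)."""
    if trusted:
        return True, "trusted port, not inspected"
    p = parse_arp(body)
    # The binding check looks only at the sender pair, for requests and replies alike.
    if bindings.get(p["spa"]) != p["sha"]:
        return False, f"sender {p['spa']} is not bound to {p['sha']}"
    if eth_src != p["sha"]:
        return False, "src-mac validation: Ethernet source differs from ARP sender MAC"
    if p["op"] == ARP_REPLY and eth_dst != p["tha"]:
        return False, "dst-mac validation: Ethernet destination differs from ARP target MAC"
    if _bad_ip(p["spa"]) or (p["op"] == ARP_REPLY and _bad_ip(p["tpa"])):
        return False, "ip validation: 0.0.0.0, broadcast or multicast address in ARP body"
    return True, "ok"


# Constructed lab: gateway .1 and victim .10 are in the snooping table, the attacker is not.
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "00:00:5e:00:01:01"
VICTIM_IP, VICTIM_MAC = "192.0.2.10", "02:00:00:00:00:0a"
ATTACKER_MAC = "02:00:00:00:00:ee"
BROADCAST = "ff:ff:ff:ff:ff:ff"
BINDINGS = {GATEWAY_IP: GATEWAY_MAC, VICTIM_IP: VICTIM_MAC}


def spoofed_request() -> bytes:
    """'Who has 192.0.2.10? Tell 192.0.2.1', but with the attacker's MAC as the sender."""
    return build_arp(ARP_REQUEST, ATTACKER_MAC, GATEWAY_IP, "00:00:00:00:00:00", VICTIM_IP)


def poison_without_dai() -> str:
    """MAC the victim holds for the gateway after receiving the spoofed request."""
    victim = HostArpCache(VICTIM_IP)
    victim.table[GATEWAY_IP] = GATEWAY_MAC          # a correct, pre-existing entry
    victim.receive(spoofed_request())
    return victim.table[GATEWAY_IP]


if __name__ == "__main__":
    print("victim's gateway entry:", poison_without_dai())   # the attacker's MAC
    print("DAI verdict:", dai_inspect(ATTACKER_MAC, BROADCAST, spoofed_request(), BINDINGS))
```

Two things worth noticing when reading the model: the binding check never looks at the opcode, so no separate "request" rule is needed for DAI to catch this; and ip validation also drops RFC 5227 address-conflict probes, whose sender IP is 0.0.0.0, which is the usual reason people see legitimate hosts logged as DAI drops after enabling it.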
One technique I used in Snarp (a poison tool/relay, written 10 years ago for NT4) was not to use fake ARP requests or replies, but ICMP pings with fake ARP information. The targets happily updated their own MAC tables with the MAC addresses and IP addresses of the pings, thus poisoning the cache. This worked very well, especially on routers that could not be poisoned with ARP requests/replies. Just focusing on ARP requests/replies is not enough when evaluating if a system is susceptible to poisoning.
Frank 24 Posts
May 15th 2010