Trunking (router + vlan) and security

We have a switch with two VLANs. One VLAN is on the firewall/Internet side, the other VLAN is on the LAN side. The switch is connected to a router, like this: http://www.cisco.com/warp/public/473/50a.jpg The router is connected to an MPLS cloud through another router. The job of the router is to route the traffic from/to the LAN bound for the Internet and the traffic from/to the LAN bound for the MPLS cloud. I have not yet checked the router and switch config, but I do not really like it, as all the traffic, Internet bound and MPLS bound, flows through the same interface at a certain point. I would like to have your feedback on this. There is no traffic initiated from the Internet to the LAN (no server on the LAN), only outgoing traffic to the Internet. However, I am a bit afraid that the Internet connection could be exploited to jump into the MPLS cloud, but I have no idea how to do the risk analysis for that.
ASKED: October 26, 2005  5:53 AM
UPDATED: October 28, 2005  10:35 AM

Answer Wiki

Look at http://www.nsa.gov/snac and read the Switching and Routing STIGs. They cover the vulnerabilities and countermeasures for jumping over VLANs on a switch.

Essentially, you would send a packet (or packets) with two VLAN tags on it. The first would be the VLAN you're on (like VLAN 10) and the second would be the VLAN you want to get to (like 20). When the switch strips off the first VLAN tag, you can traverse over to the second VLAN inside the switch.

I have never tested this in the lab, but it makes sense. However, someone would have to know that it was set up that way or do a lot of testing to find out it's configured that way. However, there is a proof of concept with VLAN hopping. The STIGs will tell you how to reduce the ability to hop over the VLAN, as well as other measures to secure the switch.

Of course, to eliminate the entire problem, buy and use another switch and don’t tie it to your internal VLAN architecture. However, there might be a compelling reason to do such outside of cost.

Hope this helps,
SF
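As an added illustration from the defender's side (not part of the original thread), a small Python frame inspector that walks the 802.1Q/802.1ad tag stack of a captured Ethernet frame and flags frames carrying two stacked tags, the pattern the answer describes. Sample frames are constructed inline with the `build_frame` helper; in practice the bytes would come from a capture on the trunk or uplink side, since an access port will already have stripped the outer tag.

```python
import struct
from typing import List, Tuple

ETH_P_8021Q = 0x8100    # IEEE 802.1Q VLAN tag
ETH_P_8021AD = 0x88A8   # IEEE 802.1ad service tag (QinQ outer tag)
TAG_ETHERTYPES = {ETH_P_8021Q, ETH_P_8021AD}


def parse_vlan_tags(frame: bytes) -> Tuple[List[int], int]:
    """Return (VLAN IDs outer-to-inner, EtherType of the payload)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12  # skip destination and source MAC
    vlans: List[int] = []
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype in TAG_ETHERTYPES:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        # TCI is the 16 bits after the tag EtherType; low 12 bits = VLAN ID
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlans.append(tci & 0x0FFF)
        offset += 4
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    return vlans, ethertype


def is_double_tagged(frame: bytes) -> bool:
    """True when the frame carries two or more stacked VLAN tags."""
    vlans, _ = parse_vlan_tags(frame)
    return len(vlans) >= 2


def audit_frames(frames: List[bytes]) -> List[Tuple[int, List[int]]]:
    """Index and tag stack of every double-tagged frame in a capture."""
    return [(i, parse_vlan_tags(f)[0]) for i, f in enumerate(frames)
            if is_double_tagged(f)]


def build_frame(vlans: List[int], payload_ethertype: int = 0x0800,
                payload: bytes = b"\x00" * 20) -> bytes:
    """Constructed test frame: broadcast dst, locally administered src."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, v & 0x0FFF) for v in vlans)
    return dst + src + tags + struct.pack("!H", payload_ethertype) + payload


if __name__ == "__main__":
    capture = [build_frame([10]), build_frame([10, 20]), build_frame([])]
    for idx, stack in audit_frames(capture):
        print(f"frame {idx}: stacked tags {stack}")  # frame 1: stacked tags [10, 20]
```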

Discuss This Question: 8  Replies

  • Astronomer
    I have read some Cisco documentation that says this is perfectly fine, but I question the wisdom of putting a single network device on both sides of a firewall. If your switch is compromised, your internal net is wide open. In our Cisco classes they emphasized that switches were not security devices. When I designed our DMZ I was asked why we couldn't put all of the networks on a single switch, just like I did in the test lab. After I explained the dangers, I was allowed to use a separate switch for each security zone. rt
  • Layer9
    Astronomer is correct about the risks of using a single switch divided by VLANs when one of the VLANs is connected to an Internet gateway. I can't tell you how many times during routine penetration tests we have compromised fairly secure networks with a Catalyst sitting exposed and unprotected. This risk can be minimized, however, by making sure you don't use an IANA registered address for the switch management address, and by making sure you set a decent password on the switch. Disabling the web management interface on the switch is also a good idea. I looked at the generic diagram you referred to on Cisco's site, but I would like a little more detail before making any specific recommendations. I can, however, offer this thought. I would use a high speed packet filtering device between the MPLS endpoint router and the Internet router. I would set the rules to prohibit traffic from the Internet to the MPLS subnets. I would also restrict the flow from the MPLS subnets to the Web through this packet filtering device. You can also restrict traffic from the internal LAN to the MPLS network using rules on the packet filter. A good suggestion for the device would be something like a PIX 535 with Gigabit support, or a Checkpoint Nokia appliance would be another good bet. Of course there are many others; these are just suggestions, but the important thing is for you to control traffic from the Internet to the MPLS network. You can also restrict this traffic on the terminating routers, but a packet filtering device would perform better. Routers make lousy packet filters from a performance perspective. Chris Weber Layer9corp.com
  • Frelem
    Thanks all for your input. I have now enough information to continue by myself. F.
  • Larrythethird
    To really be safe and secure, you should come into the router, go through a firewall to the DMZ and then through another firewall to your LAN switch. The DMZ itself needs to be isolated from both sides to do a really secure job.
  • Mlandes
    I would much prefer to work in an environment where all VLANs are configured on a PIX or Checkpoint firewall and not rely on a router. It is much easier to control, and you don't have to be bothered whatsoever. moti
  • Paul144hart
    The diagram doesn't have clear zones for secure and unsecure. I don't think you can assume there won't be Internet traffic probing your network. If ping were allowed in the 2621, someone could probe both VLAN1 and VLAN2. It would be better to create cascaded zones, instead of T-ing off the Catalyst switch, and use something for protection against unwanted Internet traffic. Imagine a tree with two branches, with the connection to the MPLS and the Internet done at the end of the branches, not at the tree trunk.