ARCHIVE :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: Making unidirectional VLAN and PVLAN jumping bidirectional



Cisco's reply; it contains a link to the original source.


> -----Original Message-----
> From: Clayton Kossmeyer [mailto:ckossmey@xxxxxxxxx] 
> Sent: Tuesday, December 20, 2005 1:26 AM
> To: full-disclosure@xxxxxxxxxxxxxxxxx; 
> bugtraq@xxxxxxxxxxxxxxxxx; info@xxxxxxxxxx
> Cc: psirt@xxxxxxxxx
> Subject: Re: Making unidirectional VLAN and PVLAN jumping bidirectional
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Cisco Response
> ==============
> 
> This is Cisco PSIRT's response to the statements made by Arhont
> Ltd. in their message: Making unidirectional VLAN and PVLAN jumping
> bidirectional, posted on 2005-Dec-19. An archived version of the
> report can be found here:
> 
> http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040333.html
> 
> Cisco confirms the statements made.
> 
> We would like to thank Arhont Ltd. for reporting this issue to us.
> 
> We greatly appreciate the opportunity to work with researchers on
> security vulnerabilities, and welcome the opportunity to review and
> assist in product reports.
> 
> Additional Information
> ======================
> 
> Cisco is aware of VLAN spoofing attacks and recommends that customers
> apply best practices where possible to reduce the impact of such
> attacks on their networks. Many best practices are discussed in Cisco's
> SAFE Blueprint for Layer 2 security:
> 
> http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml
> 
> As mentioned in the Arhont advisory, this is a protocol issue with
> 802.1q VLANS, and not a vendor-specific issue. However, there are
> techniques available on Cisco devices that may allow you to reduce your
> exposure to the mentioned attacks.
> 
> The Cisco SAFE Blueprint for Layer 2 security discusses double tagging
> attacks here:
> 
> http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml#wp1002270
> 
> The recommended configuration is to disable 802.1q trunking everywhere
> it is not required so that tagged frames are discarded on ports not
> configured for trunking.
> 
> The publication by Arhont also leverages an IP spoofing component to
> enable the attack. Cisco recommends IP anti-spoofing techniques and
> features such as Unicast Reverse Path Forwarding (uRPF) to guard
> against spoofed IP packets.
> 
> The Unicast Reverse Path Forwarding (Unicast RPF) feature helps to
> mitigate problems that are caused by spoofed IP source addresses. It is
> available on Cisco routers and firewalls. For further details, please
> refer to:
> 
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfrpf.htm
> 
> By enabling Unicast Reverse Path Forwarding (uRPF), all spoofed packets
> will be dropped at the first device. To enable uRPF, use the following
> commands.
> 
> router(config)# ip cef
> router(config)# interface
> router(config-if)# ip verify unicast reverse-path
> 
> Cisco Security Procedures
> =========================
> 
> Complete information on reporting security vulnerabilities in Cisco
> products, obtaining assistance with security incidents, and
> registering to receive security information from Cisco, is available
> on Cisco's worldwide website at
> http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This
> includes instructions for press inquiries regarding Cisco security
> notices. All Cisco security advisories are available at
> http://www.cisco.com/go/psirt.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.0 (SunOS)
> 
> iD8DBQFDpzDwEHa/Ybuq8nARAutnAJ9cFhTKVv8C5K4QcIWJiMYomuLnWgCeJU8Q
> Xd773GAB2i9O6ad8ZQ1+F9o=
> =toA7
> -----END PGP SIGNATURE-----
> 
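The two mechanisms Cisco's reply relies on, a first-hop port that discards 802.1Q-tagged frames when trunking is disabled, and a strict unicast RPF check on the router, as an added Python model. This is not code from the Cisco or Arhont messages; the MAC addresses, VLAN numbers, interface names and routing table are constructed for the illustration, and `edge_port_ingress`, `trunk_egress`, `trunk_ingress`, `double_tag_hop` and `urpf_strict` are this example's own names. It shows that a double-tagged frame (outer tag = the trunk's native VLAN, inner tag = the target VLAN) reaches the target VLAN on the second switch only when the attacker's port accepts tagged frames, i.e. behaves as a trunk; with trunking disabled on that port the frame is dropped, which is the configuration the reply recommends. The uRPF function drops any packet whose source address does not route back out the interface it arrived on.

```python
# Added example (not from the Cisco/Arhont messages): a small Python model of
# the two behaviours Cisco's reply relies on. MACs, VLAN numbers, interface
# names and the routing table are constructed for illustration.
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

ATTACKER_MAC = bytes.fromhex("020000000001")   # constructed
VICTIM_MAC = bytes.fromhex("020000000002")     # constructed


def build_frame(dst, src, vlan_tags, payload=b"\x45" + b"\x00" * 19):
    """Ethernet frame with zero or more stacked 802.1Q tags (PCP/DEI = 0)."""
    frame = dst + src
    for vid in vlan_tags:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame):
    """Return ([vlan ids, outermost first], inner ethertype, payload)."""
    off, tags = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype != ETHERTYPE_8021Q:
            return tags, etype, frame[off:]
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        tags.append(tci & 0x0FFF)


def edge_port_ingress(frame, port_vlan, trunking):
    """First-hop switch port. With trunking enabled (e.g. negotiated) a tagged
    frame is accepted and classified by its outer tag. With trunking disabled
    (Cisco's recommendation) any tagged frame is discarded: returns None.
    Otherwise returns (vlan, frame) as the switch will carry it."""
    tags, _, _ = parse_tags(frame)
    if not tags:
        return port_vlan, frame
    if not trunking:
        return None
    return tags[0], frame


def trunk_egress(vlan, frame, native_vlan):
    """Sending over an 802.1Q trunk: native-VLAN frames leave untagged, so the
    outer tag is removed and any inner tag becomes the outermost one."""
    tags, _, payload = parse_tags(frame)
    if vlan == native_vlan and tags and tags[0] == native_vlan:
        return build_frame(frame[:6], frame[6:12], tags[1:], payload)
    return frame


def trunk_ingress(frame, native_vlan):
    """Receiving switch: untagged -> native VLAN, tagged -> VLAN in the tag."""
    tags, _, _ = parse_tags(frame)
    return tags[0] if tags else native_vlan


def double_tag_hop(edge_trunking, native_vlan=1, target_vlan=20):
    """VLAN the attacker's double-tagged frame lands in at the second switch,
    or None if the first-hop port discards it."""
    frame = build_frame(VICTIM_MAC, ATTACKER_MAC, [native_vlan, target_vlan])
    accepted = edge_port_ingress(frame, native_vlan, edge_trunking)
    if accepted is None:
        return None
    vlan, frame = accepted
    return trunk_ingress(trunk_egress(vlan, frame, native_vlan), native_vlan)


# Constructed routing table for the uRPF check: (prefix, egress interface).
# No default route on purpose: a source with no matching route fails the check.
ROUTES = [
    ("10.1.0.0/16", "Gi0/1"),
    ("10.2.0.0/16", "Gi0/2"),
]


def urpf_strict(routes, ingress_iface, src_ip):
    """Strict unicast RPF: accept only if the longest-match route for the
    source address points back out the interface the packet arrived on."""
    src = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best is not None and best[1] == ingress_iface


if __name__ == "__main__":
    print("edge port trunking:   ", double_tag_hop(True))    # 20 (hopped)
    print("edge port access-only:", double_tag_hop(False))   # None (dropped)
    print("uRPF genuine source:  ", urpf_strict(ROUTES, "Gi0/1", "10.1.5.5"))
    print("uRPF spoofed source:  ", urpf_strict(ROUTES, "Gi0/2", "10.1.5.5"))
```

The routing table deliberately carries no default route, matching `ip verify unicast reverse-path` as shown in the reply, which does not use the default route for the check unless the `allow-default` keyword is added; a source that matches nothing is therefore dropped on every interface.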
Copyright © Lexa Software, 1996-2009.