Thread-topic: Making unidirectional VLAN and PVLAN jumping bidirectional
Cisco's reply - there is a link to the primary source in it
> -----Original Message-----
> From: Clayton Kossmeyer [mailto:ckossmey@xxxxxxxxx]
> Sent: Tuesday, December 20, 2005 1:26 AM
> To: full-disclosure@xxxxxxxxxxxxxxxxx;
> bugtraq@xxxxxxxxxxxxxxxxx; info@xxxxxxxxxx
> Cc: psirt@xxxxxxxxx
> Subject: Re: Making unidirectional VLAN and PVLAN jumping
> bidirectional
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Cisco Response
> ==============
>
> This is Cisco PSIRT's response to the statements made by Arhont
> Ltd. in their message: Making unidirectional VLAN and PVLAN jumping
> bidirectional, posted on 2005-Dec-19. An archived version of the
> report can be found here:
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040333.html
>
> Cisco confirms the statements made.
>
> We would like to thank Arhont Ltd. for reporting this issue to us.
>
> We greatly appreciate the opportunity to work with researchers on
> security vulnerabilities, and welcome the opportunity to review and
> assist in product reports.
>
> Additional Information
> ======================
>
> Cisco is aware of VLAN spoofing attacks and recommends that customers
> apply best practices where possible to reduce the impact of such
> attacks on their networks. Many best practices are discussed in Cisco's
> SAFE Blueprint for Layer 2 security:
>
> http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml
>
> As mentioned in the Arhont advisory, this is a protocol issue with
> 802.1q VLANs, and not a vendor-specific issue. However, there are
> techniques available on Cisco devices that may allow you to reduce your
> exposure to the mentioned attacks.
>
> The Cisco SAFE Blueprint for Layer 2 security discusses double tagging
> attacks here:
>
> http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml#wp1002270
>
> The recommended configuration is to disable 802.1q trunking everywhere
> it is not required so that tagged frames are discarded on ports not
> configured for trunking.
>
> The publication by Arhont also leverages an IP spoofing component to
> enable the attack. Cisco recommends IP anti-spoofing techniques and
> features such as Unicast Reverse Path Forwarding (uRPF) to guard
> against spoofed IP packets.
>
> The Unicast Reverse Path Forwarding (Unicast RPF) feature helps to
> mitigate problems that are caused by spoofed IP source addresses. It is
> available on Cisco routers and firewalls. For further details, please
> refer to:
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfrpf.htm
>
> By enabling Unicast Reverse Path Forwarding (uRPF), all spoofed packets
> will be dropped at the first device. To enable uRPF, use the following
> commands.
>
> router(config)# ip cef
> router(config)# interface
> router(config-if)# ip verify unicast reverse-path
>
> Cisco Security Procedures
> =========================
>
> Complete information on reporting security vulnerabilities in Cisco
> products, obtaining assistance with security incidents, and
> registering to receive security information from Cisco, is available
> on Cisco's worldwide website at
> http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
> This includes instructions for press inquiries regarding Cisco security
> notices. All Cisco security advisories are available at
> http://www.cisco.com/go/psirt.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.0 (SunOS)
>
> iD8DBQFDpzDwEHa/Ybuq8nARAutnAJ9cFhTKVv8C5K4QcIWJiMYomuLnWgCeJU8Q
> Xd773GAB2i9O6ad8ZQ1+F9o=
> =toA7
> -----END PGP SIGNATURE-----
>
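The two mitigations PSIRT points to above (no 802.1Q trunking on ports that do not need it, and strict uRPF on routed interfaces) are easy to state and easy to leave half-applied across a large switch estate. As an added example that is not part of this thread or of Cisco's material, the script below audits an IOS-style running-config text for exactly those two settings: a switchport with no explicit `switchport mode access` (or `private-vlan`) is assumed to sit at the platform's DTP default and is flagged as able to negotiate a trunk; explicit trunks are flagged for review; routed interfaces lacking `ip verify unicast reverse-path` are flagged; and a config that enables uRPF without `ip cef` is flagged because uRPF depends on CEF. The sample configuration embedded in the block is constructed for illustration; `parse_config`, `audit` and the finding codes are names chosen here, not Cisco commands.

```python
"""Audit an IOS-style running-config for the mitigations named in the
Cisco PSIRT reply: 802.1Q trunking disabled on ports that do not need
it, and strict uRPF ('ip verify unicast reverse-path') on routed
interfaces. Added example; not Cisco's or Arhont's code."""
import re

# Constructed sample config: one port left at DTP defaults, one hardened
# access port, one trunk, and two SVIs (one with uRPF, one without).
SAMPLE_CONFIG = """\
!
ip cef
!
interface FastEthernet0/1
 description user port left at DTP defaults (constructed sample)
 switchport access vlan 10
!
interface FastEthernet0/2
 description hardened user port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/1
 description uplink
 switchport mode trunk
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip verify unicast reverse-path
!
"""


def parse_config(config):
    """Return (global_lines, {interface_name: [sub-command lines]}).

    IOS indents interface sub-commands by one space; any non-indented
    line ends the current interface stanza. '!' lines are separators.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            m = re.match(r"interface\s+(\S+)$", line)
            if m:
                current = m.group(1)
                interfaces[current] = []
            else:
                current = None
                global_lines.append(line)
        elif current is not None:
            interfaces[current].append(line.strip())
    return global_lines, interfaces


def audit(config):
    """Return a list of (interface, code, advice) findings."""
    global_lines, interfaces = parse_config(config)
    findings = []
    urpf_seen = False
    for name, lines in interfaces.items():
        is_switchport = any(ln.startswith("switchport") for ln in lines)
        if is_switchport:
            modes = [ln for ln in lines if ln.startswith("switchport mode ")]
            # No explicit mode: assume the platform's DTP default (dynamic).
            mode = modes[-1].split()[2] if modes else "dynamic"
            if mode == "trunk":
                findings.append((name, "TRUNK",
                                 "trunk port: confirm 802.1Q trunking is required here"))
            elif mode not in ("access", "private-vlan"):
                findings.append((name, "DTP",
                                 "port can negotiate a trunk via DTP: set "
                                 "'switchport mode access' (and 'switchport nonegotiate')"))
        elif any(ln.startswith("ip address ") for ln in lines):
            if any(ln.startswith("ip verify unicast") for ln in lines):
                urpf_seen = True
            else:
                findings.append((name, "NO_URPF",
                                 "routed interface without 'ip verify unicast reverse-path'"))
    if urpf_seen and "ip cef" not in global_lines:
        findings.append(("global", "NO_CEF",
                         "uRPF is configured but 'ip cef' is missing; uRPF requires CEF"))
    return findings


if __name__ == "__main__":
    for iface, code, advice in audit(SAMPLE_CONFIG):
        print(f"{iface:20} {code:8} {advice}")
```

Feed it the output of `show running-config` from each switch and router. Two caveats a practitioner will hit: the command in the reply, `ip verify unicast reverse-path`, is strict-mode uRPF and drops legitimate traffic on interfaces with asymmetric routing, so review each `NO_URPF` finding against the routing design rather than enabling it blindly; and a `TRUNK` finding is a prompt to confirm the trunk is needed, not a defect in itself.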