VLANs


VLANs are virtual LANs created logically, in the configuration of the switching equipment, rather than by physically separate wiring. They are very common in modern networks and a fantastic way to carve up broadcast domains and improve quality of service in a big network. However, a VLAN is no substitute for real physical separation between firewalled segments, because there are all sorts of methods for defeating the compartmentalization of a VLAN or switched network: ARP spoofing to redirect traffic through an attacker's host, MAC flooding to make a switch fail open and behave like a hub, and VLAN hopping from any port or device that carries tagged trunk traffic. One such tool is dsniff (http://www.monkey.org/~dugsong/dsniff/), whose arpspoof and macof utilities do the first two, and we have used it many times to demonstrate that Layer 2 logical compartmentalization is not appropriate for firewall environments.
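The on-the-wire symptom of an arpspoof-style attack is an IP address (typically the gateway) that suddenly answers ARP from a different MAC, often flapping between the real and the forged binding. The following monitor is an added example, not code from the book or from dsniff: it parses ARP replies in the format printed by `tcpdump -l -e -n arp` and flags rebinds and crafted frames whose payload MAC disagrees with the Ethernet source. The sample lines, addresses and MACs are constructed for the example.

```python
"""
ARP binding monitor (added example, not from the book).

Feed it `tcpdump -l -e -n arp` output on a host that sits on the segment
(or a switch SPAN port).  It flags the two things an ARP spoofing tool
leaves on the wire: an IP whose MAC binding changes, and a reply whose
ARP payload MAC differs from the Ethernet source MAC of the frame.
"""
import re
import sys

# tcpdump -e -n prints ARP replies as, for example (constructed line):
# 12:00:01.000000 00:0c:29:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806),
#   length 42: Reply 10.0.0.1 is-at 00:0c:29:aa:bb:cc, length 28
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[0-9a-f:]{17})\s+>\s+(?P<dst>[0-9a-f:]{17}),.*?"
    r"Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]{17})",
    re.IGNORECASE,
)


def parse_arp_replies(lines):
    """Yield (timestamp, ip, payload_mac, frame_src_mac) for each ARP reply."""
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if m:  # requests and non-ARP lines simply do not match
            yield m["ts"], m["ip"], m["mac"].lower(), m["src"].lower()


def detect_arp_spoof(lines, trusted=None):
    """
    Return a list of alert tuples (ts, kind, ip, old_mac, new_mac).

    kind == "mismatch": ARP payload MAC != Ethernet source MAC (crafted frame)
    kind == "rebind":   ip answered from a MAC other than the one seen before
                        (or other than the static `trusted` binding supplied)
    """
    bindings = dict(trusted or {})          # ip -> mac, lowercased
    alerts = []
    for ts, ip, mac, src in parse_arp_replies(lines):
        if mac != src:
            alerts.append((ts, "mismatch", ip, src, mac))
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac                # first sighting, learn it
        elif known != mac:
            alerts.append((ts, "rebind", ip, known, mac))
            bindings[ip] = mac                # follow the new claimant so flapping shows up
    return alerts


# Constructed sample: the gateway 10.0.0.1 answers normally, the victim 10.0.0.7
# asks for it, an attacker MAC claims the gateway, the real gateway reasserts
# itself (the flapping arpspoof causes), then a crafted reply carries a payload
# MAC that does not match the frame it arrived in.
SAMPLE = [
    "12:00:01.000000 00:0c:29:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 10.0.0.1 is-at 00:0c:29:aa:bb:cc, length 28",
    "12:00:02.000000 00:0c:29:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.7, length 28",
    "12:00:03.000000 00:50:56:de:ad:01 > 00:0c:29:11:22:33, ethertype ARP (0x0806), length 42: Reply 10.0.0.1 is-at 00:50:56:de:ad:01, length 28",
    "12:00:04.000000 00:0c:29:aa:bb:cc > 00:0c:29:11:22:33, ethertype ARP (0x0806), length 42: Reply 10.0.0.1 is-at 00:0c:29:aa:bb:cc, length 28",
    "12:00:05.000000 00:50:56:de:ad:01 > 00:0c:29:11:22:33, ethertype ARP (0x0806), length 42: Reply 10.0.0.7 is-at 00:50:56:de:ad:02, length 28",
]


if __name__ == "__main__":
    # Live use:  tcpdump -l -e -n arp | python3 arpmon.py
    # With no stdin attached, run against the constructed sample instead.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE
    for ts, kind, ip, old, new in detect_arp_spoof(source):
        print(f"{ts} {kind:8} {ip:15} {old} -> {new}")
```

Pass `trusted={"10.0.0.1": "<gateway MAC>"}` for the addresses you care about so the very first forged reply is caught rather than learned; without it the monitor only sees the flap once the real host answers again. A mismatch alert is the stronger signal, since a normal IP stack never sends an ARP reply whose sender hardware address differs from the frame's source MAC.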

For example, we were performing a vulnerability assessment on a very large banking client. They had, by far, the most fantastic, heavily compartmentalized, paranoid wire diagram we had ever seen: multiple layers of firewalls, NIDS (network-based intrusion detection), and HIDS (host-based intrusion detection) all over the place, which looked absolutely fantastic on paper. However, what they failed to recognize was that the "compartmentalization" was really all logical. The entire five-layer (no joke: dual-connected, 10 firewalls protecting 20 systems) system was really two switches. We broke into their edge router, which was connected to the management network (also logical), and from there proceeded to spoof our way onto every VLAN, bypassing all five layers of firewalls. I doubt a single one of our packets ever even touched them. NIDS, of course, rarely can detect the symptoms of such an attack, and the HIDS...well, they all logged to the management system, which was the first system we were able to compromise.

As for a How To on how we did all of this...well, you'll have to wait for our next book!



    Troubleshooting Linux Firewalls
    ISBN: 0321227239
    Year: 2004
    Pages: 169