[VOIPSEC] Actual Attacks (VLANs)

Brian Boyter boyter at swbell.net
Sun Feb 20 13:21:01 CST 2005


Right on, Russell...
A long time ago we learned that IP addresses could be spoofed and
therefore could not be relied upon for authentication.
Unfortunately, VLAN tags have no form of authentication, either....

Even worse, VLAN tags also indicate the priority of the packet....
So not only can VLAN tags be spoofed, the attacking packets can be
given a higher priority than your normal traffic....
Brian


Russell Howe wrote:

>On Sat, Feb 19, 2005 at 09:46:56PM -0600, Christopher A. Martin wrote:
>
>>Endpoints will have to become robust enough to not only support VLAN tagging
>>but also association of specific applications to VLAN
>
>Then what happens when a device which does VLAN tagging gets
>compromised? Nothing to stop the malicious code from chatting on
>whichever VLAN it wishes, surely?
>
>If you move to making user devices VLAN aware, I don't see how you can
>use VLANs as an effective security mechanism. They may well add an
>element of obscurity, but security by obscurity isn't something to rely
>on.
>
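
Added example, not part of the original messages: a Python sketch of the 802.1Q tag fields discussed above (VLAN ID and priority, with no authenticating field) and an edge-port check that flags tags a port should not be sending. The policy structure, function names and sample frames are assumptions constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def parse_vlan_tag(frame: bytes):
    """Return (pcp, dei, vid) for a tagged Ethernet frame, None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    # TCI: 3-bit priority, 1-bit drop-eligible, 12-bit VLAN ID.
    # Nothing else is in the tag: no key, MAC or signature covers it.
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF

def audit_frame(frame: bytes, policy: dict):
    """Check a frame received on an edge port against that port's policy.

    policy maps each VLAN ID the port may send to the highest priority
    allowed on it (hypothetical structure for this example).
    """
    tag = parse_vlan_tag(frame)
    if tag is None:
        return []  # untagged: the switch assigns the port's own VLAN
    pcp, _dei, vid = tag
    findings = []
    if vid not in policy:
        findings.append(f"tag claims VLAN {vid}, not permitted on this port")
    elif pcp > policy[vid]:
        findings.append(f"priority {pcp} exceeds limit {policy[vid]} on VLAN {vid}")
    return findings

def build_frame(vid=None, pcp=0):
    """Constructed sample frame; addresses and payload are made up."""
    macs = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return macs + tag + struct.pack("!H", 0x0800) + b"\x00" * 46

PHONE_PORT = {100: 5}  # constructed policy: voice VLAN 100, priority <= 5
```

The check only works where it is enforced by the switch at the edge port, since the tag itself gives the receiver no way to tell who wrote it.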




