I disagree that a compromised security zone is game over. Security is built in layers. Those hosts in a compromised security zone should be hardened, have complex authentication requirements to get in them, etc. Just because a compromised host in a security zone can get at additional ports on the other hosts doesn't mean an attacker will be more successful.
He’s right from the host-centric perspective (assuming you actually believe those other hosts are hardened), but once you own a server in a security zone you can start having fun with intra-subnet attacks.
Here are just a few ideas (I’m positive decent pen-testers have dozens more):
- Spoof source IP addresses of other servers in the same security zone and execute denial-of-service attacks;
- Combine the above with ARP spoofing and you might be able to get where those other servers can go;
- Impersonate other servers in the same security zone with ARP spoofing to get access to the traffic sent within the security zone;
- For the ultimate win, ARP spoof the IP address of the first-hop router (most routers might object to that, try to claim back their IP address, and generate all sorts of log messages);
- Send ICMP redirects and persuade adjacent servers to pass traffic going to more secure zones to your server first;
- Become a DHCP server and try to force other servers to use your server as their DNS server.
All these attacks can be mitigated with proper configuration of layer-2 switches. Would your ToR switches stop them?
Most of these attacks can also be stopped by the hypervisor virtual switches... assuming you bought the proper (more expensive) licenses. Are your vSwitches configured to use them?
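The switch feature that stops the ARP-based attacks listed above is dynamic ARP inspection: the switch knows which MAC address legitimately owns an IP address (from DHCP snooping or static bindings) and drops ARP packets that claim otherwise. The same check is easy to run in software on a monitoring probe or a host, which is useful when the ToR or vSwitch licence doesn't include it. The code below is an added example, not from the original post or any vendor's implementation; the protected bindings, the gateway address 10.0.0.1 and the two ARP payloads are constructed test data.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class Arp:
    op: int
    sender_mac: str
    sender_ip: IPv4Address
    target_mac: str
    target_ip: IPv4Address


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(payload: bytes) -> Arp:
    """Parse the ARP payload of an Ethernet frame (RFC 826, IPv4 over Ethernet)."""
    if len(payload) < 28:
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP packet")
    return Arp(
        op,
        _mac(payload[8:14]), IPv4Address(payload[14:18]),
        _mac(payload[18:24]), IPv4Address(payload[24:28]),
    )


class ArpInspector:
    """Software analogue of dynamic ARP inspection for a set of protected hosts.

    bindings maps protected IP addresses (the first-hop router, DNS servers, ...)
    to the MAC address that is allowed to answer for them.
    """

    def __init__(self, bindings: dict):
        self.bindings = {IPv4Address(ip): mac.lower() for ip, mac in bindings.items()}

    def inspect(self, payload: bytes):
        """Return a finding string for a spoofed ARP packet, or None if it is consistent."""
        arp = parse_arp(payload)
        expected = self.bindings.get(arp.sender_ip)
        if expected is None or arp.sender_mac == expected:
            return None          # unprotected address, or the rightful owner speaking
        kind = "reply" if arp.op == ARP_REPLY else "request"
        return (f"ARP {kind} claims {arp.sender_ip} is at {arp.sender_mac}, "
                f"expected {expected} (target {arp.target_ip})")


# Constructed sample packets: an ARP reply for the gateway 10.0.0.1 sent to host
# 10.0.0.20, first from the gateway's own (VRRP-style) MAC, then from another MAC.
GATEWAY_MAC = "00:00:5e:00:01:01"
LEGIT_REPLY = bytes.fromhex(
    "0001 0800 0604 0002"          # htype, ptype, hlen, plen, op=reply
    "00005e000101 0a000001"         # sender MAC / IP: gateway
    "aabbccddee20 0a000014"         # target MAC / IP: host 10.0.0.20
)
SPOOFED_REPLY = bytes.fromhex(
    "0001 0800 0604 0002"
    "020000000099 0a000001"         # sender claims gateway IP from a different MAC
    "aabbccddee20 0a000014"
)

INSPECTOR = ArpInspector({"10.0.0.1": GATEWAY_MAC})


def demo() -> list:
    """Run both samples through the inspector and return the findings."""
    return [INSPECTOR.inspect(p) for p in (LEGIT_REPLY, SPOOFED_REPLY)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host the same inspector would be fed from a raw socket or a pcap; the binding table is the important part, and it should come from the same source of truth the switches use (DHCP snooping database or the IPAM), not from whatever ARP happened to arrive first.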
However, the ultimate winner is: start sending IPv6 RA messages. Most of the adjacent servers will auto-configure themselves, and if they’re running Linux (and your data center is IPv6-ignorant) they’re probably missing ip6tables configuration, making them wide open. Even if that doesn’t work, you’ll still attract all IPv6 traffic (because you pretend to be a router) and you can push the DNS settings to most of the operating systems with Other Config Flag and DHCPv6.
I’m positive one could use this trick in most IPv6-ignorant environments (particularly the virtualized ones). Would it work in your data center? No, you don’t have to share the answer, if it happens to be “YES”, go and fix the problem.
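What makes the rogue RA trick work is that hosts accept any Router Advertisement on the link, including its Prefix Information and DNS options (the O flag pointing hosts at DHCPv6, or an RDNSS option carrying the DNS server directly). RA guard on the switch drops RAs that don't come from an authorised router port; the parser below does the same check in software, so you can see exactly what an observed RA would do to the hosts that accept it. This is an added example, not code from the original post or any RA guard implementation; the authorised router MAC, the site prefix 2001:db8:cafe::/48 and both sample packets are constructed.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

ND_ROUTER_ADVERT = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_RDNSS = 1, 3, 25


def parse_ra(pkt: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861 s4.2) and the options that matter here."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, router_lifetime = struct.unpack("!BBH", pkt[4:8])
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),       # M flag: use DHCPv6 for addresses
        "other_config": bool(flags & 0x40),  # O flag: use DHCPv6 for DNS etc.
        "router_lifetime": router_lifetime,  # >0 means "use me as default router"
        "src_lladdr": None,
        "prefixes": [],                      # (network, autonomous-flag) pairs
        "rdnss": [],                         # DNS servers pushed via RFC 8106
    }
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")
        body = pkt[off:off + olen * 8]
        if len(body) < olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_SRC_LLADDR and olen == 1:
            ra["src_lladdr"] = ":".join(f"{b:02x}" for b in body[2:8])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags = body[2], body[3]
            net = IPv6Network((body[16:32], plen), strict=False)
            ra["prefixes"].append((net, bool(pflags & 0x40)))   # A flag: SLAAC allowed
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            for i in range(8, olen * 8, 16):
                ra["rdnss"].append(IPv6Address(body[i:i + 16]))
        off += olen * 8
    return ra


def check_ra(ra: dict, authorised_routers: set, site_prefix: IPv6Network) -> list:
    """Software RA guard: list what an RA from an unauthorised source would change on hosts."""
    findings = []
    if ra["src_lladdr"] not in authorised_routers:
        findings.append(f"unauthorised router {ra['src_lladdr']}")
        if ra["router_lifetime"] > 0:
            findings.append("would become the default router for all IPv6 traffic")
        if ra["managed"] or ra["other_config"] or ra["rdnss"]:
            findings.append(f"steers DNS/DHCPv6 (M={ra['managed']}, O={ra['other_config']}, RDNSS={ra['rdnss']})")
    for prefix, autonomous in ra["prefixes"]:
        if autonomous and not prefix.subnet_of(site_prefix):
            findings.append(f"hosts would autoconfigure the foreign prefix {prefix}")
    return findings


# Constructed samples. Checksums are zero because the check does not validate them.
AUTHORISED = {"00:00:5e:00:02:01"}
SITE_PREFIX = IPv6Network("2001:db8:cafe::/48")

LEGIT_RA = bytes.fromhex(
    "8600 0000 40 00 0708 00000000 00000000"      # type 134, hop limit 64, lifetime 1800
    "0101 00005e000201"                           # source link-layer address: the real router
    "0304 40c0 ffffffff ffffffff 00000000 20010db8cafe0001 0000000000000000"
)
ROGUE_RA = bytes.fromhex(
    "8600 0000 40 40 0708 00000000 00000000"      # O flag set
    "0101 020000000099"                           # unknown source MAC
    "0304 40c0 ffffffff ffffffff 00000000 20010db80bad0001 0000000000000000"
    "1903 0000 00000708 20010db80bad0001 0000000000000053"   # RDNSS -> 2001:db8:bad:1::53
)


def audit(pkt: bytes) -> list:
    return check_ra(parse_ra(pkt), AUTHORISED, SITE_PREFIX)


if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_RA), ("rogue", ROGUE_RA)):
        print(name, audit(pkt) or "ok")
```

The findings for the rogue packet spell out the three effects the text describes: default route capture, DNS steering via the O flag or RDNSS, and autoconfiguration of a prefix the site never allocated. On hosts the equivalent mitigation is to stop accepting RAs on server interfaces at all (`net.ipv6.conf.<if>.accept_ra=0` on Linux), which is the sensible default in an IPv6-ignorant data center.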
Now that I mentioned IPv6 – you really can’t ignore IPv6 anymore. IPv6 security webinar has a great overview of IPv6 security implications and gotchas (check also other IPv6 webinars – you get all of them with the yearly subscription).