Re: [fw-wiz] Firewalls and 802.1q trunking

From: Two Dog Flats (j3ff9ack@yahoo.com)
Date: 11/26/02


From: Two Dog Flats <j3ff9ack@yahoo.com>
To: firewall-wizards@honor.icsalabs.com
Date: Tue Nov 26 20:40:01 2002

Having just addressed this topic a while ago, I found the following
study:

http://www.sans.org/newlook/resources/IDFAQ/vlan.htm

I have personally seen other brands of switches exhibit the same
behavior. Overall, VLANs are a great technology, but they shouldn't be
used for high-risk network segments.

--
Jeff Pack
j3ff9ack@yahoo.com
--- Steffen Kluge <kluge@fujitsu.com.au> wrote:
> Hi everyone,
> I'd like to solicit your opinion on the popular trend of
> equipping firewalls with (almost) arbitrary numbers of interfaces
> by means of VLAN trunking. Many FW vendors (including Nokia,
> NetScreen, and the like) are going down that path.
> 
> My concern is that the "fan-out" boxes are typically run-of-the-mill
> switches, like Cisco Catalysts, that probably have been designed
> without any security aspirations. I wouldn't be surprised if those
> switches could be attacked and tricked into leaking packets between
> VLANs.
> 
> Are there any studies devoted to this issue, or reports of successful
> attacks against 802.1q separation that I should be aware of?
> 
> In our environment we use firewalls with rather large numbers of
> interfaces (typically 15 ~ 25), mostly based on Xylan switches
> running FW-1. This product line has disappeared now and all
> alternative solutions seem to be relying on VLAN trunking.
> 
> I'm not comfortable with the idea yet, but I wasn't comfortable with
> the Xylan switches in the beginning, either. I'd like to think I'm
> too paranoid, but then, that's my job...
> 
> Cheers
> Steffen.
> 
> 
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


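As an added illustration of the 802.1q separation the thread is discussing (this is example code written for this page, not something posted by either list member or taken from the SANS study): a small parser that walks the tag stack of an Ethernet frame and a check that audits what arrives on a firewall's trunk port against the VLANs that trunk is supposed to carry. Untagged frames, frames carrying more than one tag, and frames tagged with a VLAN the trunk was never provisioned for are reported as findings. The frames, MAC addresses and allowed VLAN set are constructed here for the demonstration, and the decision to treat an 802.1ad S-tag (0x88A8) the same as an 802.1q C-tag is an assumption of this example.

```python
import struct

# EtherTypes for an 802.1Q C-tag and an 802.1ad S-tag (assumption: both are
# treated as VLAN tags so a stacked S-tag/C-tag pair is reported as nested).
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_8021AD = 0x88A8
ETHERTYPE_IPV4 = 0x0800


def parse_vlan_tags(frame: bytes):
    """Walk the Ethernet header and return (dst_mac, src_mac, vlan_ids, inner_ethertype).

    vlan_ids lists every VLAN ID found in the tag stack, outermost first;
    an untagged frame yields an empty list.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst_mac, src_mac = frame[0:6], frame[6:12]
    offset = 12
    vlan_ids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated EtherType field")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            return dst_mac, src_mac, vlan_ids, ethertype
        if offset + 2 > len(frame):
            raise ValueError("truncated 802.1Q TCI field")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID


def check_trunk_frame(frame: bytes, allowed_vlans) -> list:
    """Return a list of findings for a frame seen on a firewall trunk (empty = clean)."""
    _, _, vlan_ids, _ = parse_vlan_tags(frame)
    findings = []
    if not vlan_ids:
        findings.append("untagged frame on trunk (native VLAN in use)")
    if len(vlan_ids) > 1:
        findings.append(f"nested VLAN tags {vlan_ids}")
    for vid in vlan_ids:
        if vid not in allowed_vlans:
            findings.append(f"VLAN {vid} is not allowed on this trunk")
    return findings


def build_frame(vlan_ids, ethertype=ETHERTYPE_IPV4, payload=b"\x00" * 46) -> bytes:
    """Construct a sample frame with the given tag stack (synthetic data, not a capture)."""
    dst_mac = bytes.fromhex("001122334455")  # constructed address
    src_mac = bytes.fromhex("66778899aabb")  # constructed address
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return dst_mac + src_mac + tags + struct.pack("!H", ethertype) + payload


def audit_samples(allowed_vlans=frozenset({10, 20, 30})) -> dict:
    """Run the trunk check over constructed sample frames; returns {label: findings}."""
    samples = {
        "untagged": build_frame([]),
        "vlan10": build_frame([10]),
        "vlan999": build_frame([999]),
        "double_tagged": build_frame([10, 20]),
    }
    return {label: check_trunk_frame(frame, allowed_vlans) for label, frame in samples.items()}


if __name__ == "__main__":
    for label, findings in audit_samples().items():
        print(f"{label:14s} {'ok' if not findings else '; '.join(findings)}")
```

In practice the allowed set would come from the firewall's interface configuration for that trunk, and the frames from a mirror of the trunk port; a non-empty result is the kind of evidence that tells you whether the fan-out switch is honouring the separation the firewall design depends on.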