RE: [fw-wiz] Vlan's as effective security measures?
From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 02/10/04
- Previous message: Dario Calia: "Re: [fw-wiz] Changes in How ARP is Handled between PIX OS 5.x and OS6.3?"
- Maybe in reply to: Ware, Larry: "[fw-wiz] Vlan's as effective security measures?"
- Next in thread: Brian Ford: "Re: Re: [fw-wiz] Vlan's as effective security measures?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <firewall-wizards@honor.icsalabs.com> Date: Tue, 10 Feb 2004 09:01:11 -0500
> -----Original Message-----
> 1. A surprising number of network devices' VLAN implementations
> will leak packets between VLANs under heavy loads, or in some
> cases randomly all the time.
> 2, Some switches have a single forwarding database which includes
> VLAN tags and a host presenting a carefully chosen MAC address
> can sometimes hijack traffic for a host on another VLAN.
> 3. Some switches flood ARP requests across VLANs.
> 4. Some switches flood all traffic under heavy load.
> 5. Few switches and routers have adequate configuration security.
>
> Don't depend on VLANs to guarantee the separation of two networks
> that *must* be separated. Your security is only as good as the
> weakest element in your infrastructure and the security of most
> switches (and to a lesser extent routers) is pretty weak.
I'd like to expand on what John said by stating that the proper use of VLANs can significantly improve security. For example, the use of Private VLANs can improve security on a firewall DMZ network. It's all about knowing where and why to use them as part of your access controls. There's a good white paper (though clearly Cisco-centric) on VLAN security available here:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
Also, I'd like to add my subjective opinion about switch flooding, which is that most high-end switches cannot be stressed out by traffic arriving on a small number of ports. If a core switch within your organization leaks traffic because of packet flooding, this can often be cured by contacting the manufacturer for an updated software/firmware image. If it can't be fixed by software, well, you most likely got what you paid for.
PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Dario Calia: "Re: [fw-wiz] Changes in How ARP is Handled between PIX OS 5.x and OS6.3?"
- Maybe in reply to: Ware, Larry: "[fw-wiz] Vlan's as effective security measures?"
- Next in thread: Brian Ford: "Re: Re: [fw-wiz] Vlan's as effective security measures?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
