RE: [fw-wiz] Vlan's as effective security measures?

From: Melson, Paul (
Date: 02/10/04

    Date: Tue, 10 Feb 2004 09:01:11 -0500

    > -----Original Message-----
    > 1. A surprising number of network devices' VLAN implementations
    > will leak packets between VLANs under heavy loads, or in some
    > cases randomly all the time.
    > 2. Some switches have a single forwarding database which includes
    > VLAN tags and a host presenting a carefully chosen MAC address
    > can sometimes hijack traffic for a host on another VLAN.
    > 3. Some switches flood ARP requests across VLANs.
    > 4. Some switches flood all traffic under heavy load.
    > 5. Few switches and routers have adequate configuration security.
    > Don't depend on VLANs to guarantee the separation of two networks
    > that *must* be separated. Your security is only as good as the
    > weakest element in your infrastructure and the security of most
    > switches (and to a lesser extent routers) is pretty weak.

    I'd like to expand on what John said by stating that the proper use of VLANs can significantly improve security. For example, the use of Private VLANs can improve security on a firewall DMZ network. It's all about knowing where and why to use them as part of your access controls. There's a good white paper (though clearly Cisco-centric) on VLAN security available here:

    Also, I'd like to add my subjective opinion about switch flooding, which is that most high-end switches cannot be stressed out by traffic arriving on a small number of ports. If a core switch within your organization leaks traffic because of packet flooding, this can often be cured by contacting the manufacturer for an updated software/firmware image. If it can't be fixed by software, well, you most likely got what you paid for.
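Two of the failure modes in John's quoted list leave traces on the wire that a monitor port per VLAN can catch: a host MAC turning up on more than one VLAN (a shared forwarding database being confused or hijacked, item 2) and ARP requests appearing on a VLAN whose subnet they do not belong to (ARP flooding across VLANs, item 3). The following is an added example, not code from the original thread or from any switch vendor; the VLAN-to-subnet plan and the captured frames are constructed test data, and a real check would read them from per-VLAN captures instead.

```python
"""Detect symptoms of inter-VLAN leakage from per-VLAN frame captures.

Added example (not from the mailing-list post). The frame records and the
VLAN-to-subnet plan below are constructed; in practice each record would be
built from a frame captured on a monitor port belonging to that VLAN.
"""
import ipaddress
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800

# Assumed VLAN-to-subnet plan for the test network (hypothetical values).
VLAN_SUBNETS = {
    10: ipaddress.ip_network("10.0.10.0/24"),
    20: ipaddress.ip_network("10.0.20.0/24"),
}

# Constructed capture: (VLAN the frame was seen on, source MAC, ethertype,
# ARP sender IP or None for non-ARP frames).
SAMPLE_FRAMES = [
    (10, "00:11:22:33:44:01", ETHERTYPE_ARP, "10.0.10.5"),
    (10, "00:11:22:33:44:02", ETHERTYPE_IPV4, None),
    (20, "00:11:22:33:44:03", ETHERTYPE_ARP, "10.0.20.7"),
    (20, "00:11:22:33:44:01", ETHERTYPE_ARP, "10.0.10.5"),   # VLAN 10 host's ARP seen on VLAN 20
    (20, "00:11:22:33:44:02", ETHERTYPE_IPV4, None),         # VLAN 10 MAC also seen on VLAN 20
    (20, "00:11:22:33:44:04", ETHERTYPE_ARP, "192.168.1.9"), # sender IP in no planned subnet
]


def macs_on_multiple_vlans(frames, ignore_macs=()):
    """Return {mac: sorted VLAN list} for every source MAC seen on more than
    one VLAN. MACs in ignore_macs (e.g. a firewall or router interface that
    legitimately serves several VLANs) are skipped."""
    ignore = {m.lower() for m in ignore_macs}
    seen = defaultdict(set)
    for vlan, src_mac, _, _ in frames:
        mac = src_mac.lower()
        if mac not in ignore:
            seen[mac].add(vlan)
    return {mac: sorted(vlans) for mac, vlans in seen.items() if len(vlans) > 1}


def foreign_arp(frames, vlan_subnets=VLAN_SUBNETS):
    """Return ARP frames whose sender IP lies outside the subnet of the VLAN
    they were captured on, as (vlan, src_mac, sender_ip, home_vlan). home_vlan
    is the VLAN whose subnet contains the sender IP, or None if no planned
    subnet does."""
    hits = []
    for vlan, src_mac, ethertype, sender_ip in frames:
        if ethertype != ETHERTYPE_ARP or sender_ip is None:
            continue
        addr = ipaddress.ip_address(sender_ip)
        expected = vlan_subnets.get(vlan)
        if expected is not None and addr in expected:
            continue  # sender belongs where it was seen
        home = next((v for v, net in vlan_subnets.items() if addr in net), None)
        hits.append((vlan, src_mac, sender_ip, home))
    return hits


def leak_report(frames, vlan_subnets=VLAN_SUBNETS, ignore_macs=()):
    """Combine both checks into one report dict."""
    return {
        "mac_on_multiple_vlans": macs_on_multiple_vlans(frames, ignore_macs),
        "foreign_arp": foreign_arp(frames, vlan_subnets),
    }


if __name__ == "__main__":
    report = leak_report(SAMPLE_FRAMES)
    for mac, vlans in report["mac_on_multiple_vlans"].items():
        print(f"MAC {mac} seen on VLANs {vlans}")
    for vlan, mac, ip, home in report["foreign_arp"]:
        print(f"ARP from {ip} ({mac}) captured on VLAN {vlan}, belongs to VLAN {home}")
```

Run this against captures taken while the switch is under the kind of load the post talks about; a clean switch produces an empty report, and any hit is a sign that the VLAN boundary is not one you should rely on for networks that must stay separated. Multi-homed devices such as the firewall itself will legitimately appear on several VLANs, so pass their MACs in ignore_macs rather than weakening the check.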

