RE: [fw-wiz] Vlan's as effective security measures?

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 02/10/04

  • Next message: Mike McNutt: "RE: [fw-wiz] Changes in How ARP is Handled between PIX OS 5.x and OS6.3?"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 10 Feb 2004 09:01:11 -0500

    > -----Original Message-----
    > 1. A surprising number of network devices' VLAN implementations
    > will leak packets between VLANs under heavy loads, or in some
    > cases randomly all the time.
    > 2. Some switches have a single forwarding database which includes
    > VLAN tags and a host presenting a carefully chosen MAC address
    > can sometimes hijack traffic for a host on another VLAN.
    > 3. Some switches flood ARP requests across VLANs.
    > 4. Some switches flood all traffic under heavy load.
    > 5. Few switches and routers have adequate configuration security.
    >
    > Don't depend on VLANs to guarantee the separation of two networks
    > that *must* be separated. Your security is only as good as the
    > weakest element in your infrastructure and the security of most
    > switches (and to a lesser extent routers) is pretty weak.

    I'd like to expand on what John said by stating that the proper use of VLANs can significantly improve security. For example, the use of Private VLANs can improve security on a firewall DMZ network. It's all about knowing where and why to use them as part of your access controls. There's a good white paper (though clearly Cisco-centric) on VLAN security available here:

    http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

    Also, I'd like to add my subjective opinion about switch flooding, which is that most high-end switches cannot be stressed out by traffic arriving on a small number of ports. If a core switch within your organization leaks traffic because of packet flooding, this can often be cured by contacting the manufacturer for an updated software/firmware image. If it can't be fixed by software, well, you most likely got what you paid for.

    PaulM
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
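As an added illustration of the private-VLAN DMZ design Paul mentions (example configuration written for this page, not taken from the original post or from Cisco's white paper; the VLAN numbers, interface names and descriptions are assumptions), a Catalyst IOS fragment that puts the firewall's DMZ interface on a promiscuous port and each DMZ server on an isolated port, so every server can reach the firewall but no server can reach another at layer 2:

```cisco
! Private VLANs on Catalyst IOS require VTP transparent mode (assumed platform).
vtp mode transparent
!
! Primary VLAN: the DMZ as the firewall sees it (VLAN id is an assumption).
vlan 100
 name DMZ-primary
 private-vlan primary
 private-vlan association 101
!
! Isolated secondary VLAN: hosts here cannot talk to each other, only to
! promiscuous ports (VLAN id is an assumption).
vlan 101
 name DMZ-isolated
 private-vlan isolated
!
! Firewall DMZ leg: promiscuous port, sees traffic from every secondary VLAN.
interface GigabitEthernet0/1
 description Firewall DMZ interface (assumed)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! DMZ servers: isolated host ports, one per server (names are assumptions).
interface GigabitEthernet0/2
 description DMZ web server (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet0/3
 description DMZ mail relay (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Verification after applying: lists primary/secondary pairing and member ports.
! show vlan private-vlan
```

The isolation is enforced only at layer 2: if the device on the promiscuous port routes or proxy-ARPs between the isolated hosts, they can still reach each other through it, so the firewall policy on that interface must deny server-to-server traffic as well.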

