Re: [fw-wiz] Vlan's as effective security measures?

From: avraham shir-el (arthur sherman)
Date: 02/11/04

  • Next message: Stephen D. B. Wolthusen: "[fw-wiz] Information Assurance and Security workshops"
    To: John Hall
    Date: Wed, 11 Feb 2004 15:58:07 +0200

    hi john,
    do you know to what extent the problems you mention are relevant
    for the cisco 2900xl, 3500xl and 2950 switches?
    i'm aware of the config sec weaknesses on these switches, but not aware of
    the extent to which the other issues are problems on these particular switches.
    > FROM - John Hall
    > WHEN - 9 February 2004, 12:52
    > SUBJ - Re: [fw-wiz] Vlan's as effective security measures?
    > 1. A surprising number of network devices' VLAN implementations
    > will leak packets between VLANs under heavy loads, or in some
    > cases randomly all the time.
    > 2. Some switches have a single forwarding database which includes
    > VLAN tags and a host presenting a carefully chosen MAC address
    > can sometimes hijack traffic for a host on another VLAN.
    > 3. Some switches flood ARP requests across VLANs.
    > 4. Some switches flood all traffic under heavy load.
    > 5. Few switches and routers have adequate configuration security.
    > Don't depend on VLANs to guarantee the separation of two networks
    > that *must* be separated. Your security is only as good as the
    > weakest element in your infrastructure and the security of most
    > switches (and to a lesser extent routers) is pretty weak.
    > JMH
    > Ware, Larry wrote:
    > >Forgive a long out of field, and now working on getting back up to speed
    > >firewall admin, but would someone care to educate me concerning the security
    > >issues related to VLAN's? I have lots of them, and need to know why a VLAN
    > >is not an effective adjunct to firewall and router security policies.
    > >-larry
    > >
    > _______________________________________________
    > firewall-wizards mailing list
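An added example, not part of this thread and not code from any of its authors: the two symptoms John lists that a defender can actually look for on the wire are (1) tagged frames for some other VLAN turning up on an access port, and (2) one source MAC showing up in more than one VLAN, which is what a shared forwarding database looks like from the outside. The script below parses constructed 802.1Q frames, checks each one against a hypothetical port-to-VLAN map (port names, VLAN numbers and MAC addresses are all made up for the example), and reports both conditions. The inputs would normally come from a port mirror or tap on each access port.

```python
import struct
from collections import defaultdict

# Hypothetical access-port configuration: port name -> the VLAN that port is
# supposed to carry. Names and VLAN numbers are constructed for this example.
PORT_VLAN = {"Gi0/1": 10, "Gi0/2": 10, "Gi0/3": 20}

TPID_8021Q = 0x8100


def build_frame(dst_mac, src_mac, vid=None, ethertype=0x0800, payload=b""):
    """Build an Ethernet frame; with vid set, insert an 802.1Q tag.
    MACs are given as 12 hex digits. Used only to construct sample input."""
    header = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vid is not None:
        # TCI: PCP and DEI left at zero, VLAN ID in the low 12 bits.
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid, ethertype). vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID
    return dst, src, vid, ethertype


def audit(observations, port_vlan):
    """observations: list of (port, frame_bytes) as seen on each access port.
    Returns a dict with:
      leaks           - frames tagged for a VLAN other than the port's own
      multi_vlan_macs - source MACs that showed up in more than one VLAN
    """
    leaks = []
    mac_vlans = defaultdict(set)
    for port, frame in observations:
        _dst, src, vid, _etype = parse_frame(frame)
        expected = port_vlan[port]
        if vid is not None and vid != expected:
            leaks.append((port, src, vid, expected))
        # An untagged frame on an access port belongs to that port's VLAN.
        mac_vlans[src].add(expected if vid is None else vid)
    multi = {mac: sorted(v) for mac, v in mac_vlans.items() if len(v) > 1}
    return {"leaks": leaks, "multi_vlan_macs": multi}


# Constructed sample capture. Host ...:03 lives on VLAN 20 (Gi0/3); its
# broadcast turning up on Gi0/1 (VLAN 10) is the leak, and the same MAC then
# appearing with a VLAN 10 tag is the "one MAC, two VLANs" pattern.
SAMPLE_OBSERVATIONS = [
    ("Gi0/1", build_frame("001122334402", "001122334401", vid=10)),
    ("Gi0/2", build_frame("001122334401", "001122334402")),          # untagged, fine
    ("Gi0/3", build_frame("ffffffffffff", "001122334403", vid=20)),
    ("Gi0/1", build_frame("ffffffffffff", "001122334403", vid=20)),  # leak
    ("Gi0/2", build_frame("001122334401", "001122334403", vid=10)),
]

if __name__ == "__main__":
    report = audit(SAMPLE_OBSERVATIONS, PORT_VLAN)
    for port, src, vid, expected in report["leaks"]:
        print(f"LEAK: VLAN {vid} frame from {src} on {port} (port is VLAN {expected})")
    for mac, vlans in report["multi_vlan_macs"].items():
        print(f"MULTI-VLAN MAC: {mac} seen in VLANs {vlans}")
```

A single hit from either check is worth chasing, but the leak check is the stronger one: a frame tagged for VLAN 20 should never be delivered out of a VLAN 10 access port no matter how loaded the switch is, which is exactly the behaviour points 1 and 4 above describe. The multi-VLAN MAC check is noisier (a legitimately multihomed host trips it too), so it is better treated as a prompt to look at the switch's MAC table than as an alarm on its own.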

