Re: [fw-wiz] Vlan's as effective security measures?

From: Brian Ford (brford_at_cisco.com)
Date: 02/12/04

  • Next message: Brian Ford: "Re: Re: [fw-wiz] Vlan's as effective security measures?"
    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 12 Feb 2004 13:06:26 -0500
    
    

    Larry,

    If you search some of the presentations that have been given at conferences
    like DefCon or BlackHat (or Cisco Networkers) over the past 2 years you'll
    find the scoop about the security of VLANs. We should all say thank you
    to Dug Song.

    At the end of your message you quoted something about:

    >the claim that nothing can possibly
    > > > leak across a blade enclosure
    > > > backplane sounds a lot like the old claims about VLANs being
    > > > effective security devices

    Just to be clear, but based on my own experience with switches, if you are
    looking at leaks from "blade enclosure backplanes" you might as well start
    looking for leakage from PCI slot connectors and PCB boards. There is no
    comparison between switch physical back plane architecture and VLAN security.

    If you are concerned about protecting the back plane of a switch then use
    steel doors, good locks, and a good physical security policy.

    Liberty for All,

    Brian

    At 12:00 PM 2/10/2004 -0500, firewall-wizards-request@honor.icsalabs.com wrote:
    >Message: 3
    >From: "Ware, Larry" <LWare@e-one.com>
    >To: "'firewall-wizards@honor.icsalabs.com'"
    ><firewall-wizards@honor.icsalabs.com>
    >Date: Mon, 9 Feb 2004 14:00:48 -0500
    >Subject: [fw-wiz] Vlan's as effective security measures?
    >
    >Forgive a long out of field, and now working on getting back up to speed
    >firewall admin, but would someone care to educate me concerning the security
    >issues related to VLAN's? I have lots of them, and need to know why a VLAN
    >is not an effective adjunct to firewall and router security policies.
    >-larry
    >
    > > -----Original Message-----
    >
    ><snip>
    > > >
    > > > My immediate response is no - the claim that nothing can possibly
    > > > leak across a blade enclosure
    > > > backplane sounds a lot like the old claims about VLANs being
    > > > effective security devices -
    ><snip>
    >

    Brian Ford
    Consulting Engineer, Security & Integrity Specialist
    Office of Strategic Technology Planning
    Cisco Systems Inc.
    http://www.cisco.com/go/safe/

    The opinions expressed in this message are those of the author and not
    necessarily those of Cisco Systems, Inc.

    This email address is transmitted from San Jose, California, U.S.A.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

