Re: Re: [fw-wiz] Vlan's as effective security measures?

From: Brian Ford (brford_at_cisco.com)
Date: 02/12/04

  • Next message: Luke Butcher: "Re: [fw-wiz] Transparent proxying"
    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 12 Feb 2004 13:13:55 -0500
    
    

    John,

    And cars crash and cars burn and people are dying in cars all the
    time. And cars can be made to carry disease and explosives and kill many
    people with just one car and driver! So let's all abandon our cars and
    start walking to work every morning. If we're late the boss will
    understand because cars are dangerous. ;-)

    You should probably research the switch that you buy and use in order to
    make sure that it doesn't do these things.

    Your mileage may vary!

    Liberty for All,

    Brian

    At 12:00 PM 2/10/2004 -0500, firewall-wizards-request@honor.icsalabs.com wrote:
    >Message: 4
    >Date: Mon, 09 Feb 2004 12:52:31 -0800
    >From: John Hall <jhall@ptavvs.net>
    >To: "Ware, Larry" <LWare@e-one.com>
    >Cc: "'firewall-wizards@honor.icsalabs.com'"
    ><firewall-wizards@honor.icsalabs.com>
    >Subject: Re: [fw-wiz] Vlan's as effective security measures?
    >
    >
    >1. A surprising number of network devices' VLAN implementations
    > will leak packets between VLANs under heavy loads, or in some
    > cases randomly all the time.
    >2, Some switches have a single forwarding database which includes
    > VLAN tags and a host presenting a carefully chosen MAC address
    > can sometimes hijack traffic for a host on another VLAN.
    >3. Some switches flood ARP requests across VLANs.
    >4. Some switches flood all traffic under heavy load.
    >5. Few switches and routers have adequate configuration security.
    >
    >Don't depend on VLANs to guarantee the separation of two networks
    >that *must* be separated. Your security is only as good as the
    >weakest element in your infrastructure and the security of most
    >switches (and to a lesser extent routers) is pretty weak.
    >
    >JMH
    >
    >Ware, Larry wrote:
    >
    > >Forgive a long out of field, and now working on getting back up to speed
    > >firewall admin, but would someone care to educate me concerning the security
    > >issues related to VLAN's? I have lots of them, and need to know why a VLAN
    > >is not an effective adjunct to firewall and router security policies.
    > >-larry
    > >

    Brian Ford
    Consulting Engineer, Security & Integrity Specialist
    Office of Strategic Technology Planning
    Cisco Systems Inc.
    http://www.cisco.com/go/safe/

    The opinions expressed in this message are those of the author and not
    necessarily those of Cisco Systems, Inc..

    This email address is transmitted from San Jose, California, U.S.A..

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Luke Butcher: "Re: [fw-wiz] Transparent proxying"

    Relevant Pages

    • RE: Re: [fw-wiz] Vlans as effective security measures?
      ... Regardless of the VLAN technology chosen, ... not provide security. ... > And cars crash and cars burn and people are dying in cars all the ...
      (Firewall-Wizards)
    • Risks Digest 27.74
      ... ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ... EU has secret plan for police to 'remote stop' cars ... Bad Domain Registrar Security Leads to Loss of Valuable Twitter Handle ...
      (comp.risks)
    • VLAN on Cisco Catalyst
      ... I am getting conflicting advice from various sources concerning VLAN security. ... I have several Catalyst 2950 switches in my network, running one VLAN with public access, and domain-controlled workstations on another. ...
      (comp.security.misc)
    • Re: VLAN on Cisco Catalyst
      ... I have several Catalyst 2950 switches in my network ... commanding higher security in the same physical space ... connected to other Catalysts are set to Trunk mode, and ports towards ... Most of the obvious vlan hopping attacks were ...
      (comp.security.misc)
    • Re: [Fedora] Seeing input on Securing the Linux system from intrusions and attacks.
      ... I didn't say anything about marketing hype either. ... Of course, security is important, but Red Hat Secure Linux would be a very different product, wouldn't you think? ... Does the fact that GM sells big cars, small cars, cheap cars & expensive cars mean there's anrthing wrong with any of them? ... Installing a service would imply all appropriate support packages - sendmail+spamassassin+mimedefang, and guidance on getting them up and running securely. ...
      (Fedora)