Re: [fw-wiz] Vlan's as effective security measures?
From: Todd Joseph (todd_at_connactivity.connactivity.com)
Date: 02/13/04
- Previous message: Yachera, Stanley: "RE: [fw-wiz] Transparent proxying"
- In reply to: Brian Ford: "Re: Re: [fw-wiz] Vlan's as effective security measures?"
- Next in thread: Brian Ford: "Re: [fw-wiz] Vlan's as effective security measures?"
- Maybe reply: hugh_fraser_at_dofasco.ca: "RE: Re: [fw-wiz] Vlan's as effective security measures?"
- Reply: Brian Ford: "Re: [fw-wiz] Vlan's as effective security measures?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Brian Ford <brford@cisco.com>
Date: Thu, 12 Feb 2004 18:26:50 -0500
The Cisco bug DB has plenty of entries for switches with "bleeding
VLAN" woes. Careful driving your own car. :)
VLANs are a cheap/convenient way of defining subnets and moving ports
logically. A separate switch (or switches) for each subnet is a clear
win over VLANs -- it just costs more (in hardware and cable/port
management).
Fortunately, there's still lots of cheap Cisco (and other) gear on
eBay - making it more $$ effective than some realize.
Todd
----------------
>John,
>
>And cars crash and cars burn and people are dying in cars all the
>time. And cars can be made to carry disease and explosives and kill many
>people with just one car and driver! So let's all abandon our cars and
>start walking to work every morning. If we're late the boss will
>understand because cars are dangerous. ;-)
>
>You should probably research the switch that you buy and use in order to
>make sure that it doesn't do these things.
>
>Your mileage may vary!
>
>Liberty for All,
>
>Brian
>
>At 12:00 PM 2/10/2004 -0500, firewall-wizards-request@honor.icsalabs.com wrote:
>>Message: 4
>>Date: Mon, 09 Feb 2004 12:52:31 -0800
>>From: John Hall <jhall@ptavvs.net>
>>To: "Ware, Larry" <LWare@e-one.com>
>>Cc: "'firewall-wizards@honor.icsalabs.com'"
>><firewall-wizards@honor.icsalabs.com>
>>Subject: Re: [fw-wiz] Vlan's as effective security measures?
>>
>>
>>1. A surprising number of network devices' VLAN implementations
>> will leak packets between VLANs under heavy loads, or in some
>> cases randomly all the time.
>>2. Some switches have a single forwarding database which includes
>> VLAN tags and a host presenting a carefully chosen MAC address
>> can sometimes hijack traffic for a host on another VLAN.
>>3. Some switches flood ARP requests across VLANs.
>>4. Some switches flood all traffic under heavy load.
>>5. Few switches and routers have adequate configuration security.
>>
>>Don't depend on VLANs to guarantee the separation of two networks
>>that *must* be separated. Your security is only as good as the
>>weakest element in your infrastructure and the security of most
>>switches (and to a lesser extent routers) is pretty weak.
>>
>>JMH
>>
>>Ware, Larry wrote:
>>
>> >Forgive a long out of field, and now working on getting back up to speed
>> >firewall admin, but would someone care to educate me concerning the security
>> >issues related to VLAN's? I have lots of them, and need to know why a VLAN
>> >is not an effective adjunct to firewall and router security policies.
>> >-larry
>> >
>
>
>Brian Ford
>Consulting Engineer, Security & Integrity Specialist
>Office of Strategic Technology Planning
>Cisco Systems Inc.
>http://www.cisco.com/go/safe/
>
>The opinions expressed in this message are those of the author and not
>necessarily those of Cisco Systems, Inc..
>
>This email address is transmitted from San Jose, California, U.S.A..
>
>
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@honor.icsalabs.com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
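The following is an added example, not code from any message in the thread. It models the second weakness in John Hall's list (a switch whose single forwarding database is keyed on MAC address alone) beside the correct per-VLAN design, so the reader can see exactly how a host on VLAN 20 ends up receiving unicast traffic meant for a host on VLAN 10. The port layout, VLAN numbers and MAC addresses are constructed for the demonstration; no real switch model is implied.

```python
"""Toy model of an Ethernet switch forwarding database (FDB).

Illustrates item 2 in John Hall's list: a switch whose single FDB is
keyed on MAC address alone lets a host on one VLAN hijack unicast traffic
for a host on another VLAN by presenting that host's MAC as its source.
Added example; not code from the thread.  Ports, VLANs and MACs below are
constructed for the demonstration.
"""

from dataclasses import dataclass, field


@dataclass
class Switch:
    """Access-port switch with source-MAC learning.

    per_vlan=False keys the FDB on the MAC only (the flawed design the
    thread warns about, "shared VLAN learning" in 802.1Q terms);
    per_vlan=True keys it on (vlan, mac) ("independent VLAN learning"),
    so an address learned in one VLAN never affects forwarding in another.
    """
    per_vlan: bool
    ports: dict                      # port number -> access VLAN of that port
    fdb: dict = field(default_factory=dict)

    def _key(self, vlan: int, mac: str):
        return (vlan, mac) if self.per_vlan else mac

    def receive(self, in_port: int, src_mac: str, dst_mac: str) -> list:
        """Learn src_mac on in_port, then return the egress port list."""
        vlan = self.ports[in_port]
        self.fdb[self._key(vlan, src_mac)] = in_port
        out = self.fdb.get(self._key(vlan, dst_mac))
        if out is None:
            # Unknown unicast: flood to every other port in the ingress VLAN.
            return sorted(p for p, v in self.ports.items()
                          if v == vlan and p != in_port)
        return [out]


def hijack_demo(per_vlan: bool) -> list:
    """Run the scenario and return where the victim client's frame goes.

    Port 1: server   (VLAN 10)
    Port 2: client   (VLAN 10)
    Port 3: attacker (VLAN 20), who spoofs the server's MAC.
    """
    SERVER = "00:00:5e:00:53:01"     # constructed addresses (documentation range)
    CLIENT = "00:00:5e:00:53:02"
    sw = Switch(per_vlan=per_vlan, ports={1: 10, 2: 10, 3: 20})

    # 1. Server talks to the client; the switch learns SERVER on port 1.
    sw.receive(1, SERVER, CLIENT)
    # 2. Attacker on VLAN 20 sends any frame with the server's MAC as source.
    #    With a MAC-only FDB this overwrites the entry learned in step 1.
    sw.receive(3, SERVER, "ff:ff:ff:ff:ff:ff")
    # 3. Client on VLAN 10 sends to the server.  Which port gets the frame?
    return sw.receive(2, CLIENT, SERVER)


if __name__ == "__main__":
    print("MAC-only FDB :", hijack_demo(per_vlan=False))   # [3]: leaks into VLAN 20
    print("per-VLAN FDB :", hijack_demo(per_vlan=True))    # [1]: stays on VLAN 10
```

Note that the VLAN tag itself is never bypassed here: the leak comes entirely from how the switch learns addresses, which is why it cannot be fixed by ACLs on the router and why the thread's advice to research the specific switch (and, for networks that *must* be separated, to use separate hardware) is the practical answer.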