Re: [fw-wiz] Vlan's as effective security measures?

From: Todd Joseph (todd_at_connactivity.connactivity.com)
Date: 02/13/04

  • Next message: kaptain: "RE: [fw-wiz] Transparent proxying"
    To: Brian Ford <brford@cisco.com>
    Date: Thu, 12 Feb 2004 18:26:50 -0500
    
    

    The Cisco bug DB has plenty of entries for switches with "bleeding
    VLAN" woes. Careful driving your own car. :)

    VLANs are a cheap/convenient way of defining subnets and moving ports
    logically. A separate switch (or switches) for each subnet is a clear
    win over VLANs -- it just costs more (in hardware and cable/port
    management).

    Fortunately, there's still lots of cheap Cisco (and other) gear on
    eBay - making it more $$ effective than some realize.

    Todd
    ----------------
    >John,
    >
    >And cars crash and cars burn and people are dying in cars all the
    >time. And cars can be made to carry disease and explosives and kill many
    >people with just one car and driver! So let's all abandon our cars and
    >start walking to work every morning. If we're late the boss will
    >understand because cars are dangerous. ;-)
    >
    >You should probably research the switch that you buy and use in order to
    >make sure that it doesn't do these things.
    >
    >Your mileage may vary!
    >
    >Liberty for All,
    >
    >Brian
    >
    >At 12:00 PM 2/10/2004 -0500, firewall-wizards-request@honor.icsalabs.com wrote:
    >>Message: 4
    >>Date: Mon, 09 Feb 2004 12:52:31 -0800
    >>From: John Hall <jhall@ptavvs.net>
    >>To: "Ware, Larry" <LWare@e-one.com>
    >>Cc: "'firewall-wizards@honor.icsalabs.com'"
    >><firewall-wizards@honor.icsalabs.com>
    >>Subject: Re: [fw-wiz] Vlan's as effective security measures?
    >>
    >>
    >>1. A surprising number of network devices' VLAN implementations
    >> will leak packets between VLANs under heavy loads, or in some
    >> cases randomly all the time.
    >>2. Some switches have a single forwarding database which includes
    >> VLAN tags and a host presenting a carefully chosen MAC address
    >> can sometimes hijack traffic for a host on another VLAN.
    >>3. Some switches flood ARP requests across VLANs.
    >>4. Some switches flood all traffic under heavy load.
    >>5. Few switches and routers have adequate configuration security.
    >>
    >>Don't depend on VLANs to guarantee the separation of two networks
    >>that *must* be separated. Your security is only as good as the
    >>weakest element in your infrastructure and the security of most
    >>switches (and to a lesser extent routers) is pretty weak.
    >>
    >>JMH
    >>
    >>Ware, Larry wrote:
    >>
    >> >Forgive a long out of field, and now working on getting back up to speed
    >> >firewall admin, but would someone care to educate me concerning the security
    >> >issues related to VLAN's? I have lots of them, and need to know why a VLAN
    >> >is not an effective adjunct to firewall and router security policies.
    >> >-larry
    >> >
    >
    >
    >Brian Ford
    >Consulting Engineer, Security & Integrity Specialist
    >Office of Strategic Technology Planning
    >Cisco Systems Inc.
    >http://www.cisco.com/go/safe/
    >
    >The opinions expressed in this message are those of the author and not
    >necessarily those of Cisco Systems, Inc.
    >
    >This email address is transmitted from San Jose, California, U.S.A.
    >
    >
    >_______________________________________________
    >firewall-wizards mailing list
    >firewall-wizards@honor.icsalabs.com
    >http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


