Re: [fw-wiz] Vlan's as effective security measures?
From: Todd Joseph (todd_at_connactivity.connactivity.com)
To: Brian Ford <email@example.com>
Date: Thu, 12 Feb 2004 18:26:50 -0500
The Cisco bug DB has plenty of entries for switches with "bleeding
VLAN" woes. Careful driving your own car. :)
VLANs are a cheap/convenient way of defining subnets and moving ports
logically. A separate switch (or switches) for each subnet is a clear
win over VLANs -- it just costs more (in hardware and cable/port
Fortunately, there's still lots of cheap Cisco (and other) gear on
Ebay - making it more $$ effective than some realize.
>And cars crash and cars burn and people are dying in cars all the
>time. And cars can be made to carry disease and explosives and kill many
>people with just one car and driver! So let's all abandon our cars and
>start walking to work every morning. If we're late the boss will
>understand because cars are dangerous. ;-)
>You should probably research the switch that you buy and use in order to
>make sure that it doesn't do these things.
>Your mileage may vary!
>Liberty for All,
>At 12:00 PM 2/10/2004 -0500, firstname.lastname@example.org wrote
>>Date: Mon, 09 Feb 2004 12:52:31 -0800
>>From: John Hall <email@example.com>
>>To: "Ware, Larry" <LWare@e-one.com>
>>Subject: Re: [fw-wiz] Vlan's as effective security measures?
>>1. A surprising number of network devices' VLAN implementations
>> will leak packets between VLANs under heavy loads, or in some
>> cases randomly all the time.
>>2. Some switches have a single forwarding database which includes
>> VLAN tags and a host presenting a carefully chosen MAC address
>> can sometimes hijack traffic for a host on another VLAN.
>>3. Some switches flood ARP requests across VLANs.
>>4. Some switches flood all traffic under heavy load.
>>5. Few switches and routers have adequate configuration security.
>>Don't depend on VLANs to guarantee the separation of two networks
>>that *must* be separated. Your security is only as good as the
>>weakest element in your infrastructure and the security of most
>>switches (and to a lesser extent routers) is pretty weak.
>>Ware, Larry wrote:
>> >Forgive a long out of field, and now working on getting back up to speed
>> >firewall admin, but would someone care to educate me concerning the security
>> >issues related to VLAN's? I have lots of them, and need to know why a VLAN
>> >is not an effective adjunct to firewall and router security policies.
>Consulting Engineer, Security & Integrity Specialist
>Office of Strategic Technology Planning
>Cisco Systems Inc.
>The opinions expressed in this message are those of the author and not
>necessarily those of Cisco Systems, Inc.
>This email address is transmitted from San Jose, California, U.S.A.
>firewall-wizards mailing list
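An added audit script, not from anyone in this thread, that checks frames captured on a single access port for two of the symptoms John Hall lists: 802.1Q-tagged frames from another VLAN showing up on the port (items 1 and 4) and ARP requests whose sender belongs to a foreign subnet (item 3). The frame bytes, MAC addresses and the 10.10.0.0/24 subnet are constructed; getting a real capture from the port is left to whatever sniffer is in use.

```python
"""Audit frames captured on one access port for VLAN bleed: leaked 802.1Q tags, foreign-subnet ARP."""
import ipaddress
import struct

ETH_8021Q, ETH_ARP, ETH_IPV4 = 0x8100, 0x0806, 0x0800  # 802.1Q TPID, ARP, IPv4

def parse_frame(raw):
    """Return (vid, ethertype, payload); vid is None when the frame is untagged."""
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != ETH_8021Q:
        return None, ethertype, raw[14:]
    tci, inner_type = struct.unpack("!HH", raw[14:18])  # TCI: PCP/DEI/VID
    return tci & 0x0FFF, inner_type, raw[18:]

def arp_sender_ip(payload):
    """Sender protocol address of an Ethernet/IPv4 ARP body (bytes 14..17)."""
    return ipaddress.IPv4Address(payload[14:18]) if len(payload) >= 28 else None

def audit_access_port(frames, expected_subnet):
    """Return (index, reason) for every frame an access port in expected_subnet should never see."""
    subnet = ipaddress.IPv4Network(expected_subnet)
    findings = []
    for i, raw in enumerate(frames):
        vid, ethertype, payload = parse_frame(raw)
        if vid is not None:  # an access port delivers untagged frames only
            findings.append((i, f"tagged frame for VLAN {vid} leaked onto access port"))
        elif ethertype == ETH_ARP:
            sender = arp_sender_ip(payload)
            # 0.0.0.0 is a normal DHCP/ARP probe sender, not evidence of a leak
            if sender is not None and not sender.is_unspecified and sender not in subnet:
                findings.append((i, f"ARP from foreign-subnet host {sender}"))
    return findings

def build_frame(dst, src, ethertype, payload, vid=None):
    tag = struct.pack("!HHH", ETH_8021Q, vid, ethertype) if vid is not None else struct.pack("!H", ethertype)
    return dst + src + tag + payload

def build_arp_request(src_mac, src_ip, target_ip):
    return (struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1) + src_mac
            + ipaddress.IPv4Address(src_ip).packed + b"\x00" * 6
            + ipaddress.IPv4Address(target_ip).packed)

BCAST = b"\xff" * 6  # constructed sample data below, not a real capture
HOST_A, HOST_B, HOST_C = (bytes.fromhex(h) for h in ("020000000a05", "020000001407", "02000000c809"))
SAMPLE_FRAMES = [
    build_frame(BCAST, HOST_A, ETH_ARP, build_arp_request(HOST_A, "10.10.0.5", "10.10.0.1")),
    build_frame(BCAST, HOST_B, ETH_IPV4, b"\x45" + b"\x00" * 19, vid=20),
    build_frame(BCAST, HOST_C, ETH_ARP, build_arp_request(HOST_C, "192.168.50.9", "192.168.50.1")),
]
```

Calling `audit_access_port(SAMPLE_FRAMES, "10.10.0.0/24")` flags frames 1 (tagged for VLAN 20) and 2 (ARP from 192.168.50.9) and leaves the local ARP request alone.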