RE: Re: [fw-wiz] Vlan's as effective security measures?

From: Brian Ford (brford_at_cisco.com)
Date: 02/13/04

    To: hugh_fraser@dofasco.ca
    Date: Fri, 13 Feb 2004 13:44:05 -0500
    
    

    Hugh,

    Please see my comments in line:

    At 11:58 AM 2/13/2004 -0500, hugh_fraser@dofasco.ca wrote:
    >Regardless of the VLAN technology chosen, the basic reason for investing
    >in this kind of technology is to manage bandwidth and isolate traffic,
    >not provide security.

    I don't agree with your wording here. You seem to be implying that VLANs
    cannot be made secure at all. In fact, VLAN technology can be
    secured. Whether or not the level of security achieved in a particular
    design provides acceptable risk is a design issue that is reviewed all the time.

    > As such, the vendors haven't invested a lot in
    >security.

    That's a blanket statement that, based on my own experience with my
    employer, I would disagree with.

    >But beyond that, there are basic authentication issues that
    >make it difficult to implement a strong security solution based upon
    >VLANs.
    >
    >Policies controlling access to VLANs depend upon some method of
    >identifying the client, and it's usually either a MAC address or a
    >switch port.

    802.1X solutions can go far beyond this. We can examine credentials on the
    user's computer or the user's login to the network. Or we can just challenge
    them when they attempt to connect.

    >MAC addresses are readily obtained and almost as easily
    >forged as IP addresses, allowing access to a MAC-based VLAN. Port-based
    >identification relies on restricted access to the ports themselves, or
    >to the drop connected to the port.
    >
    >In both cases, bypassing the VLAN security isn't something that happens
    >by accident, but if you're concerned about security you're planning for
    >malicious activity. Newer technologies can do stronger authentication at
    >the port, but aren't widely used. And it's possible to configure most
    >networking infrastructure to alert you to unexpected changes if they
    >occur, but this information is rarely incorporated into a security
    >auditing system, and generally goes unnoticed except by the network
    >group when they're debugging problems.
    >
    >It requires extra diligence to ensure that VLANs provide anywhere near
    >the security most people expect. In my experience, this extra diligence
    >doesn't happen, and VLANs are incorrectly understood to provide secure
    >channels.

    Diligence is the key. It's an important part of the network design process
    and should be exercised when using any feature.

    Liberty for All,

    Brian

    > > -----Original Message-----
    > > From: Brian Ford [mailto:brford@cisco.com]
    > > Sent: Thursday, February 12, 2004 1:14 PM
    > > To: firewall-wizards@honor.icsalabs.com
    > > Cc: jhall@ptavvs.net; Ware, Larry
    > > Subject: Re: Re: [fw-wiz] Vlan's as effective security measures?
    > >
    > >
    > > John,
    > >
    > > And cars crash and cars burn and people are dying in cars all the
    > > time. And cars can be made to carry disease and explosives and kill
    > > many people with just one car and driver! So let's all abandon our
    > > cars and start walking to work every morning. If we're late the boss
    > > will understand because cars are dangerous. ;-)
    > >
    > > You should probably research the switch that you buy and use in order
    > > to make sure that it doesn't do these things.
    > >
    > > Your mileage may vary!
    > >
    > > Liberty for All,
    > >
    > > Brian
    > >
    > > At 12:00 PM 2/10/2004 -0500,
    > > firewall-wizards-request@honor.icsalabs.com wrote:
    > > >Message: 4
    > > >Date: Mon, 09 Feb 2004 12:52:31 -0800
    > > >From: John Hall <jhall@ptavvs.net>
    > > >To: "Ware, Larry" <LWare@e-one.com>
    > > >Cc: "'firewall-wizards@honor.icsalabs.com'"
    > > ><firewall-wizards@honor.icsalabs.com>
    > > >Subject: Re: [fw-wiz] Vlan's as effective security measures?
    > > >
    > > >
    > > >1. A surprising number of network devices' VLAN implementations
    > > >   will leak packets between VLANs under heavy loads, or in some
    > > >   cases randomly all the time.
    > > >2. Some switches have a single forwarding database which includes
    > > >   VLAN tags and a host presenting a carefully chosen MAC address
    > > >   can sometimes hijack traffic for a host on another VLAN.
    > > >3. Some switches flood ARP requests across VLANs.
    > > >4. Some switches flood all traffic under heavy load.
    > > >5. Few switches and routers have adequate configuration security.
    > > >
    > > >Don't depend on VLANs to guarantee the separation of two networks
    > > >that *must* be separated. Your security is only as good as the
    > > >weakest element in your infrastructure and the security of most
    > > >switches (and to a lesser extent routers) is pretty weak.
    > > >
    > > >JMH
    > > >
    > > >Ware, Larry wrote:
    > > >
    > > > >Forgive a long out of field, and now working on getting back up to
    > > > >speed firewall admin, but would someone care to educate me
    > > > >concerning the security issues related to VLAN's? I have lots of
    > > > >them, and need to know why a VLAN is not an effective adjunct to
    > > > >firewall and router security policies. -larry
    > > > >
    > >
    > >
    > > Brian Ford
    > > Consulting Engineer, Security & Integrity Specialist
    > > Office of Strategic Technology Planning
    > > Cisco Systems Inc.
    > > http://www.cisco.com/go/safe/
    > >
    > > The opinions expressed in this message are those of the author and
    > > not necessarily those of Cisco Systems, Inc.
    > >
    > > This email address is transmitted from San Jose, California, U.S.A.
    > >
    > >
    > > _______________________________________________
    > > firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
    > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    > >

    Brian Ford
    Consulting Engineer, Security & Integrity Specialist
    Office of Strategic Technology Planning
    Cisco Systems Inc.
    http://www.cisco.com/go/safe/

    The opinions expressed in this message are those of the author and not
    necessarily those of Cisco Systems, Inc.

    This email address is transmitted from San Jose, California, U.S.A.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
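The thread above makes two practical points that are easy to act on: a MAC address is trivially forged, so a MAC-based VLAN assignment can be hijacked, and switches can report unexpected changes but that data rarely reaches anyone doing security auditing. The following script is an added example written for this archive page; it is not code from any of the posters or from Cisco. It compares a baselined switch MAC address table against a current one and flags the symptoms discussed in the thread: a MAC that has moved to a different port or VLAN (possible spoofing into a MAC-based VLAN), a MAC that is present in more than one VLAN at once (the shared-forwarding-database hijack case from John Hall's list), and a MAC that was never baselined. The table text mimics the column layout of Cisco IOS "show mac address-table" output, but every line is constructed for the example; the function and finding names are the author's own.

```python
"""Audit a switch MAC address table for VLAN-bypass symptoms.

Added example: baseline-vs-current diff of a MAC table. Both tables are
constructed sample text in the column layout of Cisco IOS
"show mac address-table"; they are not captured from a real switch.
"""
import re
from collections import defaultdict

# Constructed baseline: each host lives on exactly one port in one VLAN.
BASELINE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4466    DYNAMIC     Fa0/2
  20    00aa.bbcc.dd01    DYNAMIC     Fa0/5
  30    00aa.bbcc.dd99    DYNAMIC     Fa0/9
"""

# Constructed current table: Fa0/7 is now presenting a VLAN 10 host's MAC
# and a VLAN 20 host's MAC, and an unknown MAC has appeared on Fa0/9.
CURRENT = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4466    DYNAMIC     Fa0/7
  20    00aa.bbcc.dd01    DYNAMIC     Fa0/5
  10    00aa.bbcc.dd01    DYNAMIC     Fa0/7
  30    00aa.bbcc.dd99    DYNAMIC     Fa0/9
  30    0000.0000.0001    DYNAMIC     Fa0/9
"""

# One data row: VLAN id, dotted-hex MAC, entry type, port. Header and
# separator lines do not start with a digit and are skipped.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_table(text):
    """Return {mac: {(vlan, port), ...}} from MAC-table text."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, port = int(m.group(1)), m.group(2).lower(), m.group(3)
            entries[mac].add((vlan, port))
    return entries


def audit(baseline_text, current_text):
    """Diff two tables and return a list of (kind, mac, detail) findings.

    MULTI_VLAN: the same MAC is learned in more than one VLAN at once.
    MOVED:      a known MAC is now learned on a (vlan, port) it was not
                baselined on, e.g. a forged MAC on another drop.
    NEW_MAC:    a MAC absent from the baseline appeared on (vlan, port).
    """
    base = parse_table(baseline_text)
    cur = parse_table(current_text)
    findings = []
    for mac, locs in cur.items():
        vlans = {vlan for vlan, _ in locs}
        if len(vlans) > 1:
            findings.append(("MULTI_VLAN", mac, sorted(vlans)))
        if mac not in base:
            for loc in sorted(locs):
                findings.append(("NEW_MAC", mac, loc))
            continue
        for loc in sorted(locs - base[mac]):
            findings.append(("MOVED", mac, loc))
    return findings


if __name__ == "__main__":
    for kind, mac, detail in audit(BASELINE, CURRENT):
        print(f"{kind:10s} {mac}  {detail}")
```

Run against the constructed tables it reports the VLAN 10 host that moved from Fa0/2 to Fa0/7, the VLAN 20 MAC now seen in both VLAN 10 and VLAN 20, and the unknown MAC on Fa0/9; a table compared with itself produces no findings. In practice the baseline would be taken from a known-good state and the current table pulled on a schedule, with findings forwarded to whatever log collector the security group already watches, which is the step the thread observes is usually missing.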

