RE: [fw-wiz] VLAN Security
From: Melson, Paul (PMelson_at_sequoianet.com)
To: "Jeff Boles" <email@example.com>, <firstname.lastname@example.org>
Date: Tue, 8 Jun 2004 15:05:16 -0400
> -----Original Message-----
> Anyone care to voice their consensus on contemporary
> VLAN implementations as a security measure? I'm
> looking at a WAN design using a newly rolled out
> MetroEthernet product, and provider network is built
> on catalyst switches and VLAN's. Every customer rides
> a separate VLAN. The provider's intention is to also
> provide ISP services across this cloud.
The main issue for 802.1Q VLANs is that some implementations are
susceptible to "hopping" attacks. The attacker has to know the proper
802.1Q VLAN ID tag and the MAC address of the victim in order to hop
VLANs, but this information is often much easier to come by than it
ought to be. (Usually all you need is a read-only SNMP community.
Sometimes not even that -- how many of your switches have a VLAN with an
ID of '1'?)
Some light reading:
> Anybody care to voice an argument on VLAN integrity
> in the provider network?
I wouldn't trust it if I didn't put it in and test it myself or see that
it was analyzed and certified by a third party qualified to do so. That
said, you may opt to mitigate these risks by using other access control,
encryption, or authentication mechanisms. For instance, restricting
traffic so that only IPSec tunnels can cross the cloud would negate the
issue of whether or not the VLANs were secure.
firewall-wizards mailing list
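The reply above says a hopping attack needs the victim's 802.1Q VLAN ID and MAC address and hints at VLAN 1 as the usual weak spot. The following is an added example written for this page, not code from the original post or from any switch vendor. It models the classic double-tagging case as background the post does not spell out: a frame sent with an outer tag equal to the trunk's native VLAN (VLAN 1 by default on Catalyst trunks) loses that tag when it crosses the trunk, and the inner tag then decides which VLAN the frame is delivered to on the far side. Every function name, the simplified trunk rule, the MAC addresses and the payload are assumptions made for illustration.

```python
"""802.1Q tag handling and the native-VLAN double-tagging case (added example).

The switch model below is a deliberate simplification: a frame whose outer tag
equals the trunk's native VLAN is forwarded across the trunk untagged, and the
receiving switch classifies a trunk frame by its outer tag, or by the native
VLAN when no tag is present.  It is not any vendor's forwarding code.
"""
import struct

ETHERTYPE_8021Q = 0x8100  # 802.1Q tag protocol identifier (TPID)
ETHERTYPE_IPV4 = 0x0800


def _mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst_mac: str, src_mac: str, vlan_ids, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet frame with zero or more stacked 802.1Q tags.

    vlan_ids[0] becomes the outer tag.  PCP and DEI bits are left at zero, so
    the 16-bit TCI is just the VLAN ID.
    """
    frame = _mac_to_bytes(dst_mac) + _mac_to_bytes(src_mac)
    for vid in vlan_ids:
        if not 0 <= vid <= 4095:
            raise ValueError(f"VLAN ID out of range: {vid}")
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, [vlan ids outer->inner], ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = _bytes_to_mac(frame[0:6]), _bytes_to_mac(frame[6:12])
    off, vlans = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        if struct.unpack_from("!H", frame, off)[0] != ETHERTYPE_8021Q:
            break
        if off + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, vlans, ethertype, frame[off + 2:]


def cross_trunk(frame: bytes, native_vlan: int) -> bytes:
    """Forward a frame from an access port onto an 802.1Q trunk (simplified).

    Traffic in the native VLAN is carried untagged, so an outer tag equal to
    the native VLAN is stripped.  Anything else is forwarded unchanged.
    """
    dst, src, vlans, ethertype, payload = parse_frame(frame)
    if vlans and vlans[0] == native_vlan:
        return build_frame(dst, src, vlans[1:], ethertype, payload)
    return frame


def classify_on_ingress(frame: bytes, native_vlan: int) -> int:
    """Receiving switch: the VLAN a trunk frame is delivered to."""
    _, _, vlans, _, _ = parse_frame(frame)
    return vlans[0] if vlans else native_vlan


def hop_attempt(attacker_vlan: int, victim_vlan: int, native_vlan: int, victim_mac: str) -> int:
    """Send a double-tagged frame [attacker_vlan, victim_vlan] across one trunk
    and return the VLAN it ends up in.  The attacker needs exactly the two
    facts the post mentions: the victim's VLAN ID and MAC address."""
    # Constructed sample payload: a zero-filled IPv4 header, enough for the demo.
    frame = build_frame(victim_mac, "00:11:22:33:44:55",
                        [attacker_vlan, victim_vlan], ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    return classify_on_ingress(cross_trunk(frame, native_vlan), native_vlan)


if __name__ == "__main__":
    victim = "00:aa:bb:cc:dd:ee"  # constructed address
    print("native VLAN 1, attacker in VLAN 1 ->", hop_attempt(1, 200, 1, victim))    # 200: hopped
    print("native VLAN 999, attacker in VLAN 1 ->", hop_attempt(1, 200, 999, victim))  # 1: stays put
```

The second run shows the usual check: when the trunk's native VLAN is an unused ID rather than the default 1 (or the native VLAN is tagged as well), the outer tag survives the trunk and the frame stays in the attacker's own VLAN. Note also that the hop is one-way: the victim's replies follow the normal VLAN, which is one reason the post's advice to rely on IPsec rather than on VLAN integrity is sound.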