RE: [fw-wiz] VLAN Security

From: Melson, Paul
Date: 06/08/04

    To: "Jeff Boles" <>, <>
    Date: Tue, 8 Jun 2004 15:05:16 -0400

    > -----Original Message-----
    > Anyone care to voice their consensus on contemporary
    > VLAN implementations as a security measure? I'm
    > looking at a WAN design using a newly rolled out
    > MetroEthernet product, and the provider network is built
    > on Catalyst switches and VLANs. Every customer rides
    > a separate VLAN. The provider's intention is to also
    > provide ISP services across this cloud.

    The main issue for 802.1Q VLANs is that some implementations are
    susceptible to "hopping" attacks. The attacker has to know the proper
    802.1Q VLAN ID tag and the MAC address of the victim in order to hop
    VLANs, but this information is often much easier to come by than it
    ought to be. (Usually all you need is a read-only SNMP community.
    Sometimes not even that -- how many of your switches have a VLAN with an
    ID of '1'?)

    Some light reading:

    > Anybody care to voice an argument on VLAN integrity
    > in the provider network?

    I wouldn't trust it if I didn't put it in and test it myself or see that
    it was analyzed and certified by a third party qualified to do so. That
    said, you may opt to mitigate these risks by using other access control,
    encryption, or authentication mechanisms. For instance, restricting
    traffic so that only IPSec tunnels can cross the cloud would negate the
    issue of whether or not the VLANs were secure.

    firewall-wizards mailing list
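The two things the reply above says make hopping cheap, VLAN 1 left in service and a read-only SNMP community that gives away the VLAN and MAC tables, are both visible in a switch's configuration. The following audit script is an added example and is not code from the thread or from any vendor; it assumes Cisco IOS-style syntax (`switchport mode`, `switchport trunk native vlan`, `switchport access vlan`, `snmp-server community <name> RO|RW [acl]`) and runs against a constructed sample running-config embedded in the file. The function names and the severity of each finding are the author's own choices.

```python
"""Audit an IOS-style switch config for the weak spots the reply points at:
VLAN 1 still carrying traffic, and SNMP communities that hand out the
VLAN/MAC tables.  Sample config is constructed, not from a real device."""
import re
from dataclasses import dataclass

# Constructed sample running-config (hypothetical provider edge switch).
SAMPLE_CONFIG = """\
hostname metro-edge-1
snmp-server community public RO
snmp-server community s3cr3t-rw RW
!
interface GigabitEthernet0/1
 description uplink to provider core
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet0/2
 description customer A
 switchport mode access
 switchport access vlan 120
!
interface GigabitEthernet0/3
 description customer B (no access VLAN set, so IOS defaults it to VLAN 1)
 switchport mode access
!
interface GigabitEthernet0/4
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 120,130
"""

# Communities that every scanner tries first.
WELL_KNOWN_COMMUNITIES = {"public", "private"}


@dataclass
class Finding:
    location: str   # "snmp" or the interface name
    message: str


def parse_interfaces(config_text):
    """Map each 'interface X' stanza to the list of its indented config lines."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def audit_snmp(config_text):
    """Flag default community strings and communities with no ACL attached."""
    findings = []
    pattern = r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?\s*$"
    for m in re.finditer(pattern, config_text, re.M):
        community, access, acl = m.group(1), m.group(2), m.group(3)
        if community.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(Finding("snmp",
                f"default community '{community}' with {access} access"))
        elif acl is None:
            findings.append(Finding("snmp",
                f"community '{community}' ({access}) has no ACL; even RO "
                "exposes VLAN IDs and MAC tables to anyone who can reach the switch"))
    return findings


def audit_interfaces(config_text):
    """Flag trunks whose native VLAN is 1 and access ports sitting in VLAN 1."""
    findings = []
    for iface, lines in parse_interfaces(config_text).items():
        mode = None
        native_vlan = 1   # IOS default native VLAN on a trunk
        access_vlan = 1   # IOS default VLAN for an access port
        for line in lines:
            if line.startswith("switchport mode "):
                mode = line.split()[-1]
            elif line.startswith("switchport trunk native vlan "):
                native_vlan = int(line.split()[-1])
            elif line.startswith("switchport access vlan "):
                access_vlan = int(line.split()[-1])
        if mode == "trunk" and native_vlan == 1:
            findings.append(Finding(iface,
                "trunk sends untagged frames in VLAN 1 (default native VLAN)"))
        if mode == "access" and access_vlan == 1:
            findings.append(Finding(iface, "access port left in VLAN 1 (default VLAN)"))
    return findings


def audit_config(config_text):
    """Run every check and return the combined list of findings."""
    return audit_snmp(config_text) + audit_interfaces(config_text)


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f.location}: {f.message}")
```

On the sample above the script reports four findings: the `public` read-only community, the read-write community with no ACL, the uplink trunk whose native VLAN is 1, and the customer port that fell into VLAN 1 by default. Feed it `show running-config` output from each switch in the cloud and an empty result is the baseline you would want before trusting the VLAN separation at all; the reply's stronger advice, allowing only IPsec across the cloud, still holds regardless of what the audit says.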
