Re: [fw-wiz] VLAN Security

From: Bennett Todd (bet_at_rahul.net)
Date: 06/08/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 8 Jun 2004 20:24:25 +0000
    
    
    

    2004-06-08T19:25:51 Carson Gaspar:
    > 2004-06-08T10:18:02-0700 Jeff Boles:
    > >Anyone care to voice their consensus on contemporary
    > >VLAN implementations as a security measure?
    >
    > I'm sort of a heretic in this crowd. I think VLANs are a very
    > useful security implementation tool. [...] My policy is "one
    > chassis, one trust level" [...]

    I don't know how heretical that is today. For sure, we used to
    say that VLANs aren't a security component --- when that was the
    vendors' stance. Sometime in the last year or two vendors turned
    around and last I heard, their stance was that correctly-configured
    VLANs are supported by them as a security component, they're
    believed to be leak-free and reports of leaks will be treated as
    security bugs.

    I'm glad of this; it makes possible a config that I like for certain
    applications, what I call a fully-routed net, the next step up from
    a fully-switched net. Instead of "every host gets a dedicated switch
    port, no hubs" you go up to "every host gets a dedicated router
    port, onto a firewall". Just give each switch port a separate vlan
    and 802.1q the lot into the firewall[s]. One of these days I'm
    looking forward to doing large tracts of business in-house nets that
    way.

    Even today, though, that's how I'd build out e.g. in-room network
    jacks at a hotel, or laptop jacks at a conference.

    -Bennett

    
    

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
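
The "fully-routed net" layout described in the message above, sketched as an added example that is not part of the original post: every access port gets its own VLAN and its own /30, all terminated on the firewall over one 802.1Q trunk, with inter-port forwarding denied by default. The port labels, address range, interface names (`eth0`, `eth1`) and the choice of a Linux firewall with iproute2 and nftables are assumptions made for illustration.

```python
import ipaddress

MAX_VLAN = 4094  # 802.1Q VLAN IDs are 12 bits; 0 and 4095 are reserved


def plan_ports(ports, supernet, first_vlan=100, trunk_if="eth1"):
    """Assign each access port its own VLAN ID and /30 routed to the firewall.

    All argument values are constructed samples, not taken from the post.
    """
    if first_vlan < 2 or first_vlan + len(ports) - 1 > MAX_VLAN:
        raise ValueError("VLAN IDs must stay within 2..4094 (1 is the usual default)")
    subnets = ipaddress.ip_network(supernet).subnets(new_prefix=30)
    plan = []
    for vlan, port in enumerate(ports, start=first_vlan):
        net = next(subnets, None)
        if net is None:
            raise ValueError("supernet too small for one /30 per port")
        fw_ip, host_ip = net.hosts()  # a /30 has exactly two usable addresses
        plan.append({"port": port, "vlan": vlan, "subif": f"{trunk_if}.{vlan}",
                     "net": net, "fw_ip": fw_ip, "host_ip": host_ip})
    return plan


def firewall_commands(plan, trunk_if="eth1", uplink_if="eth0"):
    """Emit the firewall-side commands: one VLAN subinterface per port, then a
    forward chain that drops by default so hosts cannot reach each other."""
    cmds = []
    for p in plan:
        cmds.append(f"ip link add link {trunk_if} name {p['subif']} type vlan id {p['vlan']}")
        cmds.append(f"ip addr add {p['fw_ip']}/{p['net'].prefixlen} dev {p['subif']}")
        cmds.append(f"ip link set {p['subif']} up")
    cmds.append("nft add table inet filter")
    cmds.append("nft 'add chain inet filter forward "
                "{ type filter hook forward priority 0; policy drop; }'")
    cmds.append("nft add rule inet filter forward ct state established,related accept")
    # Only host-to-uplink traffic is allowed; host-to-host hits the drop policy.
    cmds.append(f"nft 'add rule inet filter forward iifname \"{trunk_if}.*\" "
                f"oifname \"{uplink_if}\" accept'")
    return cmds


if __name__ == "__main__":
    sample_ports = ["port-1", "port-2", "port-3"]  # constructed port labels
    for line in firewall_commands(plan_ports(sample_ports, "10.20.0.0/24")):
        print(line)
```

The switch side is the mirror image: each access port is placed untagged in its own VLAN and all of those VLANs are carried tagged on the trunk to the firewall.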


