Re: [fw-wiz] VLAN Security

From: Shimon Silberschlag (shimons_at_bll.co.il)
Date: 06/23/04

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 23 Jun 2004 12:29:48 +0200
    
    

    Has anyone on the group witnessed or implemented such a setup (VLAN per
    server)?
    Can you describe what the requirements and circumstances were that drove
    you to such a design?
    Did you encounter any problems implementing it, and how were these problems
    mitigated?

    TIA,

    Shimon Silberschlag

    +972-3-9351572
    +972-51-207130

    2004-06-08T19:25:51 Carson Gaspar:
    > 2004-06-08T10:18:02-0700 Jeff Boles:
    > >Anyone care to voice their consensus on contemporary
    > >VLAN implementations as a security measure?
    >
    > I'm sort of a heretic in this crowd. I think VLANs are a very
    > useful security implementation tool. [...] My policy is "one
    > chassis, one trust level" [...]

    I don't know how heretical that is today. For sure, we used to
    say that VLANs aren't a security component --- when that was the
    vendors' stance. Sometime in the last year or two vendors turned
    around and last I heard, their stance was that correctly-configured
    VLANs are supported by them as a security component, they're
    believed to be leak-free and reports of leaks will be treated as
    security bugs.

    I'm glad of this; it makes possible a config that I like for certain
    applications, what I call a fully-routed net, the next step up from
    a fully-switched net. Instead of "every host gets a dedicated switch
    port, no hubs" you go up to "every host gets a dedicated router
    port, onto a firewall". Just give each switch port a separate vlan
    and 802.1q the lot into the firewall[s]. One of these days I'm
    looking forward to doing large tracts of business in-house nets that
    way.

    Even today, though, that's how I'd build out e.g. in-room network
    jacks at a hotel, or laptop jacks at a conference.

    -Bennett

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
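The "fully-routed net" Bennett describes (one VLAN per switch port, everything 802.1q-trunked into the firewall) can be planned and sanity-checked mechanically. The following is an added example, not code from the thread or from any vendor: it assigns each port its own VLAN and /30 point-to-point subnet, renders IOS-style switch and Linux iproute2 firewall fragments, and checks the isolation invariant. Port names, the native VLAN, the VLAN range and the 10.200.0.0/22 address block are all constructed assumptions.

```python
from ipaddress import ip_network

NATIVE_VLAN = 1        # untagged VLAN on the trunk; never handed to a host
FIRST_HOST_VLAN = 101  # constructed starting point for per-port VLAN ids


def plan_fully_routed_net(ports, trunk_port="GigabitEthernet0/24",
                          base="10.200.0.0/22"):
    """One access port -> one VLAN -> one /30 between host and firewall."""
    if len(ports) != len(set(ports)):
        raise ValueError("duplicate port names")
    subnets = ip_network(base).subnets(new_prefix=30)
    entries = []
    for i, port in enumerate(ports):
        vlan = FIRST_HOST_VLAN + i
        if vlan == NATIVE_VLAN or vlan > 4094:
            raise ValueError(f"VLAN {vlan} is not usable")
        net = next(subnets)
        fw_ip, host_ip = list(net.hosts())  # a /30 has exactly two hosts
        entries.append({"port": port, "vlan": vlan, "net": str(net),
                        "fw_ip": str(fw_ip), "host_ip": str(host_ip)})
    return {"trunk": trunk_port, "native": NATIVE_VLAN, "entries": entries}


def switch_config(plan):
    """IOS-style fragment: access ports plus the trunk toward the firewall."""
    lines = []
    for e in plan["entries"]:
        lines += [f"interface {e['port']}", " switchport mode access",
                  f" switchport access vlan {e['vlan']}",
                  " spanning-tree portfast", "!"]
    allowed = ",".join(str(e["vlan"]) for e in plan["entries"])
    lines += [f"interface {plan['trunk']}",
              " switchport trunk encapsulation dot1q", " switchport mode trunk",
              f" switchport trunk native vlan {plan['native']}",
              f" switchport trunk allowed vlan {allowed}", "!"]
    return "\n".join(lines)


def firewall_config(plan, nic="eth0"):
    """Linux side: one 802.1q subinterface per host VLAN, firewall end of /30."""
    lines = []
    for e in plan["entries"]:
        sub = f"{nic}.{e['vlan']}"
        lines += [f"ip link add link {nic} name {sub} type vlan id {e['vlan']}",
                  f"ip addr add {e['fw_ip']}/30 dev {sub}",
                  f"ip link set {sub} up"]
    return "\n".join(lines)


def check_isolation(plan):
    """Design invariant: no VLAN shared by two ports, nothing on the native VLAN."""
    vlans = [e["vlan"] for e in plan["entries"]]
    return len(vlans) == len(set(vlans)) and plan["native"] not in vlans
```

The trunk's allowed-VLAN list is built from exactly the access VLANs, so a host cannot reach a VLAN the firewall is not also routing for; with the native VLAN kept out of that list, untagged frames have nowhere to go.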

