Re: VLAN as a DMZ

From: Bennett Todd (bet@rahul.net)
Date: 03/10/02


Date: Sun, 10 Mar 2002 12:13:33 -0500
From: Bennett Todd <bet@rahul.net>
To: Mike Shaw <mshaw@wwisp.com>


Note: Cisco's new-fangled private VLAN stuff may change this
picture, but....

some years ago, I bounced the question off a cisco engineer, and he
strongly agreed with this statement:

VLANs were devised when switch ports were exceedingly expensive, and
sold in units of 16 or more. At that point in time, allowing
customers to partition the switch to service multiple different LANs
made it much, much easier to approach 100.00% utilization of the
switch ports. They were not designed as security barriers. They were
designed as performance enhancements. As long as traffic doesn't
cross from VLAN to VLAN in the average case, occasional leaks don't
hurt anything. They were never designed nor implemented as security
barriers.

Now that said, it may still be reasonable for a DMZ to be a VLAN
on a switch with other VLANs. The other VLANs just need to have
comparable security profiles. E.g. perhaps multiple distinct DMZs
could share a switch, if all the hosts on them were comparably
hardened, and all the ingress/egress filtering and other external
screening were being done on a router outside that switch.

The key to the analysis is to draw your picture, then ask the
question "what harm could be done if an attacker could force the
switch to leak traffic, or to allow specific injected traffic, from
one VLAN to another". If the answer is, no problem, then go ahead
and share switches.

-Bennett
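An added example, not part of Bennett's post: the 802.1Q tag that decides VLAN membership is a plain 12-bit field in a 4-byte header with no integrity protection, so the question "what if the switch leaks a frame into the wrong VLAN" comes down to a frame carrying an unexpected VID showing up where it should not. The code below builds and parses tagged Ethernet frames and runs the check a practitioner would run over a capture from a mirror of a port that is supposed to carry only one VLAN. The frames, MAC addresses (locally administered 02:00:... values) and VLAN IDs are all constructed here for illustration and are not from any real network.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet II frame; if vid is given, insert an 802.1Q tag.

    The tag is TPID (0x8100) followed by the 16-bit TCI: 3 bits priority,
    1 bit DEI (left 0 here), 12 bits VLAN ID. Nothing in it is authenticated.
    """
    hdr = dst + src
    if vid is not None:
        if not 0 <= vid <= 0x0FFF:
            raise ValueError("VLAN ID must fit in 12 bits")
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame):
    """Return (dst, src, vid_or_None, ethertype, payload) for an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    offset, vid = 14, None
    if etype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        offset = 18
    return dst, src, vid, etype, frame[offset:]


def find_leaks(frames, expected_vid):
    """Report frames that carry a VID other than expected_vid.

    Intended for a capture from a port that should only ever carry one
    VLAN; any other tag means traffic crossed a VLAN boundary. Untagged
    frames are left alone: on an access port they are the normal case.
    Returns a list of (source MAC, offending VID).
    """
    leaks = []
    for frame in frames:
        _, src, vid, _, _ = parse_frame(frame)
        if vid is not None and vid != expected_vid:
            leaks.append((src.hex(":"), vid))
    return leaks


# Constructed sample capture: two frames on the DMZ VLAN (10) and one
# that somehow carries the internal VLAN's tag (20).
DMZ_VID = 10
INTERNAL_VID = 20
MAC_DMZ_HOST = bytes.fromhex("020000000001")
MAC_INTERNAL = bytes.fromhex("020000000002")
MAC_ROUTER = bytes.fromhex("020000000003")

SAMPLE_CAPTURE = [
    build_frame(MAC_ROUTER, MAC_DMZ_HOST, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vid=DMZ_VID),
    build_frame(MAC_DMZ_HOST, MAC_ROUTER, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vid=DMZ_VID),
    build_frame(MAC_ROUTER, MAC_INTERNAL, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vid=INTERNAL_VID),
]


def sample_leaks():
    """Run the leak check over the constructed capture."""
    return find_leaks(SAMPLE_CAPTURE, DMZ_VID)


if __name__ == "__main__":
    for mac, vid in sample_leaks():
        print(f"frame from {mac} carries VLAN {vid}, expected {DMZ_VID}")
```

The check only tells you that a leak happened, not why; it is the evidence you would want before deciding that two VLANs with different security profiles can keep sharing a switch.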
