RE: VLAN Question

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 08/20/03

  • Next message: Chris Ess: "Re: Any exploit of rpc.statd on Redhat 9 default setting?"
    To: "'Steven Williams'" <Steven.Williams@computershare.com.au>, <Security-basics@securityfocus.com>
    Date: Wed, 20 Aug 2003 09:44:07 -0700
    
    

    > It's clearly indicated by numerous sources including SANS and some
    > penetration testing outfits that VLANs can be compromised.

      Therefore, it's not a reliable security measure.

      On the other hand, I've seen it at a number of sites. Few places
    seem to be willing to dedicate a whole switch, cut off from their
    switch management VLAN, to provide 3-5 ports for an Internet segment.
    It's so much easier and cheaper to borrow the needed ports from an
    existing switch that's already part of the infrastructure.

      This is a good example of compromise on risk. While it's not
    completely reliable, an awful lot of enterprises judge the risk
    of compromise by this route to be low enough to justify the cost
    savings.

      (My impression -- and I haven't reviewed this lately -- is that
    most of the VLAN compromise techniques are much easier to do from
    inside the local network, and so there's little reason to target
    the Internet segment VLAN in preference to something more sensitive.)

    David Gillett

    > -----Original Message-----
    > From: Steven Williams [mailto:Steven.Williams@computershare.com.au]
    > Sent: August 20, 2003 00:09
    > To: Security-basics@securityfocus.com
    > Subject: VLAN Question
    >
    >
    > Hi all,
    >
    > I'm after some opinions of yours and your company's policy regarding
    > the use of VLANs as a method of isolating the internet from internal
    > VLANs on the same physical layer 2 / 3 switch, access controlled by
    > ACLs or firewalls.
    >
    > Would you or your company allow this, relying on permanent FDB
    > entries, disabled MAC learning ability, Layer 2 VLAN only, no routing
    > or IP forwarding enabled, or purely stick with physical isolation
    > on a separate switch etc.?
    >
    > I've been told that Extreme switches implement VLANs in hardware
    > ASICs and are not vulnerable to the compromises and denial of
    > service attacks that other vendors may be, due to VLANs implemented
    > in software.
    >
    > It's clearly indicated by numerous sources including SANS and some
    > penetration testing outfits that VLANs can be compromised.
    >
    > Any feedback would be greatly appreciated....
    >
    > Steve
    >
    > Steve Williams
    > Communications Support Engineer
    > Computershare Technology Services
    > Melbourne Australia
    > steven.williams@computershare.com.au
    > +61 3 9235 5651
    >
    > www.computershare.com
    >

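Steven's list of switch-side controls (permanent FDB entries, no MAC learning, Layer 2 only, no routing or IP forwarding) can be checked mechanically against a running config. What follows is an added example, not code from either message or from any switch vendor: it audits two constructed IOS-style configurations for the settings that undercut VLAN-based isolation when a few Internet-segment ports are borrowed from a switch that also carries internal and management VLANs. The command names are Cisco IOS; VLAN 100 as the Internet segment, VLAN 999 as an unused native VLAN, and the addresses are all assumptions made for the example.

```python
"""Added example (not from the thread): audit an IOS-style switch config for
settings that weaken VLAN isolation when an Internet segment shares a switch
with internal VLANs. Both configs are constructed; VLAN numbers are assumed."""
from typing import Dict, List, Optional, Tuple

INTERNET_VLAN = 100  # assumption: VLAN holding the 3-5 Internet-segment ports

# Constructed "borrowed ports" config: routing on, switch has an SVI in the
# Internet VLAN, the access port can negotiate a trunk, and the uplink trunk
# carries every VLAN with the Internet VLAN as native.
WEAK_CONFIG = """\
ip routing
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
interface Vlan100
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode dynamic desirable
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 100
"""

# Constructed hardened config: Layer 2 only, no SVI in the Internet VLAN,
# DTP off, MAC learning capped by port-security, trunk pruned to internal VLANs.
HARDENED_CONFIG = """\
no ip routing
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
interface GigabitEthernet0/24
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split config text into global commands and {interface: [sub-commands]}."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, interfaces


def expand_vlan_list(spec: str) -> set:
    """Expand an IOS VLAN list such as '10,20-22,30' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def _arg(lines: List[str], prefix: str) -> Optional[str]:
    """Text after the first sub-command starting with prefix, or None if absent."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def audit(text: str, internet_vlan: int = INTERNET_VLAN) -> List[str]:
    """Return findings as strings; an empty list means no check fired."""
    global_cmds, interfaces = parse_config(text)
    findings: List[str] = []
    if "ip routing" in global_cmds:
        findings.append("global: ip routing enabled, the switch itself can forward between VLANs around the firewall")
    for name, lines in interfaces.items():
        if name.lower() == f"vlan{internet_vlan}" and _arg(lines, "ip address") is not None:
            findings.append(f"{name}: switch has an IP address on the Internet VLAN, exposing its management plane there")
        mode_arg = _arg(lines, "switchport mode")
        mode = mode_arg.split()[0] if mode_arg else None
        nonegotiate = "switchport nonegotiate" in lines
        access_vlan = _arg(lines, "switchport access vlan")
        if access_vlan is not None and int(access_vlan) == internet_vlan:
            if mode != "access" or not nonegotiate:
                findings.append(f"{name}: Internet-VLAN port can still negotiate a trunk (mode={mode}, nonegotiate={nonegotiate})")
            if _arg(lines, "switchport port-security") is None:
                findings.append(f"{name}: MAC learning on the Internet-VLAN port is unrestricted (no port-security)")
        if mode == "trunk":
            native = int(_arg(lines, "switchport trunk native vlan") or 1)
            if native == internet_vlan:
                findings.append(f"{name}: trunk native VLAN is the Internet VLAN, so its frames cross the trunk untagged")
            allowed = _arg(lines, "switchport trunk allowed vlan")
            if allowed is None or internet_vlan in expand_vlan_list(allowed):
                findings.append(f"{name}: trunk carries the Internet VLAN toward the rest of the switch fabric")
            if not nonegotiate:
                findings.append(f"{name}: trunk still sends DTP (no switchport nonegotiate)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

The checks map onto the thread: `no ip routing` and the absence of an SVI in VLAN 100 are Steven's "Layer 2 VLAN only, no routing or IP forwarding"; port-security with a maximum of 1 is the closest IOS equivalent of his "permanent FDB entries, disabled MAC learning"; and the trunk pruning and `nonegotiate` lines keep the borrowed ports from ever sharing a trunk with the management VLAN David mentions. The script is a config audit only; it says nothing about whether a particular vendor's ASIC implementation is weaker or stronger.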
