RE: Firewall and VLAN security design

• Previous message: xyberpix: "Win2k Audit+AD settings"
• Maybe in reply to: Ahmed Ameen: "Firewall and VLAN security design"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 04 Nov 2004 09:00:53 +1000
To: <bsampsel@libertyactivist.org>, <security-basics@securityfocus.com>, <kj6loh@yahoo.com>

IMHO it's bad practice to segregate your trusted and untrusted networks
with VLANs. Use one switch for the external net and DMZ if you must, but
use a separate switch for your internal LAN.

@Stake security review of VLANs
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.pdf

VLAN Features
http://www.cisco.com/univercd/cc/td/doc/product/lan/28201900/1928v8x/eescg8x/aleakyv.htm

Layer 2 -- The Weakest Link
http://www.cisco.com/en/US/about/ac123/ac114/ac173/ac222/about_cisco_packet_feature09186a0080142deb.html

There have been threads on this issue previously on the list
http://www.cotse.com/mailing-lists/bugtraq/1999/1397.html

cheers
Ivan

Ivan Coric, CISSP
IT Technical Security Officer
Information Technology
WorkCover Queensland
Ph: (07) 30066414 Fax: (07) 30066424
Email: ivan.coric@workcoverqld.com.au

>>> Jonathan Loh <kj6loh@yahoo.com> 4/11/2004 8:17:16 am >>>
Actually, I think cisco does. It just depends on how you comprehend
the
following statement. Taken from the CCNA course curriculum Semester 3
module 8
overview.

"VLANs can enhance scalability, security, and network management.
Routers in
VLAN topologies provide broadcast filtering, security, and traffic
flow
management."

Strictly speaking "can enhance" does no mean the same as "does
enhance".

--- Ivan Coric <ivan.coric@workcoverqld.com.au> wrote:

> I beg to differ, using VLANs to segregate your external and internal
> network is a bad idea.
>
> I don't think even Cisco recommends VLANs as a security mechanism
>
> http://www.sans.org/resources/idfaq/vlan.php
>
> http://www.spirit.com/Network/net0103.html
>
> http://www.terena.nl/conferences/tnc2003/programme/slides/s1c3.ppt
>
> http://www.sans.org/rr/whitepapers/networkdevs/1090.php
>
>
http://www.google.com.au/search?q=vlan+hopping&hl=en&lr=&start=10&sa=N

>
> cheers
> Ivan
>
>
>
>
> Ivan Coric, CISSP
> IT Technical Security Officer
> Information Technology
> WorkCover Queensland
> Ph: (07) 30066414 Fax: (07) 30066424
> Email: ivan.coric@workcoverqld.com.au
>
> >>> "Bryan S. Sampsel" <bsampsel@libertyactivist.org> 2/11/2004
2:56:11
> pm >>>
>
> >
> >> Is VLAN segmentation enough to segment between the internet, DMZ
> and
> >> the internal network, or should I also use different switches for
> >> each, and be connected through the firewall.
> >
> > This is a FAQ, and the usual answer is that no, VLAN separation
is
> not
> > a robust security barrier, an separate switches are recommended
where
> the
> > different subnets need separation for security reasons.
> >
>
> Actually, if you don't offer up your management interface to the
> publicly
> accessible side of things, the VLAN separation makes things function
> exactly like a physically separate switch. Without the routing
> between
> those VLANs, the traffic does not magically go from one VLAN to
> another
> and the ability to exploit/crack the switch is no greater than
having
> a
> separate switch in place. In fact, if you have a managed switch,
and
> do
> not logically isolate your management interface/IP, you're opening
up
> that
> standalone switch.
>
> If you're not crazy enough to put the management IP on the publicly
> accessible side, there is no risk unless you allow access through a
> firewall or other routing solution. This is a fundamental concept
of
> managed switches and VLANs.
>
> This is at least true of Foundry Networks and Cisco switches.
Mileage
> may
> vary. ;)
>
> Sincerely,
>
> Bryan S. Sampsel
> LibertyActivist.org
> FNCNE
>
>
>
>
>
>
>
***************************************************************************
> Messages included in this e-mail and any of its attachments are
those
> of the author unless specifically stated to represent WorkCover
Queensland.
> The contents of this message are to be used for the intended purpose
only and
> are to be kept confidential at all times.
> This message may contain privileged information directed only to the
intended
> addressee/s. Accidental receipt of this information should be
deleted
> promptly and the sender notified.
> This e-mail has been scanned by Sophos for known viruses.
> However, no warranty nor liability is implied in this respect.
>
**********************************************************************
>
>

                
__________________________________
Do you Yahoo!?
Check out the new Yahoo! Front Page.
www.yahoo.com
 

***************************************************************************
Messages included in this e-mail and any of its attachments are those
of the author unless specifically stated to represent WorkCover Queensland. The contents of this message are to be used for the intended purpose only and are to be kept confidential at all times.
This message may contain privileged information directed only to the intended addressee/s. Accidental receipt of this information should be deleted promptly and the sender notified.
This e-mail has been scanned by Sophos for known viruses.
However, no warranty nor liability is implied in this respect.
**********************************************************************

• Previous message: xyberpix: "Win2k Audit+AD settings"
• Maybe in reply to: Ahmed Ameen: "Firewall and VLAN security design"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]