RE: Firewall and VLAN security design
From: Jonathan Loh (kj6loh_at_yahoo.com)
Date: 11/03/04
- Previous message: Kelly Martin: "SF new article announcement: SSH User Identities"
- In reply to: Ivan Coric: "RE: Firewall and VLAN security design"
- Next in thread: Ivan Coric: "RE: Firewall and VLAN security design"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 3 Nov 2004 14:17:16 -0800 (PST)
To: Ivan Coric <ivan.coric@workcoverqld.com.au>, bsampsel@libertyactivist.org, security-basics@securityfocus.com
Actually, I think Cisco does. It just depends on how you comprehend the
following statement, taken from the CCNA course curriculum Semester 3 module 8
overview:
"VLANs can enhance scalability, security, and network management. Routers in
VLAN topologies provide broadcast filtering, security, and traffic flow
management."
Strictly speaking, "can enhance" does not mean the same as "does enhance".
--- Ivan Coric <ivan.coric@workcoverqld.com.au> wrote:
> I beg to differ, using VLANs to segregate your external and internal
> network is a bad idea.
>
> I don't think even Cisco recommends VLANs as a security mechanism
>
> http://www.sans.org/resources/idfaq/vlan.php
>
> http://www.spirit.com/Network/net0103.html
>
> http://www.terena.nl/conferences/tnc2003/programme/slides/s1c3.ppt
>
> http://www.sans.org/rr/whitepapers/networkdevs/1090.php
>
> http://www.google.com.au/search?q=vlan+hopping&hl=en&lr=&start=10&sa=N
>
> cheers
> Ivan
>
>
>
>
> Ivan Coric, CISSP
> IT Technical Security Officer
> Information Technology
> WorkCover Queensland
> Ph: (07) 30066414 Fax: (07) 30066424
> Email: ivan.coric@workcoverqld.com.au
>
> >>> "Bryan S. Sampsel" <bsampsel@libertyactivist.org> 2/11/2004 2:56:11
> pm >>>
>
> >
> >> Is VLAN segmentation enough to segment between the internet, DMZ and
> >> the internal network, or should I also use different switches for
> >> each, and be connected through the firewall.
> >
> > This is a FAQ, and the usual answer is that no, VLAN separation is not
> > a robust security barrier, and separate switches are recommended where the
> > different subnets need separation for security reasons.
> >
>
> Actually, if you don't offer up your management interface to the publicly
> accessible side of things, the VLAN separation makes things function
> exactly like a physically separate switch. Without the routing between
> those VLANs, the traffic does not magically go from one VLAN to another
> and the ability to exploit/crack the switch is no greater than having a
> separate switch in place. In fact, if you have a managed switch, and do
> not logically isolate your management interface/IP, you're opening up that
> standalone switch.
>
> If you're not crazy enough to put the management IP on the publicly
> accessible side, there is no risk unless you allow access through a
> firewall or other routing solution. This is a fundamental concept of
> managed switches and VLANs.
>
> This is at least true of Foundry Networks and Cisco switches. Mileage may
> vary. ;)
>
> Sincerely,
>
> Bryan S. Sampsel
> LibertyActivist.org
> FNCNE
>
__________________________________
Do you Yahoo!?
Check out the new Yahoo! Front Page.
www.yahoo.com
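The thread turns on whether VLAN separation is only as strong as the switch's tagging policy (the "vlan hopping" references above concern exactly that). As an added example, not written by any poster in this thread, the following Python script shows the defender's side of that argument: it parses Ethernet II frames copied from a trunk link (for instance via a mirror port) and flags the tagging anomalies that indicate a trunk is not enforcing the intended separation. The frames, the policy values (native VLAN 1, data VLANs 10 and 20 allowed, management VLAN 99 kept off the trunk) and the MAC addresses are all constructed for the example.

```python
import struct

# Ethertype constants come from IEEE 802.1Q / 802.1ad, not from the thread.
ETHERTYPE_8021Q = 0x8100   # customer VLAN tag (C-TAG)
ETHERTYPE_8021AD = 0x88A8  # provider outer tag (S-TAG, "QinQ")
ETHERTYPE_IPV4 = 0x0800
VLAN_TAG_TYPES = {ETHERTYPE_8021Q, ETHERTYPE_8021AD}

# Finding codes returned by check_frame()
DOUBLE_TAG = "double-tag"          # two stacked tags: QinQ misconfig or a hopping attempt
NATIVE_TAG = "native-tag"          # explicit tag carrying the trunk's native VLAN id
NOT_ALLOWED = "vlan-not-allowed"   # outer VID missing from the trunk's allowed list
UNTAGGED = "untagged"              # untagged frame on a trunk: it rides the native VLAN


def build_frame(dst, src, vids, ethertype=ETHERTYPE_IPV4, payload=b"\x00" * 46):
    """Assemble a constructed Ethernet II frame with zero or more stacked 802.1Q tags.

    Used only to fabricate sample input for this example; every tag uses 0x8100,
    which is what stacked customer tags look like on the wire.
    """
    hdr = dst + src
    for vid in vids:
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); PCP and DEI left at zero.
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (dst, src, [vid, ...], inner_ethertype); VIDs are listed outermost first."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    vids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in VLAN_TAG_TYPES:
            return dst, src, vids, ethertype
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)
        offset += 4


def check_frame(frame, native_vid, allowed_vids):
    """Compare one frame seen on a monitored trunk against the trunk's tagging policy."""
    _dst, _src, vids, _ethertype = parse_tags(frame)
    findings = []
    if not vids:
        findings.append(UNTAGGED)
        return findings
    if len(vids) >= 2:
        findings.append(DOUBLE_TAG)
    if vids[0] == native_vid:
        findings.append(NATIVE_TAG)
    if vids[0] not in allowed_vids:
        findings.append(NOT_ALLOWED)
    return findings


def audit(frames, native_vid, allowed_vids):
    """Return [(index, findings)] for every frame in the capture that violates the policy."""
    offenders = []
    for index, frame in enumerate(frames):
        findings = check_frame(frame, native_vid, allowed_vids)
        if findings:
            offenders.append((index, findings))
    return offenders


# Constructed sample capture (not a real trace). Policy under test: native VLAN 1,
# data VLANs 10 and 20 allowed, management VLAN 99 deliberately kept off this trunk.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200c0ffee01")          # locally administered MAC, constructed
SAMPLE_CAPTURE = [
    build_frame(DST, SRC, [10]),             # 0: ordinary data-VLAN frame
    build_frame(DST, SRC, [20]),             # 1: ordinary data-VLAN frame
    build_frame(DST, SRC, [1, 30]),          # 2: outer tag = native VLAN, inner tag = 30
    build_frame(DST, SRC, [99]),             # 3: management VLAN leaking onto the trunk
    build_frame(DST, SRC, []),               # 4: untagged, will land in the native VLAN
]

if __name__ == "__main__":
    for index, findings in audit(SAMPLE_CAPTURE, native_vid=1, allowed_vids={10, 20}):
        vids = parse_tags(SAMPLE_CAPTURE[index])[2]
        print(f"frame {index}: tags={vids} findings={findings}")
```

Each finding maps to a switch-side control that makes Bryan's "functions exactly like a physically separate switch" claim hold: pruning the allowed-VLAN list on every trunk, keeping the management VLAN off trunks that face untrusted segments, using a dedicated, otherwise unused native VLAN (and tagging it) so that a double-tagged frame has nowhere to go, and disabling trunk negotiation on access ports. Run over a real mirror-port capture, the script would need a pcap reader in front of `check_frame`; the frame parsing itself is unchanged.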