VLANs over Geographical Boundaries



AKA "Is this stupid from a security standpoint?"

I know the mantra: "Don't use VLANs for security". But I'm having
trouble understanding whether it applies to this particular design. I
proposed an alternate solution to the problem I'm trying to solve in
another newsgroup, and I was told, "You should be using VLANs".

The basics: We just added a second facility and want to increase our
redundancy. We have two hosts that are considered the end-all-be-all
of our business; without these, we're down. We have a nice high
availability configuration in place that requires they be on the same
LAN segment. We also have a nice high speed Ethernet link between
the two facilities that accomplishes this goal, but it's caused a
number of issues as far as adding further redundancy to our network.

So, I have the following solution in mind. The advantages are
plentiful as far as saving money and easing expansion, but we have a
major concern about it: It somewhat relies on VLANs to separate
traffic before it enters the firewall.

A diagram would probably help, and ASCII is insufficient, so I threw
this together:
http://www.monkeybox.org/cisco/Visio-VLAN-Proposal.pdf

Let me point out a couple things:
(1) The top left and top right areas are two distinct physical
locations. The gigabit ethernet line between the two is all we have to
work with (Well, other than a VPN backup, but that's not in the
diagram).
(2) The colored lines indicate vlan separation. Over the gigabit
connection, this would be a trunk, but the other links would likely be
individual fastethernet connections in a 'switchport mode access' type
of setup either to other links or the firewalls.
(3) This isn't everything on our network, though it shows the important
stuff. We like to control access as much as we can at the firewalls.
(4) The firewalls are Check Points and would share state over a
dedicated sync VLAN which isn't pictured. They'd be in a cluster
configuration.

The scariest part of this diagram is that the Internet traffic coming
in on one VLAN would enter the same switch as the traffic we're trying
most to protect. That is, physically that traffic hits the same switch
before it is inspected by the firewall. Logically, though, it has to
go through a firewall, but is that enough? Additionally, my company is
of the opinion that you can't really trust your LANs, and they would
also hit the switches first. So if VLAN hopping is a realistic
problem, both Internet and LAN traffic could conceivably bypass the
firewalls through some evildoer chicanery.

If VLAN hopping can be mitigated to the point of "no known attacks",
then the advantages are many. There are cost savings, and really easy
ways to add further redundancy. It scales pretty well, and our single
points of failure actually go down compared to most alternate
solutions.

Is this a bad idea from a security standpoint? Any obvious problems
I'm overlooking? Is this sound from a security, stability, and
scalability point of view?

Any input would be appreciated.

Fred
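An added audit example, not from the original post or from Cisco or Check Point: it reads a Cisco IOS-style running-config and flags the port settings that make VLAN hopping easier on the kind of design described above (the inter-site trunk plus 'switchport mode access' ports toward the firewalls). The config fragment and interface names are constructed for the example.

```python
import re
# Constructed sample running-config (not the poster's real switches) modelled on the post's design.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
!
interface FastEthernet0/1
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
"""
def parse_interfaces(config):
    """Split a running-config into {interface name: [its indented lines]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the interface stanza
    return interfaces

def audit_vlan_hopping(config):
    """Return {interface: [findings]} for settings that make VLAN hopping easier."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        is_trunk = "switchport mode trunk" in lines
        is_access = "switchport mode access" in lines
        if not (is_trunk or is_access):  # default dynamic mode: DTP may negotiate a trunk
            issues.append("no explicit switchport mode; set access or trunk")
        if is_access and "switchport nonegotiate" not in lines:
            issues.append("access port still speaks DTP; add 'switchport nonegotiate'")
        if is_trunk:
            native = next((l.split()[-1] for l in lines if "trunk native vlan" in l), "1")
            if native == "1":
                issues.append("native VLAN 1 on trunk (double-tagging); use an unused VLAN")
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                issues.append("trunk carries every VLAN; prune with 'switchport trunk allowed vlan'")
        if issues:
            findings[name] = issues
    return findings
```

Run it against `show running-config` output from each switch on the path; a clean result means every port has an explicit mode, access ports do not negotiate, and the inter-site trunk uses an unused native VLAN and an explicit allowed-VLAN list.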
