Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: VLAN Question

From: Bennett Todd <bet () rahul net>
Date: Wed, 20 Aug 2003 12:51:20 -0400
2003-08-20T03:09:24 Steven Williams:

I'm after some opinions of yours and your companies policy
regarding the use of VLAN's as a method of isolating the internet
to internal VLAN's on the same physical layer 2 / 3 switch and
access controlled by ACL's or firewalls.


There are several sides to this question.

Originally, VLANs were created solely to help mitigate the very high
cost of early switches. Switches were being sold in multiples of 16
or 32 ports, and they were vastly more expensive than hubs. To help
people get the most out of their switch investments, VLANs allowed
partitioning broadcast domains, to buy the performance advantages of
switch isolation while allowing multiple smaller networks to be
implemented on the same expensive switch. In this context, leakage
between vlans wasn't an issue as long as the amount of leakage
didn't cause a performance impact. vlans leaked. Minor leakage was
not considered a problem by the vendors. They weren't designed as
security partitions.

Customers started pressing vendors, and they've responded. I've
spoken with a Cisco engineer who said that properly, carefully
configured, current switches with current CatOS were not believed to
leak between vlans, and a finding that they could so leak would be
treated as a priority security bug. Cool says I, this enables
something I've wanted to have for some time. Combine switches with
vlans that are secure and 802.1q trunking, and you can have a
firewall with a ludicrous number of firewall ports --- it becomes
practical to consider building a fully-firewalled fully-routed
network, where every host has its own dedicated firewall port. Not
for everybody, perhaps, but I can think of places where it'd be
worth doing. Say, hotels offering network jacks in the rooms.

But there's another issue to consider. Even if the vlan
implementation is truly secure in the switch, sharing multiple vlans
representing different security domains on the same switch means
that a config error on that switch could compromise your isolation.
Config errors happen. Config errors that don't overtly break
anything are often not detected for a long time.

Switches are cheap. Use multiple switches unless there's a really
compelling engineering requirement to use multiple vlans on the same
switch.

-Bennett

Attachment: _bin
Description:

Previous By Date Next
Previous By Thread Next

Current thread: