Security Basics mailing list archives

Re: how secure is a vlan


From: JGrimshaw () ASAP com
Date: Wed, 7 Jan 2004 13:39:45 -0600

Hi Tigerblue,

VLANs are as secure as you make them, but come pretty secure as-is. 
Logically, they are treated as a separate physical network.  A device 
cannot connect to another network without the help of a routing device, be 
it a layer 3 switch that is routing for the vlan, an independent router 
(called Router-on-a-Stick), or perhaps a multi-homed machine such as a 
Windows server running RRAS and configured to route traffic. 

Better still, on the Cisco Catalyst 6000 series, one can create private 
VLANs, which prevent devices on the vlan from speaking to each other, and 
only to the default gateway port on the VLAN.  A good reason to do this is 
on a DMZ.  If a machine in the DMZ is compromised, it is still unable to 
speak to other machines on the DMZ, and only the default gateway port on 
the VLAN.

Also, most switches that support VLANs also support MAC Address based 
security and other features to further protect your VLAN.  I would check 
with documentation for your switch to see what features your switch 
supports, and if they make sense to implement.  How about access lists 
protecting your new VLAN? 

You will also discover that the broadcast domain is reduced, and there may 
be a significant drop in broadcast traffic.  Cutting a 1022 host subnet 
into four 254 host subnets reduces DHCP broadcasts and other such things 
immensely. 

But remember, if you decide to allow routing to and from this subnet, make 
sure you design a subnet scheme that makes sense!  The last thing you want 
are numbers pulled out of the air, or something copied out of a book. 
Check out http://www.faqs.org/rfcs/rfc1597.html for information on private 
IP addressing, it is invaluable if this is your first attempt at subnet 
design.

A place I once worked at used someone else's public IP address as their 
datacenter IP address.  Oops.  Then the private addresses were all decided 
by different departments.  Oops again.  It was a disaster rewriting all of 
the router and switch VLANs and rules, the firewall rules, printer 
addresses, load balancers, server addresses... talk about downtime!  Do it 
right the first time and you may be employed where you are at for a long 
time!



<tigerblue () puzzleapuma de>
01/07/2004 04:02 AM

To: <security-basics () securityfocus com>
cc:
Subject: how secure is a vlan

Hello Outthere,

I'm planning a reorganisation of our company network. I'm thinking about
a VLAN to secure a part of the net. Is this technology as secure as a
physical net? Is there a way to break out of this virtual LAN into
another part of the network?

Best Regards

tigerblue

---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
course! All of our class sizes are guaranteed to be 10 students or less.
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
and many other technical hands on courses.
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
any course!
----------------------------------------------------------------------------
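An added example, not part of the thread: a small Python planner that carries through the reply's subnet arithmetic (a 1022-host /22 cut into four 254-host /24s, one per VLAN), refuses address space outside the private ranges of RFC 1597 (now RFC 1918), and flags the "different departments picked overlapping ranges" mistake from the anecdote. The 10.20.0.0/22 block, the VLAN numbering from 10 and the department assignments are constructed for illustration.

```python
import ipaddress

# Private ranges defined in RFC 1597 and carried forward unchanged in RFC 1918.
RFC1918_PRIVATE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(cidr):
    """True only if the whole block sits inside one RFC 1918 private range."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(p) for p in RFC1918_PRIVATE)


def usable_hosts(cidr):
    """Usable IPv4 host addresses: all addresses minus network and broadcast."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - 2


def plan_vlans(supernet, vlan_count, first_vlan=10):
    """Split a private supernet into vlan_count equal subnets, one per VLAN.
    Returns one dict per VLAN: id, subnet, usable hosts, gateway, broadcast."""
    net = ipaddress.ip_network(supernet, strict=True)
    if not is_rfc1918(net.with_prefixlen):
        raise ValueError(f"{net} is not RFC 1918 private space; pick a private block")
    if vlan_count < 1 or vlan_count & (vlan_count - 1):
        raise ValueError("vlan_count must be a power of two for equal-sized subnets")
    new_prefix = net.prefixlen + vlan_count.bit_length() - 1   # e.g. /22 -> /24 for 4
    plan = []
    for vlan_id, sub in enumerate(net.subnets(new_prefix=new_prefix), start=first_vlan):
        plan.append({
            "vlan": vlan_id,
            "subnet": sub.with_prefixlen,
            "hosts": usable_hosts(sub.with_prefixlen),
            "gateway": str(sub[1]),                 # convention: first host is the gateway
            "broadcast": str(sub.broadcast_address),
        })
    return plan


def find_overlaps(assignments):
    """Given {department: cidr}, return sorted name pairs whose blocks overlap."""
    nets = {name: ipaddress.ip_network(c, strict=True) for name, c in assignments.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    for row in plan_vlans("10.20.0.0/22", 4):
        print(row)
    # Constructed department plan with a collision between sales and eng.
    print(find_overlaps({"sales": "10.1.0.0/16", "eng": "10.1.128.0/20", "dmz": "192.168.50.0/24"}))
```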



