Educause Security Discussion mailing list archives
Re: Untrusted VLANs on Core Gear
From: Glenn Forbes Fleming Larratt <gl89 () CORNELL EDU>
Date: Wed, 7 Feb 2007 14:18:10 -0500
Yes (to the "run screaming" question). I made the argument recently in another forum that:

} 1. In a design that includes a firewall appliance of any sort, it's a
} violation of default-deny to use VLANs, rather than distinct hardware,
} to segregate networks on different sides of the firewall. Even though
} there are no known (to me) failure modes of VLAN switches that would
} allow effective bridged connectivity between nominally separated
} networks, the possibility that such a failure mode could exist justifies
} the physical separation.
}
} 2. Buying/creating a firewall appliance and then using VLANs to
} separate the networks on different sides of it is "silver-bullet"
} design; to get defense in depth, physical separation is indicated.
}
} Given the relative cost of firewall appliances (whether in dollars or
} sweat) vs. networking hardware, any cost savings is false anyway.

The one reason (other than personal hubris) I quote my previous argument is that another participant pointed to documented failure modes of VLAN switches that *would* allow effective bridged connectivity, i.e. bypassing of your firewall. The links he provided were:

http://www.sans.org/reading_room/whitepapers/networkdevs/1090.php
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39832

(not sure why the link points to the "Conclusions" in the paper)

Hope this helps,

--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

On Wed, 7 Feb 2007, jkaftan wrote:
> We are looking to create a fully redundant internet connection. I was
> thinking about using my core switch to provide layer 2 for this setup.
> Specifically I was going to create an Untrust VLAN that my edge routers
> and Firewalls would connect to. Fundamentally I do not see an issue as
> VLANs are supposed to be the same thing as having separate switches
> (broadcast domains). However another way to look at it is that I have
> potential bad guys actually "touching" my core gear. Does this make
> anyone want to run screaming into the night?
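If the Untrust VLAN does end up on shared core gear, the switch settings the linked papers discuss (trunk negotiation, native-VLAN handling, pruning of VLANs from trunks) are what a defender would audit before trusting the VLAN boundary. The following Python is an added example, not code from the thread or any of its participants; the IOS-style config fragment and the function names are constructed, and the parser assumes Cisco IOS `switchport` syntax.

```python
# Constructed IOS-style fragment (sample data, not a real switch): untrust VLAN 200 beside inside VLANs.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport mode trunk
!
interface GigabitEthernet1/2
 switchport access vlan 200
 switchport mode access
!
interface GigabitEthernet1/3
 switchport access vlan 1
!
"""

def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each stanza."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif cur and line.startswith(" "):
            ifaces[cur].append(line.strip())
        else:
            cur = None
    return ifaces

def _vlan(lines, prefix, default):
    return next((int(l[len(prefix):].split()[0]) for l in lines if l.startswith(prefix)), default)

def audit_vlan_isolation(config, untrust_vlan):
    """List conditions under which the untrust VLAN could bridge past the firewall."""
    ifaces = parse_interfaces(config)
    modes = {n: next((l.split()[2] for l in ls if l.startswith("switchport mode ")), "dynamic")
             for n, ls in ifaces.items()}
    # VLANs that arrive untagged on a non-trunk port (IOS default access VLAN is 1)
    access_vlans = {_vlan(ls, "switchport access vlan ", 1) for n, ls in ifaces.items() if modes[n] != "trunk"}
    findings = []
    for name, lines in ifaces.items():
        # DTP still on: the port could be negotiated into a trunk carrying every VLAN
        if modes[name] == "dynamic" or (modes[name] == "trunk" and "switchport nonegotiate" not in lines):
            findings.append(f"{name}: trunk negotiation (DTP) still possible")
        if modes[name] != "trunk":
            continue
        native = _vlan(lines, "switchport trunk native vlan ", 1)
        # a native VLAN shared with an access VLAN is the double-encapsulated 802.1Q precondition
        if native in access_vlans or native == untrust_vlan:
            findings.append(f"{name}: native VLAN {native} is also an access/untrust VLAN")
        if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            findings.append(f"{name}: untrust VLAN {untrust_vlan} carried off-switch unpruned")
    return findings
```

Running `audit_vlan_isolation(SAMPLE_CONFIG, 200)` reports four findings on the sample: three on the unpruned, negotiable trunk whose native VLAN 1 is also a user access VLAN, and one on the user port left in dynamic mode.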
Current thread:
- Untrusted VLANs on Core Gear jkaftan (Feb 07)
- <Possible follow-ups>
- Re: Untrusted VLANs on Core Gear Glenn Forbes Fleming Larratt (Feb 07)
- Re: Untrusted VLANs on Core Gear HALL, NATHANIEL D. (Feb 07)
- Re: Untrusted VLANs on Core Gear John Ladwig (Feb 07)
- Re: Untrusted VLANs on Core Gear Raw, Randy (Feb 08)
- Re: Untrusted VLANs on Core Gear Michael Sinatra (Feb 08)
- Re: Untrusted VLANs on Core Gear David C. Smith (Feb 08)
- Re: Untrusted VLANs on Core Gear David LaPorte (Feb 08)
- Re: Untrusted VLANs on Core Gear jkaftan (Feb 08)
- Re: Untrusted VLANs on Core Gear David Gillett (Feb 12)