Educause Security Discussion mailing list archives
Re: Untrusted VLANs on Core Gear
From: "HALL, NATHANIEL D." <halln () OTC EDU>
Date: Wed, 7 Feb 2007 13:33:02 -0600
I have had similar questions before. I asked other GIAC alumni and I was referred to DSniff by Dug Song. http://www.monkey.org/~dugsong/dsniff/

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking
Office: (417) 447-7535

-----Original Message-----
From: Glenn Forbes Fleming Larratt [mailto:gl89 () CORNELL EDU]
Sent: Wednesday, February 07, 2007 1:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Untrusted VLANs on Core Gear

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes (to the "run screaming" question). I made the argument recently in another forum that:

} 1. In a design that includes a firewall appliance of any sort, it's a
} violation of default-deny to use VLANs, rather than distinct hardware,
} to segregate networks on different sides of the firewall. Even though
} there are no known (to me) failure modes of VLAN switches that would
} allow effective bridged connectivity between nominally separated
} networks, the possibility that such a failure mode could exist justifies
} the physical separation.
}
} 2. Buying/creating a firewall appliance and then using VLANs to
} separate the networks on different sides of it is "silver-bullet"
} design; to get defense in depth, physical separation is indicated.
}
} Given the relative cost of firewall appliances (whether in dollars or
} sweat) vs. networking hardware, any cost savings is false anyway.

The one reason (other than personal hubris) I quote my previous argument is that another participant pointed to documented failure modes of VLAN switches that *would* allow effective bridged connectivity, i.e. bypassing of your firewall.

The links he provided were:

http://www.sans.org/reading_room/whitepapers/networkdevs/1090.php
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39832

(not sure why the link points to the "Conclusions" in the paper)

Hope this helps,

--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

On Wed, 7 Feb 2007, jkaftan wrote:
We are looking to create a fully redundant internet connection. I was thinking about using my core switch to provide layer 2 for this setup. Specifically I was going to create an Untrust VLAN that my edge routers and Firewalls would connect to.

Fundamentally I do not see an issue as VLANs are supposed to be the same thing as having separate switches (broadcast domains). However another way to look at it is that I have potential bad guys actually "touching" my core gear.

Does this make anyone want to run screaming into the night?
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) iD8DBQFFyiX3Lyw7nZwiKgQRAjRfAKCjjFv01jTsICiLcgqZtDqLlSk7jQCeJ1/H zUpt7wv7EUaiXJAjDG2hoaE= =INKh -----END PGP SIGNATURE-----
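The failure mode Glenn's links point at, as I read both the SANS and the Cisco VLAN-security papers, is 802.1Q double tagging across a trunk whose native VLAN travels untagged. What follows is an added example, not code from the thread or from either paper: a small Python model of two switches joined by a trunk. It shows how a frame with two stacked tags, sent from an access port that sits in the trunk's native VLAN, is delivered by the far switch on a different VLAN, which is exactly the "effective bridged connectivity" that lets traffic reach the other side of a firewall that only separates VLANs. It also shows the two standard countermeasures: move the native VLAN to an unused ID, or tag the native VLAN on the trunk. MAC addresses, VLAN numbers and payload are constructed for the example, and the switch behaviour (accepting a frame tagged with the access port's own VLAN, sending native-VLAN traffic untagged) is a simplification of the classic case, not a model of any particular product.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that introduces an 802.1Q tag


def build_frame(dst_mac: str, src_mac: str, vlan_tags, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet frame carrying zero or more stacked 802.1Q tags.

    vlan_tags is listed outermost first. Each tag is the TPID (0x8100) followed
    by the TCI, whose low 12 bits are the VLAN ID (PCP and DEI left at zero).
    """
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    for vid in vlan_tags:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def outer_tag(frame: bytes):
    """Return the outermost VLAN ID, or None if the frame is untagged."""
    if struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


def strip_outer_tag(frame: bytes) -> bytes:
    """Remove the outermost 4-byte 802.1Q tag."""
    return frame[:12] + frame[16:]


def push_tag(frame: bytes, vid: int) -> bytes:
    """Prepend an 802.1Q tag for vid in front of whatever follows the MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def switch_a_access_to_trunk(frame: bytes, access_vlan: int, native_vlan: int, tag_native: bool = False):
    """Switch A: a frame arrives on an access port in access_vlan and leaves on the trunk.

    Assumed (simplified) behaviour: a frame that arrives already tagged with the
    port's own VLAN is accepted and that tag consumed; any other tag is dropped.
    On trunk egress, native-VLAN traffic is sent untagged unless the trunk is
    configured to tag the native VLAN. Returns the bytes as seen on the trunk,
    or None if the frame was dropped.
    """
    vid = outer_tag(frame)
    if vid is not None:
        if vid != access_vlan:
            return None
        frame = strip_outer_tag(frame)  # consumed; any inner tag is now outermost
    if access_vlan == native_vlan and not tag_native:
        return frame  # sent untagged: a leftover inner tag is what the peer will read
    return push_tag(frame, access_vlan)


def switch_b_trunk_ingress(frame: bytes, native_vlan: int) -> int:
    """Switch B: classify a frame received on the trunk. Tagged -> that VLAN; untagged -> native."""
    vid = outer_tag(frame)
    return native_vlan if vid is None else vid


def delivered_vlan(attacker_vlan: int, target_vlan: int, native_vlan: int, tag_native: bool = False):
    """VLAN on which switch B delivers a double-tagged frame sent from the attacker's access port."""
    frame = build_frame(
        "ffffffffffff", "020000000001",  # constructed broadcast dst, locally administered src
        [attacker_vlan, target_vlan],     # outer tag = attacker's own VLAN, inner tag = target
        0x0800, b"constructed payload",
    )
    on_trunk = switch_a_access_to_trunk(frame, attacker_vlan, native_vlan, tag_native)
    if on_trunk is None:
        return None
    return switch_b_trunk_ingress(on_trunk, native_vlan)


if __name__ == "__main__":
    # Attacker on VLAN 1, trunk native VLAN 1 sent untagged: the frame lands in VLAN 10.
    print("native=1, untagged:", delivered_vlan(1, 10, 1))
    # Attacker not in the native VLAN: the frame stays in its own VLAN 20.
    print("attacker on 20, native=1:", delivered_vlan(20, 10, 1))
    # Native VLAN moved to an unused ID: stays in VLAN 1.
    print("native=999:", delivered_vlan(1, 10, 999))
    # Native VLAN tagged on the trunk (the 'vlan dot1q tag native' style setting): stays in VLAN 1.
    print("native=1, tagged:", delivered_vlan(1, 10, 1, tag_native=True))
```

The hop only works in the direction attacker to target, since the host in VLAN 10 has no way to build a frame that comes back out the same way; that is still enough to deliver packets to a host on the "inside" of a firewall that separates its sides only by VLAN, which is the bypass Glenn's message warns about. The two hardened configurations in the model are the usual countermeasures: give every trunk a native VLAN that no access port uses, and tag native-VLAN traffic on the trunk so no frame ever crosses it untagged.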
Current thread:
- Untrusted VLANs on Core Gear jkaftan (Feb 07)
- <Possible follow-ups>
- Re: Untrusted VLANs on Core Gear Glenn Forbes Fleming Larratt (Feb 07)
- Re: Untrusted VLANs on Core Gear HALL, NATHANIEL D. (Feb 07)
- Re: Untrusted VLANs on Core Gear John Ladwig (Feb 07)
- Re: Untrusted VLANs on Core Gear Raw, Randy (Feb 08)
- Re: Untrusted VLANs on Core Gear Michael Sinatra (Feb 08)
- Re: Untrusted VLANs on Core Gear David C. Smith (Feb 08)
- Re: Untrusted VLANs on Core Gear David LaPorte (Feb 08)
- Re: Untrusted VLANs on Core Gear jkaftan (Feb 08)
- Re: Untrusted VLANs on Core Gear David Gillett (Feb 12)