Firewall Wizards mailing list archives

Re: VLANs as a security barrier (oh no, not again!)


From: Chris Cappuccio <chris () empnet com>
Date: Fri, 5 May 2000 15:44:36 -0700 (PDT)

On Mon, 1 May 2000, Bennett Todd wrote:

 | It's been discussed many times, and I've solidly held the side that
 | VLANs are a performance hack, not a security barrier.
 | 
 | But I think I may have found a setting where they might reasonably
 | work, and if so they'd for sure be bodaciously helpful in this
 | application.
 | 

You mean, like a co-location facility? ;)

There are several ways to use VLANs.  Most are for performance, only one is
useful for security.  Learning VLANs where stations can automatically make
themselves part of a particular VLAN are obviously not useful for
security.  Static VLANs where each port in a switch is forced to be part of a
particular VLAN are what you require to achieve security.  

Even with static VLANs, some switches allow VLAN tagged packets from any port
to reach the VLAN trunk port.  This defeats security because anyone can
pretend to be part of any VLAN.  I think older Cisco switches do this, or
incorrectly configured Cisco switches do this???  

 | In a discussion on another list, it emerged that it can be an
 | amazing help to park a really _really_ tightly-secured bastion host
 | on every last LAN on a large and complex net, specifically for
 | providing services to various network boxes on those LANs --- config
 | download for routers and switches, logging, time sync, whatever.
 | 
 | Naturally the ideal solution would be if you could buy a card for a
 | cheap PC that gave you say 32 or more 10baseT ports. Sadly you
 | can't:-).
 | 
 | But what if you set up a bastion with a few quad 100BaseT Znyx cards
 | in it, and ran 802.1Q for VLANs over all of them to switches. The
 | picture here is that the bastion wouldn't be routing between these
 | VLANs; it'd just use them to be locally present on every LAN.
 | 

This is exactly what the vlan(4) interface in OpenBSD 2.7 allows you to do..
(ported from FreeBSD..but the FreeBSD one isn't quite as useful as I've fixed
some bugs which the FreeBSD author has ignored)

 | Anybody know if any existing switch can do this? With this approach,
 | a switch could act like a box-o-ports, and the 100BaseT 802.1Q port
 | could act like a high-density port for placing a zillion interfaces
 | on a box.
 | 

Any switch that supports IEEE 802.1Q explicitly (like the Cisco Catalyst
Enterprise switches) will work....

-chris
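
Worked illustration, added to this archive page and not part of the thread (it is not OpenBSD's vlan(4) code nor any Cisco logic): the Python below models the two switch-side points Chris makes (VLAN membership must come from a static per-port table, and a tag arriving on an access port must never be honoured) and the host-side behaviour Bennett wants, where one trunk NIC is demultiplexed into per-VLAN pseudo-interfaces the way vlan(4) does. The port table, the parent interface name `fxp0`, the `vlanN` names and the sample frames are all constructed assumptions.

```python
import struct
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed static-VLAN port table for a hypothetical switch (an assumption, not a real device).
# Access ports belong to exactly one VLAN and must ignore any tag the station sends;
# the trunk port carries tagged frames only for the VLANs it is allowed to carry.
PORT_CONFIG: Dict[int, dict] = {
    1: {"mode": "access", "vlan": 10},
    2: {"mode": "access", "vlan": 20},
    24: {"mode": "trunk", "allowed": {10, 20, 30}},
}

# Constructed host-side table in the spirit of vlan(4): one pseudo-interface per VLAN
# on top of an assumed parent NIC (interface names are assumptions).
PARENT_IF = "fxp0"
HOST_VLANS: Dict[int, str] = {10: "vlan0", 20: "vlan1", 30: "vlan2"}


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II header and, if present, its 802.1Q tag.

    The tag sits between the source MAC and the EtherType: 0x8100, then a 16-bit TCI
    holding PCP (3 bits), DEI (1 bit) and VID (12 bits), then the real EtherType.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
            "pcp": None, "dei": None, "vid": None, "ethertype": ethertype}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    vid=tci & 0x0FFF, ethertype=inner_type)
    return info


def classify_ingress(port: int, frame: bytes) -> Tuple[str, Optional[int]]:
    """Assign an ingress frame to a VLAN the way a static-VLAN switch should.

    Returns (verdict, vlan_id). Membership comes only from the port table, never from
    anything the station put in the frame; a tag on an access port is the case the
    thread warns about and is dropped rather than honoured.
    """
    cfg = PORT_CONFIG.get(port)
    if cfg is None:
        return ("drop: unknown port", None)
    info = parse_frame(frame)
    if cfg["mode"] == "access":
        if info["tagged"]:
            return ("drop: tagged frame on access port", None)
        return ("accept", cfg["vlan"])
    # trunk port: only tagged frames, only for allowed VIDs
    if not info["tagged"]:
        return ("drop: untagged frame on trunk", None)
    if info["vid"] not in cfg["allowed"]:
        return ("drop: VLAN %d not allowed on trunk" % info["vid"], None)
    return ("accept", info["vid"])


def host_dispatch(frame: bytes) -> Optional[str]:
    """Host side: hand a frame from the trunk NIC to the pseudo-interface for its VID.

    Mirrors what vlan(4) does for a bastion that is present on every VLAN without
    routing between them. Untagged frames stay on the parent; unknown VIDs give None.
    """
    info = parse_frame(frame)
    if not info["tagged"]:
        return PARENT_IF
    return HOST_VLANS.get(info["vid"])


# Constructed sample frames: broadcast frames carrying an ARP EtherType and a zero payload.
_HDR = bytes.fromhex("ffffffffffff 001122334455")
_PAYLOAD = bytes(46)
UNTAGGED = _HDR + bytes.fromhex("0806") + _PAYLOAD
TAGGED_VID10 = _HDR + bytes.fromhex("8100 000a 0806") + _PAYLOAD       # PCP 0, VID 10
TAGGED_VID30_PCP3 = _HDR + bytes.fromhex("8100 601e 0806") + _PAYLOAD  # PCP 3, VID 30
TAGGED_VID99 = _HDR + bytes.fromhex("8100 0063 0806") + _PAYLOAD       # VID 99, not on trunk

if __name__ == "__main__":
    for port, frame in [(1, UNTAGGED), (1, TAGGED_VID10), (24, TAGGED_VID10),
                        (24, TAGGED_VID99), (24, UNTAGGED)]:
        print("port %2d -> %s" % (port, classify_ingress(port, frame)))
    for frame in (UNTAGGED, TAGGED_VID30_PCP3, TAGGED_VID99):
        print("host    -> %s" % host_dispatch(frame))
```

The check to take away is the one in `classify_ingress` for access ports: a switch that instead trusts the station's tag has turned a static VLAN back into a learning one, which is the failure Chris describes.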
