Firewall Wizards mailing list archives

Re: Vlan's as effective security measures?


From: John Hall <jhall () ptavvs net>
Date: Wed, 11 Feb 2004 17:55:03 -0800

I'm sorry, but most of my recent experience is with Extreme, Cisco 4xxx
and 65xx, and HP Procurve switches.  We don't have any of the switches
you list to experiment upon.

JMH

avraham shir-el (arthur sherman) wrote:

hi john,
do you know to what extent the problems you mention are relevant
for the Cisco 2900xl, 3500xl and 2950 switches.
i'm aware of the config sec weaknesses on these switches, but not aware of
the extent to which the other issues are problems on these particular switches.
tnx
ams

> FROM - John Hall <jhall () ptavvs net>
> WHEN - 9 February 2004, 12:52
> SUBJ - Re: [fw-wiz] Vlan's as effective security measures?
> TO   - LWare () e-one com, firewall-wizards () honor icsalabs com
>
> 1.  A surprising number of network devices' VLAN implementations
>     will leak packets between VLANs under heavy loads, or in some
>     cases randomly all the time.
> 2.  Some switches have a single forwarding database which includes
>     VLAN tags and a host presenting a carefully chosen MAC address
>     can sometimes hijack traffic for a host on another VLAN.
> 3.  Some switches flood ARP requests across VLANs.
> 4.  Some switches flood all traffic under heavy load.
> 5.  Few switches and routers have adequate configuration security.
>
> Don't depend on VLANs to guarantee the separation of two networks
> that *must* be separated.  Your security is only as good as the
> weakest element in your infrastructure and the security of most
> switches (and to a lesser extent routers) is pretty weak.
>
> JMH
>
> Ware, Larry wrote:
>
> > Forgive a long out of field, and now working on getting back up to speed
> > firewall admin, but would someone care to educate me concerning the security
> > issues related to VLAN's? I have lots of them, and need to know why a VLAN
> > is not an effective adjunct to firewall and router security policies.
> > -larry
> >
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
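The first three weaknesses in John Hall's quoted list (frames leaking between VLANs, a single forwarding database that lets one MAC address show up on several VLANs, and ARP requests flooded across VLANs) are things an operator can look for on a monitor port. The following script is an added example, not code from the thread or from any switch vendor; it parses 802.1Q-tagged Ethernet frames and reports those three symptoms. The frames, the VLAN-to-subnet map and the set of VLANs the monitor port is expected to carry are all constructed for the example.

```python
"""Offline audit of 802.1Q-tagged frames captured from a switch monitor port.

Added example (not from the mailing-list thread). Flags three symptoms of weak
VLAN separation: frames tagged with a VLAN the port should not carry ("leak"),
a source MAC observed on more than one VLAN ("mac-multi-vlan"), and an ARP
request whose target address is outside the VLAN's own subnet ("arp-cross-vlan").
"""
import ipaddress
import struct
from collections import defaultdict

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800

# Constructed policy for the example: which subnet lives on each VLAN and
# which VLANs the monitor port was configured to carry.
VLAN_SUBNETS = {
    10: ipaddress.ip_network("10.0.10.0/24"),
    20: ipaddress.ip_network("10.0.20.0/24"),
}
ALLOWED_VLANS = {10}

BROADCAST = b"\xff" * 6
MAC_A = bytes.fromhex("020000000001")  # constructed, locally administered
MAC_B = bytes.fromhex("020000000002")
MAC_C = bytes.fromhex("020000000003")


def build_frame(dst, src, vlan, ethertype, payload):
    """Build an 802.1Q-tagged Ethernet frame (constructed sample input)."""
    tci = vlan & 0x0FFF  # priority 0, DEI 0, 12-bit VLAN ID
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Minimal Ethernet/IPv4 ARP request body (28 bytes)."""
    header = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)  # opcode 1 = request
    return (header + sender_mac + ipaddress.ip_address(sender_ip).packed
            + b"\x00" * 6 + ipaddress.ip_address(target_ip).packed)


def parse_frame(frame):
    """Return (dst, src, vlan, ethertype, payload); vlan is None when untagged."""
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETHERTYPE_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]
    return dst, src, None, etype, frame[14:]


def audit(frames):
    """Return a list of (frame_index, finding_kind, detail) for suspicious frames."""
    findings = []
    vlans_by_mac = defaultdict(set)  # source MAC -> VLANs it has been seen on
    for i, frame in enumerate(frames):
        _dst, src, vlan, etype, payload = parse_frame(frame)
        if vlan is None:
            continue  # untagged traffic is outside the scope of this check
        if vlan not in ALLOWED_VLANS:
            findings.append((i, "leak",
                             f"VLAN {vlan} frame on a port carrying only {sorted(ALLOWED_VLANS)}"))
        seen = vlans_by_mac[src]
        if seen and vlan not in seen:
            findings.append((i, "mac-multi-vlan",
                             f"{src.hex(':')} previously on VLANs {sorted(seen)}, now on {vlan}"))
        seen.add(vlan)
        if etype == ETHERTYPE_ARP and len(payload) >= 28:
            opcode = struct.unpack("!H", payload[6:8])[0]
            target_ip = ipaddress.ip_address(payload[24:28])
            subnet = VLAN_SUBNETS.get(vlan)
            if opcode == 1 and subnet is not None and target_ip not in subnet:
                findings.append((i, "arp-cross-vlan",
                                 f"ARP request for {target_ip} seen on VLAN {vlan} ({subnet})"))
    return findings


def sample_frames():
    """Constructed capture: one clean frame, then the three symptoms, then an untagged frame."""
    return [
        build_frame(BROADCAST, MAC_A, 10, ETHERTYPE_ARP,
                    build_arp_request(MAC_A, "10.0.10.5", "10.0.10.1")),   # clean
        build_frame(MAC_C, MAC_B, 20, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),  # leak
        build_frame(MAC_C, MAC_A, 20, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),  # leak + MAC on 2 VLANs
        build_frame(BROADCAST, MAC_A, 10, ETHERTYPE_ARP,
                    build_arp_request(MAC_A, "10.0.10.5", "10.0.20.1")),   # ARP across VLANs
        MAC_C + MAC_B + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19,  # untagged
    ]


if __name__ == "__main__":
    for index, kind, detail in audit(sample_frames()):
        print(f"frame {index}: {kind}: {detail}")
```

On a real capture the frames would come from a monitor (SPAN/mirror) port via a pcap reader rather than from `sample_frames()`; the parser and the three checks stay the same. A single "leak" hit under load is exactly the symptom the first item in the list describes, and a MAC address appearing on two VLANs is worth correlating against the switch's forwarding table before assuming it is benign.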