Firewall Wizards mailing list archives
RE: Re: Vlan's as effective security measures?
From: <hugh_fraser () dofasco ca>
Date: Fri, 13 Feb 2004 11:58:51 -0500
Regardless of the VLAN technology chosen, the basic reason for investing in this kind of technology is to manage bandwidth and isolate traffic, not provide security. As such, the vendors haven't invested a lot in security. But beyond that, there are basic authentication issues that make it difficult to implement a strong security solution based upon VLANs. Policies controlling access to VLANs depend upon some method of identifying the client, and it's usually either a MAC address or a switch port. MAC addresses are readily obtained and almost as easily forged as IP addresses, allowing access to a MAC-based VLAN. Port-based identification relies on restricted access to the ports themselves, or to the drop connected to the port. In both cases, bypassing the VLAN security isn't something that happens by accident, but if you're concerned about security you're planning for malicious activity. Newer technologies can do stronger authentication at the port, but aren't widely used. And it's possible to configure most networking infrastructure to alert you to unexpected changes if they occur, but this information is rarely incorporated into a security auditing system, and generally goes unnoticed except by the network group when they're debugging problems. It requires extra diligence to ensure that VLANs provide anywhere near the security most people expect. In my experience, this extra diligence doesn't happen, and VLANs are incorrectly understood to provide secure channels.
-----Original Message-----
From: Brian Ford [mailto:brford () cisco com]
Sent: Thursday, February 12, 2004 1:14 PM
To: firewall-wizards () honor icsalabs com
Cc: jhall () ptavvs net; Ware, Larry
Subject: Re: Re: [fw-wiz] Vlan's as effective security measures?

John,

And cars crash and cars burn and people are dying in cars all the time. And cars can be made to carry disease and explosives and kill many people with just one car and driver! So let's all abandon our cars and start walking to work every morning. If we're late the boss will understand because cars are dangerous. ;-)

You should probably research the switch that you buy and use in order to make sure that it doesn't do these things. Your mileage may vary!

Liberty for All,

Brian

At 12:00 PM 2/10/2004 -0500, firewall-wizards-request () honor icsalabs com wrote:

Message: 4
Date: Mon, 09 Feb 2004 12:52:31 -0800
From: John Hall <jhall () ptavvs net>
To: "Ware, Larry" <LWare () e-one com>
Cc: "'firewall-wizards () honor icsalabs com'" <firewall-wizards () honor icsalabs com>
Subject: Re: [fw-wiz] Vlan's as effective security measures?

1. A surprising number of network devices' VLAN implementations will leak packets between VLANs under heavy loads, or in some cases randomly all the time.
2. Some switches have a single forwarding database which includes VLAN tags, and a host presenting a carefully chosen MAC address can sometimes hijack traffic for a host on another VLAN.
3. Some switches flood ARP requests across VLANs.
4. Some switches flood all traffic under heavy load.
5. Few switches and routers have adequate configuration security.

Don't depend on VLANs to guarantee the separation of two networks that *must* be separated. Your security is only as good as the weakest element in your infrastructure, and the security of most switches (and to a lesser extent routers) is pretty weak.

JMH

Ware, Larry wrote:

Forgive a long out of field, and now working on getting back up to speed firewall admin, but would someone care to educate me concerning the security issues related to VLAN's? I have lots of them, and need to know why a VLAN is not an effective adjunct to firewall and router security policies.

-larry

Brian Ford
Consulting Engineer, Security & Integrity Specialist
Office of Strategic Technology Planning
Cisco Systems Inc.
http://www.cisco.com/go/safe/
The opinions expressed in this message are those of the author and not necessarily those of Cisco Systems, Inc. This email address is transmitted from San Jose, California, U.S.A.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
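Hugh's point that switches can be configured to report unexpected changes, but that those reports rarely reach a security audit, is the part of this thread a defender can act on directly. The script below is an added example, not code from the original post or from any of the posters: it takes switch syslog lines and an asset baseline (which switch, port and VLAN each known MAC is authorized on) and turns MAC-move and configuration-change messages into security alerts. The log lines are constructed samples in a Cisco-IOS-like format; the message formats, the regexes, the baseline and the severity levels are all assumptions to be adapted to the platform actually deployed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample syslog lines in a Cisco-IOS-like format (sample data, not real captures).
# The exact message formats are an assumption; adapt the regexes to the platform you run.
SAMPLE_LOGS: List[str] = [
    "Feb 13 11:40:02 sw-core1 %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 20 "
    "is flapping between port Gi1/0/7 and port Gi1/0/19",
    "Feb 13 11:40:05 sw-core1 %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 20 "
    "is flapping between port Gi1/0/19 and port Gi1/0/7",
    "Feb 13 11:41:10 sw-edge3 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up",
    "Feb 13 11:41:12 sw-edge3 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.50)",
    "Feb 13 11:42:00 sw-edge3 %SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bbcc.ddee in vlan 30 "
    "is flapping between port Gi1/0/12 and port Gi1/0/3",
]

# Assumed asset baseline (constructed): the switch, port and VLAN each known MAC is authorized on.
BASELINE: Dict[str, Tuple[str, str, int]] = {
    "0011.2233.4455": ("sw-core1", "Gi1/0/7", 20),
    "00aa.bbcc.ddee": ("sw-edge3", "Gi1/0/3", 40),
}

_TS = r"(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
FLAP_RE = re.compile(
    _TS + r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)$"
)
CONFIG_RE = re.compile(_TS + r"%SYS-5-CONFIG_I: Configured from (?P<source>.+)$")


def analyze(lines: List[str], baseline: Dict[str, Tuple[str, str, int]]) -> List[dict]:
    """Turn switch syslog lines into security alerts, judged against the asset baseline."""
    alerts: List[dict] = []
    seen_flaps = set()  # a switch reports each pair twice (A<->B, then B<->A); report it once
    for line in lines:
        m = FLAP_RE.match(line)
        if m:
            mac, vlan = m["mac"], int(m["vlan"])
            ports = frozenset((m["p1"], m["p2"]))
            key = (m["host"], mac, vlan, ports)
            if key in seen_flaps:
                continue
            seen_flaps.add(key)
            expected = baseline.get(mac)
            if expected is None:
                severity, reason = "high", "unknown MAC address flapping between two ports"
            elif expected[0] != m["host"] or expected[2] != vlan:
                # A known station showing up in a VLAN (or on a switch) it is not authorized for
                severity = "high"
                reason = (f"MAC authorized on {expected[0]} {expected[1]} VLAN {expected[2]} "
                          f"but learned on {m['host']} VLAN {vlan}")
            elif expected[1] in ports:
                # Authorized port plus a second one: a duplicated address or a loop
                severity = "medium"
                reason = "authorized MAC also seen on a second port (possible duplicate address or loop)"
            else:
                severity = "high"
                reason = f"MAC authorized on port {expected[1]} but seen on {sorted(ports)}"
            alerts.append({"ts": m["ts"], "switch": m["host"], "kind": "mac_flap",
                           "mac": mac, "vlan": vlan, "ports": sorted(ports),
                           "severity": severity, "reason": reason})
            continue
        m = CONFIG_RE.match(line)
        if m:
            # Configuration changes belong in the security audit trail, not only the network team's log
            alerts.append({"ts": m["ts"], "switch": m["host"], "kind": "config_change",
                           "severity": "medium",
                           "reason": f"switch configuration changed from {m['source']}"})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS, BASELINE):
        print(f"[{a['severity']:<6}] {a['ts']} {a['switch']} {a['kind']}: {a['reason']}")
```

The baseline is what makes this more than a log filter: a MAC flap on its own is a network-debugging event, but a known station appearing in a VLAN its inventory record does not allow is the kind of change the post says goes unnoticed. In practice the baseline would come from the asset inventory or a periodic dump of the switches' MAC tables, and the alerts would be fed to whatever the security team already watches rather than left in the switch log.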