Vulnerability Development mailing list archives
Re: Vlans
From: Tony Soprano <almazana () MEDIAONE NET>
Date: Thu, 18 Jan 2001 05:32:21 -0500
Tim Salus wrote:
I am not certain if this is the place to ask this, and if not please let me know where to send it. I have a client who has the following configuration:

Internet -> router -> firewall -> load balancer

The connection from the router to the firewall is on a switch, and the connection from the inside interface of the firewall is on the same switch. The separation is done using VLANs. I was taught this is bad due to 802.1q tagging and VLAN hopping using tagged packets. The problem is I can find very little information on this to prove my point. Also, what if there is no 802.1q trunking being done? Is there still a problem with this? Is there an exploit to get around the firewall and do server flooding by jumping VLANs? No one can get on the firewall segment, so what I need to know is: can anyone on the internet cause a problem with this type of configuration?

Thanks in advance,
Timothy L. Salus
Remember that a VLAN can be viewed as a separate subnet. Since you must route between subnets via layer three, so too must you do between VLANs. Remember that the switch (with either 802.1q or ISL) will strip off the VLAN header info, and typically will not pass trunk info over non-trunk configured ports. Since the firewall interface is isolated, the firewall will make the packet forwarding decision based on your rule set.

Since the only real players that are involved are the interfaces themselves, you can narrow down the host bits to 30 bits in some cases, so that no other hosts can spoof themselves into that VLAN/subnet. If you are diligent about security, and have multiple layers of ACLs starting at Area 0, you can pretty much dictate which machines will participate in your VLAN implementation.

Alex R. Almazan
TAOS
5 Cambridge Center
Cambridge MA 02142
aalmazan () taos com
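The reply's two concrete points are that a non-trunk (access) port does not honour 802.1Q tags and strips them on the way out, and that a /30 leaves room for only the two interfaces. The following Python model is an added example, not part of the original thread or of any switch vendor's code; it parses Ethernet II frames with an optional 802.1Q tag and models one conservative access-port policy (tagged frames arriving on an access port are dropped, frames leaving it are always untagged). Real switches differ in the details (some accept a tagged frame whose VID equals the port's own VLAN), so the policy encoded here is an assumption chosen to match the behaviour the reply describes, and the MAC addresses and payload in the test are constructed sample values.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETH_P_8021Q = 0x8100   # EtherType announcing an 802.1Q tag
ETH_P_IP = 0x0800      # EtherType of an IPv4 payload


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]   # VLAN ID from the 802.1Q tag, None if untagged
    ethertype: int       # EtherType of the payload (inner type if tagged)
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, recognising a single 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype == ETH_P_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, inner = struct.unpack("!HH", raw[14:18])
        return Frame(dst, src, tci & 0x0FFF, inner, raw[18:])  # low 12 TCI bits = VID
    return Frame(dst, src, None, ethertype, raw[14:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None) -> bytes:
    """Serialise a frame, inserting an 802.1Q tag (PCP 0, DEI 0) if vid is given."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HHH", ETH_P_8021Q, vid & 0x0FFF, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def access_port_ingress(raw: bytes, port_vlan: int) -> Optional[Tuple[int, Frame]]:
    """Model an access (non-trunk) port receiving a frame.

    Untagged frames are assigned the port's configured VLAN; the sender
    never gets to choose. Tagged frames are not honoured on an access port;
    this model drops them (assumed policy), returning None.
    """
    frame = parse_frame(raw)
    if frame.vid is not None:
        return None
    return port_vlan, frame


def access_port_egress(vlan: int, frame: Frame, port_vlan: int) -> Optional[bytes]:
    """Model an access port transmitting: only frames belonging to the port's
    VLAN leave it, and they leave with the 802.1Q header stripped."""
    if vlan != port_vlan:
        return None
    return build_frame(frame.dst, frame.src, frame.ethertype, frame.payload, vid=None)


def point_to_point_hosts(cidr: str) -> int:
    """Number of usable host addresses in a prefix; a /30 leaves exactly two,
    one per interface, which is the 30-bit narrowing the reply refers to."""
    return sum(1 for _ in ipaddress.ip_network(cidr).hosts())


if __name__ == "__main__":
    # Constructed sample frames: broadcast destination, arbitrary source MAC.
    dst, src = b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55"
    untagged = build_frame(dst, src, ETH_P_IP, b"\x45" + b"\x00" * 19)
    tagged = build_frame(dst, src, ETH_P_IP, b"\x45" + b"\x00" * 19, vid=20)
    print("untagged on access port VLAN 10 ->", access_port_ingress(untagged, 10))
    print("tagged VID 20 on access port VLAN 10 ->", access_port_ingress(tagged, 10))
    print("usable hosts in 192.0.2.0/30 ->", point_to_point_hosts("192.0.2.0/30"))
```

Running it shows that the VLAN a frame lands in is decided by the port configuration, not by anything the sender puts on the wire, and that egress from an access port never carries a tag; both are the properties the reply relies on when it says the firewall, not the switch, ends up making the forwarding decision.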