Security Basics mailing list archives
RE: VLAN Question
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 20 Aug 2003 09:44:07 -0700
It's clearly indicated by numerous sources including SAN's and some penetration testing outfits that VLAN's can be compromised.
Therefore, it's not a reliable security measure. On the other hand, I've seen it at a number of sites. Few places seem to be willing to dedicate a whole switch, cut off from their switch management VLAN, to provide 3-5 ports for an Internet segment. It's so much easier and cheaper to borrow the needed ports from an existing switch that's already part of the infrastructure. This is a good example of compromise on risk. While it's not completely reliable, an awful lot of enterprises judge the risk of compromise by this route to be low enough to justify the cost savings. (My impression -- and I haven't reviewed this lately -- is that most of the VLAN compromise techniques are much easier to do from inside the local network, and so there's little reason to target the Internet segment VLAN in preference over something more sensitive.) David Gillett
-----Original Message----- From: Steven Williams [mailto:Steven.Williams () computershare com au] Sent: August 20, 2003 00:09 To: Security-basics () securityfocus com Subject: VLAN Question Hi all, I'm after some opinions of yours and your companies policy regarding the use of VLAN's as a method of isolating the internet to internal VLAN's on the same physical layer 2 / 3 switch and access controlled by ACL's or firewalls. Would you or your company allow this, relying on permanant FDB entries, disabled MAC learning ability, Layer 2 VLAN only, no routing or IP forwarding enabled or purely stick with a physical isolation of a separate switch etc. I've been told that Extreme switches implement VLAN's in hardware ASICs and are not vulnerable to the compromises and denial of service attacks that other vendors may be due to VLANs implemented in software. It's clearly indicated by numerous sources including SAN's and some penetration testing outfits that VLAN's can be compromised. Any feedback would be greatly appreciated.... Steve Steve Williams Communications Support Engineer Computershare Technology Services Melbourne Australia steven.williams () computershare com au +61 3 9235 5651 www.computershare.com --- This email and any files transmitted with it are solely intended for the use of the addressee(s) and may contain information that is confidential and privileged. If you receive this email in error, please advise us by return email immediately. Please also disregard the contents of the email, delete it and destroy any copies immediately. Computershare Limited and its subsidiaries do not accept liability for the views expressed in the email or for the consequences of any computer viruses that may be transmitted with this email. This email is also subject to copyright. No part of it should be reproduced, adapted or transmitted without the written consent of the copyright owner. -------------------------------------------------------------- ------------- -------------------------------------------------------------- --------------
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- VLAN Question Steven Williams (Aug 20)
- RE: VLAN Question David Gillett (Aug 20)
- Re: VLAN Question Bennett Todd (Aug 20)
- RE: VLAN Question David Gillett (Aug 21)
- Re: VLAN Question Bennett Todd (Aug 21)
- RE: VLAN Question David Gillett (Aug 21)
- RE: VLAN Question David Gillett (Aug 21)
- <Possible follow-ups>
- RE: VLAN Question Meidinger Chris (Aug 22)
- RE: VLAN Question David Gillett (Aug 25)