RE: VLAN Question

["David Gillett" <gillettdavid () fhda edu>]

> It's clearly indicated by numerous sources including SAN's and some
> penetration testing outfits that VLAN's can be compromised. 

  Therefore, it's not a reliable security measure.

  On the other hand, I've seen it at a number of sites.  Few places 
seem to be willing to dedicate a whole switch, cut off from their
switch management VLAN, to provide 3-5 ports for an Internet segment.
It's so much easier and cheaper to borrow the needed ports from an
existing switch that's already part of the infrastructure.

  This is a good example of compromise on risk.  While it's not
completely reliable, an awful lot of enterprises judge the risk
of compromise by this route to be low enough to justify the cost
savings.

  (My impression -- and I haven't reviewed this lately -- is that
most of the VLAN compromise techniques are much easier to do from
inside the local network, and so there's little reason to target 
the Internet segment VLAN in preference over something more sensitive.)

David Gillett


> -----Original Message-----
> From: Steven Williams [mailto:Steven.Williams () computershare com au]
> Sent: August 20, 2003 00:09
> To: Security-basics () securityfocus com
> Subject: VLAN Question
>
>
> Hi all,
>
> I'm after some opinions of yours and your companies policy 
> regarding the use
> of VLAN's as a method of isolating the internet to internal 
> VLAN's on the
> same physical layer 2 / 3 switch and access controlled by ACL's or
> firewalls. 
>
> Would you or your company allow this, relying on permanant 
> FDB entries,
> disabled MAC learning ability, Layer 2 VLAN only, no routing or IP
> forwarding enabled or purely stick with a physical isolation 
> of a separate
> switch etc. 
>
> I've been told that Extreme switches implement VLAN's in 
> hardware ASICs and
> are not vulnerable to the compromises and denial of service 
> attacks that
> other vendors may be due to VLANs implemented in software.
>
> It's clearly indicated by numerous sources including SAN's and some
> penetration testing outfits that VLAN's can be compromised. 
>
> Any feedback would be greatly appreciated....
>
> Steve
>
> Steve Williams 
> Communications Support Engineer
> Computershare Technology Services
> Melbourne Australia
> steven.williams () computershare com au
> +61 3 9235 5651
>
> www.computershare.com
>  
>  
>
>
> ---
> This email and any files transmitted with it are solely 
> intended for the use of the addressee(s) and may contain 
> information that is confidential and privileged.  If you 
> receive this email in error, please advise us by return email 
> immediately.  Please also disregard the contents of the 
> email, delete it and destroy any copies immediately.
> Computershare Limited and its subsidiaries do not accept 
> liability for the views expressed in the email or for the 
> consequences of any computer viruses that may be transmitted 
> with this email.
> This email is also subject to copyright.  No part of it 
> should be reproduced, adapted or transmitted without the 
> written consent of the copyright owner.
>
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------