RE: VLAN Question

[Meidinger Chris <chris.meidinger () badenit de>]

Remember the time when switched networking was a new and up-and-coming cool
thing? Remeber those rows upon rows of AUI ports or 10Base2 connections all
connnected to hunking brown hubs? Remember replacing then with one 48 port
switch and 2 HE's worth of twisted pair jacks? Well at that time switches
*were* massively more expensive than hubs. And the VLAN *was* intended to
let you buy one big hunking switch and run several subnets off of it. This
had nothing to do with big switches v. little switches, but rather with big
switches v. big hubs.

As far as the next mail, Todd said that it was true at the time that a bit
of broadcast leakage wasn't a big deal. He didn't say that in today's
security conscious environment nobody would care. The VLAN was not a
security invention, it was an invention designed to utilize switches fully
at a time when that technology was significantly more expensive. And in that
enviroment one silly little broadcast packet too many wasn't really worrying
anyone (much).

This is not a flame, but i had to defend the guy.

Cheers,

Chris

badenIT GmbH
System Support
 
Chris Meidinger
Tullastrasse 70
79108 Freiburg


-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Thursday, August 21, 2003 2:30 AM
To: 'Bennett Todd'; 'Steven Williams'
Cc: Security-basics () securityfocus com
Subject: RE: VLAN Question


> Originally, VLANs were created solely to help mitigate the very high
> cost of early switches. Switches were being sold in multiples of 16
> or 32 ports, and they were vastly more expensive than hubs. To help
> people get the most out of their switch investments, VLANs allowed
> partitioning broadcast domains, to buy the performance advantages of
> switch isolation while allowing multiple smaller networks to be
> implemented on the same expensive switch. 

  I can't buy this.  Although several cascaded hubs get you the 
equivalent of one big hub, switches do not combine the same way.
I don't think there was ever a time when a chassis switch with four
12-port cards cost less than four separate 12-port switches.
  And if all VLANs did was allow your one big expensive switch to
emulate a stack of cheap little switches, almost nobody would ever
use them.

  Where partitioning of switches into VLANs starts to pay off is 
where you have (a) trunking of multiple VLANs from switch to switch,
and (b) router blades for switch chasses, to route between VLANs.
Now you can deploy a layer 3 topology that doesn't look anything 
like your layer 2 topology, and you can provide redundant linkage
via spanning tree instead of HSRP or even OSPF.

David Gillett


> -----Original Message-----
> From: Bennett Todd [mailto:bet () rahul net]
> Sent: August 20, 2003 09:51
> To: Steven Williams
> Cc: Security-basics () securityfocus com
> Subject: Re: VLAN Question
>
>
> 2003-08-20T03:09:24 Steven Williams:
> > I'm after some opinions of yours and your companies policy
> > regarding the use of VLAN's as a method of isolating the internet
> > to internal VLAN's on the same physical layer 2 / 3 switch and
> > access controlled by ACL's or firewalls.
>
> There are several sides to this question.
>
> Originally, VLANs were created solely to help mitigate the very high
> cost of early switches. Switches were being sold in multiples of 16
> or 32 ports, and they were vastly more expensive than hubs. To help
> people get the most out of their switch investments, VLANs allowed
> partitioning broadcast domains, to buy the performance advantages of
> switch isolation while allowing multiple smaller networks to be
> implemented on the same expensive switch. In this context, leakage
> between vlans wasn't an issue as long as the amount of leakage
> didn't cause a performance impact. vlans leaked. Minor leakage was
> not considered a problem by the vendors. They weren't designed as
> security partitions.
>
> Customers started pressing vendors, and they've responded. I've
> spoken with a Cisco engineer who said that properly, carefully
> configured, current switches with current CatOS were not believed to
> leak between vlans, and a finding that they could so leak would be
> treated as a priority security bug. Cool says I, this enables
> something I've wanted to have for some time. Combine switches with
> vlans that are secure and 802.1q trunking, and you can have a
> firewall with a ludicrous number of firewall ports --- it becomes
> practical to consider building a fully-firewalled fully-routed
> network, where every host has its own dedicated firewall port. Not
> for everybody, perhaps, but I can think of places where it'd be
> worth doing. Say, hotels offering network jacks in the rooms.
>
> But there's another issue to consider. Even if the vlan
> implementation is truly secure in the switch, sharing multiple vlans
> representing different security domains on the same switch means
> that a config error on that switch could compromise your isolation.
> Config errors happen. Config errors that don't overtly break
> anything are often not detected for a long time.
>
> Switches are cheap. Use multiple switches unless there's a really
> compelling engineering requirement to use multiple vlans on the same
> switch.
>
> -Bennett

---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------