Security Basics mailing list archives

RE: Firewall and VLAN security design


From: "Bryan S. Sampsel" <bsampsel () libertyactivist org>
Date: Wed, 3 Nov 2004 07:50:11 -0700 (MST)

Well, according to the articles, the weakness discovered in Cisco was the
default VLAN.  Change that, and your exploit goes out the window.  Sounds
like a default security setting issue.

I've seen references in the articles to "Cisco says their competitor has
the same problem" but not any tested instances.

If there are any Foundry Networks TAC guys on this list, I'd love to know if
they've discovered something similar.  Though, I usually set the default
VLAN ID to something different anyway.

But, at least with the first couple of articles, the default VLAN setting
appears to be the crux of the whole issue.  Fix that and VLANs perform
exactly like physically separate switches.

As to the issue of VLAN aware firewalls...I'd never take advantage of that
particular feature as I like simple, easily clamped down firewall
configurations.  But that's my particular philosophy.

Good info though regarding Cisco.  I'm going to file that away.  Thanks.

Sincerely,

Bryan S. Sampsel
LibertyActivist.org


Ivan Coric said:
I beg to differ: using VLANs to segregate your external and internal
network is a bad idea.

I don't think even Cisco recommends VLANs as a security mechanism.

http://www.sans.org/resources/idfaq/vlan.php

http://www.spirit.com/Network/net0103.html

http://www.terena.nl/conferences/tnc2003/programme/slides/s1c3.ppt

http://www.sans.org/rr/whitepapers/networkdevs/1090.php

http://www.google.com.au/search?q=vlan+hopping&hl=en&lr=&start=10&sa=N

cheers
Ivan
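The "default VLAN" weakness the two posters are arguing about is the 802.1Q double-tagging form of VLAN hopping, which only works when the attacker's access VLAN is also the untagged (native) VLAN of a trunk. The following is an added example, not code from either poster or from Cisco: a small Python model of two switches joined by a trunk. It builds a double-tagged frame, runs it through access-port ingress, trunk egress and trunk ingress, and reports which VLAN the frame lands in on the far switch. It assumes Cisco-style access-port behaviour (a frame tagged with the port's own access VLAN is accepted and the tag stripped) and that native-VLAN frames leave the trunk untagged unless native tagging is enabled; the MAC addresses, VLAN IDs and payload are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses for the example; not from the thread.
ATTACKER_MAC = bytes.fromhex("02000000aa01")
VICTIM_MAC = bytes.fromhex("02000000bb02")


def build_frame(dst, src, vlan_ids, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def pop_tag(frame):
    """Return (vid, frame without its outer tag), or (None, frame) if untagged."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != TPID_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def access_port_ingress(frame, access_vlan):
    """Cisco-style access port (assumed): untagged frames go into the access
    VLAN; a frame tagged with the access VLAN is accepted and its tag stripped;
    any other tag is dropped.  Returns (vlan, frame) or (None, None) on drop."""
    vid, stripped = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, stripped
    return None, None


def trunk_egress(vlan, frame, native_vlan, tag_native=False):
    """Frames in the native VLAN leave the trunk untagged unless native tagging
    is on (the equivalent of Cisco's 'vlan dot1q tag native'); all others get
    an 802.1Q tag with their VLAN ID."""
    if vlan == native_vlan and not tag_native:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """Far-side switch: a tagged frame belongs to the tagged VLAN, an untagged
    one to the native VLAN."""
    vid, stripped = pop_tag(frame)
    if vid is None:
        return native_vlan, frame
    return vid, stripped


def deliver(frame, access_vlan, native_vlan, tag_native=False):
    """Run a frame from an access port on switch 1 over the trunk into switch 2
    and return the VLAN it is delivered to there (None if dropped)."""
    vlan, f = access_port_ingress(frame, access_vlan)
    if vlan is None:
        return None
    f = trunk_egress(vlan, f, native_vlan, tag_native)
    vlan2, _ = trunk_ingress(f, native_vlan)
    return vlan2


def double_tag_attack(native_vlan, tag_native=False, attacker_vlan=1, target_vlan=20):
    """Attacker on an access port in attacker_vlan sends a frame tagged
    [attacker_vlan, target_vlan]; return the VLAN it reaches on switch 2."""
    frame = build_frame(VICTIM_MAC, ATTACKER_MAC, [attacker_vlan, target_vlan], b"hop")
    return deliver(frame, attacker_vlan, native_vlan, tag_native)


if __name__ == "__main__":
    print("native VLAN 1, untagged:  lands in VLAN", double_tag_attack(native_vlan=1))
    print("native VLAN 999:          lands in VLAN", double_tag_attack(native_vlan=999))
    print("native VLAN 1, tagged:    lands in VLAN", double_tag_attack(native_vlan=1, tag_native=True))
```

With the default native VLAN (1) the first switch strips the outer tag, the inner tag rides across the trunk as if it were the only one, and the frame is delivered into VLAN 20. Moving the native VLAN to an unused ID (here 999), or tagging the native VLAN on the trunk, makes the outer tag survive egress, so the far switch files the frame under the attacker's own VLAN and the inner tag stays buried in the payload. The model only covers this one hop; switch spoofing via DTP negotiation, which the linked papers also cover, is not modelled.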

