RE: Firewall and VLAN security design

[Jonathan Loh <kj6loh () yahoo com>]

Actually, I think cisco does.  It just depends on how you comprehend the
following statement.  Taken from the CCNA course curriculum Semester 3 module 8
overview.

"VLANs can enhance scalability, security, and network management. Routers in
VLAN topologies provide broadcast filtering, security, and traffic flow
management."

Strictly speaking "can enhance" does no mean the same as "does enhance".  

--- Ivan Coric <ivan.coric () workcoverqld com au> wrote:

> I beg to differ, using VLANs to segregate your external and internal
> network is a bad idea. 
>
> I don't think even Cisco recommends VLANs as a security mechanism
>
> http://www.sans.org/resources/idfaq/vlan.php 
>
> http://www.spirit.com/Network/net0103.html 
>
> http://www.terena.nl/conferences/tnc2003/programme/slides/s1c3.ppt 
>
> http://www.sans.org/rr/whitepapers/networkdevs/1090.php 
>
> http://www.google.com.au/search?q=vlan+hopping&hl=en&lr=&start=10&sa=N
>
> cheers
> Ivan
>
>
>
>
> Ivan Coric, CISSP
> IT Technical Security Officer
> Information Technology
> WorkCover Queensland
> Ph: (07) 30066414 Fax: (07) 30066424
> Email: ivan.coric () workcoverqld com au
>
> > > > "Bryan S. Sampsel" <bsampsel () libertyactivist org> 2/11/2004 2:56:11
> pm >>>
>
> > > Is VLAN segmentation enough to segment between the internet, DMZ
> and
> > > the internal network, or should I also use different switches for
> > > each, and be connected through the firewall.
> >
> >   This is a FAQ, and the usual answer is that no, VLAN separation is
> not
> > a robust security barrier, an separate switches are recommended where
> the
> > different subnets need separation for security reasons.
>
> Actually, if you don't offer up your management interface to the
> publicly
> accessible side of things, the VLAN separation makes things function
> exactly like a physically separate switch.  Without the routing
> between
> those VLANs, the traffic does not magically go from one VLAN to
> another
> and the ability to exploit/crack the switch is no greater than having
> a
> separate switch in place.  In fact, if you have a managed switch, and
> do
> not logically isolate your management interface/IP, you're opening up
> that
> standalone switch.
>
> If you're not crazy enough to put the management IP on the publicly
> accessible side, there is no risk unless you allow access through a
> firewall or other routing solution.  This is a fundamental concept of
> managed switches and VLANs.
>
> This is at least true of Foundry Networks and Cisco switches.  Mileage
> may
> vary.  ;)
>
> Sincerely,
>
> Bryan S. Sampsel
> LibertyActivist.org
> FNCNE
>
>
>
>
>
>
> ***************************************************************************
> Messages included in this e-mail and any of its attachments are those
> of the author unless specifically stated to represent WorkCover Queensland.
> The contents of this message are to be used for the intended purpose only and
> are to be kept confidential at all times.
> This message may contain privileged information directed only to the intended
> addressee/s. Accidental receipt of this information should be deleted
> promptly and the sender notified.
> This e-mail has been scanned by Sophos for known viruses.
> However, no warranty nor liability is implied in this respect.
> **********************************************************************



                
__________________________________ 
Do you Yahoo!? 
Check out the new Yahoo! Front Page. 
www.yahoo.com