Security Basics mailing list archives

RE: Layer 2 Switches


From: "Bryan S. Sampsel" <bsampsel () libertyactivist org>
Date: Tue, 5 Oct 2004 09:02:34 -0600 (MDT)

I'd say that how you configure a managed switch with multiple VLANs can
impact the risk.

For example, if you use an IP address, that resides in the DMZ or
accessible to the DMZ, for managing the switch, then yes, it becomes an
easy target.  However, if the only way for that VLAN to reach the IP of
the management module is to traverse your firewall, and you configure your
firewall correctly, you gain a configurable resource, not lose your
security profile.

For instance, if you isolate your management modules to a VLAN that
doesn't route out to anywhere, you can place a workstation to manage them
on the VLAN and no network traffic can get in or out.  There is no way to
crack that switch at that point.  It looks like a physically separate
switch in the DMZ at that point.

IMO,

Bryan


David Gillett said:
  That's a defensible choice, but not the most important one.

  The crucial thing is to get a switch small enough that you
don't mind putting *just* the DMZ on it.  With a larger or
fancier switch, there may be pressure to split it up with VLANs
and put some non-DMZ devices on it.

  Inter-VLAN security has often been found to be less than robust
on models from a variety of manufacturers.  If there's a trusted
VLAN on this switch, there's a risk that an attacker who gets
into your DMZ can compromise the switch and use it to get to your
trusted network.
  If all that's on the switch is the DMZ, all he can reach by
compromising the switch is the DMZ -- and if he can reach the
switch, he's already there.

  Yes, a managed switch may be subject to attacks that an unmanaged
one would shrug off.  But you can limit the potential for damage to
the rest of your network, and so whether the switch is managed or not
becomes a matter of choice.

David Gillett


-----Original Message-----
From: Andy Paton [mailto:andy.paton () gmail com]
Sent: Thursday, September 30, 2004 1:03 PM
To: security-basics () securityfocus com
Subject: Layer 2 Switches


Hi All

I'm building a new network & firewall implementation with a DMZ.

I need basic L2 switch functionality in the DMZ and between the
firewall. Should I avoid the more expensive switches with management,
as they have more potential for bugs/holes etc.?


Thoughts please,
Andy
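
As an added illustration, not from any poster in this thread, of the management-VLAN isolation Bryan describes and the exposure David warns about, here is a Cisco IOS-style configuration fragment showing the weak placement of the management address beside the isolated one. The vendor syntax, VLAN numbers and the 192.0.2.0/24 and 198.51.100.0/24 addresses are assumptions, not taken from the thread.

```cisco
! --- Weak setting (what Bryan warns against) ---
! The switch's management address sits on the DMZ VLAN, so any DMZ host
! can talk to the management plane directly.  (constructed address)
vlan 10
 name DMZ
interface Vlan10
 ip address 198.51.100.2 255.255.255.0
!
! --- Corrected setting ---
! DMZ ports are plain layer-2 access ports; the switch owns no address
! on the DMZ VLAN at all.
no interface Vlan10
interface range FastEthernet0/1 - 8
 switchport mode access
 switchport access vlan 10
!
! Management lives on its own VLAN with no router or firewall attached,
! so nothing can route in or out of it.  The only member besides the
! switch itself is the management workstation on port 24.
vlan 99
 name MGMT
interface FastEthernet0/24
 description management workstation only
 switchport mode access
 switchport access vlan 99
interface Vlan99
 ip address 192.0.2.2 255.255.255.0
! No "ip default-gateway" on purpose: the management VLAN has nowhere
! to route, and the switch never forwards between VLANs.
no ip routing
! Retire the default VLAN's interface so it cannot become a side door.
interface Vlan1
 shutdown
!
! Even inside the management VLAN, accept sessions only from the
! management subnet and only over SSH; turn off the web UI.
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
no ip http server
```

If the switch carries only the DMZ, as David recommends, the management VLAN exposes nothing an attacker in the DMZ could not already reach; the fragment's point is that a management address on the DMZ VLAN itself is the exposure.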



