Security Basics mailing list archives
RE: Layer 2 Switches
From: "Bryan S. Sampsel" <bsampsel () libertyactivist org>
Date: Tue, 5 Oct 2004 09:02:34 -0600 (MDT)
I'd say that how you configure a managed switch with multiple VLANs can impact the risk. For example, if you use an IP address that resides in the DMZ, or is accessible from the DMZ, for managing the switch, then yes, it becomes an easy target. However, if the only way for that VLAN to reach the IP of the management module is to traverse your firewall, and you configure your firewall correctly, you gain a configurable resource rather than lose your security profile.

For instance, if you isolate your management modules to a VLAN that doesn't route out to anywhere, you can place a workstation to manage them on the VLAN and no network traffic can get in or out. There is no way to crack that switch at that point. It looks like a physically separate switch in the DMZ at that point.

IMO,
Bryan

David Gillett said:
That's a defensible choice, but not the most important one. The crucial thing is to get a switch small enough that you don't mind putting *just* the DMZ on it. With a larger or fancier switch, there may be pressure to split it up with VLANs and put some non-DMZ devices on it. Inter-VLAN security has often been found to be less than robust on models from a variety of manufacturers. If there's a trusted VLAN on this switch, there's a risk that an attacker who gets into your DMZ can compromise the switch and use it to get to your trusted network. If all that's on the switch is the DMZ, all he can reach by compromising the switch is the DMZ -- and if he can reach the switch, he's already there.

Yes, a managed switch may be subject to attacks that an unmanaged one would shrug off. But you can limit the potential for damage to the rest of your network, and so whether the switch is managed or not becomes a matter of choice.

David Gillett

-----Original Message-----
From: Andy Paton [mailto:andy.paton () gmail com]
Sent: Thursday, September 30, 2004 1:03 PM
To: security-basics () securityfocus com
Subject: Layer 2 Switches

Hi All

I'm building a new network & firewall implementation with a DMZ. I need basic L2 switch functionality in the DMZ and between the firewall. Should I avoid the more expensive switches with management, as they have more potential for bugs/holes etc.?

Thoughts please,
Andy
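The design Bryan describes (management interface on a VLAN that routes nowhere, with a dedicated management workstation as its only other member) combined with David's advice to put only the DMZ on the switch, written out as a Cisco IOS configuration. This is an added example, not configuration posted by anyone in the thread; the hostname, VLAN numbers, addresses and interface names are assumptions for illustration.

```text
! Added example, not from the thread: a single DMZ switch with an isolated
! management VLAN, in Cisco IOS syntax. Hostname, VLAN numbers, addresses
! and interface names are assumptions.
hostname dmz-sw1
!
! Never forward between VLANs on this box: it stays a pure layer 2 device,
! so the management SVI is reachable only from inside VLAN 99.
no ip routing
!
vlan 10
 name DMZ
vlan 99
 name SWITCH-MGMT
!
! The only SVI is in VLAN 99. No SVI in VLAN 10 and no ip default-gateway,
! so nothing on the DMZ has a layer 3 path to the management address.
interface Vlan99
 ip address 10.99.0.2 255.255.255.0
 no shutdown
!
! Firewall DMZ leg and DMZ hosts are plain access ports in VLAN 10.
! switchport nonegotiate disables DTP, so a compromised DMZ host cannot
! negotiate a trunk and tag frames into VLAN 99.
interface range GigabitEthernet0/1 - 8
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
! Dedicated management workstation port, the only member of VLAN 99
! besides the SVI. Nothing else is ever patched into VLAN 99.
interface GigabitEthernet0/24
 switchport mode access
 switchport access vlan 99
 switchport nonegotiate
!
! Even inside VLAN 99, only the management station may open a session,
! and only over SSH; the web UI is off entirely.
ip access-list standard MGMT-ONLY
 permit host 10.99.0.10
 deny any log
!
no ip http server
no ip http secure-server
line vty 0 15
 access-class MGMT-ONLY in
 transport input ssh
```

To check the result from a DMZ host, the management address 10.99.0.2 should not answer at all (no route, no SVI in VLAN 10), and on the switch `show ip interface brief` should list Vlan99 as the only interface with an address. The caveat David raises still applies: access mode plus `switchport nonegotiate` closes the classic route by which a DMZ host talks its way onto a trunk, but it does nothing about weaknesses in a vendor's own VLAN separation code, which is why the page's stronger advice is to give the DMZ its own small switch rather than to share one with a trusted VLAN.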
Current thread:
- Layer 2 Switches Andy Paton (Sep 30)
- RE: Layer 2 Switches David Gillett (Oct 04)
- RE: Layer 2 Switches Bryan S. Sampsel (Oct 05)
- RE: Layer 2 Switches David Gillett (Oct 04)