Security Basics mailing list archives
Re: Using Private vlans
From: James Lee Bell <nuclear-cowboy () cox net>
Date: Fri, 22 May 2009 23:09:36 -0700
No, it's not going to be more *ongoing* maintenance, just more up front, although it's really only a few more characters to type per port config. What PVLANs buy you is layer 2 segmentation at the port level. If every port assigned to a given VLAN is marked as a member of the isolated PVLAN, then physical machines assigned to them will be unable to launch layer 2 attacks or local subnet layer 3 attacks against their VLAN neighbors. Now, that capability is slightly dubious in the environment you suggest, where any given port is a VM host with many guests on it. Infections that occur on a given system *will* be able to attack its VM neighbors. However, an infection will then be isolated to that VM host, with no access to other ports or other VM hosts. Management in this environment will NOT be complex as every port will be isolated except for the layer 3 device that is the gateway out, which must be a promiscuous port. Where PVLANs get complex is in an environment where machines on a given VLAN do need to talk to one another in a layer 2 sense, say an HACMP or VRRP or HSRP or ... cluster. In those cases, now you have to configure, manage and track different "community" PVLANs for those setups.

avi shvartz wrote:
> The security folks want to add another level of separation: define each VM (can be up to 8,000 such machines) in that segment in an Isolated Private VLAN (I-PVLAN). The main claims:
> - The VM will still be separated from the network even in case of hostile takeover from the Internet.
> - In such usage, those VMs are going to communicate to the Internet only and not to each other or to other resources in the campus, so it's not a big problem from a maintenance point of view.
> The sysadmins (communication and system) are against:
> - Communication: yet another complexity.
> - System: there will be connections to resources in the campus such as printing, file transfer, software distribution etc. So, it's more ongoing maintenance.
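An added example of the port configuration the reply describes, in Cisco Catalyst IOS syntax; it is not from either poster, and the VLAN numbers, interface names, addresses and the cluster ports are constructed placeholders. It shows the isolated secondary VLAN for the VM host ports, the promiscuous port for the layer 3 gateway, and the extra community VLAN that clusters such as HSRP/VRRP would need.

```cisco
! Added example, constructed for illustration: VLAN ids, interface names
! and addresses are placeholders, not from the thread.
! Catalyst switches on VTP v1/v2 must be in transparent mode for PVLANs.
vtp mode transparent
!
! Primary VLAN 100 carries the IP subnet; secondary VLANs hang off it.
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Isolated secondary: hosts here cannot reach each other at layer 2,
! only the promiscuous port(s). One isolated VLAN per primary.
vlan 101
 private-vlan isolated
!
! Community secondary: members reach each other and promiscuous ports,
! but not other communities or the isolated VLAN. Only needed for the
! cluster case (HACMP/VRRP/HSRP) the reply warns about.
vlan 102
 private-vlan community
!
! VM host port: the few extra characters per port the reply mentions.
interface GigabitEthernet1/0/1
 description VM-host-01 isolated
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Cluster member port that must see its peer at layer 2.
interface GigabitEthernet1/0/10
 description cluster-node-a community-102
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Uplink to the layer 3 gateway: promiscuous, sees every secondary.
interface GigabitEthernet1/0/24
 description uplink-to-gateway promiscuous
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! If this switch is itself the gateway, map the secondaries on the SVI
! so the routed interface can answer for hosts in 101 and 102.
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 101,102
!
! Verification: secondary-to-port mapping and per-port PVLAN state.
! show vlan private-vlan
! show interfaces GigabitEthernet1/0/1 switchport
```

Note that an isolated host port still talks to everything behind the promiscuous port, so the gateway's own filtering decides what the VMs can reach in the campus.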