Security Basics mailing list archives

Re: Using Private vlans


From: James Lee Bell <nuclear-cowboy () cox net>
Date: Fri, 22 May 2009 23:09:36 -0700

No, it's not going to be more *ongoing* maintenance, just more up front,
although it's really only a few more characters to type per port config.

What PVLANs buy you is layer 2 segmentation at the port level. If every
port assigned to a given VLAN is marked as a member of the isolated
PVLAN, then physical machines assigned to them will be unable to launch
layer 2 attacks or local subnet layer 3 attacks against its VLAN neighbors.

Now, that capability is slightly dubious in the environment you suggest,
where any given port is a VM host with many guests on it. Infections
that occur on a given system *will* be able to attack its VM neighbors.
However, an infection will then be isolated to that VM host, with no
access to other ports or other VM hosts.

Management in this environment will NOT be complex as every port will be
isolated except for the layer 3 device that is the gateway out which
must be a promiscuous port.

Where PVLANs get complex is in an environment where machines on a given
VLAN do need to talk to one another in a layer 2 sense, say an HACMP or
VRRP or HSRP or ... cluster. In those cases, now you have to configure,
manage and track different "community" PVLANs for those setups.

avi shvartz wrote:
The security folks want to add another level of separation:
  define each VM (can be up to 8,000 such machines) in that segment
  in an Isolated Private VLAN (I-PVLAN).

The main claims:
  - The VM will still be separated from the network even in case of
    hostile takeover from the Internet.
  - In such usage, those VMs are going to communicate to the Internet
    only and not to each other or to other resources in the campus, so
    it's not a big problem from a maintenance point of view.

The sysadmins (communication and system) are against:
  - Communication: yet another complexity.
  - System: there will be connections to resources in the campus such as
    printing, file transfer, software distribution etc.

So, it's more ongoing maintenance.
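As an added example, not from either poster, the Cisco IOS-style configuration below spells out the layout the reply describes: one primary VLAN, an isolated secondary for the VM-host ports, a community secondary for a cluster that needs layer 2 adjacency, and a single promiscuous port for the layer 3 gateway. VLAN numbers, names and interface identifiers are assumed; the switch is put in VTP transparent mode because many platforms refuse private-vlan commands otherwise.

```cisco
! Added example, not from the thread. VLAN ids, names and interface
! identifiers are assumed; adjust them to the real topology.
vtp mode transparent
!
! Primary VLAN: the subnet the gateway routes for.
vlan 100
 name VM-HOSTS-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! Isolated secondary: ports here reach only promiscuous ports, never
! each other, so a compromised VM host cannot launch layer 2 or
! same-subnet layer 3 attacks against the other VM hosts.
vlan 101
 name VM-HOSTS-ISOLATED
 private-vlan isolated
!
! Community secondary: members talk to each other and to promiscuous
! ports, for a cluster (HSRP/VRRP/HACMP) that needs layer 2 adjacency.
vlan 102
 name CLUSTER-COMMUNITY
 private-vlan community
!
! A VM-host port: the "few more characters" per port config.
interface GigabitEthernet1/0/1
 description VM host 1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! A cluster member port in the community.
interface GigabitEthernet1/0/10
 description cluster node A
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! The layer 3 gateway port must be promiscuous and mapped to every
! secondary VLAN it is meant to serve.
interface GigabitEthernet1/0/48
 description default gateway / firewall
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
```

`show vlan private-vlan` and `show interfaces switchport` confirm the associations and mappings after the change. One caveat worth checking: the isolation is enforced by the switch only, so if the gateway has local proxy ARP enabled on its interface it will happily relay traffic between two isolated hosts through layer 3; leave that off (or add an ACL on the gateway) if the goal is that VM hosts never reach each other.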

