Security Basics mailing list archives
RE: DMZ - VLAN Security
From: Dan Lynch <DLynch () placer ca gov>
Date: Tue, 29 Sep 2009 08:43:51 -0700
Michail,
My rule is to avoid sharing switch hardware between high risk and high value networks. VLAN segregation doesn't offer
flexible access controls or logging/audit capability like a firewall does. Even though vlan hopping attacks are old and
(AFAIK) have all been mitigated, the cost of a second switch is minimal. So while the risk is low, the cost of complete
mitigation is low too. You also have to worry about misconfigurations on that switch. For the same reasons, we avoid
running high risk public web servers on VMs that also host high value internal servers.
That said, I do allow our internet segment and our public access DMZ segments to share switch hardware. The DMZ is only
slightly lower risk, and very slightly higher value than the internet segment outside our firewall.
Assuming I understand your diagram, I would move your high-value "Other internal resources" off the high-risk "switch
1", to "switch 2 - zone A - internal".
- Dan
Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
"Isn't it enough to see that a garden is beautiful without having to believe that there are fairies at the bottom of it
too?"
- Douglas Adams
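Dan's rule above (don't share switch hardware between high-risk and high-value networks), as an added Python check that is not part of the thread: it models Michail's diagram as VLAN segments per chassis with constructed risk/value ratings (an assumption), flags forbidden pairings, and re-checks after Dan's suggested move of "Other internal resources" to Switch2.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    name: str
    risk: int   # exposure to hostile traffic, 1 (low) .. 3 (high)
    value: int  # damage if compromised, 1 (low) .. 3 (high)


# Ratings are constructed for this example (assumption), following the thread's
# reading: the Internet is high risk/low value, the DMZ sits in between, and the
# internal resources are low risk/high value.
INTERNET = Segment("Internet", risk=3, value=1)
DMZ = Segment("DMZ", risk=2, value=2)
OTHER_INTERNAL = Segment("Other internal resources", risk=1, value=3)
ZONE_A = Segment("ZoneA (Internal)", risk=1, value=3)

# Topology as drawn in the original post: one chassis carries three VLANs.
AS_DRAWN = {
    "Switch1": [INTERNET, DMZ, OTHER_INTERNAL],
    "Switch2": [ZONE_A],
}


def colocation_violations(topology, risk_threshold=3, value_threshold=3):
    """Return (switch, high_risk_segment, high_value_segment) triples for every
    switch that carries a high-risk and a high-value segment on the same
    hardware, which is the pairing the rule forbids. Segments that are only
    moderately risky or valuable (the DMZ here) may still share a chassis."""
    hits = []
    for switch, segments in topology.items():
        hot = [s for s in segments if s.risk >= risk_threshold]
        crown = [s for s in segments if s.value >= value_threshold]
        hits.extend((switch, h.name, c.name) for h in hot for c in crown if h is not c)
    return hits


def move_segment(topology, segment_name, src, dst):
    """Return a new topology with one segment moved between switches."""
    moved = {sw: list(segs) for sw, segs in topology.items()}
    seg = next(s for s in moved[src] if s.name == segment_name)
    moved[src].remove(seg)
    moved[dst].append(seg)
    return moved


# Dan's proposed change: take the high-value segment off the high-risk switch.
PROPOSED = move_segment(AS_DRAWN, "Other internal resources", "Switch1", "Switch2")

if __name__ == "__main__":
    for label, topo in (("as drawn", AS_DRAWN), ("proposed", PROPOSED)):
        print(label, colocation_violations(topo) or "no co-location violations")
```

Internet and DMZ sharing Switch1 is still accepted by the check, matching Dan's own practice of letting those two segments share hardware.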
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of m.poultsakis () gmail com
Sent: Monday, September 28, 2009 8:38 AM
To: security-basics () securityfocus com
Subject: DMZ - VLAN Security
Hello to everyone,
This is my first post here :-)
I am currently investigating a DMZ deployment. The network infrastructure consists of one internal Switch (Summit 400),
one Firewall and one (here is the problem...) Summit 400 switch that acts as the outside Switch as well as the DMZ
Switch...
So it looks like this:
                 Other
                 Internal
                 Resources
                 (ZoneA)
                    |
Internet-------Switch1-----Firewall-----Switch2
                  |                      ZoneA
                  |                    (Internal)
                 DMZ
Even though VLAN segregation exists on Switch1 and InterVLAN routing needs to take place via the Firewall in order for
an inbound request to access DMZ resources, the more I am looking at the scheme... the more I am getting concerned...
A physical Switch sharing valuable resources with the untrusted interface seems like a weak point to me... I have done
some research on Layer-2 attacks where an attacker can access another VLAN without the router/Firewall knowing anything
about it, but most of these resources date back to the late 90's / beginning of the 2000's...
So, the reason I am creating this post is that I do not know if things have changed in this field (VLAN attacks) during
the last few years... are Layer-2 attacks against VLANs still possible?
I am thinking of proposing a change in this deployment but I need to be sure first if threats really exist. The most
obvious solution would be to dedicate a Firewall port to the outside (attacker) connection and implement VLAN
separation on Switch1 for DMZ and ZoneB (adding another Switch is impossible unfortunately...).
What I need to mention here is that the entire configuration is "static", which means that no VTP, CDP etc. is running in
the network...
Thank you all in advance for reading my post and (probably) thinking of something that can help.
Regards,
Michail Poultsakis
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase,
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------