Educause Security Discussion mailing list archives

Re: Untrusted VLANs on Core Gear


From: Glenn Forbes Fleming Larratt <gl89 () CORNELL EDU>
Date: Wed, 7 Feb 2007 14:18:10 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes (to the "run screaming" question).

I made the argument recently in another forum that:

} 1. In a design that includes a firewall appliance of any sort, it's a
} violation of default-deny to use VLAN's, rather than distinct hardware,
} to segregate networks on different sides of the firewall. Even though
} there are no known (to me) failure modes of VLAN switches that would
} allow effective bridged connectivity between nominally separated
} networks, the possibility that such a failure mode could exist justifies
} the physical separation.
}
} 2. Buying/creating a firewall appliance and then using VLAN's to
} separate the networks on different sides of it is "silver-bullet"
} design; to get defense in depth, physical separation is indicated.
}
} Given the relative cost of firewall appliances (whether in dollars or
} sweat) vs. networking hardware, any cost savings is false anyway.

The one reason (other than personal hubris) I quote my previous argument
is that another participant pointed to documented failure modes of VLAN
switches that *would* allow effective bridge connectivity, i.e. bypassing
of your firewall.

The links he provided were:

http://www.sans.org/reading_room/whitepapers/networkdevs/1090.php

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39832

 (not sure why the link points to the "Conclusions" in the paper)

Hope this helps,
- --
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

On Wed, 7 Feb 2007, jkaftan wrote:

We are looking to create a fully redundant internet connection.  I was
thinking about using my core switch to provide layer 2 for this setup.
Specifically I was going to create an Untrust VLAN that my edge routers
and Firewalls would connect to.

Fundamentally I do not see an issue as VLANs are supposed to be the same
thing as having separate switches (broadcast domains).  However another
way to look at it is that I have potential bad guys actually "touching"
my core gear.

Does this make anyone want to run screaming into the night?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)

iD8DBQFFyiX3Lyw7nZwiKgQRAjRfAKCjjFv01jTsICiLcgqZtDqLlSk7jQCeJ1/H
zUpt7wv7EUaiXJAjDG2hoaE=
=INKh
-----END PGP SIGNATURE-----
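The thread's concern is that a VLAN-based "untrust" segment on the core depends on every trunk port being configured so that nothing can negotiate a trunk or slip frames across VLANs, which is exactly the kind of silent failure the physical-separation argument above wants to avoid. The following is an added example, not code from the thread or from either participant: a small audit script that parses a constructed Cisco IOS-style configuration and flags the trunk-side settings a reviewer would check (DTP left enabled, the native VLAN left at 1, no VLAN pruning on a trunk). The interface names, descriptions and VLAN numbers in SAMPLE_CONFIG are made up for the example, and the script assumes IOS-style `switchport` syntax.

```python
"""Audit an IOS-style switch config for trunk settings that weaken VLAN separation.

Added example for the thread above, not the posters' own code. The sample
configuration below is constructed for illustration; names and VLAN numbers
are hypothetical.
"""
import re

# Constructed sample: one hardened trunk, one weak trunk, one plain access port.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description uplink to firewall (hardened, hypothetical)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description uplink to edge router (weak, hypothetical)
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 description user port (hypothetical)
 switchport access vlan 30
 switchport mode access
!
"""


def parse_interfaces(config):
    """Map each 'interface X' stanza to the list of its indented config lines."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        match = re.match(r"^interface (\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        elif line == "!":
            current = None  # stanza terminator
    return interfaces


def audit_interface(lines):
    """Return a list of findings (empty list means no weak trunk settings found)."""
    findings = []
    mode = native = allowed = None
    nonegotiate = False
    for line in lines:
        if line.startswith("switchport mode "):
            mode = line[len("switchport mode "):]
        elif line.startswith("switchport trunk native vlan "):
            native = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan "):
            allowed = line.split()[-1]
        elif line == "switchport nonegotiate":
            nonegotiate = True

    if mode is None:
        # Many Catalyst platforms default to a dynamic DTP mode when none is set.
        findings.append("no explicit switchport mode; set 'access' or 'trunk' explicitly")
        return findings
    if mode.startswith("dynamic"):
        findings.append(
            f"DTP negotiation enabled ({mode}); use 'switchport mode trunk' or "
            "'switchport mode access' plus 'switchport nonegotiate'")
    if mode == "trunk":
        if not nonegotiate:
            findings.append("trunk still runs DTP; add 'switchport nonegotiate'")
        if native is None or native == 1:
            findings.append("native VLAN is 1; move it to an unused VLAN "
                            "so untagged frames never reach a production VLAN")
        if allowed is None:
            findings.append("all VLANs allowed on trunk; prune with "
                            "'switchport trunk allowed vlan'")
    return findings


def audit_config(config):
    """Audit every interface; returns {interface_name: [findings]}."""
    return {name: audit_interface(lines)
            for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        status = "ok" if not findings else "WEAK"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against a real `show running-config` dump, the script gives a quick inventory of which ports on the core could be talked into a trunk or carry untagged frames onto VLAN 1; it does not change the thread's conclusion that separate hardware removes the question entirely.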