Educause Security Discussion mailing list archives

Re: Untrusted VLANs on Core Gear


From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Wed, 7 Feb 2007 13:46:36 -0600

I guess I have a qualified answer to the "run screaming" question.
Like so many security analyses, it depends.

I'm affiliated with a rather large installation wherein compartments of
differing security levels are implemented on VLANs, and I am not
currently losing sleep over it.

The large caveat is that we have *very* good control over the entire
switching fabric of those compartments.  We have operational change
control that requires MAC assignments per-port, with unused ports
configured in an operationally-down state.  That alone reduces the risk
of ARP or CAM-table overflow attacks tremendously.  And the cost of the
number of gigabit-capable ports we'd need to implement the number of
security compartments we've defined is enough to cause us to accept this
level of risk, at this time.

The scenario from the OP, I think, probably does not fit the model of
mixed-assurance VLANs on a switch, unless the compensatory control of
fascist per-port layer-2 addressing were followed scrupulously on all
other nominally-trusted VLANs on connected devices.

If you can't do that, then I'd advise the OP to look for another
solution.

One man's opinion.  Mileage varies.

    -jml

John Ladwig -
Minnesota State Colleges and Universities
ITS
Wells Fargo Place
30 7th St. E., Suite 350
St. Paul, MN  55101-7804

Email: John.Ladwig () csu mnscu edu
Voice: +1.651.201.1458
Fax: +1.651.917.4731
IM: xmpp:ladwigjo () jabber its mnscu edu
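
The per-port controls described in the message above (every access port locked to an assigned MAC address, unused ports operationally down) can be checked mechanically rather than by eye. What follows is an added example, not code from the thread or from any of its participants: it audits a constructed IOS-style switch configuration for those two controls plus a DTP lockdown on access ports. Interface names, MAC addresses and VLAN numbers are assumptions, and only the handful of IOS keywords it looks for are recognised; it is a check for the specific controls discussed, not a general configuration parser.

```python
"""
Audit an IOS-style switch configuration for the compensating controls
discussed above: every access port is either administratively down or
locked to a statically assigned MAC address with port-security.

Added example, not from the thread. The configuration is constructed
for illustration; interface names, MACs and VLAN numbers are assumptions.
"""
import re

# Constructed sample configuration (not taken from any real switch).
SAMPLE_CONFIG = """\
hostname core-sw1
!
interface GigabitEthernet1/1
 description edge-router-a (Untrust VLAN)
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
interface GigabitEthernet1/2
 description firewall outside
 switchport mode access
 switchport access vlan 900
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet1/3
 description unused
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet1/4
 description unused but live
 switchport access vlan 10
!
interface GigabitEthernet1/5
 description trunk to dist-sw1
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,900
!
"""

# IOS dotted MAC format, e.g. 0011.2233.4455
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def parse_interfaces(config_text):
    """Return {interface_name: [stripped config lines]} for each 'interface' stanza."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("!") or not line.strip():
            current = None                      # '!' ends a stanza
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def audit_port(lines):
    """Return a list of findings for one interface; an empty list means it passes."""
    findings = []
    if "shutdown" in lines:
        return findings                         # operationally down: nothing to attack
    if "switchport mode trunk" in lines:
        # Trunks carry several compartments; require the native VLAN to be set
        # explicitly so it is not left at the default shared with access ports.
        if not any(l.startswith("switchport trunk native vlan") for l in lines):
            findings.append("trunk without explicit native vlan")
        return findings
    if "switchport mode access" not in lines:
        findings.append("switchport mode not forced to access (DTP negotiable)")
    if "switchport nonegotiate" not in lines:
        findings.append("DTP not disabled (switchport nonegotiate missing)")
    if "switchport port-security" not in lines:
        findings.append("port-security not enabled")
    static_macs = [l.split()[-1] for l in lines
                   if l.startswith("switchport port-security mac-address")]
    if not any(MAC_RE.match(m) for m in static_macs):
        findings.append("no statically assigned MAC (sticky/learned does not count)")
    return findings


def audit_config(config_text):
    """Map every interface in the configuration to its list of findings."""
    return {name: audit_port(lines)
            for name, lines in parse_interfaces(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'ok' if not findings else '; '.join(findings)}")
```

Run against the sample, Gi1/1 (static MAC, DTP off) and the shut-down Gi1/3 pass, while the sticky-MAC port and the live-but-unused port are reported; a sticky address is deliberately not accepted because it is learned from whatever first talks on the port, which is not the per-port assignment under change control that the message relies on.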

halln () OTC EDU 02/07/07 1:33 PM >>>
I have had similar questions before.  I asked other GIAC alumni and I
was referred to DSniff by Dug Song.

http://www.monkey.org/~dugsong/dsniff/

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking

Office: (417) 447-7535

-----Original Message-----
From: Glenn Forbes Fleming Larratt [mailto:gl89 () CORNELL EDU]
Sent: Wednesday, February 07, 2007 1:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Untrusted VLANs on Core Gear

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes (to the "run screaming" question).

I made the argument recently in another forum that:

} 1. In a design that includes a firewall appliance of any sort, it's a
} violation of default-deny to use VLANs, rather than distinct hardware,
} to segregate networks on different sides of the firewall. Even though
} there are no known (to me) failure modes of VLAN switches that would
} allow effective bridged connectivity between nominally separated
} networks, the possibility that such a failure mode could exist justifies
} the physical separation.
}
} 2. Buying/creating a firewall appliance and then using VLANs to
} separate the networks on different sides of it is "silver-bullet"
} design; to get defense in depth, physical separation is indicated.
}
} Given the relative cost of firewall appliances (whether in dollars or
} sweat) vs. networking hardware, any cost savings is false anyway.

The one reason (other than personal hubris) I quote my previous argument
is that another participant pointed to documented failure modes of VLAN
switches that *would* allow effective bridge connectivity, i.e. bypassing
of your firewall.

The links he provided were:

http://www.sans.org/reading_room/whitepapers/networkdevs/1090.php

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39832

  (not sure why the link points to the "Conclusions" in the paper)

Hope this helps,
- --
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

On Wed, 7 Feb 2007, jkaftan wrote:

We are looking to create a fully redundant internet connection.  I was
thinking about using my core switch to provide layer 2 for this setup.
Specifically I was going to create an Untrust VLAN that my edge routers
and Firewalls would connect to.

Fundamentally I do not see an issue as VLANs are supposed to be the same
thing as having separate switches (broadcast domains).  However another
way to look at it is that I have potential bad guys actually "touching"
my core gear.

Does this make anyone want to run screaming into the night?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)

iD8DBQFFyiX3Lyw7nZwiKgQRAjRfAKCjjFv01jTsICiLcgqZtDqLlSk7jQCeJ1/H
zUpt7wv7EUaiXJAjDG2hoaE=
=INKh
-----END PGP SIGNATURE-----

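The failure mode Larratt's correspondent pointed him to is the reason the "VLANs are the same as separate switches" assumption in the original question does not hold by default. The best-documented case is 802.1Q double tagging through the native VLAN: a host on the trunk's native VLAN sends a frame carrying two tags, the first switch strips the outer tag (it matches the native VLAN, which travels untagged on the trunk), and the next switch reads the inner tag and delivers the frame into a VLAN the sender was never connected to, firewall not consulted. The following simulation is an added example, not code from the thread or from the linked papers; its switch model is deliberately minimal (an access port accepts a tagged frame whose tag matches its own VLAN, a trunk carries native-VLAN frames untagged unless told to tag them), and the MAC addresses and VLAN numbers are assumptions. It also shows the two standard countermeasures, moving the native VLAN to an unused number and tagging the native VLAN on the trunk.

```python
"""
Simulation of 802.1Q double tagging through the native VLAN, the classic
way a VLAN boundary fails and traffic crosses into a compartment on the
other side of a firewall without passing through it.

Added example, not part of the thread. The switch model is minimal and
the addresses and VLAN numbers are assumptions.
"""
import struct

ETH_P_8021Q = 0x8100        # 802.1Q tag ethertype
ETH_P_IP = 0x0800

# Constructed addresses for the example.
ATTACKER_MAC = bytes.fromhex("0200deadbeef")
BROADCAST = b"\xff" * 6


def build_frame(dst, src, vlans, payload):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    hdr = dst + src
    for vid in vlans:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETH_P_IP) + payload


def pop_tag(frame):
    """Strip the outermost 802.1Q tag. Returns (vid, frame) or (None, frame)."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_8021Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert an 802.1Q tag for `vid` directly after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) + frame[12:]


class Switch:
    def __init__(self, native_vlan, tag_native=False):
        self.native_vlan = native_vlan
        self.tag_native = tag_native    # models 'vlan dot1q tag native'

    def ingress_access(self, port_vlan, frame):
        """Frame received on an access port: (vlan, frame), or (None, None) if dropped."""
        vid, inner = pop_tag(frame)
        if vid is None:
            return port_vlan, frame
        if vid == port_vlan:
            # Tag matches the port's VLAN: accepted and the outer tag removed.
            # This acceptance is what double tagging relies on.
            return port_vlan, inner
        return None, None

    def egress_trunk(self, vlan, frame):
        """Put a frame belonging to `vlan` onto a trunk."""
        if vlan == self.native_vlan and not self.tag_native:
            return frame                # native VLAN travels untagged
        return push_tag(frame, vlan)

    def ingress_trunk(self, frame):
        """Classify a frame arriving on a trunk into a VLAN."""
        vid, inner = pop_tag(frame)
        if vid is None:
            return self.native_vlan, frame
        return vid, inner


def delivered_vlan(attacker_vlan, target_vlan, native_vlan, tag_native=False):
    """VLAN in which the attacker's double-tagged frame lands on the far switch."""
    sw1 = Switch(native_vlan, tag_native)     # attacker's access switch
    sw2 = Switch(native_vlan, tag_native)     # switch across the trunk
    frame = build_frame(BROADCAST, ATTACKER_MAC, [attacker_vlan, target_vlan], b"hop")
    vlan, f = sw1.ingress_access(attacker_vlan, frame)
    if vlan is None:
        return None
    on_wire = sw1.egress_trunk(vlan, f)
    vlan2, _ = sw2.ingress_trunk(on_wire)
    return vlan2


if __name__ == "__main__":
    # Attacker in VLAN 10, which is also the trunk's native VLAN: the hop succeeds.
    print("native=10, untagged native:", delivered_vlan(10, 20, 10))
    # Native VLAN moved to an unused number: the outer tag stays on the wire.
    print("native=998:", delivered_vlan(10, 20, 998))
    # Native VLAN left at 10 but tagged on the trunk: also blocked.
    print("native=10, tagged native:", delivered_vlan(10, 20, 10, tag_native=True))
```

The first case lands in VLAN 20 with no firewall involved; in the other two the outer tag survives the trunk, the far switch classifies the frame as VLAN 10 and the inner tag is just payload bytes inside the attacker's own VLAN. Note that the frame only ever travels one way, which is why this is usually described as a blind injection rather than a full bridge, and also why it does not show up on the firewall's logs at all.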