Educause Security Discussion mailing list archives
Re: Untrusted VLANs on Core Gear
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Wed, 7 Feb 2007 13:46:36 -0600
I guess I have a qualified answer to the "run screaming" question. Like so many security analyses, it depends.

I'm affiliated with a rather large installation wherein compartments of differing security levels are implemented on VLANs, and I am not currently losing sleep over it. The large caveat is that we have *very* good control over the entire switching fabric of those compartments. We have operational change control that requires MAC assignments per-port, with unused ports configured in an operationally-down state. That alone reduces the risk of ARP or CAM-table overflow attacks tremendously. And the cost of the number of gigabit-capable ports we'd need to implement the number of security compartments we've defined is enough to cause us to accept this level of risk, at this time.

The scenario from the OP, I think, probably does not fit the model of mixed-assurance VLANs on a switch, unless the compensatory control of fascist per-port layer-2 addressing were followed scrupulously on all other nominally-trusted VLANs on connected devices. If you can't do that, then I'd advise the OP to look for another solution.

One man's opinion. Mileage varies.

-jml

John Ladwig - Minnesota State Colleges and Universities ITS
Wells Fargo Place
30 7th St. E., Suite 350
St. Paul, MN 55101-7804
Email: John.Ladwig () csu mnscu edu
Voice: +1.651.201.1458
Fax: +1.651.917.4731
IM: xmpp:ladwigjo () jabber its mnscu edu
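The compensating control John describes above (a static MAC binding on every access port, unused ports administratively down, and the untrusted VLAN kept off trunks so it cannot leak across the fabric) is only worth anything if it is actually enforced on every port. The following is an added example, not code from the thread or from any of the posters: a small audit script that parses an IOS-style running configuration and reports the ports that violate those rules. The configuration text, the interface names, the VLAN number 900 used as the "untrust" VLAN, and the IOS-like command syntax are all constructed assumptions for illustration; adapt the prefixes to whatever your switch platform actually emits.

```python
"""Audit a switch config for the per-port layer-2 controls discussed above.

Added example (not from the original thread). It parses a constructed,
IOS-style configuration and flags:
  * access ports without port-security, without a static MAC binding,
    or without the learned-address maximum pinned to 1;
  * ports that are neither configured nor shut down (unused but left up);
  * trunks that carry the untrusted VLAN, which would extend the untrusted
    layer-2 domain across the switching fabric.
Command syntax, interface names and VLAN 900 are assumptions for illustration.
"""
from dataclasses import dataclass, field

UNTRUST_VLAN = 900  # assumed "Untrust" VLAN id from the OP's design

# Constructed sample config (IOS-like syntax; not taken from any real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description edge-router-A
 switchport mode access
 switchport access vlan 900
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
interface GigabitEthernet1/0/2
 description firewall-outside
 switchport mode access
 switchport access vlan 900
 switchport port-security
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 900
!
interface GigabitEthernet1/0/4
 shutdown
!
interface GigabitEthernet1/0/5
 description trunk to distribution
 switchport mode trunk
 switchport trunk allowed vlan 10,20,900
!
"""


@dataclass
class Port:
    name: str
    lines: list = field(default_factory=list)

    def has(self, prefix: str) -> bool:
        return any(l.startswith(prefix) for l in self.lines)

    def first(self, prefix: str) -> str:
        return next((l for l in self.lines if l.startswith(prefix)), "")


def parse_vlan_list(spec: str) -> set:
    """Expand '10,20,30-32' into {10, 20, 30, 31, 32}."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config: str) -> list:
    """Split an IOS-style config into Port objects (one per 'interface' stanza)."""
    ports, cur = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = Port(line.split(" ", 1)[1])
            ports.append(cur)
        elif line == "!":
            cur = None
        elif cur is not None and line:
            cur.lines.append(line)
    return ports


def audit(config: str, untrust_vlan: int = UNTRUST_VLAN) -> dict:
    """Return {port_name: [issue, ...]} for ports that break the per-port rules."""
    findings = {}
    for p in parse_interfaces(config):
        issues = []
        if p.has("shutdown"):
            continue  # operationally-down port: acceptable for an unused port
        if p.has("switchport mode trunk"):
            allowed = p.first("switchport trunk allowed vlan")
            if not allowed:
                issues.append("trunk carries all VLANs; prune the allowed list")
            elif untrust_vlan in parse_vlan_list(allowed.rsplit(" ", 1)[1]):
                issues.append(f"untrust VLAN {untrust_vlan} allowed on trunk")
        elif p.has("switchport mode access"):
            if not p.has("switchport port-security"):
                issues.append("no port-security")
            else:
                if not p.has("switchport port-security mac-address"):
                    issues.append("port-security without a static MAC binding")
                if not p.has("switchport port-security maximum 1"):
                    issues.append("maximum not pinned to 1")
        else:
            issues.append("no switchport mode and not shut down (unused port left up?)")
        if issues:
            findings[p.name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(port)
        for i in issues:
            print("  -", i)
```

Run against the constructed config, it is silent on Gi1/0/1 (fully pinned) and Gi1/0/4 (shut down), and reports Gi1/0/2 (port-security enabled but no static MAC and no maximum), Gi1/0/3 (no port-security at all) and Gi1/0/5 (the untrusted VLAN is allowed on a trunk). Pointing it at the real running configurations of every switch in the fabric, on a schedule, is what turns "we require MAC assignments per port" from a change-control policy into something you can verify.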
halln () OTC EDU 02/07/07 1:33 PM >>>
I have had similar questions before. I asked other GIAC alumni and I was referred to DSniff by Dug Song.

http://www.monkey.org/~dugsong/dsniff/

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking
Office: (417) 447-7535

-----Original Message-----
From: Glenn Forbes Fleming Larratt [mailto:gl89 () CORNELL EDU]
Sent: Wednesday, February 07, 2007 1:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Untrusted VLANs on Core Gear

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes (to the "run screaming" question). I made the argument recently in another forum that:

} 1. In a design that includes a firewall appliance of any sort, it's a
} violation of default-deny to use VLAN's, rather than distinct hardware,
} to segregate networks on different sides of the firewall. Even though
} there are no known (to me) failure modes of VLAN switches that would
} allow effective bridged connectivity between nominally separated
} networks, the possibility that such a failure mode could exist justifies
} the physical separation.
}
} 2. Buying/creating a firewall appliance and then using VLAN's to
} separate the networks on different sides of it is "silver-bullet"
} design; to get defense in depth, physical separation is indicated.
}
} Given the relative cost of firewall appliances (whether in dollars or
} sweat) vs. networking hardware, any cost savings is false anyway.

The one reason (other than personal hubris) I quote my previous argument is that another participant pointed to documented failure modes of VLAN switches that *would* allow effective bridge connectivity, i.e. bypassing of your firewall.
The links he provided were:

http://www.sans.org/reading_room/whitepapers/networkdevs/1090.php
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39832

(not sure why the link points to the "Conclusions" in the paper)

Hope this helps,

- --
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

On Wed, 7 Feb 2007, jkaftan wrote:
We are looking to create a fully redundant internet connection. I was thinking about using my core switch to provide layer 2 for this setup. Specifically I was going to create an Untrust VLAN that my edge routers and Firewalls would connect to.

Fundamentally I do not see an issue as VLANs are supposed to be the same thing as having separate switches (broadcast domains). However another way to look at it is that I have potential bad guys actually "touching" my core gear.

Does this make anyone want to run screaming into the night?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)

iD8DBQFFyiX3Lyw7nZwiKgQRAjRfAKCjjFv01jTsICiLcgqZtDqLlSk7jQCeJ1/H
zUpt7wv7EUaiXJAjDG2hoaE=
=INKh
-----END PGP SIGNATURE-----
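Nathaniel's pointer to dsniff and John's mention of CAM-table overflow describe the same attack from both sides: a host on the untrusted VLAN floods the switch with frames from thousands of random source MACs, and once the forwarding table is full the switch starts flooding unicast traffic out every port in the VLAN, which is exactly the "effective bridge connectivity" Glenn worries about. Per-port MAC pinning prevents it; the following is an added example, not from the thread or from dsniff, of how to detect it where pinning is not in place: a sliding-window count of distinct source MACs learned per ingress port. The event stream (timestamp, ingress port, source MAC) is a constructed assumption standing in for what a switch's MAC-learning log or a decoded SPAN capture would yield; the window and threshold are illustrative.

```python
"""Detect CAM-table flooding from a stream of MAC-learning events.

Added example (not from the original thread). Input events are constructed:
one (timestamp_seconds, ingress_port, source_mac) tuple per frame, as a
switch MAC-learning log or a decoded span-port capture would yield after
parsing. A flood tool that sprays random source MACs shows up as one port
learning hundreds of distinct addresses in a few seconds, while a normal
access port learns a handful and keeps them.
"""
from collections import defaultdict, deque
import random


def make_events():
    """Constructed sample: two normal hosts on Gi1/0/1, a MAC flood on Gi1/0/3."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    events = []
    # Normal traffic: two hosts on Gi1/0/1 alternate frames for 60 seconds.
    for t in range(60):
        mac = "0011.2233.4455" if t % 2 else "0011.2233.4456"
        events.append((float(t), "Gi1/0/1", mac))
    # Flood: 500 frames with random source MACs on Gi1/0/3 inside 5 seconds.
    for i in range(500):
        mac = "%04x.%04x.%04x" % (
            rng.getrandbits(16), rng.getrandbits(16), rng.getrandbits(16))
        events.append((30.0 + i * 0.01, "Gi1/0/3", mac))
    events.sort(key=lambda e: e[0])
    return events


def detect_mac_flood(events, window=5.0, threshold=50):
    """Return {port: time_first_exceeded} for ports on which more than
    `threshold` distinct source MACs were learned within any `window` seconds.

    Events must be sorted by timestamp. A per-port deque holds the events still
    inside the window; a per-port counter tracks how many of those events carry
    each MAC, so the number of distinct live MACs is just len(counter).
    """
    recent = defaultdict(deque)                      # port -> deque[(t, mac)]
    live = defaultdict(lambda: defaultdict(int))     # port -> mac -> count in window
    alerts = {}
    for t, port, mac in events:
        q, c = recent[port], live[port]
        q.append((t, mac))
        c[mac] += 1
        # Expire events that have fallen out of the window.
        while q and t - q[0][0] > window:
            old_t, old_mac = q.popleft()
            c[old_mac] -= 1
            if c[old_mac] == 0:
                del c[old_mac]
        if port not in alerts and len(c) > threshold:
            alerts[port] = t
    return alerts


if __name__ == "__main__":
    for port, t in detect_mac_flood(make_events()).items():
        print(f"possible CAM flood on {port}: >50 distinct source MACs by t={t:.2f}s")
```

On the constructed stream the detector stays quiet for Gi1/0/1 (two MACs, ever) and fires for Gi1/0/3 half a second into the flood, when the 51st distinct address is seen. In practice you would feed it the switch's learning events or a capture from a monitor port on the untrusted VLAN, and you would expect the alert to coincide with the moment the rest of the VLAN suddenly starts seeing each other's unicast traffic.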
Current thread:
- Untrusted VLANs on Core Gear jkaftan (Feb 07)
- <Possible follow-ups>
- Re: Untrusted VLANs on Core Gear Glenn Forbes Fleming Larratt (Feb 07)
- Re: Untrusted VLANs on Core Gear HALL, NATHANIEL D. (Feb 07)
- Re: Untrusted VLANs on Core Gear John Ladwig (Feb 07)
- Re: Untrusted VLANs on Core Gear Raw, Randy (Feb 08)
- Re: Untrusted VLANs on Core Gear Michael Sinatra (Feb 08)
- Re: Untrusted VLANs on Core Gear David C. Smith (Feb 08)
- Re: Untrusted VLANs on Core Gear David LaPorte (Feb 08)
- Re: Untrusted VLANs on Core Gear jkaftan (Feb 08)
- Re: Untrusted VLANs on Core Gear David Gillett (Feb 12)