Educause Security Discussion mailing list archives

Re: Untrusted VLANs on Core Gear


From: David Gillett <gillettdavid () FHDA EDU>
Date: Mon, 12 Feb 2007 10:55:09 -0800

  VLAN implementations have gotten considerably more robust,
on average, than they once were.  It may be possible to "get
away with" this for some time.
  The two main risks are:

a) inter-VLAN traffic leakage
  This is not usually much of a threat, because the addressing
of leaked packets is rarely correct for the VLAN they've leaked
to -- but since their destination address is unrecognized, they
get broadcast everywhere and can be sniffed.

b) attack on the switch affects all VLANs
  This is probably less of an issue if the switch doesn't have
a management interface on the untrusted VLAN -- but that has
other downsides.

  It's a classic risk-management problem.  You can solve it by
throwing a small dedicated switch at it; the question is, does
the risk justify that cost?  (Costs are easier to measure and
control than risks, and so a lot of organizations say "no".)

David Gillett

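As an added illustration (not part of David Gillett's reply or the
original post), the following Python script puts risk (a) into a
concrete check: run a promiscuous capture on a host plugged into an
access port of the untrusted VLAN, then look for the leakage signatures
described above, that is, unicast frames for a MAC that is not one of
the segment's own devices (they only reach the sniffer because the
switch flooded them as unknown unicast) and addressing that belongs to an
internal VLAN. The router and firewall MACs, the RFC 1918 "internal"
prefixes and the sample frames are all constructed for the example; the
script builds the frames inline so it runs offline, but parse_frame()
and audit() take any raw Ethernet frame bytes, e.g. from a pcap.

```python
"""Leak check for an untrusted VLAN carried on shared core gear.

Added example, not from the thread. MACs, prefixes and frames below are
constructed; feed audit() frames from a real capture on the untrusted
segment to use it for real.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    vlan_ids: List[int]
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None


def parse_frame(raw: bytes) -> Frame:
    """Decode Ethernet, any 802.1Q tags, and the IPv4/ARP addresses."""
    dst, src = raw[0:6].hex(":"), raw[6:12].hex(":")
    off, vids = 12, []
    etype = struct.unpack("!H", raw[off:off + 2])[0]
    off += 2
    while etype == ETH_P_8021Q:            # tag = TPID, TCI; keep the VID bits
        vids.append(struct.unpack("!H", raw[off:off + 2])[0] & 0x0FFF)
        etype = struct.unpack("!H", raw[off + 2:off + 4])[0]
        off += 4
    f = Frame(dst, src, vids, etype)
    if etype == ETH_P_IP and len(raw) >= off + 20:
        f.src_ip = str(ipaddress.IPv4Address(raw[off + 12:off + 16]))
        f.dst_ip = str(ipaddress.IPv4Address(raw[off + 16:off + 20]))
    elif etype == ETH_P_ARP and len(raw) >= off + 28:
        f.src_ip = str(ipaddress.IPv4Address(raw[off + 14:off + 18]))   # SPA
        f.dst_ip = str(ipaddress.IPv4Address(raw[off + 24:off + 28]))   # TPA
    return f


def audit(frames, segment_macs, internal_prefixes):
    """Return [(index, [reasons])] for frames that should not be on this segment."""
    known = {m.lower() for m in segment_macs}
    internal = [ipaddress.ip_network(p) for p in internal_prefixes]
    findings = []
    for idx, f in enumerate(frames):
        reasons = []
        if f.vlan_ids:
            # An access port delivers untagged frames; a tag here means the
            # port is really a trunk or the native VLAN is misconfigured.
            reasons.append(f"802.1Q tag {f.vlan_ids} on an access segment")
        group = int(f.dst_mac[:2], 16) & 0x01     # I/G bit: broadcast/multicast
        if not group and f.dst_mac not in known:
            # Only unknown-unicast flooding delivers someone else's unicast
            # frame to our sniffer: the leakage signature from the reply.
            reasons.append(f"unicast to unknown MAC {f.dst_mac} was flooded to us")
        for role, ip in (("src", f.src_ip), ("dst", f.dst_ip)):
            if ip and any(ipaddress.ip_address(ip) in n for n in internal):
                reasons.append(f"{role} IP {ip} belongs to an internal VLAN")
        if reasons:
            findings.append((idx, reasons))
    return findings


# ---- constructed sample capture (assumed addresses, not from the thread) ----
def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return ipaddress.IPv4Address(s).packed

def ethernet(dst, src, etype, payload, vid=None):
    hdr = _mac(dst) + _mac(src)
    if vid is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid)
    return hdr + struct.pack("!H", etype) + payload

def ipv4(src, dst, payload=b""):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, 17, 0, _ip(src), _ip(dst)) + payload

def arp_request(sha, spa, tpa):
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_P_IP, 6, 4, 1,
                       _mac(sha), _ip(spa), b"\x00" * 6, _ip(tpa))

EDGE_ROUTER, FW_OUTSIDE = "00:11:22:33:44:01", "00:11:22:33:44:02"
SEGMENT_MACS = [EDGE_ROUTER, FW_OUTSIDE]
INTERNAL_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

SAMPLE_FRAMES = [
    # 0: normal inbound Internet traffic, router -> firewall outside interface
    ethernet(FW_OUTSIDE, EDGE_ROUTER, ETH_P_IP, ipv4("203.0.113.10", "198.51.100.5")),
    # 1: leaked from an internal VLAN: unknown unicast dst, RFC 1918 addressing
    ethernet("00:aa:bb:cc:dd:ee", "00:aa:bb:cc:dd:01", ETH_P_IP,
             ipv4("10.20.30.40", "10.20.30.1")),
    # 2: tagged ARP broadcast from VLAN 20 that reached our access port
    ethernet("ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:02", ETH_P_ARP,
             arp_request("00:aa:bb:cc:dd:02", "10.20.30.50", "10.20.30.1"), vid=20),
    # 3: normal ARP on the untrusted segment itself
    ethernet("ff:ff:ff:ff:ff:ff", EDGE_ROUTER, ETH_P_ARP,
             arp_request(EDGE_ROUTER, "198.51.100.1", "198.51.100.5")),
]


def run_sample():
    return audit([parse_frame(b) for b in SAMPLE_FRAMES], SEGMENT_MACS, INTERNAL_PREFIXES)


if __name__ == "__main__":
    for idx, reasons in run_sample():
        print(f"frame {idx}:")
        for r in reasons:
            print("   ", r)
```

On the constructed capture, frames 1 and 2 are flagged and frames 0
and 3 pass. The unknown-unicast test is the useful one in practice: on a
clean untrusted segment the only unicast frames a promiscuous sniffer
sees are those addressed to the routers, the firewall and itself, so
anything else is a frame the switch should not have delivered there.
The script checks risk (a) only; risk (b), the switch itself being
attacked, is a configuration question (in particular no management
interface on the untrusted VLAN, as the reply notes) that a capture
cannot settle.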

-----Original Message-----
From: jkaftan [mailto:jkaftan () UTICA EDU]
Sent: Wednesday, February 07, 2007 10:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Untrusted VLANs on Core Gear

We are looking to create a fully redundant internet
connection.  I was thinking about using my core switch to
provide layer 2 for this setup.
Specifically I was going to create an Untrust VLAN that my
edge routers and Firewalls would connect to.

Fundamentally I do not see an issue as VLANs are supposed to
be the same thing as having separate switches (broadcast
domains).  However another way to look at it is that I have
potential bad guys actually "touching" my core gear.

Does this make anyone want to run screaming into the night?
