Educause Security Discussion mailing list archives
Re: Untrusted VLANs on Core Gear
From: David Gillett <gillettdavid () FHDA EDU>
Date: Mon, 12 Feb 2007 10:55:09 -0800
VLAN implementations have gotten considerably more robust, on average, than they once were. It may be possible to "get away with" this for some time.

The two main risks are:

a) inter-VLAN traffic leakage

This is not usually much of a threat, because the addressing of leaked packets is rarely correct for the VLAN they've leaked to -- but since their destination address is unrecognized, they get broadcast everywhere and can be sniffed.

b) attack on the switch affects all VLANs

This is probably less of an issue if the switch doesn't have a management interface on the untrusted VLAN -- but that has other downsides.

It's a classic risk-management problem. You can solve it by throwing a small dedicated switch at it; the question is, does the risk justify that cost? (Costs are easier to measure and control than risks, and so a lot of organizations say "no".)

David Gillett
-----Original Message-----
From: jkaftan [mailto:jkaftan () UTICA EDU]
Sent: Wednesday, February 07, 2007 10:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Untrusted VLANs on Core Gear

We are looking to create a fully redundant internet connection. I was thinking about using my core switch to provide layer 2 for this setup. Specifically I was going to create an Untrust VLAN that my edge routers and Firewalls would connect to.

Fundamentally I do not see an issue as VLANs are supposed to be the same thing as having separate switches (broadcast domains). However another way to look at it is that I have potential bad guys actually "touching" my core gear.

Does this make anyone want to run screaming into the night?
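The reply above names two concrete things to check if an untrusted VLAN does share the core switch: the switch should have no management (Layer 3) interface on that VLAN, and the VLAN should not be carried on more trunks than necessary, since any leaked or flooded frames travel wherever the VLAN does. The script below is an added example, not code from the thread or from any vendor; it audits a constructed IOS-style configuration for those two conditions. The VLAN number 900, the interface names and the addresses are all made up for illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of an IOS-style switch configuration (not taken from the
# thread). VLAN 900 plays the role of the "Untrust" VLAN that the edge routers
# and firewalls plug into; VLAN 10 is an ordinary internal VLAN.
SAMPLE_CONFIG = """\
vlan 10
 name SERVERS
vlan 900
 name UNTRUST
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan900
 ip address 192.0.2.1 255.255.255.248
!
interface GigabitEthernet1/0/1
 description edge-router-A
 switchport mode access
 switchport access vlan 900
!
interface GigabitEthernet1/0/2
 description firewall-outside
 switchport mode access
 switchport access vlan 900
!
interface GigabitEthernet1/0/47
 description uplink-to-closet-switch
 switchport mode trunk
!
interface GigabitEthernet1/0/48
 description uplink-to-distribution
 switchport mode trunk
 switchport trunk allowed vlan 10,900
!
"""

ALL_VLANS: Set[int] = set(range(1, 4095))


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines of each 'interface X' stanza under its name."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return stanzas


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,20-22,900' into a set of ints."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def trunk_allowed_vlans(lines: List[str]) -> Set[int]:
    """Compute the VLANs a trunk carries; with no 'allowed vlan' line, IOS
    defaults to every VLAN, which is exactly the case worth flagging."""
    allowed = set(ALL_VLANS)
    for line in lines:
        m = re.match(r"switchport trunk allowed vlan (.+)", line)
        if not m:
            continue
        arg = m.group(1).strip()
        verb, _, rest = arg.partition(" ")
        if arg == "none":
            allowed = set()
        elif arg == "all":
            allowed = set(ALL_VLANS)
        elif verb == "add":
            allowed |= expand_vlan_list(rest)
        elif verb == "remove":
            allowed -= expand_vlan_list(rest)
        elif verb == "except":
            allowed = set(ALL_VLANS) - expand_vlan_list(rest)
        else:
            allowed = expand_vlan_list(arg)
    return allowed


def audit_untrusted_vlan(config: str, untrusted_vlan: int,
                         allowed_trunks: Tuple[str, ...] = ()) -> List[str]:
    """Return findings for the two risks discussed in the reply:
    an active SVI on the untrusted VLAN, and trunks that carry it without
    being on the explicitly permitted list."""
    findings: List[str] = []
    stanzas = parse_interfaces(config)
    svi = f"Vlan{untrusted_vlan}"
    if svi in stanzas and "shutdown" not in stanzas[svi]:
        findings.append(f"{svi}: active L3/management interface on the untrusted VLAN")
    for name, lines in stanzas.items():
        if "switchport mode trunk" not in lines:
            continue
        if untrusted_vlan in trunk_allowed_vlans(lines) and name not in allowed_trunks:
            findings.append(f"{name}: trunk carries VLAN {untrusted_vlan}")
    return findings


if __name__ == "__main__":
    for f in audit_untrusted_vlan(SAMPLE_CONFIG, 900, allowed_trunks=("GigabitEthernet1/0/48",)):
        print(f)
```

Run against the sample with no trunk exceptions, the audit reports the Vlan900 SVI plus both uplinks (Gi1/0/47 carries everything by default); whitelisting the distribution uplink leaves the SVI and the unpruned closet trunk, which is the kind of list a network team can review before deciding whether the shared-switch design is acceptable.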
Current thread:
- Untrusted VLANs on Core Gear jkaftan (Feb 07)
- <Possible follow-ups>
- Re: Untrusted VLANs on Core Gear Glenn Forbes Fleming Larratt (Feb 07)
- Re: Untrusted VLANs on Core Gear HALL, NATHANIEL D. (Feb 07)
- Re: Untrusted VLANs on Core Gear John Ladwig (Feb 07)
- Re: Untrusted VLANs on Core Gear Raw, Randy (Feb 08)
- Re: Untrusted VLANs on Core Gear Michael Sinatra (Feb 08)
- Re: Untrusted VLANs on Core Gear David C. Smith (Feb 08)
- Re: Untrusted VLANs on Core Gear David LaPorte (Feb 08)
- Re: Untrusted VLANs on Core Gear jkaftan (Feb 08)
- Re: Untrusted VLANs on Core Gear David Gillett (Feb 12)