Firewall Wizards mailing list archives

Cisco Private VLANs


From: "Zarcone, Christopher" <Christopher.Zarcone () netigy com>
Date: Wed, 6 Dec 2000 07:09:37 -0800

Wizards,

I know there have been a lot of religious-war threads about the use of VLANs as
security enforcement technologies. (I know firsthand because I started a few
of them :-)

Be that as it may, Cisco has recently introduced "Private VLANs" with their
Catalyst 6000 series of switches. According to the whitepapers, Private
VLANs allow you to "isolate" ports within a VLAN, such that they can only
communicate with other designated ports in the VLAN (like the port for your
router/default gateway). Supposedly an isolated port cannot communicate with
other isolated ports (e.g. one PC can't talk to another PC, even though
they're in the same VLAN). Cisco promotes the use of this in provider
co-location facilities, primarily for IP address conservation but also for
cross-customer security.

It all sounds good in theory, but is anyone aware of any security issues or
known vulnerabilities? For example, I know that with some of the other older
Catalysts, you could cause frames to jump VLANs (and therefore jump
enforcement boundaries) by creating frames with bogus 802.1q headers
prepended. I heard Cisco corrected the problem, but it only makes you wonder
what other VLAN gremlins might be lurking out there...

TIA,

Christopher Zarcone, CISSP
Senior Consultant
christopher.zarcone () netigy com

Netigy Corporation
www.netigy.com

My opinions do not necessarily represent the opinions of my employer.
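The isolated/promiscuous behaviour described in the post above, modelled as an added example (this is not code from the post, from Cisco, or from the list). It encodes the Layer-2 forwarding rules of a Cisco Private VLAN: a promiscuous port (the router/default-gateway port) can exchange frames with every host port in its primary VLAN, an isolated port can reach only promiscuous ports, and, going one step beyond the post, a "community" port (the third PVLAN port type Cisco defines) can also reach other members of its own community. The port names, VLAN numbers and customer labels are constructed for the example; the `cross_customer_paths` audit lists every host-to-host pair that still has a direct Layer-2 path, which is the property a co-location operator would want to verify.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class PortRole(Enum):
    PROMISCUOUS = "promiscuous"  # router / default-gateway port: talks to everyone
    ISOLATED = "isolated"        # talks to promiscuous ports only
    COMMUNITY = "community"      # talks to its own community plus promiscuous ports


@dataclass(frozen=True)
class Port:
    name: str                    # hypothetical interface name
    primary_vlan: int            # the primary PVLAN this port belongs to
    role: PortRole
    community: Optional[str] = None  # only meaningful for COMMUNITY ports


def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame received on src may be delivered out of dst at Layer 2."""
    if src.name == dst.name:
        return False
    if src.primary_vlan != dst.primary_vlan:
        return False  # ordinary VLAN boundary; PVLAN rules apply within one primary VLAN
    if src.role is PortRole.PROMISCUOUS or dst.role is PortRole.PROMISCUOUS:
        return True   # the gateway port is reachable from, and reaches, every host port
    if src.role is PortRole.COMMUNITY and dst.role is PortRole.COMMUNITY:
        return src.community == dst.community
    return False      # isolated<->isolated and isolated<->community are blocked


def reachable_from(src: Port, ports: List[Port]) -> List[str]:
    """Names of all ports that frames from src can reach, sorted for stable output."""
    return sorted(p.name for p in ports if can_forward(src, p))


def cross_customer_paths(ports: List[Port]) -> List[Tuple[str, str]]:
    """Audit helper: every pair of host (non-promiscuous) ports with a direct L2 path.

    In a co-location design each pair returned here should belong to the same
    customer; anything else is an isolation failure."""
    paths = []
    for a in ports:
        for b in ports:
            if PortRole.PROMISCUOUS in (a.role, b.role):
                continue
            if a.name < b.name and can_forward(a, b):
                paths.append((a.name, b.name))
    return paths


# Constructed sample topology: one primary VLAN (100) shared by several customers.
COLO_PORTS = [
    Port("Gi1/24", 100, PortRole.PROMISCUOUS),         # provider router / default gateway
    Port("Gi1/1", 100, PortRole.ISOLATED),             # customer A, single server
    Port("Gi1/2", 100, PortRole.ISOLATED),             # customer B, single server
    Port("Gi1/3", 100, PortRole.COMMUNITY, "cust-c"),  # customer C, two servers that
    Port("Gi1/4", 100, PortRole.COMMUNITY, "cust-c"),  #   need to see each other
    Port("Gi1/5", 100, PortRole.COMMUNITY, "cust-d"),  # customer D, its own community
    Port("Gi1/6", 200, PortRole.ISOLATED),             # a different primary VLAN entirely
]


if __name__ == "__main__":
    for port in COLO_PORTS:
        print(f"{port.name:7} {port.role.value:12} -> {reachable_from(port, COLO_PORTS)}")
    print("host-to-host L2 paths:", cross_customer_paths(COLO_PORTS))
```

Note what the model does and does not say: "unreachable" here means "no direct Layer-2 path". The router sitting on the promiscuous port is reachable from every isolated host and can route, or proxy-ARP, between two isolated hosts that share a subnet, so the cross-customer guarantee depends on filtering at that router (or on the router not forwarding traffic back out the interface it arrived on), not on the switch alone.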

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards