Firewall Wizards mailing list archives

RE: DMZ - the physical layer


From: Ben Nagy <bnagy () cpms com au>
Date: Thu, 16 Mar 2000 12:21:52 +1030

-----Original Message-----
From: John White [mailto:johnjohn () triceratops com]
Sent: Wednesday, 8 March 2000 1:02 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] DMZ - the physical layer


I was looking through the archives of the greatcircle
firewall list and came across some opinions regarding
the construction of DMZs.

I'm using Baystack 450's as my backbone switches.
Bay 450's have a virtual lan function which can
be used to limit a collision domain to specific
ports.  I was planning on using this function to
create the DMZ.

Nooo....


However, I ran across some opinions that this type of
action was quite foolish.

Can someone give me the cons to this proposal?

An option would be to buy a cheap Netgear switch 
(under $500) to be a physically separate DMZ. 

Pros and cons on that vs the virtual lan?  $500
is a small price to pay if there are security problems
when using a vlan as a DMZ.

John

VLANs aren't designed to be security barriers with the assurance of
firewalls. If you're worried about your security then don't use 'em. The key
problem lies in the special packets/headers that the switches use to work
out which VLAN an ethernet frame is in (and the possibility of forging such
packets/headers to trick the switch).

All (that I can envision) of the exploits require layer-2 tricks - in other
words for remote penetration you need to gain enough control over something
so that you can mess with its ethernet drivers or install software that can
write raw frames. Also note that this is not a design flaw. A switch that is
designed and configured correctly should (in theory) be immune to this kind
of problem. However, there has been at least one demonstrated exploit (check
the bugtraq archives - it was on a Cisco catalyst switch [1]).

If it were me I'd take the assurance of the air gap.

Cheers,


[1] From memory this exploit is not terribly applicable to your case, but
it's an example of VLAN busting. The problem in the bugtraq'ed case lay in
trunk ports between two VLANs being vulnerable to specially crafted frames.
This is easy to avoid.
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520 
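The reply's point is that a switch decides VLAN membership from headers carried in the frame itself, so a DMZ built on VLANs is only as strong as the switch's handling of those headers. The following is an added example, not code from the thread or from any switch vendor: a small 802.1Q tag inspector of the kind a defender would run on a SPAN/mirror port to check that frames actually match the port's configured role. The port descriptions, MAC addresses and sample frames are constructed test data; the `build_frame` helper exists only to produce that data.

```python
import struct

# Added example (not from the mailing-list thread): audit Ethernet frames for
# 802.1Q tagging that disagrees with a port's configured role. Port roles and
# sample frames below are constructed for the demonstration.

ETHERTYPE_8021Q = 0x8100   # customer VLAN tag (802.1Q)
ETHERTYPE_QINQ = 0x88A8    # service-provider outer tag (802.1ad)
TAG_ETHERTYPES = (ETHERTYPE_8021Q, ETHERTYPE_QINQ)


def parse_frame(frame: bytes):
    """Split an Ethernet frame into (dst, src, vlan_ids, ethertype, payload).

    vlan_ids lists every stacked 802.1Q/802.1ad tag, outermost first;
    an untagged frame yields an empty list.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than minimum Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    vlan_ids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated EtherType")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in TAG_ETHERTYPES:
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlan_ids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VID
        offset += 4
    return dst, src, vlan_ids, ethertype, frame[offset + 2:]


def audit_frame(frame: bytes, port: dict) -> list:
    """Return findings for a frame seen on a port.

    port is a constructed description: {"name": str, "trunk": bool,
    "allowed_vlans": set} (allowed_vlans only matters for trunk ports).
    """
    _, _, vlan_ids, _, _ = parse_frame(frame)
    findings = []
    # An access port should never receive tagged frames from its host.
    if not port["trunk"] and vlan_ids:
        findings.append("tagged frame on access port %s (VID %d)"
                        % (port["name"], vlan_ids[0]))
    # Stacked tags are unusual inside a single site and worth a look.
    if len(vlan_ids) > 1:
        findings.append("stacked tags on %s: %s" % (port["name"], vlan_ids))
    # On a trunk, the outer VID must be one the trunk is meant to carry.
    if port["trunk"] and vlan_ids and vlan_ids[0] not in port["allowed_vlans"]:
        findings.append("VID %d not allowed on trunk %s"
                        % (vlan_ids[0], port["name"]))
    return findings


def build_frame(dst, src, vlan_ids, ethertype, payload):
    """Assemble a constructed test frame with zero or more 802.1Q tags."""
    hdr = dst + src
    for vid in vlan_ids:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample data (locally administered MACs, stub IPv4 payload).
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
ETHERTYPE_IPV4 = 0x0800
PAYLOAD = b"\x45" + b"\x00" * 19

ACCESS_PORT = {"name": "dmz-port-1", "trunk": False, "allowed_vlans": set()}
TRUNK_PORT = {"name": "uplink-1", "trunk": True, "allowed_vlans": {10, 20}}

SAMPLES = {
    "untagged": build_frame(MAC_B, MAC_A, [], ETHERTYPE_IPV4, PAYLOAD),
    "vlan10": build_frame(MAC_B, MAC_A, [10], ETHERTYPE_IPV4, PAYLOAD),
    "stacked": build_frame(MAC_B, MAC_A, [10, 30], ETHERTYPE_IPV4, PAYLOAD),
}


def run_audit():
    """Audit every sample frame against both port roles."""
    results = {}
    for name, frame in SAMPLES.items():
        results[(name, "access")] = audit_frame(frame, ACCESS_PORT)
        results[(name, "trunk")] = audit_frame(frame, TRUNK_PORT)
    return results


if __name__ == "__main__":
    for key, findings in sorted(run_audit().items()):
        print(key, findings or "ok")
```

The check is deliberately narrow: it reports tagged frames on ports that should only ever see untagged traffic, stacked tags anywhere, and outer VIDs a trunk was not configured to carry. Those three conditions cover the header-forgery concern raised in the reply without assuming anything about a particular switch's internals.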


