Firewall Wizards mailing list archives

VLANs as a security barrier (oh no, not again!)


From: Bennett Todd <bet () rahul net>
Date: Mon, 1 May 2000 10:42:36 -0400

It's been discussed many times, and I've solidly held the side that
VLANs are a performance hack, not a security barrier.

But I think I may have found a setting where they might reasonably
work, and if so they'd for sure be bodaciously helpful in this
application.

In a discussion on another list, it emerged that it can be an
amazing help to park a really _really_ tightly-secured bastion host
on every last LAN on a large and complex net, specifically for
providing services to various network boxes on those LANs --- config
download for routers and switches, logging, time sync, whatever.

Naturally the ideal solution would be if you could buy a card for a
cheap PC that gave you say 32 or more 10baseT ports. Sadly you
can't :-).

But what if you set up a bastion with a few quad 100BaseT Znyx cards
in it, and ran 802.1Q for VLANs over all of them to switches. The
picture here is that the bastion wouldn't be routing between these
VLANs; it'd just use them to be locally present on every LAN.

It seems like a switch could be designed to make this work very well
indeed; you want to wire down the MAC addr of the 802.1Q port, and
tell the switch somehow that traffic from other ports can only be
addressed to that addr, and only traffic from that addr on that port
can be addressed to other addrs. In principle that's the sort of
thing a switch could do robustly and securely, without any of the
usual worries about VLANs leaking.

Anybody know if any existing switch can do this? With this approach,
a switch could act like a box-o-ports, and the 100BaseT 802.1Q port
could act like a high-density port for placing a zillion interfaces
on a box.

-Bennett
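The switch behaviour the post asks for, modelled in Python as an added example that is not part of the original message: frames are parsed for their 802.1Q tag, then checked against the two rules stated above (only the pinned MAC may speak out of the trunk port, and access ports may only address that MAC). The port names, bastion MAC and VLAN map are constructed values.

```python
# Added example: model of the pinned-MAC 802.1Q policy from the post above.
# Port names, the bastion MAC and the VLAN map are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100                            # 802.1Q Tag Protocol Identifier
BASTION_MAC = bytes.fromhex("02aabbccdd01")    # constructed, locally administered

@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]       # None when the frame carries no 802.1Q tag
    ingress_port: str

def build_frame(dst: bytes, src: bytes, vid: Optional[int] = None) -> bytes:
    """Ethernet header, with a 4-byte 802.1Q tag inserted when vid is given."""
    tag = b"" if vid is None else (
        TPID_8021Q.to_bytes(2, "big") + (vid & 0x0FFF).to_bytes(2, "big"))
    return dst + src + tag + (0x0800).to_bytes(2, "big")   # IPv4, no payload

def parse_frame(raw: bytes, ingress_port: str) -> Frame:
    """Split out dst/src MACs and, if tagged, the 12-bit VLAN ID from the TCI."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, vid = raw[0:6], raw[6:12], None
    if int.from_bytes(raw[12:14], "big") == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        vid = int.from_bytes(raw[14:16], "big") & 0x0FFF   # drop PCP/DEI bits
    return Frame(dst, src, vid, ingress_port)

class PinnedTrunkSwitch:
    """Trunk port speaks only for the bastion MAC; access ports speak only to it."""
    def __init__(self, trunk_port: str, bastion_mac: bytes, access_vlan: dict):
        self.trunk_port, self.bastion_mac = trunk_port, bastion_mac
        self.access_vlan = access_vlan      # access port -> its single VLAN ID

    def permit(self, frame: Frame) -> bool:
        if frame.ingress_port == self.trunk_port:
            # Only the pinned MAC may talk out of the trunk, and only tagged
            # for a VLAN that actually has an access port behind it.
            return (frame.vid is not None and frame.src == self.bastion_mac
                    and frame.vid in self.access_vlan.values())
        if frame.ingress_port in self.access_vlan:
            # Untagged only (the switch tags on egress) and addressed to the
            # bastion MAC alone; read literally this also drops broadcast ARP.
            return frame.vid is None and frame.dst == self.bastion_mac
        return False                        # unknown port: drop
```

Because the literal rule also drops broadcast ARP from the access ports, the managed devices would need a static ARP entry for the bastion.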

