Firewall Wizards mailing list archives
Re: Vlan's as effective security measures?
From: Brian Ford <brford () cisco com>
Date: Fri, 13 Feb 2004 13:34:33 -0500
Todd,

Acknowledged. And we (Cisco) are always looking for new and interesting ways to break our own stuff.
We at Cisco have also done a lot to address the security issues of using VLANs on our gear.
VLANs were developed to address a specific design issue. There are caveats to the use of VLANs. The choice to use VLAN technology should be one of the decisions made when considering a network design.
I'd hope you agree with this?

Liberty for All,

Brian

At 06:26 PM 2/12/2004 -0500, Todd Joseph wrote:
The Cisco bug DB has plenty of entries for switches with "bleeding VLAN" woes. Careful driving your own car. :)

VLANs are a cheap/convenient way of defining subnets and moving ports logically. A separate switch (or switches) for each subnet is a clear win over VLANs -- it just costs more (in hardware and cable/port management). Fortunately, there's still lots of cheap Cisco (and other) gear on Ebay - making it more $$ effective than some realize.

Todd

----------------

>John,
>
>And cars crash and cars burn and people are dying in cars all the
>time. And cars can be made to carry disease and explosives and kill many
>people with just one car and driver! So let's all abandon our cars and
>start walking to work every morning. If we're late the boss will
>understand because cars are dangerous. ;-)
>
>You should probably research the switch that you buy and use in order to
>make sure that it doesn't do these things.
>
>Your mileage may vary!
>
>Liberty for All,
>
>Brian
>
>>At 12:00 PM 2/10/2004 -0500, firewall-wizards-request () honor icsalabs com wrote:
>>Message: 4
>>Date: Mon, 09 Feb 2004 12:52:31 -0800
>>From: John Hall <jhall () ptavvs net>
>>To: "Ware, Larry" <LWare () e-one com>
>>Cc: "'firewall-wizards () honor icsalabs com'" <firewall-wizards () honor icsalabs com>
>>Subject: Re: [fw-wiz] Vlan's as effective security measures?
>>
>>1. A surprising number of network devices' VLAN implementations
>>   will leak packets between VLANs under heavy loads, or in some
>>   cases randomly all the time.
>>2. Some switches have a single forwarding database which includes
>>   VLAN tags and a host presenting a carefully chosen MAC address
>>   can sometimes hijack traffic for a host on another VLAN.
>>3. Some switches flood ARP requests across VLANs.
>>4. Some switches flood all traffic under heavy load.
>>5. Few switches and routers have adequate configuration security.
>>
>>Don't depend on VLANs to guarantee the separation of two networks
>>that *must* be separated. Your security is only as good as the
>>weakest element in your infrastructure and the security of most
>>switches (and to a lesser extent routers) is pretty weak.
>>
>>JMH
>>
>>Ware, Larry wrote:
>>
>> >Forgive a long out of field, and now working on getting back up to speed
>> >firewall admin, but would someone care to educate me concerning the security
>> >issues related to VLAN's? I have lots of them, and need to know why a VLAN
>> >is not an effective adjunct to firewall and router security policies.
>> >-larry
>
>Brian Ford
>Consulting Engineer, Security & Integrity Specialist
>Office of Strategic Technology Planning
>Cisco Systems Inc.
>http://www.cisco.com/go/safe/
>
>The opinions expressed in this message are those of the author and not
>necessarily those of Cisco Systems, Inc.
>
>This email address is transmitted from San Jose, California, U.S.A.
>
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards () honor icsalabs com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Brian Ford
Consulting Engineer, Security & Integrity Specialist
Office of Strategic Technology Planning
Cisco Systems Inc.
http://www.cisco.com/go/safe/

The opinions expressed in this message are those of the author and not necessarily those of Cisco Systems, Inc.

This email address is transmitted from San Jose, California, U.S.A.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
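The thread's points 1 through 4 (frames leaking between VLANs, ARP flooded across VLANs) are the kind of thing a defender can watch for on a span or monitor port. The following is an added example, not code from anyone in this thread: it parses 802.1Q-tagged and untagged Ethernet frames captured on an access port and flags any frame that carries a tag for a VLAN the port should not see, or whose source MAC was provisioned on another VLAN. The inventory, MAC addresses and sample frames are all constructed for the example.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # customer tag
ETHERTYPE_8021AD = 0x88A8  # service (QinQ outer) tag

def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))

def make_frame(dst, src, vid, ethertype, payload):
    """Build an Ethernet frame, 802.1Q-tagged when vid is not None (constructed test data)."""
    hdr = mac(dst) + mac(src)
    if vid is not None:
        hdr += struct.pack("!HHH", ETHERTYPE_8021Q, vid & 0x0FFF, ethertype)  # PCP/DEI = 0
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload

def parse_frame(raw):
    """Return (dst, src, vid, ethertype, payload); vid is None for an untagged frame."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vid, off = None, 14
    if ethertype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vid, off = tci & 0x0FFF, 18  # low 12 bits of the TCI are the VLAN ID
    return dst, src, vid, ethertype, raw[off:]

def audit_port(frames, port_vlan, mac_to_vlan):
    """Flag frames seen on an access port for `port_vlan` that should not be there.
    mac_to_vlan maps a host MAC to the VLAN it was provisioned on (from inventory or
    the switch's own address table). Returns a list of (frame_index, reason)."""
    findings = []
    for i, raw in enumerate(frames):
        _, src, vid, _, _ = parse_frame(raw)
        if vid is not None and vid != port_vlan:       # leaked tag from another VLAN
            findings.append((i, "tagged for VLAN %d, expected %d" % (vid, port_vlan)))
        home = mac_to_vlan.get(src)
        if home is not None and home != port_vlan:     # host from another VLAN (e.g. flooded ARP)
            findings.append((i, "source MAC provisioned on VLAN %d" % home))
    return findings

# Constructed sample: an access port on VLAN 10, inventory of three hosts.
INVENTORY = {mac("00:11:22:33:44:01"): 10, mac("00:11:22:33:44:02"): 10, mac("00:11:22:33:44:99"): 20}
SAMPLE = [
    make_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:01", None, 0x0806, b"arp-req"),  # normal
    make_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:99", None, 0x0806, b"arp-req"),  # ARP flooded in from VLAN 20
    make_frame("00:11:22:33:44:02", "00:11:22:33:44:01", 20, 0x0800, b"ip"),         # VLAN 20 tag leaked onto port
]
```

Running `audit_port(SAMPLE, 10, INVENTORY)` reports frames 1 and 2; frame 0 is clean.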