Firewall Wizards mailing list archives

Re: Vlan's as effective security measures?


From: Brian Ford <brford () cisco com>
Date: Fri, 13 Feb 2004 13:34:33 -0500

Todd,

Acknowledged. And we (Cisco) are always looking for new and interesting ways to break our own stuff.

We at Cisco have also done a lot to address the security issues of using VLANs on our gear.

VLANs were developed to address a specific design issue. There are caveats to the use of VLANs. The choice to use VLAN technology should be one of the decisions made when considering a network design.

I'd hope you agree with this?

Liberty for All,

Brian

At 06:26 PM 2/12/2004 -0500, Todd Joseph wrote:

The Cisco bug DB has plenty of entries for switches with "bleeding
VLAN" woes.  Careful driving your own car. :)

VLANs are a cheap/convenient way of defining subnets and moving ports
logically.  A separate switch (or switches) for each subnet is a clear
win over VLANs -- it just costs more (in hardware and cable/port
management).

Fortunately, there's still lots of cheap Cisco (and other) gear on
eBay - making it more $$ effective than some realize.

Todd
----------------
>John,
>
>And cars crash and cars burn and people are dying in cars all the
>time.   And cars can be made to carry disease and explosives and kill many
>people with just one car and driver! So let's all abandon our cars and
>start walking to work every morning.  If we're late the boss will
>understand because cars are dangerous.  ;-)
>
>You should probably research the switch that you buy and use in order to
>make sure that it doesn't do these things.
>
>Your mileage may vary!
>
>Liberty for All,
>
>Brian
>
>At 12:00 PM 2/10/2004 -0500, firewall-wizards-request () honor icsalabs com wrote:
>>Message: 4
>>Date: Mon, 09 Feb 2004 12:52:31 -0800
>>From: John Hall <jhall () ptavvs net>
>>To: "Ware, Larry" <LWare () e-one com>
>>Cc: "'firewall-wizards () honor icsalabs com'"
>><firewall-wizards () honor icsalabs com>
>>Subject: Re: [fw-wiz] Vlan's as effective security measures?
>>
>>
>>1.  A surprising number of network devices' VLAN implementations
>>     will leak packets between VLANs under heavy loads, or in some
>>     cases randomly all the time.
>>2.  Some switches have a single forwarding database which includes
>>     VLAN tags and a host presenting a carefully chosen MAC address
>>     can sometimes hijack traffic for a host on another VLAN.
>>3.  Some switches flood ARP requests across VLANs.
>>4.  Some switches flood all traffic under heavy load.
>>5.  Few switches and routers have adequate configuration security.
>>
>>Don't depend on VLANs to guarantee the separation of two networks
>>that *must* be separated.  Your security is only as good as the
>>weakest element in your infrastructure and the security of most
>>switches (and to a lesser extent routers) is pretty weak.
>>
>>JMH
>>
>>Ware, Larry wrote:
>>
>> >Forgive a long out of field, and now working on getting back up to speed
> >firewall admin, but would someone care to educate me concerning the security
>> >issues related to VLAN's? I have lots of them, and need to know why a VLAN
>> >is not an effective adjunct to firewall and router security policies.
>> >-larry
>> >
>
>


Brian Ford
Consulting Engineer, Security & Integrity Specialist
Office of Strategic Technology Planning
Cisco Systems Inc.
http://www.cisco.com/go/safe/

The opinions expressed in this message are those of the author and not necessarily those of Cisco Systems, Inc.

This email address is transmitted from San Jose, California, U.S.A.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
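One way to look for the symptoms John lists (a MAC address sourcing frames on two VLANs, ARP requests showing up on a VLAN whose address space they have nothing to do with) instead of trusting the switch: an added example written for this page, not code from the thread or from Cisco, that parses 802.1Q-tagged frames as they would be seen on a monitored trunk. The frames, MAC addresses and VLAN-to-prefix mapping below are constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_ARP = 0x0806

def parse_tagged_frame(raw):
    """Return (src_mac, vlan_id, ethertype, payload) for an 802.1Q-tagged frame, else None."""
    if len(raw) < 18:
        return None
    _dst, src, tpid = struct.unpack("!6s6sH", raw[:14])
    if tpid != ETHERTYPE_VLAN:
        return None                      # untagged: no VLAN evidence to check
    tci, ethertype = struct.unpack("!HH", raw[14:18])
    return src.hex(":"), tci & 0x0FFF, ethertype, raw[18:]

def arp_request_target(payload):
    """Target IPv4 address of an ARP request over Ethernet, or None for anything else."""
    if len(payload) < 28:
        return None
    if struct.unpack("!HHBBH", payload[:8]) != (1, 0x0800, 6, 4, 1):
        return None
    return str(ipaddress.IPv4Address(payload[24:28]))

def audit_vlan_separation(frames, vlan_prefixes):
    """Flag (a) a source MAC seen on more than one VLAN and (b) an ARP request whose
    target lies outside the prefix assigned to the VLAN it arrived on."""
    seen = defaultdict(set)
    findings = []
    for raw in frames:
        parsed = parse_tagged_frame(raw)
        if parsed is None:
            continue
        src, vid, etype, payload = parsed
        seen[src].add(vid)
        if len(seen[src]) > 1:
            findings.append(("mac-on-multiple-vlans", src, sorted(seen[src])))
        target = arp_request_target(payload) if etype == ETHERTYPE_ARP else None
        if target and vid in vlan_prefixes and ipaddress.ip_address(target) not in ipaddress.ip_network(vlan_prefixes[vid]):
            findings.append(("arp-for-foreign-prefix", vid, target))
    return findings

def _frame(src_mac, vid, target_ip):
    """Constructed sample: broadcast ARP request inside an 802.1Q-tagged frame (hw addresses zeroed)."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + bytes(10) + bytes(6) + ipaddress.IPv4Address(target_ip).packed
    return bytes(6) + bytes.fromhex(src_mac) + struct.pack("!HHH", ETHERTYPE_VLAN, vid, ETHERTYPE_ARP) + arp

SAMPLE_PREFIXES = {10: "10.0.10.0/24", 20: "10.0.20.0/24"}   # constructed VLAN plan
SAMPLE_FRAMES = [
    _frame("0a0000000001", 10, "10.0.10.5"),   # normal: VLAN 10 host asking for a VLAN 10 address
    _frame("0a0000000002", 20, "10.0.20.7"),   # normal
    _frame("0a0000000001", 20, "10.0.10.9"),   # same MAC now on VLAN 20, asking for a VLAN 10 address
]

if __name__ == "__main__":
    for finding in audit_vlan_separation(SAMPLE_FRAMES, SAMPLE_PREFIXES):
        print(finding)
```

Run against a capture from a span/monitor port on the trunk rather than the constructed frames; a hit does not prove a switch bug, but it is exactly the condition the thread says you cannot assume away.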

