Firewall Wizards mailing list archives
RE: Re: Vlan's as effective security measures?
From: <hugh_fraser () dofasco ca>
Date: Tue, 17 Feb 2004 12:14:52 -0500
-----Original Message----- From: Brian Ford [mailto:brford () cisco com] Sent: Friday, February 13, 2004 1:44 PM To: Fraser Hugh Cc: firewall-wizards () honor icsalabs com; jhall () ptavvs net; LWare () e-one com Subject: RE: Re: [fw-wiz] Vlan's as effective security measures? Hugh, Please see my comments in line: At 11:58 AM 2/13/2004 -0500, hugh_fraser () dofasco ca wrote:Regardless of the VLAN technology chosen, the basic reason for investing in this kind of technology is to manage bandwidthand isolatetraffic, not provide security.I don't agree with your wording here. You seem to be implying that VLANs can not be made secure at all. In fact, VLAN technology can be secured. Whether or not the level of security achieved in a particular design provides acceptable risk is design issue that is reviewed all the time.
I'm referring to the reasons people usually invest in VLAN technology, and that usually drives their deployment strategies and the way the network's managed. I'm not referring to what the vendors priorities are. I mentioned later in my note that newer technologies (like 802.1x) offer the ability to do port authentication, but that's not been the driving force in the past, and I'm certain isn't the reason for most existing installations. I can address a lot of security issues by simply managing my systems better, enforcing stronger authentication, encrypted traffic, mandatory access controls, etc.. But some systems don't support these features, run legacy or purchased apps I can't change, or are simply driven by business requirements that we, as a supplier, are forced to accept. I've been waiting for quite some time for even rudimentary IDS functions in switches to address the problems I have deploying IDS sensors internally. The response has always been that it would be nice and is being looked at, but the fundamental design goal, and the metric by which the product is measured, is switching speed. IDS functionality consumes valuable horsepower. Practically speaking, VLANs are usually used to control traffic, and are managed by people responsible for providing this service. Security is another issue, usually handled by a different set of people, with an entirely different mandate. Security's a tough enough feature to sell in pure security circles. In a market where the major concern is providing enough bandwidth to support the next big app (ie. Voip, video conferencing, etc.), it's not the top priority.
As such, the vendors haven't invested a lot in security.That's a blanket statement that based on my own experience with my employer I would disagree with.
True enough, from the vendors perspective. I don't think the importance of this has been made a high-enough priority to the customer though. While security education is definitely one of my responsibilities, security is still considered by many to be an expense that adds little value to a company's bottom line, compared with a pipe that offers the dedicated bandwidth my killer application needs.
But beyond that, there are basic authentication issues that make it difficult to implement a strong security solution based upon VLANs. Policies controlling access to VLANs depend upon some method of identifying the client, and it's usually either a MAC address or a switch port.802.1X solutions can go far beyond this. We can examine credentials on the users computer or the users login to the network. Or we can just challenge them when they attempt to connect.
Agreed. If they're used. I can also require 2 or 3 factor authentication, which dramatically strengthens my ability to provide access controls and audit trails. If the business will use them.
MAC addresses are readily obtained and almost as easily forged as IP addresses, allowing access to a MAC-based VLAN.Port-basedidentification relies on restricted access to the portsthemselves, orto the drop connected to the port. In both cases, bypassing the VLAN security isn't somethingthat happensby accident, but if you're concerned about security you'replanning formalicious activity. Newer technologies can do strongerauthenticationat the port, but aren't widely used. And it's possible to configure most networking infrastructure to alert you to unexpected changes if they occur, but this information is rarely incorporated intoa securityauditting system, and generally go un-noticed except by the network group when they're debugging problems. It requires extra diligence to ensure that VLANs provideanywhere nearthe security most people expect. In my experience, thisextra diligencedoesn't happen, and VLANs are incorrectly understood toprovide securechannels.Diligence is the key. It's an important part of the network design process and should be exercised when using any feature.
It's more than just diligence. Networking technology is often selected by the networking groups in response to pressures they feel to provide what is felt to be a commodity service, like the phone system. In that light, the product selected is the one that relieves the most pressure, and security personnel often isn't involved. Thanks to recent trends in network attacks (blaster, nachi, etc.), it's getting easier to justify network security beyond anti-virus on the desktop, but it's still a tough sell. So the solution is more than dilegence... It requires a change in the way the network's viewed internally as more than just a pipe, and co-operation between departments with different goals. Until then, the diligence simply won't happen, and it's irresponsible to assume the VLAN is a secure connection. I spend a lot of my time educating the people I report to and work with on security issues in the network. While I see a willingness on the part of vendors to respond to questions concerning network security, it usually is a result of me pulling rather than them pushing. The next time you're talking to a client, raise the profile of the security features. It will make my job a lot easier.
Liberty for All, Brian-----Original Message----- From: Brian Ford [mailto:brford () cisco com] Sent: Thursday, February 12, 2004 1:14 PM To: firewall-wizards () honor icsalabs com Cc: jhall () ptavvs net; Ware, Larry Subject: Re: Re: [fw-wiz] Vlan's as effective security measures? John, And cars crash and cars burn and people are dying in cars all the time. And cars can be made to carry disease and explosives and kill many people with just one car and driver! So let's all abandonour carsand start walking to work every morning. If we're late the boss will understand because cars are dangerous. ;-) You should probably research the switch that you buy and use in order to make sure that it doesn't do these things. Your mileage may vary! Liberty for All, Brian At 12:00 PM 2/10/2004 -0500, firewall-wizards-request () honor icsalabs com wrote:Message: 4 Date: Mon, 09 Feb 2004 12:52:31 -0800 From: John Hall <jhall () ptavvs net> To: "Ware, Larry" <LWare () e-one com> Cc: "'firewall-wizards () honor icsalabs com'" <firewall-wizards () honor icsalabs com> Subject: Re: [fw-wiz] Vlan's as effective security measures? 1. A surprising number of network devices' VLAN implementations will leak packets between VLANs under heavy loads,or in somecases randomly all the time. 2, Some switches have a single forwarding databasewhich includesVLAN tags and a host presenting a carefully chosenMAC addresscan sometimes hijack traffic for a host on anotherVLAN. 3. Someswitches flood ARP requests across VLANs. 4. Some switchesflood alltraffic under heavy load. 5. Few switches and routers have adequate configuration security. Don't depend on VLANs to guarantee the separation of twonetworks that*must* be separated. Your security is only as good asthe weakestelement in your infrastructure and the security of mostswitches (andto a lesser extent routers) is pretty weak. JMH Ware, Larry wrote:Forgive a long out of field, and now working ongetting back upto speed firewall admin, but would someone care to educate meconcerningthe security issues related to VLAN's? I have lots ofthem, and needto know why a VLAN is not an effective adjunct to firewalland routersecurity policies. -larryBrian Ford Consulting Engineer, Security & Integrity Specialist Office of Strategic Technology Planning Cisco Systems Inc. http://www.cisco.com/go/safe/ The opinions expressed in this message are those of theauthor andnot necessarily those of Cisco Systems, Inc.. This email address is transmitted from San Jose,California, U.S.A.._______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizardsBrian Ford Consulting Engineer, Security & Integrity Specialist Office of Strategic Technology Planning Cisco Systems Inc. http://www.cisco.com/go/safe/ The opinions expressed in this message are those of the author and not necessarily those of Cisco Systems, Inc.. This email address is transmitted from San Jose, California, U.S.A.. _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Transparent proxying, (continued)
- Re: Transparent proxying kaptain (Feb 12)
- Re: Transparent proxying Ng Pheng Siong (Feb 13)
- RE: Vlan's as effective security measures? Melson, Paul (Feb 10)
- Re: Vlan's as effective security measures? Brian Ford (Feb 12)
- Re: Re: Vlan's as effective security measures? Brian Ford (Feb 12)
- Re: Vlan's as effective security measures? Todd Joseph (Feb 13)
- Re: Vlan's as effective security measures? Brian Ford (Feb 16)
- Re: Vlan's as effective security measures? Todd Joseph (Feb 13)
- RE: Re: Vlan's as effective security measures? hugh_fraser (Feb 16)
- Re: Vlan's as effective security measures? Jeremiah Cornelius (Feb 20)
- RE: Re: Vlan's as effective security measures? Brian Ford (Feb 16)
- RE: Re: Vlan's as effective security measures? hugh_fraser (Feb 20)