Firewall Wizards mailing list archives

RE: Re: Vlan's as effective security measures?


From: <hugh_fraser () dofasco ca>
Date: Tue, 17 Feb 2004 12:14:52 -0500


-----Original Message-----
From: Brian Ford [mailto:brford () cisco com] 
Sent: Friday, February 13, 2004 1:44 PM
To: Fraser Hugh
Cc: firewall-wizards () honor icsalabs com; jhall () ptavvs net; 
LWare () e-one com
Subject: RE: Re: [fw-wiz] Vlan's as effective security measures?


Hugh,

Please see my comments in line:

At 11:58 AM 2/13/2004 -0500, hugh_fraser () dofasco ca wrote:
Regardless of the VLAN technology chosen, the basic reason for investing in this kind of technology is to manage bandwidth and isolate traffic, not provide security.

I don't agree with your wording here.  You seem to be implying that VLANs can not be made secure at all.  In fact, VLAN technology can be secured.  Whether or not the level of security achieved in a particular design provides acceptable risk is a design issue that is reviewed all the time.


I'm referring to the reasons people usually invest in VLAN technology,
and that usually drives their deployment strategies and the way the
network's managed. I'm not referring to what the vendors' priorities are.
I mentioned later in my note that newer technologies (like 802.1x) offer
the ability to do port authentication, but that's not been the driving
force in the past, and I'm certain it isn't the reason for most existing
installations. I can address a lot of security issues by simply managing
my systems better, enforcing stronger authentication, encrypted traffic,
mandatory access controls, etc. But some systems don't support these
features, run legacy or purchased apps I can't change, or are simply
driven by business requirements that we, as a supplier, are forced to
accept.

I've been waiting for quite some time for even rudimentary IDS functions
in switches to address the problems I have deploying IDS sensors
internally. The response has always been that it would be nice and is
being looked at, but the fundamental design goal, and the metric by
which the product is measured, is switching speed. IDS functionality
consumes valuable horsepower.

Practically speaking, VLANs are usually used to control traffic, and are
managed by people responsible for providing this service. Security is
another issue, usually handled by a different set of people, with an
entirely different mandate.

Security's a tough enough feature to sell in pure security circles. In a
market where the major concern is providing enough bandwidth to support
the next big app (i.e. VoIP, video conferencing, etc.), it's not the top
priority.


As such, the vendors haven't invested a lot in security.

That's a blanket statement that, based on my own experience with my employer, I would disagree with.


True enough, from the vendors' perspective. I don't think the importance
of this has been made a high-enough priority to the customer though.
While security education is definitely one of my responsibilities,
security is still considered by many to be an expense that adds little
value to a company's bottom line, compared with a pipe that offers the
dedicated bandwidth my killer application needs.

But beyond that, there are basic authentication issues that make it 
difficult to implement a strong security solution based upon VLANs.

Policies controlling access to VLANs depend upon some method of 
identifying the client, and it's usually either a MAC address or a 
switch port.

802.1X solutions can go far beyond this.  We can examine credentials on the user's computer or the user's login to the network.  Or we can just challenge them when they attempt to connect.

Agreed. If they're used. I can also require 2- or 3-factor
authentication, which dramatically strengthens my ability to provide
access controls and audit trails.

If the business will use them.


MAC addresses are readily obtained and almost as easily forged as IP addresses, allowing access to a MAC-based VLAN. Port-based identification relies on restricted access to the ports themselves, or to the drop connected to the port.

In both cases, bypassing the VLAN security isn't something that happens by accident, but if you're concerned about security you're planning for malicious activity. Newer technologies can do stronger authentication at the port, but aren't widely used. And it's possible to configure most networking infrastructure to alert you to unexpected changes if they occur, but this information is rarely incorporated into a security auditing system, and generally goes unnoticed except by the network group when they're debugging problems.

It requires extra diligence to ensure that VLANs provide anywhere near the security most people expect. In my experience, this extra diligence doesn't happen, and VLANs are incorrectly understood to provide secure channels.

Diligence is the key.  It's an important part of the network design process and should be exercised when using any feature.



It's more than just diligence. Networking technology is often selected
by the networking groups in response to pressures they feel to provide
what is felt to be a commodity service, like the phone system. In that
light, the product selected is the one that relieves the most pressure,
and security personnel often aren't involved. Thanks to recent trends in
network attacks (blaster, nachi, etc.), it's getting easier to justify
network security beyond anti-virus on the desktop, but it's still a
tough sell. So the solution is more than diligence... It requires a
change in the way the network's viewed internally as more than just a
pipe, and co-operation between departments with different goals. Until
then, the diligence simply won't happen, and it's irresponsible to
assume the VLAN is a secure connection.

I spend a lot of my time educating the people I report to and work with
on security issues in the network. While I see a willingness on the part
of vendors to respond to questions concerning network security, it
usually is a result of me pulling rather than them pushing. The next
time you're talking to a client, raise the profile of the security
features. It will make my job a lot easier.

Liberty for All,

Brian

-----Original Message-----
From: Brian Ford [mailto:brford () cisco com]
Sent: Thursday, February 12, 2004 1:14 PM
To: firewall-wizards () honor icsalabs com
Cc: jhall () ptavvs net; Ware, Larry
Subject: Re: Re: [fw-wiz] Vlan's as effective security measures?


John,

And cars crash and cars burn and people are dying in cars all the time.  And cars can be made to carry disease and explosives and kill many people with just one car and driver! So let's all abandon our cars and start walking to work every morning.  If we're late the boss will understand because cars are dangerous.  ;-)

You should probably research the switch that you buy and use in 
order to make sure that it doesn't do these things.

Your mileage may vary!

Liberty for All,

Brian

At 12:00 PM 2/10/2004 -0500, 
firewall-wizards-request () honor icsalabs com wrote:
Message: 4
Date: Mon, 09 Feb 2004 12:52:31 -0800
From: John Hall <jhall () ptavvs net>
To: "Ware, Larry" <LWare () e-one com>
Cc: "'firewall-wizards () honor icsalabs com'"
<firewall-wizards () honor icsalabs com>
Subject: Re: [fw-wiz] Vlan's as effective security measures?


1.  A surprising number of network devices' VLAN implementations
    will leak packets between VLANs under heavy loads, or in some
    cases randomly all the time.
2.  Some switches have a single forwarding database which includes
    VLAN tags, and a host presenting a carefully chosen MAC address
    can sometimes hijack traffic for a host on another VLAN.
3.  Some switches flood ARP requests across VLANs.
4.  Some switches flood all traffic under heavy load.
5.  Few switches and routers have adequate configuration security.

Don't depend on VLANs to guarantee the separation of two networks that *must* be separated.  Your security is only as good as the weakest element in your infrastructure, and the security of most switches (and to a lesser extent routers) is pretty weak.

JMH

Ware, Larry wrote:

Forgive a long out of field, and now working on getting back up to speed firewall admin, but would someone care to educate me concerning the security issues related to VLANs? I have lots of them, and need to know why a VLAN is not an effective adjunct to firewall and router security policies. -larry



Brian Ford
Consulting Engineer, Security & Integrity Specialist
Office of Strategic Technology Planning
Cisco Systems Inc.
http://www.cisco.com/go/safe/

The opinions expressed in this message are those of the author and not necessarily those of Cisco Systems, Inc.

This email address is transmitted from San Jose, California, U.S.A.


_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
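Hugh's point that switches can alert on unexpected changes but that those alerts rarely reach a security audit, together with his remark that MAC addresses are easily forged, as an added example that is not part of this thread: a small Python auditor over MAC-learning records that flags a MAC moving between ports, the same MAC flapping between two known ports within a short window (a sign of a duplicated MAC), and a MAC changing VLAN. The record format, switch name, ports and sample lines are constructed here for illustration and are not any vendor's native syslog format.

```python
"""Feed switch MAC-learning events into a security audit instead of leaving
them to the network group's debugging. Added example; the log format below
is constructed for illustration, not a vendor's syslog format."""
import re
from datetime import datetime, timedelta

# Constructed record format: <ISO time> <switch> MAC-LEARN mac=.. vlan=.. port=..
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<switch>\S+) MAC-LEARN mac=(?P<mac>[0-9a-f:]{17}) "
    r"vlan=(?P<vlan>\d+) port=(?P<port>\S+)$")

# Constructed sample: one MAC hops 5 -> 9 -> 5 within seconds, another changes VLAN.
SAMPLE_LOG = """\
2004-02-13T11:58:00 sw1 MAC-LEARN mac=00:11:22:33:44:55 vlan=10 port=Gi1/0/5
2004-02-13T11:58:20 sw1 MAC-LEARN mac=00:11:22:33:44:66 vlan=20 port=Gi1/0/6
2004-02-13T11:58:31 sw1 MAC-LEARN mac=00:11:22:33:44:55 vlan=10 port=Gi1/0/9
2004-02-13T11:58:40 sw1 MAC-LEARN mac=00:11:22:33:44:55 vlan=10 port=Gi1/0/5
2004-02-13T11:59:02 sw1 MAC-LEARN mac=00:11:22:33:44:66 vlan=30 port=Gi1/0/6
"""

def parse_line(line):
    """Return a dict for a well-formed record, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["vlan"] = int(rec["vlan"])
    return rec

def audit_mac_events(lines, flap_window=timedelta(seconds=60)):
    """Return (kind, mac, detail) alerts. last[mac] = (ts, (switch, port), vlan);
    history[mac] = every (switch, port) the MAC has ever been learned on."""
    last, history, alerts = {}, {}, []
    where = lambda h: f"{h[0]}:{h[1]}"
    for rec in filter(None, map(parse_line, lines)):
        mac, here = rec["mac"], (rec["switch"], rec["port"])
        if mac in last:
            prev_ts, prev_here, prev_vlan = last[mac]
            if rec["vlan"] != prev_vlan:  # MAC-based VLAN membership is only as strong as the MAC
                alerts.append(("VLAN_CHANGE", mac, f"{prev_vlan}->{rec['vlan']} at {where(here)}"))
            if here != prev_here:
                # Returning to a port seen before, within the window, looks like two
                # live hosts sharing one MAC rather than a genuine relocation.
                flap = here in history[mac] and rec["ts"] - prev_ts <= flap_window
                alerts.append(("DUPLICATE_MAC" if flap else "MAC_MOVE", mac,
                               f"{where(prev_here)}->{where(here)}"))
        history.setdefault(mac, set()).add(here)
        last[mac] = (rec["ts"], here, rec["vlan"])
    return alerts

if __name__ == "__main__":
    for kind, mac, detail in audit_mac_events(SAMPLE_LOG.splitlines()):
        print(f"{kind:14} {mac} {detail}")
```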


