Firewall Wizards mailing list archives
RE: VLAN Security
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Tue, 8 Jun 2004 15:05:16 -0400
-----Original Message-----
> Anyone care to voice their consensus on contemporary VLAN implementations as a security measure? I'm looking at a WAN design using a newly rolled out MetroEthernet product, and the provider network is built on Catalyst switches and VLANs. Every customer rides a separate VLAN. The provider's intention is to also provide ISP services across this cloud.
The main issue for 802.1Q VLANs is that some implementations are susceptible to "hopping" attacks. The attacker has to know the proper 802.1Q VLAN ID tag and the MAC address of the victim in order to hop VLANs, but this information is often much easier to come by than it ought to be. (Usually all you need is a read-only SNMP community. Sometimes not even that -- how many of your switches have a VLAN with an ID of '1'?) Some light reading:

http://www.sans.org/resources/idfaq/vlan.php
http://www.phenoelit.de/stuff/18C3.pdf
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
> Anybody care to voice an argument on VLAN integrity in the provider network?
I wouldn't trust it if I didn't put it in and test it myself or see that it was analyzed and certified by a third party qualified to do so. That said, you may opt to mitigate these risks by using other access control, encryption, or authentication mechanisms. For instance, restricting traffic so that only IPSec tunnels can cross the cloud would negate the issue of whether or not the VLANs were secure.

PaulM
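As an added illustration (not from Paul's message or the list), here is a small frame parser that walks stacked 802.1Q/802.1ad tags and reports the things a defender would want flagged on a customer-facing access port: tagged frames where none are expected, stacked tags, and tags that name VLAN 1. The frames, MAC addresses and VLAN IDs below are constructed samples.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q customer tag (C-tag)
ETH_P_8021AD = 0x88A8  # 802.1ad service tag (S-tag, QinQ)
TAG_TPIDS = {ETH_P_8021Q, ETH_P_8021AD}


def parse_vlan_tags(frame: bytes):
    """Return (list_of_vids, inner_ethertype) for an Ethernet frame.

    Walks every stacked 802.1Q/802.1ad tag after the two MAC addresses;
    the VID is the low 12 bits of each Tag Control Information field."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    vids, offset = [], 12
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in TAG_TPIDS:
            return vids, tpid
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)
        offset += 4


def audit_frame(frame: bytes, access_port: bool = True):
    """Return human-readable findings for a frame seen on a given port."""
    vids, _ = parse_vlan_tags(frame)
    findings = []
    if access_port and vids:
        findings.append("tagged frame on access port")
    if len(vids) > 1:
        findings.append("stacked 802.1Q tags (possible hopping attempt)")
    if 1 in vids:
        findings.append("tag references VLAN 1 (default/native)")
    return findings


# Constructed sample frames: broadcast dst, RFC 7042 documentation src MAC,
# IPv4 ethertype, 46-byte zero payload. Not captured from any real network.
_HDR = bytes.fromhex("ffffffffffff" "00005e005301")
_PAYLOAD = bytes(46)
UNTAGGED = _HDR + bytes.fromhex("0800") + _PAYLOAD
SINGLE_TAG = _HDR + bytes.fromhex("8100" "0064" "0800") + _PAYLOAD           # VID 100
DOUBLE_TAG = _HDR + bytes.fromhex("8100" "0001" "8100" "0014" "0800") + _PAYLOAD  # VID 1, then 20

if __name__ == "__main__":
    for name, f in [("untagged", UNTAGGED), ("single", SINGLE_TAG), ("double", DOUBLE_TAG)]:
        print(name, parse_vlan_tags(f)[0], audit_frame(f))
```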