Re: VLAN Security

[Bennett Todd <bet () rahul net>]

2004-06-08T19:25:51 Carson Gaspar:
> 2004-06-08T10:18:02-0700 Jeff Boles:
> > Anyone care to voice their consensus on contemporary
> > VLAN implementations as a security measure?
>
> I'm sort of a heretic in this crowd. I think VLANs are a very
> useful security implementation tool. [...] My policy is "one
> chassis, one trust level" [...]

I don't know how heretical that is today. For sure, we used to
say that VLANs aren't a security component --- when that was the
vendors' stance. Sometime in the last year or two vendors turned
around and last I heard, their stance was that correctly-configured
VLANs are supported by them as a security component, they're
believed to be leak-free and reports of leaks will be treated as
security bugs.

I'm glad of this; it makes possible a config that I like for certain
applications, what I call a fully-routed net, the next step up from
a fully-switched net. Instead of "every host gets a dedicated switch
port, no hubs" you go up to "every host gets a dedicated router
port, onto a firewall". Just give each switch port a separate vlan
and 802.1q the lot into the firewall[s]. One of these days I'm
looking forward to doing large tracts of business in-house nets that
way.

Even today, though, that's how I'd build out e.g. in-room network
jacks at a hotel, or laptop jacks at a conference.

-Bennett

Attachment: _bin
Description: