Firewall Wizards mailing list archives
Re: VLAN Security
From: Bennett Todd <bet () rahul net>
Date: Tue, 8 Jun 2004 20:24:25 +0000
2004-06-08T19:25:51 Carson Gaspar:
> 2004-06-08T10:18:02-0700 Jeff Boles:
> > Anyone care to voice their consensus on contemporary VLAN implementations as a security measure?
>
> I'm sort of a heretic in this crowd. I think VLANs are a very useful security implementation tool. [...] My policy is "one chassis, one trust level" [...]
I don't know how heretical that is today. For sure, we used to say that VLANs aren't a security component --- when that was the vendors' stance. Sometime in the last year or two vendors turned around and last I heard, their stance was that correctly-configured VLANs are supported by them as a security component, they're believed to be leak-free and reports of leaks will be treated as security bugs.

I'm glad of this; it makes possible a config that I like for certain applications, what I call a fully-routed net, the next step up from a fully-switched net. Instead of "every host gets a dedicated switch port, no hubs" you go up to "every host gets a dedicated router port, onto a firewall". Just give each switch port a separate vlan and 802.1q the lot into the firewall[s].

One of these days I'm looking forward to doing large tracts of business in-house nets that way. Even today, though, that's how I'd build out e.g. in-room network jacks at a hotel, or laptop jacks at a conference.

-Bennett
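
The firewall side of the "one VLAN per switch port, 802.1q the lot into the firewall" layout described in the message above, as an added example that is not part of the original post. It assumes a Linux firewall with iproute2 and nftables; the interface names, VLAN numbering and addressing are constructed for illustration, and the switch is assumed to already put each port in its own access VLAN and tag them all onto the trunk.

```shell
#!/bin/sh
# Added example: dry-run generator. It prints commands and rules, it changes nothing.
# Assumed names: TRUNK is the firewall NIC carrying the 802.1Q trunk from the
# switch, UPLINK is the outside interface. Numbering and addressing are made up.
TRUNK=${TRUNK:-eth1}
UPLINK=${UPLINK:-eth0}
VLAN_BASE=${VLAN_BASE:-101}     # switch port N is assumed to be access VLAN VLAN_BASE+N-1
NET_PREFIX=${NET_PREFIX:-10.20} # each port gets its own /30 out of NET_PREFIX.0.0/16

# port_vlan PORT -> VLAN id for that switch port (fails outside 1..4094)
port_vlan() {
    vid=$((VLAN_BASE + $1 - 1))
    [ "$1" -ge 1 ] && [ "$vid" -ge 1 ] && [ "$vid" -le 4094 ] || return 1
    echo "$vid"
}

# port_gateway PORT -> firewall-side address of that port's /30
port_gateway() {
    off=$((($1 - 1) * 4))
    echo "$NET_PREFIX.$((off / 256)).$((off % 256 + 1))/30"
}

# gen_interfaces NPORTS -> iproute2 commands creating one subinterface per port
gen_interfaces() {
    echo "ip link set $TRUNK up"
    n=1
    while [ "$n" -le "$1" ]; do
        vid=$(port_vlan "$n") || { echo "port $n: VLAN id out of range" >&2; return 1; }
        echo "ip link add link $TRUNK name $TRUNK.$vid type vlan id $vid"
        echo "ip addr add $(port_gateway "$n") dev $TRUNK.$vid"
        echo "ip link set $TRUNK.$vid up"
        n=$((n + 1))
    done
}

# gen_ruleset -> nftables rules: hosts may reach the uplink, never each other
gen_ruleset() {
    cat <<EOF
table inet perport {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$TRUNK.*" oifname "$UPLINK" accept
    }
}
EOF
}
```

Because every host sits alone in its own /30 behind its own subinterface, any host-to-host traffic has to be forwarded by the firewall, where the default-drop policy stops it. Review the output before applying it as root (for instance `gen_interfaces 48 | sh` and `gen_ruleset | nft -f -`), with IPv4 forwarding enabled.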