Vulnerability Development mailing list archives

Re: Vlans


From: Shawn Davenport <shawn.davenport () CURRENEX COM>
Date: Thu, 18 Jan 2001 07:41:48 -0800

Hey Tim,
Although I feel the same way, i.e. a bad idea, my only argument is from a
"local" security standpoint. In most cases, having your internal and
external segments existing on the same switch, using only VLANs (802.1Q or
port based) is safe from an external attack (outside your front router). The
idea is that the router, as well as the firewall, should be replacing the
Ethernet frames, thus eliminating any 802.1Q tags and the ability to hop the
VLAN boundary.

But if someone could gain access to the switch from the outside, or if you
have a concern of someone/thing on the inside getting around the firewall to
get out, then you have other points to go on.

I can't think of any other ways to validate a need for a physical
separation, assuming the above are not an issue.

Shawn


 -----Original Message-----
From:   Tim Salus [mailto:tsalus () CBOSS COM]
Sent:   Wednesday, January 17, 2001 9:02 AM
To:     VULN-DEV () SECURITYFOCUS COM
Subject:        Vlans

I am not certain if this is the place to ask this and if not please let
me know where to send it.

I have a client who has the following configuration

Internet -> router -> firewall -> load balancer

The connection from the router to the firewall is on a switch and the
connection from the inside interface of the firewall is on the same
switch. The separation is done using VLANS.

I was taught this is bad due to 802.1Q tagging and VLAN hopping using
tagged packets. The problem is I can find very little information on
this to prove my point.

Also, what if there is no 802.1Q trunking being done? Is there still a
problem with this?

Is there an exploit to get around the firewall and do server flooding by
jumping VLANs?

No one can get on the firewall segment, so what I need to know is: can
anyone on the Internet cause a problem with this type of configuration?

Thanks in advance

Timothy L. Salus
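The two mechanisms discussed in this thread, modelled as an added example that is not part of either message above. It builds Ethernet frames with a stack of 802.1Q tags, parses the tag stack back out, and contrasts two forwarding models: a simplified switch trunk port with a native VLAN that strips a tag matching that VLAN (the "VLAN hopping using tagged packets" Tim refers to, in its commonly described double-tag form), and a router or firewall forwarding at layer 3, which keeps only the IP packet and rebuilds the Ethernet header from its own egress interface, so ingress tags never cross it (Shawn's point). The MAC addresses and the IP payload are constructed sample data, the trunk model is a deliberate simplification rather than any particular switch's behaviour, and the layer-3 model assumes the firewall actually routes; a firewall bridging in transparent mode would not rebuild the layer-2 header and is outside this model.

```python
"""Model of 802.1Q tag handling across a trunk port versus a layer-3 hop.

Added example, not code from the original mailing-list thread. Addresses
and payload below are constructed sample data.
"""
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

# Constructed sample MAC addresses (locally administered, not real hosts)
ATTACKER_MAC = bytes.fromhex("020000000001")
GATEWAY_MAC = bytes.fromhex("020000000002")
INSIDE_MAC = bytes.fromhex("020000000003")
# Constructed stand-in for an IPv4 packet; the model never looks inside it
SAMPLE_IP_PACKET = b"\x45\x00\x00\x14" + b"\x00" * 16


def build_frame(dst, src, vlan_ids, payload, inner_type=ETHERTYPE_IPV4):
    """Ethernet frame with zero or more 802.1Q tags, outermost first.

    Each tag is TPID 0x8100 followed by a 16-bit TCI; PCP and DEI are left
    at zero so the TCI is just the 12-bit VLAN ID.
    """
    frame = dst + src
    for vid in vlan_ids:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", inner_type) + payload


def parse_frame(frame):
    """Return (dst, src, [vlan ids outermost first], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    off = 12
    vlans = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if ethertype != ETHERTYPE_8021Q:
            break
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        vlans.append(tci & 0x0FFF)
    return dst, src, vlans, ethertype, frame[off:]


def trunk_pop_native(frame, native_vlan):
    """Simplified trunk port: a leading tag equal to the port's native VLAN
    is stripped and the rest of the frame is forwarded unchanged, so any
    inner tag now leads and decides the VLAN downstream."""
    dst, src, vlans, ethertype, payload = parse_frame(frame)
    if vlans and vlans[0] == native_vlan:
        vlans = vlans[1:]
    return build_frame(dst, src, vlans, payload, ethertype)


def l3_forward(frame, router_mac, next_hop_mac, egress_vlan=None):
    """Router/firewall forwarding at layer 3: only the IP packet survives.
    The Ethernet header, tags included, is rebuilt from the egress
    interface's own configuration, so whatever tags arrived are gone."""
    _, _, _ingress_vlans, ethertype, payload = parse_frame(frame)
    if ethertype != ETHERTYPE_IPV4:
        return None  # not an IP packet, nothing to route: dropped
    egress_tags = [egress_vlan] if egress_vlan is not None else []
    return build_frame(next_hop_mac, router_mac, egress_tags, payload)


def demo():
    """Run one double-tagged frame through both models; return the tag
    stacks seen on the far side of each."""
    double_tagged = build_frame(GATEWAY_MAC, ATTACKER_MAC, [1, 20], SAMPLE_IP_PACKET)
    after_trunk = trunk_pop_native(double_tagged, native_vlan=1)
    after_router = l3_forward(double_tagged, GATEWAY_MAC, INSIDE_MAC)
    return parse_frame(after_trunk)[2], parse_frame(after_router)[2]


if __name__ == "__main__":
    trunk_tags, router_tags = demo()
    print("tags after trunk native-VLAN pop:", trunk_tags)
    print("tags after layer-3 forward:     ", router_tags)
```

In the trunk model the frame tagged [1, 20] comes out tagged [20], which is the hop Tim was taught to worry about; in the layer-3 model the same frame comes out with no tags at all, which is why Shawn discounts it for traffic that has to pass the front router and the firewall. The model says nothing about an attacker who already has a port on the switch itself, the case Shawn sets apart.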

