Vulnerability Development mailing list archives

Re: Vlans


From: Tony Soprano <almazana () MEDIAONE NET>
Date: Thu, 18 Jan 2001 05:32:21 -0500

Tim Salus wrote:

I am not certain if this is the place to ask this and if not please let
me know where to send it.

I have a client who has the following configuration

Internet -> router -> firewall -> load balancer

The connection from the router to the firewall is on a switch and the
connection from the inside interface of the firewall is on the same
switch. The separation is done using VLANS.

I was taught this is bad due to 802.1q tagging and VLAN hopping using
tagged packets. The problem is I can find very little information on
this to prove my point.

Also, what if there is no 802.1q trunking being done? Is there still a
problem with this?

Is there an exploit to get around the firewall and do server flooding by
jumping VLANs?

No one can get on the firewall segment, so what I need to know is: can
anyone on the internet cause a problem with this type of configuration?

Thanks in advance

Timothy L. Salus

Remember that a VLAN can be viewed as a separate subnet. Just as you must
route between subnets via layer three, so too must you between VLANs.
Remember that the switch (with either 802.1q or ISL) will strip off the
VLAN header info, and typically will not pass trunk info over non-trunk
configured ports.

Since the firewall interface is isolated, the firewall will make the
packet forwarding decision based on your rule set. Since the only real
players that are involved are the interfaces themselves, you can narrow
down the host bits to 30 bits in some cases, so that no other hosts can
spoof themselves into that VLAN/subnet.

If you are diligent about security, and have multiple layers of ACLs
starting at Area0, you can pretty much dictate which machines will
participate in your VLAN implementation.

Alex R. Almazan
TAOS
5 Cambridge Center
Cambridge MA 02142
aalmazan () taos com
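As an added example that is not part of this thread: a small Python parser for the 802.1Q tag header the reply says a switch strips before forwarding, together with a check that flags a tagged frame seen on a port the operator has declared an access (non-trunk) port, or a trunk carrying a VLAN ID outside its allow-list. The port table (Gi0/1, Gi0/2, Gi0/24, VLANs 10 and 20) and the sample frames are constructed for the example; nothing here is from the original posts.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def parse_vlan_tags(frame: bytes):
    """Return (dst, src, [vids], inner ethertype); walks stacked tags, rejects truncation."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    offset, vids = 12, []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype == TPID_8021Q:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return dst, src, vids, ethertype

def check_port_policy(port: str, frame: bytes, ports: dict) -> str:
    """An access port should never see a tag; a trunk only the VIDs it is allowed."""
    _, src, vids, _ = parse_vlan_tags(frame)
    cfg = ports[port]
    if cfg["mode"] == "access":
        if vids:
            return f"ALERT {port}: tagged frame vids={vids} from {src} on access port"
        return "ok"
    unexpected = sorted(v for v in vids if v not in cfg["allowed"])
    if unexpected:
        return f"ALERT {port}: vids {unexpected} from {src} not in trunk allow-list"
    return "ok"

def build_frame(dst: str, src: str, vids, ethertype=0x0800, payload=b"\x00" * 20):
    """Constructed sample frame: Ethernet header, one 802.1Q tag per VID, then payload."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed port table mirroring the thread: outside and inside of the firewall on one switch.
PORTS = {
    "Gi0/1": {"mode": "access", "vlan": 10},            # router <-> firewall outside
    "Gi0/2": {"mode": "access", "vlan": 20},            # firewall inside <-> load balancer
    "Gi0/24": {"mode": "trunk", "allowed": {10, 20}},   # trunk to another switch
}

if __name__ == "__main__":
    for port, vids in (("Gi0/1", []), ("Gi0/1", [20]), ("Gi0/24", [20]), ("Gi0/24", [30])):
        print(check_port_policy(port, build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", vids), PORTS))
```

Fed from a packet capture taken on a mirror port, the same check turns the reply's "will not pass trunk info over non-trunk ports" into something you can verify rather than assume.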
