Vulnerability Development mailing list archives

Re: Vlans
From: Dan Kaminsky <dankamin () CISCO COM>
Date: Mon, 22 Jan 2001 20:51:36 -0800

 | The basic difference is fail-safe vs. fail-open.  When 'bad
 | things happen' like the switch gets hammered with more packets
 | than it can deal with, how does it respond?  There's no industry
 | standard to specify how switches or other devices should deal with
 | these kinds of situations.

Repeat after me:

VLANs are not a security system.
VLANs are not a security solution.
VLANs are not Magic Pixie Dust (and neither is 3DES, for that matter)

VLANs are a networking segmentation toolkit.
VLANs are a good method of centrally monitoring vast networks.
VLANs are a decent method of preventing certain types of passive attacks.
VLANs are a somewhat decent method of mitigating the scope of attacks.
VLANs are not secure against many types of active attacks.
VLANs (actually, intelligent switches) are eventually the only way to defend
against certain other types of active attacks, if only because they build
intelligence into the mesh instead of the chokepoints.
VLANs, amazingly enough, can be a part of a defense-in-depth security
toolkit.

But.

The bottom line is: VLANs are not firewalls, they are really not firewalls,
please, in the name of Jon Postel, don't think a VLAN gives you a firewall.
They don't.  They're not built to.  That there's even a *question* whether
to pass by default or not shows which way the entire genre of hardware
exists in.

I don't know how else to say it:  Security just doesn't live at Layer 2, and
there's a storm of interconnection protocols and standards that are about to
teach everyone why.

*sigh*

Yours Truly,

    Dan Kaminsky
