Educause Security Discussion
mailing list archives
Re: Untrusted VLANs on Core Gear
From: "HALL, NATHANIEL D." <halln () OTC EDU>
Date: Wed, 7 Feb 2007 13:33:02 -0600
I have had similar questions before. I asked other GIAC alumni and I
was referred to DSniff by Dug Song.
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking
Office: (417) 447-7535
From: Glenn Forbes Fleming Larratt [mailto:gl89 () CORNELL EDU]
Sent: Wednesday, February 07, 2007 1:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Untrusted VLANs on Core Gear
Yes (to the "run screaming" question).
I made the argument recently in another forum that:
} 1. In a design that includes a firewall appliance of any sort, it's a
} violation of default-deny to use VLANs, rather than distinct
} to segregate networks on different sides of the firewall. Even though
} there are no known (to me) failure modes of VLAN switches that would
} allow effective bridged connectivity between nominally separated
} networks, the possibility that such a failure mode could exist
} the physical separation.
} 2. Buying/creating a firewall appliance and then using VLANs to
} separate the networks on different sides of it is "silver-bullet"
} design; to get defense in depth, physical separation is indicated.
} Given the relative cost of firewall appliances (whether in dollars or
} sweat) vs. networking hardware, any cost savings is false anyway.
The one reason (other than personal hubris) I quote my previous argument
is that another participant pointed to documented failure modes of VLAN
switches that *would* allow effective bridge connectivity, i.e.
of your firewall.
The links he provided were:
(not sure why the link points to the "Conclusions" in the paper)
Hope this helps,
Glenn Forbes Fleming Larratt
Cornell University IT Security Office
On Wed, 7 Feb 2007, jkaftan wrote:
We are looking to create a fully redundant internet connection. I was
thinking about using my core switch to provide layer 2 for this setup.
Specifically I was going to create an Untrust VLAN that my edge
and Firewalls would connect to.
Fundamentally I do not see an issue as VLANs are supposed to be the
thing as having separate switches (broadcast domains). However
way to look at it is that I have potential bad guys actually
my core gear.
Does this make anyone want to run screaming into the night?
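The thread above argues about whether an "Untrust" VLAN can share a core switch with trusted VLANs, and points at documented switch failure modes that would bridge nominally separated networks. Whatever the design decision, one check a practitioner will want is a way to look at the frames actually arriving on the untrusted segment and flag the conditions that matter: stacked (double) 802.1Q tags, a VLAN ID the port should never carry, and untagged frames (which a trunk would place on its native VLAN). The script below is an added example written for this page; it is not code from the thread, from Cornell or OTC, nor from the dsniff suite mentioned by Nathaniel Hall. It assumes VLAN 100 is the untrust VLAN, uses MAC addresses from the RFC 7042 documentation range, and parses frames constructed inline rather than a real capture; feeding it raw frames from a mirror port of the untrust VLAN is left to the reader.

```python
"""Audit 802.1Q tags on raw Ethernet frames mirrored from a switch port.

Added example for the Educause VLAN discussion; not code from the thread or
from any tool it names. Sample frames are constructed below. Assumptions:
VLAN 100 is the untrust VLAN, and 0x88A8 (QinQ outer tags) is treated the
same as 0x8100 for auditing purposes.
"""
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}


@dataclass
class ParsedFrame:
    dst: str
    src: str
    vids: list = field(default_factory=list)  # VLAN IDs, outer tag first
    ethertype: int = 0                        # ethertype after the last tag
    payload: bytes = b""


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> ParsedFrame:
    """Read dst/src, peel every stacked VLAN tag, return the inner ethertype."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = _mac(raw[0:6]), _mac(raw[6:12])
    off = 12
    vids = []
    ethertype = struct.unpack("!H", raw[off:off + 2])[0]
    while ethertype in TAG_TPIDS:
        if len(raw) < off + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", raw[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VID
        off += 4
        ethertype = struct.unpack("!H", raw[off:off + 2])[0]
    return ParsedFrame(dst, src, vids, ethertype, raw[off + 2:])


def audit_frame(raw: bytes, allowed_vids: set) -> list:
    """Return findings for one frame; an empty list means nothing unexpected."""
    f = parse_frame(raw)
    findings = []
    if len(f.vids) > 1:
        findings.append(f"stacked tags {f.vids}: possible double-tagging")
    if not f.vids:
        findings.append("untagged frame: would ride the native VLAN on a trunk")
    for vid in f.vids:
        if vid not in allowed_vids:
            findings.append(f"VID {vid} not in allowed set {sorted(allowed_vids)}")
    return findings


def audit_capture(frames, allowed_vids: set) -> list:
    """Audit a sequence of raw frames; return (index, findings) for flagged ones."""
    flagged = []
    for i, raw in enumerate(frames):
        findings = audit_frame(raw, allowed_vids)
        if findings:
            flagged.append((i, findings))
    return flagged


def build_frame(dst: str, src: str, vids, ethertype: int, payload: bytes) -> bytes:
    """Construct a frame with zero or more 802.1Q tags (used for the samples only)."""
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        out += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP and DEI left at 0
    return out + struct.pack("!H", ethertype) + payload


# Constructed sample frames (documentation MACs, not from any real capture).
UNTRUST_VID = 100
EDGE = "00:00:5e:00:53:01"
FW = "00:00:5e:00:53:02"
SAMPLE_FRAMES = [
    build_frame(FW, EDGE, [UNTRUST_VID], 0x0800, b"\x45" + b"\x00" * 19),  # expected
    build_frame(FW, EDGE, [UNTRUST_VID, 10], 0x0800, b"\x45" + b"\x00" * 19),  # double tag
    build_frame(FW, EDGE, [], 0x0806, b"\x00" * 28),  # untagged ARP
    build_frame(FW, EDGE, [20], 0x0800, b"\x45" + b"\x00" * 19),  # wrong VLAN
]

if __name__ == "__main__":
    for idx, findings in audit_capture(SAMPLE_FRAMES, {UNTRUST_VID}):
        print(f"frame {idx}: " + "; ".join(findings))
```

Run against a mirror of the untrust VLAN, any stacked-tag or wrong-VID finding is a signal that something other than the expected edge/firewall traffic is reaching that segment, which is exactly the condition the thread worries about; an untagged frame on an access port is normal, so drop that check when the mirrored port is not a trunk.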