Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Untrusted VLANs on Core Gear
From: "HALL, NATHANIEL D." <halln () OTC EDU>
Date: Wed, 7 Feb 2007 13:33:02 -0600

I have had similar questions before.  I asked other GIAC alumni and I
was referred to DSniff by Dug Song.

http://www.monkey.org/~dugsong/dsniff/

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking

Office: (417) 447-7535

-----Original Message-----
From: Glenn Forbes Fleming Larratt [mailto:gl89 () CORNELL EDU] 
Sent: Wednesday, February 07, 2007 1:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Untrusted VLANs on Core Gear

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes (to the "run screaming" question).

I made the argument recently in another forum that:

} 1. In a design that includes a firewall appliance of any sort, it's a
} violation of default-deny to use VLAN's, rather than distinct
hardware,
} to segregate networks on different sides of the firewall. Even though
} there are no known (to me) failure modes of VLAN switches that would
} allow effective bridged connectivity between nominally separated
} networks, the possibility that such a failure mode could exist
justifies 
} the physical separation.
} 
} 2. Buying/creating a firewall appliance and then using VLAN's to
} separate the networks on different sides of it is "silver-bullet" 
} design; to get defense in depth, physical separation is indicated.
}
} Given the relative cost of firewall appliances (whether in dollars or
} sweat) vs. networking hardware, any cost savings is false anyway.

The one reason (other than personal hubris) I quote my previous argument
is that another participant pointed to documented failure modes of VLAN 
switches that *would* allow effective bridge connectivity, i.e.
bypassing 
of your firewall.

The links he provided were:

http://www.sans.org/reading_room/whitepapers/networkdevs/1090.php

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_pap
er09186a008013159f.shtml#wp39832

  (not sure why the link points to the "Conclusions" in the paper)

Hope this helps,
- --
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

On Wed, 7 Feb 2007, jkaftan wrote:

We are looking to create a fully redundant internet connection.  I was
thinking about using my core switch to provide layer 2 for this setup.
Specifically I was going to create an Untrust VLAN that my edge
routers 
and Firewalls would connect to.

Fundamentally I do not see an issue as VLANs are supposed to be the
same 
thing as having separate switches (broadcast domains).  However
another 
way to look at it is that I have potential bad guys actually
"touching" 
my core gear.

Does this make anyone want to run screaming into the night?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)

iD8DBQFFyiX3Lyw7nZwiKgQRAjRfAKCjjFv01jTsICiLcgqZtDqLlSk7jQCeJ1/H
zUpt7wv7EUaiXJAjDG2hoaE=
=INKh
-----END PGP SIGNATURE-----

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]