Educause Security Discussion
mailing list archives
Re: Untrusted VLANs on Core Gear
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Wed, 7 Feb 2007 13:46:36 -0600
I guess I have a qualified answer to the "run screaming" question.
Like so many security analyses, it depends.
I'm affiliated with a rather large installation wherein compartments of
differing security levels are implemented on VLANs, and I am not
currently losing sleep over it.
The large caveat is that we have *very* good control over the entire
switching fabric of those compartments. We have operational change
control that requires MAC assignments per-port, with unused ports
configured in an operationally-down state. That alone reduces the risk
of ARP or CAM-table overflow attacks tremendously. And the cost of the
number of gigabit-capable ports we'd need to implement the number of
security compartments we've defined is enough to cause us to accept this
level of risk, at this time.
The scenario from the OP, I think, probably does not fit the model of
mixed-assurance VLANs on a switch, unless the compensatory control of
fascist per-port layer-2 addressing were followed scrupulously on all
other nominally-trusted VLANs on connected devices.
If you can't do that, then I'd advise the OP to look for another
One man's opinion. Mileage varies.
John Ladwig -
Minnesota State Colleges and Universities
Wells Fargo Place
30 7th St. E., Suite 350
St. Paul, MN 55101-7804
Email: John.Ladwig () csu mnscu edu
IM: xmpp:ladwigjo () jabber its mnscu edu
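As an added example (not part of the thread), here is a Python check for the compensating control John describes, a static MAC assignment per port with unused ports left administratively down, run over a constructed IOS-style configuration excerpt whose command syntax is assumed:

```python
# Constructed IOS-style running-config excerpt (not from the thread); the
# command syntax is assumed, and only the interface stanzas matter here.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 900
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
!
interface GigabitEthernet1/0/2
 switchport access vlan 900
 shutdown
!
interface GigabitEthernet1/0/3
 switchport access vlan 900
!
interface GigabitEthernet1/0/4
 switchport access vlan 900
 switchport port-security
!
"""

def parse_interfaces(config):
    """Map each 'interface' stanza name to its list of configuration lines."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas

def audit(config):
    """Return {interface: [problems]} for ports that are up but not pinned to
    a single static MAC, the compensating control the post relies on."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "shutdown" in cmds:
            continue  # unused port correctly left administratively down
        problems = []
        if "switchport port-security" not in cmds:
            problems.append("port-security not enabled")
        if not any(c.startswith("switchport port-security mac-address ") for c in cmds):
            problems.append("no static MAC assignment")
        if problems:
            findings[name] = problems
    return findings
```

Running audit(SAMPLE_CONFIG) reports Gi1/0/3 and Gi1/0/4 as ports on the untrusted VLAN that are up without a pinned MAC; the shut-down spare port is skipped.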
halln () OTC EDU 02/07/07 1:33 PM >>>
I have had similar questions before. I asked other GIAC alumni and I
was referred to DSniff by Dug Song.
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking
Office: (417) 447-7535
From: Glenn Forbes Fleming Larratt [mailto:gl89 () CORNELL EDU]
Sent: Wednesday, February 07, 2007 1:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Untrusted VLANs on Core Gear
Yes (to the "run screaming" question).
I made the argument recently in another forum that:
} 1. In a design that includes a firewall appliance of any sort, it's a
} violation of default-deny to use VLAN's, rather than distinct
} to segregate networks on different sides of the firewall. Even though
} there are no known (to me) failure modes of VLAN switches that would
} allow effective bridged connectivity between nominally separated
} networks, the possibility that such a failure mode could exist
} the physical separation.
} 2. Buying/creating a firewall appliance and then using VLAN's to
} separate the networks on different sides of it is "silver-bullet"
} design; to get defense in depth, physical separation is indicated.
} Given the relative cost of firewall appliances (whether in dollars or
} sweat) vs. networking hardware, any cost savings is false anyway.
The one reason (other than personal hubris) I quote my previous argument
is that another participant pointed to documented failure modes of VLAN
switches that *would* allow effective bridged connectivity, i.e.
of your firewall.
The links he provided were:
(not sure why the link points to the "Conclusions" in the paper)
Hope this helps,
Glenn Forbes Fleming Larratt
Cornell University IT Security Office
On Wed, 7 Feb 2007, jkaftan wrote:
We are looking to create a fully redundant internet connection. I was
thinking about using my core switch to provide layer 2 for this setup.
Specifically I was going to create an Untrust VLAN that my edge
and Firewalls would connect to.
Fundamentally I do not see an issue as VLANs are supposed to be the
thing as having separate switches (broadcast domains). However
way to look at it is that I have potential bad guys actually
my core gear.
Does this make anyone want to run screaming into the night?