Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Untrusted VLANs on Core Gear
From: "Raw, Randy" <rawr () MORE NET>
Date: Thu, 8 Feb 2007 09:47:35 -0600

This has been a good discussion, thanks for the different perspectives.

It raises another question that is potentially more troublesome, and
that is the Metro Ethernet that many ISPs now provide. Are they not also
using VLANs for separating traffic in the core of their networks? It
just doesn't seem feasible that they would have a physically separate
network for every customer. How do they keep overflow attacks from
happening on their networks?

Furthermore, it is much easier to run Ethereal/Wireshark to grab traffic
off of one of those VLANS than it is for capturing traffic off of an
OC-3/12/48. What keeps an ISP employee from illegally capturing your
data?  Do any of you have SLAs that address these sort of issues, or do
they keep you up at night?

Randy Raw, CISSP
MOREnet Manager, Network Security
3212 LeMone Industrial Blvd
Columbia, MO 65201
573.884.7699 fax

-----Original Message-----
From: John Ladwig [mailto:John.Ladwig () CSU MNSCU EDU] 
Sent: Wednesday, February 07, 2007 1:47 PM
Subject: Re: [SECURITY] Untrusted VLANs on Core Gear

I guess I have a qualified answer to the "run screaming" question.  
Like so many security analyses, it depends.

I'm affiliated with a rather large installation wherein 
compartments of differing security levels are implemented on 
VLANs, and I am not currently losing sleep over it.  

The large caveat is that we have *very* good control over the 
entire switching fabric of those compartments.  We have 
operational change control that requires MAC assignments 
per-port, with unused ports configured in an 
operationally-down state.  That alone reduces the risk of ARP 
or CAM-table overflow attacks tremendously.  And the cost of 
the number of gigabit-capable ports we'd need to implement 
the number of security compartments we've defined is enough 
to cause us to accept this level of risk, at this time.

The scenario from the OP, I think, probably does not fit the 
model of mixed-assurance VLANs on a switch, unless the 
compensatory control of fascist per-port layer-2 addressing 
were followed scrupulously on all other nominally-trusted 
VLANs on connected devices.

If you can't do that, then I'd advise the OP to look for another

One man's opinion.  Mileage varies.


John Ladwig -
Minnesota State Colleges and Universities ITS Wells Fargo 
Place 30 7th St. E., Suite 350 St. Paul, MN  55101-7804

Email: John.Ladwig () csu mnscu edu
Voice: +1.651.201.1458
Fax: +1.651.917.4731
IM: xmpp:ladwigjo () jabber its mnscu edu

halln () OTC EDU 02/07/07 1:33 PM >>>
I have had similar questions before.  I asked other GIAC 
alumni and I was referred to DSniff by Dug Song.


Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA Network Security 
System Administrator OTC Computer Networking

Office: (417) 447-7535

-----Original Message-----
From: Glenn Forbes Fleming Larratt [mailto:gl89 () CORNELL EDU]
Sent: Wednesday, February 07, 2007 1:18 PM
Subject: Re: [SECURITY] Untrusted VLANs on Core Gear

Hash: SHA1

Yes (to the "run screaming" question).

I made the argument recently in another forum that:

} 1. In a design that includes a firewall appliance of any 
sort, it's a } violation of default-deny to use VLAN's, 
rather than distinct hardware, } to segregate networks on 
different sides of the firewall. Even though } there are no 
known (to me) failure modes of VLAN switches that would } 
allow effective bridged connectivity between nominally 
separated } networks, the possibility that such a failure 
mode could exist justifies } the physical separation.
} 2. Buying/creating a firewall appliance and then using 
VLAN's to } separate the networks on different sides of it is 
} design; to get defense in depth, physical separation is indicated.
} Given the relative cost of firewall appliances (whether in 
dollars or } sweat) vs. networking hardware, any cost savings 
is false anyway.

The one reason (other than personal hubris) I quote my 
previous argument is that another participant pointed to 
documented failure modes of VLAN switches that *would* allow 
effective bridge connectivity, i.e.
of your firewall.

The links he provided were:



  (not sure why the link points to the "Conclusions" in the paper)

Hope this helps,
- --
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

On Wed, 7 Feb 2007, jkaftan wrote:

We are looking to create a fully redundant internet 
connection.  I was 
thinking about using my core switch to provide layer 2 for 
this setup.
Specifically I was going to create an Untrust VLAN that my edge
and Firewalls would connect to.

Fundamentally I do not see an issue as VLANs are supposed to be the
thing as having separate switches (broadcast domains).  However
way to look at it is that I have potential bad guys actually
my core gear.

Does this make anyone want to run screaming into the night?

Version: GnuPG v1.4.1 (MingW32)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]