Educause Security Discussion
mailing list archives
Re: Untrusted VLANs on Core Gear
From: David Gillett <gillettdavid () FHDA EDU>
Date: Mon, 12 Feb 2007 10:55:09 -0800
VLAN implementations have gotten considerably more robust,
on average, than they once were. It may be possible to "get
away with" this for some time.
The two main risks are:
a) inter-VLAN traffic leakage
This is not usually much of a threat, because the addressing
of leaked packets is rarely correct for the VLAN they've leaked
to -- but since their destination address is unrecognized, they
get broadcast everywhere and can be sniffed.
b) attack on the switch affects all VLANs
This is probably less of an issue if the switch doesn't have
a management interface on the untrusted VLAN -- but that has
It's a classic risk-management problem. You can solve it by
throwing a small dedicated switch at it; the question is, does
the risk justify that cost? (Costs are easier to measure and
control than risks, and so a lot of organizations say "no".)
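The leakage symptom described under risk (a), wrong-VLAN addressing on a frame whose destination MAC is then flooded, can be checked from a monitor port. The script below is an added illustration, not code from this thread; the VLAN numbers, subnets, MAC tables and frames are all constructed.

```python
import ipaddress
from collections import namedtuple

# One frame as seen on a monitor port (constructed sample data, not a real capture).
Frame = namedtuple("Frame", "vlan src_ip dst_ip dst_mac")

# Hypothetical VLAN plan: 10 = trusted server VLAN, 20 = untrusted transit VLAN.
VLAN_SUBNETS = {
    10: ipaddress.ip_network("10.10.0.0/24"),
    20: ipaddress.ip_network("192.0.2.0/24"),
}

# Unicast MACs already learned on each VLAN (constructed).
KNOWN_MACS = {
    10: {"00:00:5e:00:53:01", "00:00:5e:00:53:02"},
    20: {"00:00:5e:00:53:10"},
}

def is_group_address(mac):
    # Broadcast/multicast is flooded by design; only unicast misses are a symptom.
    return int(mac.split(":")[0], 16) & 1 == 1

def home_vlan(ip):
    # The VLAN whose subnet contains this address, or None for external addresses.
    addr = ipaddress.ip_address(ip)
    for vlan, subnet in VLAN_SUBNETS.items():
        if addr in subnet:
            return vlan
    return None

def classify(frame):
    """Return (foreign_addresses, flooded) for a frame observed on frame.vlan."""
    # A leaked packet keeps the addressing of the VLAN it came from.
    foreign = [ip for ip in (frame.src_ip, frame.dst_ip)
               if home_vlan(ip) not in (None, frame.vlan)]
    # A unicast MAC unknown on this VLAN is flooded to every port, so anyone can sniff it.
    flooded = (not is_group_address(frame.dst_mac)
               and frame.dst_mac not in KNOWN_MACS.get(frame.vlan, set()))
    return foreign, flooded

def find_leaks(frames):
    """Frames showing both symptoms: addressing from another VLAN and flooding."""
    return [f for f in frames if all(classify(f))]

if __name__ == "__main__":
    leaked = Frame(10, "192.0.2.7", "198.51.100.9", "00:00:5e:00:53:99")
    print(find_leaks([leaked]))
```

Transit traffic on the untrusted VLAN carries external addresses that belong to no VLAN, so it is deliberately not flagged; only addressing that maps to a different local VLAN counts as leakage.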
From: jkaftan [mailto:jkaftan () UTICA EDU]
Sent: Wednesday, February 07, 2007 10:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Untrusted VLANs on Core Gear
We are looking to create a fully redundant internet
connection. I was thinking about using my core switch to
provide layer 2 for this setup.
Specifically I was going to create an Untrust VLAN that my
edge routers and Firewalls would connect to.
Fundamentally I do not see an issue as VLANs are supposed to
be the same thing as having separate switches (broadcast
domains). However, another way to look at it is that I have
potential bad guys actually "touching" my core gear.
Does this make anyone want to run screaming into the night?