Firewall Wizards
mailing list archives
Re: VLAN Security
From: Carson Gaspar <carson () taltos org>
Date: Tue, 08 Jun 2004 15:25:51 -0400
--On Tuesday, June 08, 2004 10:18:02 -0700 Jeff Boles <bolesjb () yahoo com> wrote:
Anyone care to voice their consensus on contemporary
VLAN implementations as a security measure? I'm
I'm sort of a heretic in this crowd. I think VLANs are a very useful
security implementation tool. That doesn't mean I trust them completely. My
policy is "one chassis, one trust level" - i.e. I will put 20 different
business counterparties on a single (pair of) switch chassis, each on their
own VLAN, but I'd never put internal or Internet exposed networks on that
same chassis.
The risk acceptance question is "how screwed are we if something causes the
switch to become one big flat network?". For now, ignore how this can
happen (bugs, operator error, sabotage, ...) - the important thing is that
it _can_ happen.
So in the above example, in the worst case scenario, I've allowed vendor A
to use me as a transit net to attack vendor B. *shrug* I've made sure we're
not liable by working with the lawyers, and any vendor that doesn't have
their own firewall on their side has little pity from me.
--
Carson
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
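As an added illustration of the "one chassis, one trust level" policy and the "what if the switch becomes one flat network" risk question in the post above (this is example code, not anything from the original thread), the following Python script walks a constructed chassis/VLAN inventory, flags any chassis that mixes trust levels, and computes which VLAN pairs would be joined across trust boundaries if a given chassis collapsed into a single broadcast domain. All chassis names, VLAN IDs and trust-level labels are constructed placeholders.

```python
"""Added example (not part of the original mailing-list post): an inventory
check for the 'one chassis, one trust level' policy.  Every chassis name,
VLAN id and trust label below is constructed for illustration."""

# Constructed inventory: chassis -> {vlan_id: (description, trust_level)}
INVENTORY = {
    "sw-partner-01": {
        10: ("vendor-A extranet", "partner"),
        20: ("vendor-B extranet", "partner"),
        30: ("vendor-C extranet", "partner"),
    },
    "sw-dmz-01": {
        100: ("public web tier", "internet-exposed"),
        110: ("internal app tier", "internal"),  # mixes trust levels: violation
    },
}


def trust_levels_per_chassis(inventory):
    """Map each chassis to the set of trust levels its VLANs carry."""
    return {
        chassis: {trust for _desc, trust in vlans.values()}
        for chassis, vlans in inventory.items()
    }


def policy_violations(inventory):
    """Chassis hosting more than one trust level, i.e. breaches of the
    'one chassis, one trust level' rule, sorted by name."""
    return sorted(
        chassis
        for chassis, levels in trust_levels_per_chassis(inventory).items()
        if len(levels) > 1
    )


def flat_network_exposure(inventory, chassis):
    """Worst case: the chassis collapses into one flat network (bug, operator
    error, sabotage).  For each VLAN, list the other VLANs it could then
    reach directly, regardless of how the collapse happened."""
    vlans = inventory[chassis]
    return {v: sorted(set(vlans) - {v}) for v in vlans}


def cross_trust_exposure(inventory, chassis):
    """Ordered pairs (vlan, other_vlan) on the chassis whose trust levels
    differ.  An empty set means a flat-network failure only joins networks of
    the same trust level, which is the residual risk the policy accepts."""
    vlans = inventory[chassis]
    reach = flat_network_exposure(inventory, chassis)
    return {
        (v, other)
        for v, (_desc, trust) in vlans.items()
        for other in reach[v]
        if vlans[other][1] != trust
    }


def report(inventory):
    """Human-readable summary of violations and their worst-case exposure."""
    lines = []
    for chassis in policy_violations(inventory):
        lines.append(f"{chassis}: mixes {sorted(trust_levels_per_chassis(inventory)[chassis])}")
        for v, other in sorted(cross_trust_exposure(inventory, chassis)):
            lines.append(f"  flat-network failure joins VLAN {v} <-> VLAN {other}")
    return "\n".join(lines) if lines else "no policy violations"


if __name__ == "__main__":
    print(report(INVENTORY))
```

Running it prints only `sw-dmz-01` as a violation: the partner chassis hosts three counterparties but a single trust level, so its worst-case failure mode is exactly the "vendor A transits through me to vendor B" scenario the post accepts, while the DMZ chassis would join an Internet-exposed tier to an internal one, which the policy forbids.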