Firewall Wizards mailing list archives

Re: VLAN Security
From: Bennett Todd <bet () rahul net>
Date: Tue, 8 Jun 2004 20:24:25 +0000

2004-06-08T19:25:51 Carson Gaspar:
> 2004-06-08T10:18:02-0700 Jeff Boles:
> > Anyone care to voice their consensus on contemporary
> > VLAN implementations as a security measure?
>
> I'm sort of a heretic in this crowd. I think VLANs are a very
> useful security implementation tool. [...] My policy is "one
> chassis, one trust level" [...]

I don't know how heretical that is today. For sure, we used to
say that VLANs aren't a security component --- when that was the
vendors' stance. Sometime in the last year or two vendors turned
around and last I heard, their stance was that correctly-configured
VLANs are supported by them as a security component, they're
believed to be leak-free and reports of leaks will be treated as
security bugs.

I'm glad of this; it makes possible a config that I like for certain
applications, what I call a fully-routed net, the next step up from
a fully-switched net. Instead of "every host gets a dedicated switch
port, no hubs" you go up to "every host gets a dedicated router
port, onto a firewall". Just give each switch port a separate vlan
and 802.1q the lot into the firewall[s]. One of these days I'm
looking forward to doing large tracts of business in-house nets that
way.

Even today, though, that's how I'd build out e.g. in-room network
jacks at a hotel, or laptop jacks at a conference.

-Bennett
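
The "fully-routed net" Bennett describes, as an added example that is not part of the original post or the Firewall Wizards thread: one 802.1Q VLAN and one /30 per switch port, all trunked into a Linux firewall that is the sole gateway, so two hosts on the same switch can only reach each other if the firewall's forward chain permits it (and below, nothing does). The interface names (eth0 uplink, eth1 trunk), the 10.250.0.0/16 pool and the VLAN numbering are hypothetical choices for the example; the iproute2 and nftables syntax is standard.

```python
"""Per-port VLAN ("fully-routed") layout generator for a Linux firewall.

Added example, not from the original post. Assumes a Linux firewall with
iproute2 and nftables; interface names (eth0 uplink, eth1 trunk) and the
10.250.0.0/16 pool are hypothetical choices for the example.
"""
import ipaddress
from dataclasses import dataclass

NATIVE_VLAN = 1   # untagged on most trunks; never put a trust boundary on it
MAX_VLAN = 4094   # 802.1Q VID field is 12 bits, 0 and 4095 are reserved


def trunk_is_sane(vlan_ids):
    """True if every VID is usable, none is the native VLAN and none repeats."""
    ids = list(vlan_ids)
    return (len(ids) == len(set(ids))
            and all(NATIVE_VLAN < v <= MAX_VLAN for v in ids))


@dataclass(frozen=True)
class PortVlan:
    port: int                          # physical switch port number
    vlan_id: int                       # 802.1Q VID carried on the trunk
    subnet: ipaddress.IPv4Network      # /30: firewall side plus the one host
    gateway: ipaddress.IPv4Address     # address on the firewall subinterface
    host: ipaddress.IPv4Address        # address handed to the jack's host


def plan_ports(num_ports, base_vlan=100, pool="10.250.0.0/16"):
    """One VLAN and one /30 per switch port, firewall as the only gateway."""
    vids = range(base_vlan, base_vlan + num_ports)
    if not trunk_is_sane(vids):
        raise ValueError("VLAN IDs must be unique and in 2..4094")
    subnets = ipaddress.ip_network(pool).subnets(new_prefix=30)
    plans = []
    for port, vid in enumerate(vids, start=1):
        net = next(subnets)
        fw, host = list(net.hosts())   # a /30 has exactly two usable addresses
        plans.append(PortVlan(port, vid, net, fw, host))
    return plans


def linux_trunk_commands(plans, trunk="eth1"):
    """iproute2 commands that create one tagged subinterface per port."""
    cmds = []
    for p in plans:
        sub = f"{trunk}.{p.vlan_id}"
        cmds.append(f"ip link add link {trunk} name {sub} type vlan id {p.vlan_id}")
        cmds.append(f"ip addr add {p.gateway}/{p.subnet.prefixlen} dev {sub}")
        cmds.append(f"ip link set {sub} up")
    return cmds


def nft_ruleset(plans, trunk="eth1", uplink="eth0"):
    """Forward chain: drop by default, each VLAN may only reach the uplink.

    Because every jack is its own VLAN, host-to-host traffic has no path
    except through this chain, and no rule here permits VLAN-to-VLAN.
    """
    lines = [
        "table inet fullyrouted {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for p in plans:
        sub = f"{trunk}.{p.vlan_id}"
        lines.append(f'    iifname "{sub}" oifname "{uplink}" accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    plans = plan_ports(4)
    print("\n".join(linux_trunk_commands(plans)))
    print(nft_ruleset(plans))
```

The switch side is the other half: each access port carries exactly one of these VIDs untagged, the firewall-facing port is a tagged trunk limited to that VID list, and the native VLAN of the trunk is left unused, which is why `trunk_is_sane` refuses VID 1.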
