Firewall Wizards
mailing list archives
RE: VLAN Security
From: "DCSIM Subscriptions (IA)" <DCSIMSUBS () ia ngb army mil>
Date: Thu, 10 Jun 2004 09:15:49 -0500
More best practices: (in Cisco-ese)
* Never negotiate the trunking protocol (switchport nonnegotiate)
* Always statically set the port mode (switchport mode access/trunk)
* Always restrict allowed VLANs on a trunk to only what is necessary (switchport trunk allowed vlan [a,b,c,...])
* Never deliver VLAN 1 downstream (switchport trunk allowed vlan remove 1)
- Lee
-----Original Message-----
From: Vinicius Moreira Mello [mailto:vinicius () lineone net]
Sent: Tuesday, June 08, 2004 22:59
To: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] VLAN Security
-- Original Message --
From: Jeff Boles <bolesjb () yahoo com>
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] VLAN Security
Date: Tue, 8 Jun 2004 10:18:02 -0700 (PDT)
Anyone care to voice their consensus on contemporary VLAN
implementations as a security measure?
Jeff,
Keep in mind that VLANs are not designed for security, they're designed for
network segmentation. I've seen many telecommunication companies selling WAN
VPNs over MPLS that seem to be more secure than VLANs in a case like this.
Anybody care to voice an argument on VLAN integrity in the provider
network?
Anyway, when using VLANs there are some safe configurations:
- do not put any network on the default vlan (vlan id 1) (potential L2 flooding, DoS)
- do not put untrusted networks on native VLANs of trunk ports (vlan jumping, vtp vlan erasing)
- if not absolutely necessary disable all VTP protocols. Otherwise use protocol authentication.
Regards,
vmm.
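Lee's checklist at the top of this message and vmm's points about VLAN 1 and trunk ports can be checked mechanically against a saved running-config. The script below is an added example written for this archive page, not code from the thread or from any Cisco tool: it parses a constructed IOS-style config (embedded inline) and flags ports that lack a static port mode, lack `switchport nonnegotiate`, or still deliver VLAN 1 on a trunk. It assumes the plain list and `remove` forms of `switchport trunk allowed vlan`; the add/except/all/none forms are not handled.

```python
# Constructed sample running-config (not from the thread): a hardened trunk and an access port at defaults.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonnegotiate
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet0/3
 description user port, factory defaults
"""

def parse_interfaces(config):
    """Group each 'interface' stanza's indented lines under its interface name."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
        elif raw.startswith(" ") and current:
            stanzas.setdefault(current, []).append(raw.strip())
    return stanzas

def allowed_vlans(lines):
    """Expand 'switchport trunk allowed vlan' lines into a set of VLAN ids. IOS default is
    all VLANs; a plain list replaces it, 'remove' subtracts (add/except/all/none not handled)."""
    ids = set(range(1, 4095))
    for l in lines:
        words = l.split()[4:]  # tokens after 'switchport trunk allowed vlan'
        chosen = set()
        for part in words[-1].split(","):
            lo, _, hi = part.partition("-")
            chosen.update(range(int(lo), int(hi or lo) + 1))
        ids = ids - chosen if words[0] == "remove" else chosen
    return ids

def audit(config):
    """Return {interface: [findings]} for ports that break the rules given in the thread."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        if not any(l.startswith("switchport mode ") for l in lines):
            issues.append("port mode not statically set (DTP may negotiate a trunk)")
        if "switchport nonnegotiate" not in lines:
            issues.append("trunk negotiation not disabled (switchport nonnegotiate)")
        trunk_lines = [l for l in lines if l.startswith("switchport trunk allowed vlan ")]
        if "switchport mode trunk" in lines and 1 in allowed_vlans(trunk_lines):
            issues.append("VLAN 1 delivered downstream (switchport trunk allowed vlan remove 1)")
        if issues:
            findings[name] = issues
    return findings
```

Run `audit(open("running-config").read())` against a saved config; a port with no findings meets all three switchport rules from Lee's list.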
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards