When I've talked about pushing packets through VLANs with network people,
they've expressed extreme skepticism that such a feat could be done.  Here
is a quote that will help:


> Findings
> ========
> We found that under specific conditions it was possible to inject
> frames into one VLAN and have them 'hop' to a different VLAN.  This
> is a serious concern if the VLAN mechanism is being used to
> maintain a security gradient between two network segments.  This
> has been discussed with Cisco and we believe that it is an issue
> with the 802.1q specification rather than an implementation issue.

http://www.shmoo.com/mail/bugtraq/sep99/msg00349.html  (this is a reply,
read the original with the ">" prefix.)
http://security-archive.merton.ox.ac.uk/bugtraq-199909/0223.html (Cisco
response paraphrased: we focus on speed, not security)


Bottom line: use physically separate hardware for the internet segments.


-----Original Message-----
From: Simon Cooper [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 10, 2001 4:06 AM
To: Jarmoc, Jeff
Cc: [EMAIL PROTECTED]
Subject: Re: DMZ via VLAN


-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 4 Apr 2001, Jarmoc, Jeff wrote:

>       I've got a question in regards to running a DMZ on the same physical
> switches as my internal network, but segmented by VLAN.  Currently, I've got
> several 10/100 switches on my backbone, so my DMZ is physically separated.
> However, we're looking at upgrading to a gigabit backbone.  Obviously,
> gigabit switches are still somewhat pricey, and our DMZ is really only about
> 6 servers.  Soooo, the idea came to me to use VLANs to isolate the DMZ and
> internal networks on the same physical switch.
>       Does anyone have any experience with this, or opinions on how it
> would impact security or performance?  The gigabit switch I'm looking at is
> also capable of Layer 3 switching, but obviously any layer 3 traffic between
> these two VLANs would have to go through the firewall, I'll need to make
> sure I can specify that in the switch's software.  Recommendations of
> quality gigabit switches that can support up to 24 gig ports, and 48 100
> meg ports would also be appreciated, but that's not really the point of my
> message.
>
> Thanks in advance for the wonderful insights.

My opinion on this is:  Don't rely on VLANs for security.

In Building Internet Firewalls, Ed 2, page 101 we say,

   ... VLANs are a convenient tool in many situations, and they provide a
   small measure of increased security over a plain switched network.
   However, you are still running all of the traffic through a single
   device, which could be compromised.  There are known attacks that will
   move traffic from one VLAN to another in most implementations, and almost
   any administrative error will compromise the separation.  You should not
   rely on VLANs to provide strong, secure separation between networks.

In addition, using a VLAN to separate your DMZ and Internal network and
having a firewall to route IP traffic is logically equivalent to having an
architecture with two interior routers.  We also recommend against this type
of architecture!

I think you may want to re-evaluate why you need gigabit networking in
your DMZ.  Where is most of your traffic coming from/going to?  Last time
I looked a decent, but cheap, unmanaged 8 port 100MB switch cost less than
$300.

Simon Cooper.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBOtJcuaMJNhVXoGShAQGUDAP9HlHxqps/IMQcfafkmIFvm2/qgd7v6NBr
h12Fit3ZC+0hQhUfmFrQkUyF2yWvO1FtyBjOt4UDA2NkeSI+sup5pogFI1PfdAWV
PaF67EXr+aejO7Zli6c5oLNGhgVP+D1I2IA6+Pif/aGbA113JRzi7urBfo3UbHqm
J2xEdHa/SpE=
=x0Jy
-----END PGP SIGNATURE-----
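The finding quoted at the top of this thread says frames can "hop" between VLANs under specific conditions but does not spell out the mechanism. The simulation below is an added example, not code from any of the posters, and models the widely documented 802.1Q double-tagging case: a host on an access port that sits in the trunk's native VLAN sends a frame carrying two tags, the first switch strips the outer tag and forwards the frame untagged across the trunk (native VLAN traffic travels untagged), and the second switch classifies the frame by the tag that is now outermost, the attacker's inner tag. The frame layout (TPID 0x8100, 16-bit TCI with the VLAN ID in the low 12 bits) is real 802.1Q; the two-switch topology, the port and VLAN numbers, and the simplified switch rules are assumptions made for the example.

```python
"""Simulated 802.1Q double-tagging (VLAN 'hopping') across two switches.

Added illustration for this thread, not code from any of the posters. The
frame layout (TPID 0x8100, 16-bit TCI, VID in the low 12 bits) is real
802.1Q; the two-switch topology, port roles and VLAN numbers are constructed.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vids, payload):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first.
    PCP and DEI bits are left zero; only the 12-bit VID is set."""
    frame = dst + src
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def pop_tag(frame):
    """Return (vid, frame_without_outer_tag); (None, frame) if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci, = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert an 802.1Q tag directly after the source MAC."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def access_ingress(frame, port_vlan):
    """Switch A, access port (simplified rule). A frame tagged with the port's
    own VLAN is accepted and that tag removed; an untagged frame is classified
    into the port VLAN; a frame tagged with any other VLAN is dropped (None).
    Whatever follows the removed tag, including a second tag, is just payload."""
    vid, rest = pop_tag(frame)
    if vid is None:
        return port_vlan, frame
    if vid == port_vlan:
        return port_vlan, rest
    return None, None


def trunk_egress(frame, vlan, native_vlan, tag_native):
    """Switch A -> trunk. The native VLAN leaves untagged unless the switch
    is configured to tag it; every other VLAN gets its tag pushed."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Switch B, trunk port: untagged frames belong to the native VLAN,
    tagged frames to the VLAN in their (now outermost) tag."""
    vid, rest = pop_tag(frame)
    if vid is None:
        return native_vlan, frame
    return vid, rest


def deliver(attacker_port_vlan, outer_vid, inner_vid, native_vlan=1, tag_native=False):
    """Send a double-tagged frame from an access port on switch A over the
    trunk to switch B. Return the VLAN switch B delivers it into, or None if
    switch A drops it at ingress."""
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                        [outer_vid, inner_vid], b"constructed payload")
    vlan, frame = access_ingress(frame, attacker_port_vlan)
    if vlan is None:
        return None
    frame = trunk_egress(frame, vlan, native_vlan, tag_native)
    vlan, _ = trunk_ingress(frame, native_vlan)
    return vlan


if __name__ == "__main__":
    # Attacker's access port is in the trunk's untagged native VLAN: the frame hops.
    print("native-VLAN access port, native untagged:", deliver(1, 1, 20))                  # 20
    # Same frame, but the trunk tags its native VLAN: no hop.
    print("native-VLAN access port, native tagged  :", deliver(1, 1, 20, tag_native=True))  # 1
    # Attacker's port is not in the native VLAN: the trunk re-tags with the port VLAN.
    print("VLAN 10 access port, outer tag 10       :", deliver(10, 10, 20))                # 10
    # Outer tag does not match the access port's VLAN: dropped at switch A.
    print("VLAN 10 access port, outer tag 1        :", deliver(10, 1, 20))                 # None
```

Running it prints the four cases: the hop only succeeds when the attacker's access port shares the trunk's untagged native VLAN, which is why tagging the native VLAN (or keeping access ports out of it) closes this particular path. That is a configuration fix for one attack, and it does not change Simon's point above: both segments still pass through a single device, and one administrative error on it reopens the separation.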


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]