From SANS:
------------------------------------------------------------------------
http://www.sans.org/newlook/resources/IDFAQ/vlan.htm

<quote>
Implications

In a default configuration it is possible to inject 802.1q frames into
non-trunk ports on a switch and have these frames delivered to the
destination. It is possible to get 802.1q frames to hop from one VLAN to
another if the frames are injected into a switch port belonging to the
native VLAN of the trunk port. It is also necessary for the source and
destination ethernet devices to be on different switches.

This vulnerability could be exploited if the following conditions were met:

- The attacker has access to a switch port on the same VLAN as the native
  VLAN of the trunk port.
- The target machine is on a different switch in the same trunk group.
- The attacker knows the MAC address of the target machine.
- Some layer 3 device exists to provide a connection from the target VLAN
  back to the source VLAN.

Unconfirmed Findings

In our discussions with Cisco they stated that this issue was present in all
of their VLAN switches and all of the competitors' switches that they tried.
This is assumed to include Nortel and 3Com devices.

Recommendations

Try not to use VLANs as a mechanism for enforcing security policy. They are
great for segmenting networks, reducing broadcasts and collisions and so
forth, but not as a security tool. If you MUST use them in a security
context, ensure that the trunking ports have a unique native VLAN number.
<end quote>
------------------------------------------------------------------------

From Cisco:
------------------------------------------------------------------------
http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safe_wp.htm

<quote>
Avoid using VLANs as the sole method of securing access between two
subnets. The capability for human error, combined with understanding that
VLANs and VLAN tagging protocols were not designed with security in mind,
makes their use in sensitive environments inadvisable.
When VLANs are needed in security deployments, be sure to pay close
attention to the configurations and guidelines mentioned above.
<end quote>
------------------------------------------------------------------------

VLANs address the following two issues: scalability of a flat network
topology, and simplification of network management by facilitating network
reconfigurations. A VLAN consists of a single broadcast domain and solves
the scalability problems of large flat networks by breaking a single
broadcast domain into several smaller broadcast domains. Virtual LANs offer
easier moves and changes in a network design than traditional networks. LAN
switches can be used to segment networks into logically defined virtual
workgroups.

While the use of VLANs can dovetail nicely into a security configuration,
they were not designed for, developed for, or intended to be a security
method in and of themselves.

Glenn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, February 14, 2002 4:05 PM
To: [EMAIL PROTECTED]
Subject: Antwort: Re: Réf. : Re : DMZ with switch

Hello,

[EMAIL PROTECTED] wrote:

> 2. Is it okay to use a VLAN to implement my DMZ, sharing the switch
> hardware with my trusted network?
>
> Also no, for two basic reasons:
>
> (a) The VLAN feature is not intended as a security barrier; it may be
> subject to compromise.

Care to elaborate on that, especially wrt Cisco switches? I've seen this
argument every now and then, but usually unsubstantiated. To the contrary,
aside from broadcast-domain (and thus fault) isolation, security is probably
the most prominent argument listed in switching vendor literature wrt VLANs
(which of course doesn't imply the existence of actual security in the
first place, but sheds some light on its developers' design goals, aka what
VLANs are "intended" as).

> (b) A large switch with VLANs is often more expensive than two
> smaller switches.
> VLANs are of limited utility unless you are also
> trunking together multiple switches, in which case they allow you to
> define a logical division into subnets that is independent of your
> physical distribution across switches.
> But in the case of the DMZ, the logical and physical partitioning
> of the network really ought to match.

Given a number of other constraints, this may or may not be correct. If
this guy has a good reason to want his DMZ to be a VLAN on a switch
cluster, it should be possible to implement it safely, given appropriate
switching technology and a well-thought-out configuration.

Regards

Christoph Weber-Fahr

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
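The SANS text quoted at the top of the thread describes the conditions for the hop (attacker on an access port in the trunk's native VLAN, target behind a different switch on the same trunk) and recommends a unique native VLAN on the trunk, but does not show why that recommendation works. The following is an added example, not part of the original thread or of the SANS or Cisco documents, that builds the double-tagged 802.1Q frame this reading of the advisory implies and runs it through a deliberately simplified two-switch model: an access port accepts a tagged frame whose outer tag equals the port's VLAN and strips that tag, a trunk sends its native VLAN untagged unless told to tag it, and a trunk classifies incoming frames by their outer tag (native VLAN if untagged). The MAC addresses are constructed, the switch classes model no specific product, and the `tag_native` flag stands in for a setting such as Cisco IOS's global `vlan dot1q tag native`.

```python
"""Simplified two-switch model of 802.1Q double-tag VLAN hopping.

Added example; models no specific vendor's switch. Access port: a tagged
frame whose outer tag equals the port VLAN is accepted and that tag is
stripped. Trunk egress: the native VLAN goes out untagged unless
tag_native is set. Trunk ingress: classify by outer tag, or native VLAN
if there is none.
"""
import struct

ETH_P_8021Q = 0x8100   # 802.1Q TPID
ETH_P_IP = 0x0800

# Constructed addresses for the example, not from the original thread.
ATTACKER_MAC = bytes.fromhex("020000000001")
TARGET_MAC = bytes.fromhex("020000000002")


def build_frame(dst, src, vlan_tags, ethertype=ETH_P_IP, payload=b"ping"):
    """Ethernet frame with zero or more stacked 802.1Q tags (outermost first)."""
    hdr = dst + src
    for vid in vlan_tags:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # PCP/DEI zero
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vlan ids outermost first], ethertype, payload)."""
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == ETH_P_8021Q:
        tags.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, tags, ethertype, frame[off + 2:]


class Switch:
    def __init__(self, access_vlan, trunk_native, tag_native=False):
        self.access_vlan = access_vlan     # VLAN of the attacker's access port
        self.trunk_native = trunk_native   # native VLAN of the inter-switch trunk
        self.tag_native = tag_native       # tag the native VLAN on the trunk too

    def ingress_access(self, frame):
        """Classify a frame arriving on the access port; None means dropped."""
        dst, src, tags, et, payload = parse_frame(frame)
        if not tags:
            return self.access_vlan, frame
        if tags[0] != self.access_vlan:
            return None
        # Outer tag matches the port VLAN: strip it, keep any inner tags.
        return self.access_vlan, build_frame(dst, src, tags[1:], et, payload)

    def egress_trunk(self, vlan, frame):
        """Put a frame classified in `vlan` onto the trunk wire."""
        if vlan == self.trunk_native and not self.tag_native:
            return frame                   # native VLAN leaves untagged
        dst, src, tags, et, payload = parse_frame(frame)
        return build_frame(dst, src, [vlan] + tags, et, payload)

    def ingress_trunk(self, frame):
        """Classify a frame received from the trunk wire."""
        dst, src, tags, et, payload = parse_frame(frame)
        if not tags:
            return self.trunk_native, frame
        return tags[0], build_frame(dst, src, tags[1:], et, payload)


def deliver(sw1, sw2, frame):
    """VLAN in which sw2 delivers a frame the attacker injected into sw1."""
    r = sw1.ingress_access(frame)
    if r is None:
        return None
    vlan, frame = r
    wire = sw1.egress_trunk(vlan, frame)
    vlan, _ = sw2.ingress_trunk(wire)
    return vlan


def hop_vlan(access_vlan, trunk_native, target_vlan, tag_native=False):
    """VLAN a double-tagged [access_vlan, target_vlan] frame lands in on sw2."""
    sw1 = Switch(access_vlan, trunk_native, tag_native)
    sw2 = Switch(access_vlan, trunk_native, tag_native)
    attack = build_frame(TARGET_MAC, ATTACKER_MAC, [access_vlan, target_vlan])
    return deliver(sw1, sw2, attack)


if __name__ == "__main__":
    # Default: access VLAN 1 == trunk native VLAN 1 -> the frame lands in VLAN 20.
    print("native VLAN 1 (default):", hop_vlan(1, 1, 20))
    # SANS recommendation: unique, unused native VLAN on the trunk -> stays in VLAN 1.
    print("native VLAN 999        :", hop_vlan(1, 999, 20))
    # Alternatively, tag the native VLAN on the trunk -> stays in VLAN 1.
    print("native VLAN 1, tagged  :", hop_vlan(1, 1, 20, tag_native=True))
```

With the default configuration the first switch strips the outer tag (it matches the access VLAN), sends the frame untagged because VLAN 1 is the trunk's native VLAN, and the second switch reads the surviving inner tag and delivers the frame into VLAN 20. Moving the native VLAN to an unused id, or tagging the native VLAN, makes the first switch add an explicit outer tag for VLAN 1, so the second switch classifies the frame into VLAN 1 and the inner tag is just payload. The model also shows why the SANS conditions include a layer 3 path back: the hop is one-way, from the attacker towards the target VLAN.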
