On Mon, Jun 28, 2010 at 12:26:58PM -0700, Brent Chapman spake thusly:
> On Mon, Jun 28, 2010 at 12:05 PM, A. Dreyer (LOPSA)
> <[email protected]> wrote:
> > I assume you both know that VLANs are just an administrative tool not a
> > security measurement and that for "real" security the switches with
> > external/DMZ VLANs should be *physically* separate from the switching
> > infrastructure of your internal network.
>
> As far as I've ever been able to determine, this is just FUD (Fear,
> Uncertainty, and Doubt) propagated by folks who want to sell you more switch
> hardware.

I thought about his email for a good 10 minutes this morning and did some research and almost replied but decided not to. But since you have stuck your neck out first I am going to support you on this.

My specialty is PCI so I always look at security from that perspective. VLANs have been good enough to pass PCI audits. The auditor is given quite a bit of latitude in this area. If you appear even slightly incompetent, do not have business justification for each thing allowed through, do not have a recent review of your VLAN/firewall ACLs, or do not have your VLANs properly configured, they can certainly deny you their use. But barring any of that they have always been acceptable.

You can google and find a few people out there who don't trust VLANs for this purpose but in my experience they have been problem free when properly configured (and really, what doesn't need to be properly configured to be secure?). Properly configured means, among other things:

- Not configuring every port as an open trunk or autoconfigure trunk
- Pruning the list of VLANs to distribution switches and untrusted ports (especially VLAN 1)
- Not running autotrunking protocols like VTP or any other unnecessary L2 protocol and restricting them to trusted ports where they absolutely must be used

> As long as your switches and VLANs are properly configured, they're no less
> secure than anything else. You just need to understand how they work, and
> protect against things like VLAN sniffing and injection attacks (basically,
> you need to protect your VLAN trunks between switches).

Exactly. Cisco sponsored (take that for what you will but it looks like a decent effort to me) @Stake to conduct a security assessment of the use of VLANs:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

You need to understand how it works to implement it safely but having done that there is no reason VLANs aren't good enough.

-- 
Tracy Reed
http://tracyreed.org
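An added example, not from this thread or from Cisco: a small Python audit that reads a Cisco IOS-style running config (the sample below is constructed) and flags the three hardening points the message lists: ports left in DTP dynamic/negotiating mode, trunks that are not pruned or still carry VLAN 1, and VTP left in server mode. Treating a missing `vtp mode` line as server mode and parsing only the base `switchport trunk allowed vlan` form are assumptions of this example.

```python
# Added example: audit an IOS-style config for the VLAN hardening points
# above. The config text is constructed; the finding wording is my own.
import re

SAMPLE_CONFIG = """\
vtp mode server
interface GigabitEthernet0/1
 switchport mode dynamic desirable
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
"""

def parse_interfaces(config):
    """{interface name: [its indented lines]}; a non-indented line ends a block."""
    blocks = re.finditer(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M)
    return {m.group(1): [l.strip() for l in m.group(2).splitlines()] for m in blocks}

def vlan_set(spec):
    """Expand an allowed-VLAN list such as '1,10-12,20' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return sorted (scope, finding) tuples; an empty list means clean."""
    findings = []
    # Assumption: no 'vtp mode' line means the IOS default, server mode.
    if not re.search(r"^vtp mode (transparent|off)\b", config, re.M):
        findings.append(("global", "VTP in server mode; use transparent or off"))
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode == "dynamic":                      # auto/desirable: will trunk on request
            findings.append((name, "DTP auto-trunking enabled"))
        elif mode == "trunk":
            if "switchport nonegotiate" not in lines:  # static trunk still speaks DTP
                findings.append((name, "trunk still negotiates DTP"))
            allowed = next((l.rsplit(None, 1)[1] for l in lines
                            if l.startswith("switchport trunk allowed vlan ")), None)
            if allowed is None:
                findings.append((name, "trunk carries all VLANs (not pruned)"))
            elif 1 in vlan_set(allowed):
                findings.append((name, "VLAN 1 allowed on trunk"))
    return sorted(findings)
```

Run `audit(SAMPLE_CONFIG)` to see the four findings for the sample; only GigabitEthernet0/3 comes back clean.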
_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
