On 28/06/10 20:26, Brent Chapman wrote:
> On Mon, Jun 28, 2010 at 12:05 PM, A. Dreyer (LOPSA)
>> I assume you both know that VLANs are just an administrative tool not a
>> security measurement and that for "real" security the switches with
>> external/DMZ VLANs should be *physically* separate from the switching
>> infrastructure of your internal network..
>
> Bullshit.
>
> As far as I've ever been able to determine, this is just FUD (Fear,
> Uncertainty, and Doubt) propagated by folks who want to sell you more
> switch hardware.
>
> Everybody says "but what if the switch somehow leaks packets from one
> VLAN to another?" Well, what if the switch ACLs didn't work, and passed
> traffic that it shouldn't? Those would both be major security bugs,
> drawing a quick response from the vendors in question.
>
> As long as your switches and VLANs are properly configured, they're no
> less secure than anything else. You just need to understand how they
> work, and protect against things like VLAN sniffing and injection
> attacks (basically, you need to protect your VLAN trunks between switches).
>
> -Brent
Hi Brent,

You seem to have a very well-suited setup for _your_ requirements. Apparently you have switches with absolutely flawless software, your engineers never make mistakes and everything is documented, audited and tested.

I am on the other hand a firm believer in the "security in depth" doctrine - where a single faulty software or a simple misconfiguration cannot compromise the complete internal network (like bypassing the firewall via misconfigured or leaking VLANs). The more (simple and correctly configured) security layers, the better.

If you read my mail I was only trying to separate major security zones "bad internet" vs "internal" network - I wasn't even saying that VLANs are bad, I just wouldn't use them as the only barrier.

Further detailed discussions:

VLANs might be insecure:
http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf
http://www.hakipedia.com/index.php/VLAN_Hopping
http://pentestit.com/2010/04/23/tutorial-vlan-hopping-yersinia/

Only misconfigured VLANs are unsafe:
http://www.bogpeople.com/networking/vlanhopping/

Kind regards,
Achim

--
Achim Dreyer
Network Security Consultant
Senior Unix & Network Admin

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
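Both posters end up at the same place: Brent's "protect your VLAN trunks" and the VLAN-hopping write-ups Achim links are about per-port configuration (DTP left negotiating, native VLAN 1 on trunks, trunks carrying every VLAN). The audit below is an added example, not code from either poster or from LOPSA; it assumes Cisco IOS-style `switchport` syntax and runs over a constructed sample config.

```python
import re
# Constructed Cisco IOS-style switch config (syntax is an assumption; nothing
# here comes from the thread). Gi0/1 and Gi0/3 are left at risky defaults.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
interface GigabitEthernet0/2
 switchport mode access
 switchport nonegotiate
interface GigabitEthernet0/3
 switchport mode dynamic desirable
interface GigabitEthernet0/4
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
"""

def parse_interfaces(config):
    """Split an IOS-style running-config into {interface: [stripped lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None and raw.strip():
            blocks[current].append(raw.strip())
    return blocks

def audit_vlan_hardening(config):
    """Return {interface: [findings]} for ports that make VLAN hopping easier."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split(" ", 2)[2] for l in lines if l.startswith("switchport mode ")), None)
        native = next((l.split()[-1] for l in lines if "trunk native vlan" in l), None)
        issues = []
        if mode is None or mode.startswith("dynamic"):  # DTP can still negotiate a trunk
            issues.append("DTP negotiation possible; pin the port to access or trunk")
        if mode == "trunk":
            if native in (None, "1"):  # untagged frames share the default VLAN
                issues.append("native VLAN is 1; move it to an unused VLAN")
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                issues.append("trunk carries every VLAN; prune to the ones it needs")
            if "switchport nonegotiate" not in lines:
                issues.append("trunk still speaks DTP; add switchport nonegotiate")
        if issues:
            report[name] = issues
    return report
```

Run against the sample, Gi0/1 gets three findings and Gi0/3 one, while the hardened Gi0/2 and Gi0/4 are silent; pointing it at a real running-config is a cheap way to check whether the "properly configured" precondition in Brent's argument actually holds.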
