Lions, Tigers, and VLANs Oh MY!

Posted July 25th, 2007 by

I’ve been courting with VLANs again this week.

For those of you who don’t habla routing and switching, VLANs are a way to carve out a virtual switch. You can share the VLANs over different physical switches using a technique called trunking, which comes in way handy.

Technically, it makes sense to take most (all?) of your switches and trunk them into one huge-gantic, gi-normous switch then do all the work withVLANs.  This is the “cram everything (router, firewall, and port modules) into one Catalyst 6500 chassis and have a nice day” approach which Cisco will gladly sell you.

Until you start looking at the typical setup. For DMZ servers (just about everything I deal with is in a DMZ of some sort), it’s fairly standard to have a switch (or any number thereof) sliced up by VLANs for different functions and then each VLAN segregated by a firewall.

The problem with this is when you put untrusted/external and  trusted/internal network segments on the same switch and use VLANs to separate them.  Basically what you’ve done is taken a “moderately robust security architecture” and configured it so that the switch is a single point of security failure.  That is, if you misconfigure or compromise the switch, you can bypass the firewalls.

In either case, being able to conduct a successful attack depends on misconfigurations which can happen anyway with firewalls, servers, and any other equipment that you own.  The real problem is that single-point-of-failure that the switch becomes.

My personal rules for using VLANs:

  • Don’t put untrusted/external and trusted/internal VLANs on the same switch.
  • Putting untrusted/external and semi-trusted/DMZ VLANs on the same switch is on a case-by-case basis.
  • Putting trusted/internal and semi-trusted/DMZ VLANs on the same switch is on a case-by-case basis.
  • Don’t trunk VLANs across trust boundaries.  IE, don’t mix up customer switches with our own switches.

I think the key for today’s CISO is that when people bring you drawrings of what the network looks like, you should get both a logical network drawring and a physical network drawing.  The differences between the 2 might shock you.  Usually when you’re asked to approve a design, you get the former and not the latter, so the usual caveats apply.

Further reading:

Similar Posts:

Posted in Risk Management, Technical, The Guerilla CISO | 2 Comments »

2 Responses

  1.  dre Says:

    I’m going to go ahead and disagree with you on this one. There are plenty of ways to make VLAN’s secure enough for DMZ and internal server shared use.

    One is: secure the data. It’s called SSL people and you should probably be using it. I don’t think firewalls work anyways.

    The second is: actually know what path the data is taking. Differential firewall analysis makes firewalls almost sound like they are doing something – but more importantly, it shows you what they are NOT doing. Network documentation and diagrams help with this, too.

    Thirdly, there are ways to prevent VLAN hopping from occurring through proper configuration. I’ve set this up hundreds of times. Yes, you have to know what you are doing – but it is possible. And then you test it with and verify that your protections are actually working.

  2.  Saso Says:

    I’m with you on this one Guerrilla Magilla. I still take to heart the old mantra that VLANs aren’t a security device.

    I also remember, from the days gone by, that keeping differently classified networks on separate physical switches is always good. Sure, there are all these newfangled modules for the Cat 6500, and BlackDiamond, and … that come close, but that still allows for mis-configurations.

    Throw in different colour cabling for different classification networks and you’re almost set.

    After that, auditing a network setup becomes as easy as taking a walk in the data centre. With separate physical switches, there is no chance for accidental configuration snafu. Malicious snafu, sure, but not accidental. 🙂

    I wholeheartedly agree on physical AND logical network diagrams. Not many people keep and/or update physical diagrams, unfortunately.

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.

Visitor Geolocationing Widget: