Security Basics mailing list archives
RE: VLAN Question
From: Meidinger Chris <chris.meidinger () badenit de>
Date: Fri, 22 Aug 2003 09:59:49 +0100
Remember the time when switched networking was a new and up-and-coming cool thing? Remember those rows upon rows of AUI ports or 10Base2 connections all connected to hunking brown hubs? Remember replacing them with one 48 port switch and 2 HE's worth of twisted pair jacks? Well at that time switches *were* massively more expensive than hubs. And the VLAN *was* intended to let you buy one big hunking switch and run several subnets off of it. This had nothing to do with big switches v. little switches, but rather with big switches v. big hubs.

As far as the next mail, Todd said that it was true at the time that a bit of broadcast leakage wasn't a big deal. He didn't say that in today's security conscious environment nobody would care. The VLAN was not a security invention, it was an invention designed to utilize switches fully at a time when that technology was significantly more expensive. And in that environment one silly little broadcast packet too many wasn't really worrying anyone (much).

This is not a flame, but I had to defend the guy.

Cheers,
Chris

badenIT GmbH
System Support
Chris Meidinger
Tullastrasse 70
79108 Freiburg

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Thursday, August 21, 2003 2:30 AM
To: 'Bennett Todd'; 'Steven Williams'
Cc: Security-basics () securityfocus com
Subject: RE: VLAN Question
> Originally, VLANs were created solely to help mitigate the very high cost of early switches. Switches were being sold in multiples of 16 or 32 ports, and they were vastly more expensive than hubs. To help people get the most out of their switch investments, VLANs allowed partitioning broadcast domains, to buy the performance advantages of switch isolation while allowing multiple smaller networks to be implemented on the same expensive switch.

I can't buy this. Although several cascaded hubs get you the equivalent of one big hub, switches do not combine the same way. I don't think there was ever a time when a chassis switch with four 12-port cards cost less than four separate 12-port switches. And if all VLANs did was allow your one big expensive switch to emulate a stack of cheap little switches, almost nobody would ever use them.

Where partitioning of switches into VLANs starts to pay off is where you have (a) trunking of multiple VLANs from switch to switch, and (b) router blades for switch chassis, to route between VLANs. Now you can deploy a layer 3 topology that doesn't look anything like your layer 2 topology, and you can provide redundant linkage via spanning tree instead of HSRP or even OSPF.

David Gillett
-----Original Message-----
From: Bennett Todd [mailto:bet () rahul net]
Sent: August 20, 2003 09:51
To: Steven Williams
Cc: Security-basics () securityfocus com
Subject: Re: VLAN Question

2003-08-20T03:09:24 Steven Williams:
> I'm after some opinions of yours and your company's policy regarding the use of VLANs as a method of isolating the internet to internal VLANs on the same physical layer 2 / 3 switch and access controlled by ACLs or firewalls.

There are several sides to this question.

Originally, VLANs were created solely to help mitigate the very high cost of early switches. Switches were being sold in multiples of 16 or 32 ports, and they were vastly more expensive than hubs. To help people get the most out of their switch investments, VLANs allowed partitioning broadcast domains, to buy the performance advantages of switch isolation while allowing multiple smaller networks to be implemented on the same expensive switch.

In this context, leakage between vlans wasn't an issue as long as the amount of leakage didn't cause a performance impact. VLANs leaked. Minor leakage was not considered a problem by the vendors. They weren't designed as security partitions.

Customers started pressing vendors, and they've responded. I've spoken with a Cisco engineer who said that properly, carefully configured, current switches with current CatOS were not believed to leak between vlans, and a finding that they could so leak would be treated as a priority security bug.

Cool says I, this enables something I've wanted to have for some time. Combine switches with vlans that are secure and 802.1q trunking, and you can have a firewall with a ludicrous number of firewall ports --- it becomes practical to consider building a fully-firewalled fully-routed network, where every host has its own dedicated firewall port. Not for everybody, perhaps, but I can think of places where it'd be worth doing. Say, hotels offering network jacks in the rooms.

But there's another issue to consider. Even if the vlan implementation is truly secure in the switch, sharing multiple vlans representing different security domains on the same switch means that a config error on that switch could compromise your isolation. Config errors happen. Config errors that don't overtly break anything are often not detected for a long time.

Switches are cheap. Use multiple switches unless there's a really compelling engineering requirement to use multiple vlans on the same switch.

-Bennett
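Bennett's closing point, that a quiet config error on a switch shared by several security domains can undo the isolation, is something a defender can check for mechanically. The following is an added example, not part of the original thread: a small Python audit run over a constructed IOS-style config fragment, flagging the kind of settings that break nothing visibly but weaken VLAN separation. The interface names, VLAN IDs and the VLAN-to-domain labels are hypothetical.

```python
import re
# Constructed IOS-style running-config fragment (hypothetical interface names and VLAN IDs).
SAMPLE_CONFIG = """\
interface Gi0/1
 switchport mode access
 switchport access vlan 10
interface Gi0/2
 switchport mode access
interface Gi0/3
 switchport mode trunk
 switchport trunk native vlan 10
interface Gi0/4
 switchport mode access
 switchport access vlan 99
"""
# Which VLAN belongs to which security domain (hypothetical labels for this example).
DOMAINS = {10: "internal", 20: "internal", 99: "internet"}

def parse_interfaces(config):
    """Map interface name -> settings; defaults mirror IOS (access/native VLAN 1, all VLANs allowed)."""
    ifaces, cur = {}, {}  # `cur` starts as a throwaway dict until the first 'interface' line
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"mode": None, "access": 1, "native": 1, "allowed": None})
        elif m := re.match(r"\s+switchport mode (\w+)", line):
            cur["mode"] = m.group(1)
        elif m := re.match(r"\s+switchport access vlan (\d+)", line):
            cur["access"] = int(m.group(1))
        elif m := re.match(r"\s+switchport trunk native vlan (\d+)", line):
            cur["native"] = int(m.group(1))
        elif m := re.match(r"\s+switchport trunk allowed vlan ([\d,]+)", line):
            cur["allowed"] = {int(v) for v in m.group(1).split(",")}
    return ifaces

def audit(config, domains=DOMAINS):
    """Return (interface, finding) pairs for settings that silently weaken VLAN isolation."""
    ifaces, findings = parse_interfaces(config), []
    for name, i in ifaces.items():
        if i["mode"] == "access" and i["access"] == 1:
            findings.append((name, "access port left in default VLAN 1"))
        elif i["mode"] == "trunk":
            if i["allowed"] is None:
                findings.append((name, "trunk allows all VLANs (no allowed-vlan list)"))
            if i["native"] in domains:
                findings.append((name, f"trunk native VLAN {i['native']} is a production VLAN"))
    # Bennett's point: when two security domains share one switch, a single config error can bridge them.
    seen = {domains[i["access"]] for i in ifaces.values() if i["mode"] == "access" and i["access"] in domains}
    if len(seen) > 1:
        findings.append(("switch", "multiple security domains share this switch: " + ", ".join(sorted(seen))))
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the port left in VLAN 1, the trunk with no allowed-list and a production native VLAN, and the fact that the internal and internet domains sit on the same switch.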
Current thread:
- VLAN Question Steven Williams (Aug 20)
- RE: VLAN Question David Gillett (Aug 20)
- Re: VLAN Question Bennett Todd (Aug 20)
- RE: VLAN Question David Gillett (Aug 21)
- Re: VLAN Question Bennett Todd (Aug 21)
- RE: VLAN Question David Gillett (Aug 21)
- RE: VLAN Question David Gillett (Aug 21)
- <Possible follow-ups>
- RE: VLAN Question Meidinger Chris (Aug 22)
- RE: VLAN Question David Gillett (Aug 25)