RE: VLAN Security

["Ryan Smith" <Ryan.Smith () fairbankscapital com>]

VLANS don't really increase security as much as they increase
manageability.  The truly secure the switches you should implement port
level security and limit the number of mac addresses allowed per port.
This prevents someone from plugging in a cheap wireless access point and
opening your network to the world.  It also prevents someone from being
able to flood the switch with mac addresses and filling up the mac
cache, thus turning your switch into a hub and enabling them to run a
man a in the middle attack.

On the catalyst OS the command is:

set port security 2/1-48 enable age 10 maximum 2 shutdown 10 violation
shutdown

This sets the mac address age to 10 minutes, the maximum addresses per
port to 2, a violation will shut the port down for 10 minutes.
 Precaution: do not do this on your trunk ports and if you have other
switches or WAPs hanging off of ports, increase the max variable
accordingly.

Smith


-----Original Message-----
From: Naman Latif [mailto:naman.latif () inamed com] 
Sent: Thursday, February 06, 2003 12:00 PM
To: security-basics () securityfocus com
Subject: VLAN Security


Hi,
We have different Cisco Catalyst switches configured for VLANS. With the
current configuration

1. All trunks have a  native VLAN, which is not used by any User. 2.
Management VLAN is other than VLAN 1.

We have different VLANs in place, however these are only used for
different Servers ,And all Users are only members of VLAN-1

Does it make sense to have all the user ports migrated to a Different
VLAN (other than VLAN 1) ? 
Is there a security advantage in this ?

Regards \\ Naman