Security Basics mailing list archives
Re: how secure is a vlan
From: JGrimshaw () ASAP com
Date: Wed, 7 Jan 2004 13:39:45 -0600
Hi Tigerblue,

VLANs are as secure as you make them, but come pretty secure as-is. Logically, they are treated as a separate physical network. A device cannot connect to another network without the help of a routing device, be it a layer 3 switch that is routing for the VLAN, an independent router (called Router-on-a-Stick), or perhaps a multi-homed machine such as a Windows server running RRAS and configured to route traffic.

Better still, on the Cisco Catalyst 6000 series, one can create private VLANs, which prevent devices on the VLAN from speaking to each other, and only to the default gateway port on the VLAN. A good reason to do this is on a DMZ. If a machine in the DMZ is compromised, it is still unable to speak to other machines on the DMZ, and only the default gateway port on the VLAN.

Also, most switches that support VLANs also support MAC address based security and other features to further protect your VLAN. I would check with the documentation for your switch to see what features your switch supports, and if they make sense to implement. How about access lists protecting your new VLAN?

You will also discover that the broadcast domain is reduced, and there may be a significant drop in broadcast traffic. Cutting a 1022 host subnet into four 254 host subnets reduces DHCP broadcasts and other such things immensely.

But remember, if you decide to allow routing to and from this subnet, make sure you design a subnet scheme that makes sense! The last thing you want are numbers pulled out of the air, or something copied out of a book. Check out http://www.faqs.org/rfcs/rfc1597.html for information on private IP addressing; it is invaluable if this is your first attempt at subnet design.

A place I once worked at used someone else's public IP address as their datacenter IP address. Oops. Then the private addresses were all decided by different departments. Oops again. It was a disaster rewriting all of the router and switch VLANs and rules, the firewall rules, printer addresses, load balancers, server addresses... talk about downtime! Do it right the first time and you may be employed where you are at for a long time!

<tigerblue () puzzleapuma de>
01/07/2004 04:02 AM
To <security-basics () securityfocus com>
cc
Subject how secure is a vlan

Hello out there,

I'm planning a reorganisation of our company network. I'm thinking about a VLAN to secure a part of the net.
Is this technology as secure as a physical net?
Is there a way to break out of this virtual LAN into another part of the network?

Best Regards
tigerblue

---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any course! All of our class sizes are guaranteed to be 10 students or less. We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, and many other technical hands on courses. Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off any course!
----------------------------------------------------------------------------
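The subnet-planning advice in the message above, as an added example that is not part of the original post: it splits a 1022-host subnet into four 254-host subnets and audits an address plan for the two mistakes described (non-private space in use, and ranges chosen independently that overlap). The function names and the sample plan are assumptions constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Private address blocks listed in RFC 1597 (the document linked in the message).
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def split_subnet(cidr, new_prefix):
    """Split one subnet into equal smaller ones; return (network, usable hosts)."""
    net = ipaddress.ip_network(cidr)
    # Usable hosts exclude the network and broadcast addresses.
    return [(s, s.num_addresses - 2) for s in net.subnets(new_prefix=new_prefix)]

def audit_plan(plan):
    """Return a list of findings for a {name: cidr} address plan (hypothetical format)."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    findings = []
    # Check 1: every internal subnet must sit inside a private block.
    for name, net in nets.items():
        if not any(net.subnet_of(block) for block in PRIVATE_BLOCKS):
            findings.append(f"{name}: {net} is not private address space")
    # Check 2: no two subnets may overlap, whoever allocated them.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            findings.append(f"{a} {net_a} overlaps {b} {net_b}")
    return findings

# Constructed sample plan. 198.51.100.0/24 is a documentation range (RFC 5737)
# standing in for "someone else's public IP address".
SAMPLE_PLAN = {
    "datacenter": "198.51.100.0/24",
    "engineering": "10.1.0.0/22",
    "sales": "10.1.2.0/24",   # picked independently, falls inside engineering
    "dmz": "192.168.50.0/24",
}

if __name__ == "__main__":
    for subnet, hosts in split_subnet("10.1.0.0/22", 24):
        print(subnet, hosts, "usable hosts")
    for finding in audit_plan(SAMPLE_PLAN):
        print("FINDING:", finding)
```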
Current thread:
- how secure is a vlan tigerblue (Jan 07)
- Re: how secure is a vlan m (Jan 07)
- Re: how secure is a vlan JGrimshaw (Jan 08)
- <Possible follow-ups>
- RE: how secure is a vlan Shepler, Eric W. [Contractor] (Jan 07)
- RE: how secure is a vlan Timothy Donahue (Jan 07)
- RE: how secure is a vlan David Gillett (Jan 08)
- Re: how secure is a vlan Ivan Coric (Jan 08)
- RE: how secure is a vlan Timothy Donahue (Jan 08)
- RE: how secure is a vlan Moody, Chris (Jan 08)