Firewall Wizards mailing list archives
VLANs as a security barrier (oh no, not again!)
From: Bennett Todd <bet () rahul net>
Date: Mon, 1 May 2000 10:42:36 -0400
It's been discussed many times, and I've solidly held the side that VLANs are a performance hack, not a security barrier. But I think I may have found a setting where they might reasonably work, and if so they'd for sure be bodaciously helpful in this application.

In a discussion on another list, it emerged that it can be an amazing help to park a really _really_ tightly-secured bastion host on every last LAN on a large and complex net, specifically for providing services to various network boxes on those LANs --- config download for routers and switches, logging, time sync, whatever.

Naturally the ideal solution would be if you could buy a card for a cheap PC that gave you say 32 or more 10baseT ports. Sadly you can't:-). But what if you set up a bastion with a few quad 100BaseT Znyx cards in it, and ran 802.1Q for VLANs over all of them to switches. The picture here is that the bastion wouldn't be routing between these VLANs; it'd just use them to be locally present on every LAN.

It seems like a switch could be designed to make this work very well indeed; you want to wire down the MAC addr of the 802.1Q port, and tell the switch somehow that traffic from other ports can only be addressed to that addr, and only traffic from that addr on that port can be addressed to other addrs. In principle that's the sort of thing a switch could do robustly and securely, without any of the usual worries about VLANs leaking.

Anybody know if any existing switch can do this? With this approach, a switch could act like a box-o-ports, and the 100BaseT 802.1Q port could act like a high-density port for placing a zillion interfaces on a box.

-Bennett
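The host side of the setup Bennett sketches, as an added example that is not part of the original post or the thread: a Linux bastion with a single 802.1Q trunk is given a tagged sub-interface on each VLAN so it is "locally present" there, has IP forwarding switched off so it can never route between the VLANs, and only exposes the management services it was parked there for. The trunk name `eth0`, the VLAN ids and addresses, and the choice of TFTP/NTP/syslog as the served ports are constructed assumptions; the post names the services but not the ports. By default the script only prints the iproute2/nftables commands it would run.

```shell
#!/bin/sh
# Added example, not from the original post. Host side of a bastion that sits
# on several VLANs over one 802.1Q trunk ($TRUNK) without routing between them
# and only answers the management services it is parked there for.
# Trunk name, VLAN ids, addresses and service ports are constructed assumptions.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root,
# iproute2 and nftables).

TRUNK="${TRUNK:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# Constructed inventory: "<vlan id> <address/prefix>" per line.
VLANS='10 192.0.2.2/24
20 198.51.100.2/24
30 203.0.113.2/24'

# Services offered to the network gear (assumed ports): TFTP for config
# download, NTP for time sync, syslog for logging.
SERVICE_PORTS='69, 123, 514'

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Sub-interface name for a VLAN id, e.g. eth0.10
vlan_ifname() { printf '%s.%s' "$TRUNK" "$1"; }

# 802.1Q VLAN ids run 1..4094; 0 and 4095 are reserved and are rejected here.
valid_vlan_id() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Never act as a router between the VLANs, and drop packets whose source
# address does not belong on the interface they arrived on.
harden_host() {
  run sysctl -w net.ipv4.ip_forward=0
  run sysctl -w net.ipv6.conf.all.forwarding=0
  run sysctl -w net.ipv4.conf.all.rp_filter=1
  run sysctl -w net.ipv4.conf.default.rp_filter=1
}

# Default-deny input chain; only loopback, replies to our own traffic, and the
# per-VLAN service rules added below get through.
init_firewall() {
  run nft add table inet bastion
  run nft add chain inet bastion input '{ type filter hook input priority 0 ; policy drop ; }'
  run nft add rule inet bastion input iif lo accept
  run nft add rule inet bastion input ct state established,related accept
  run nft add rule inet bastion input ct state invalid drop
}

# Create one tagged sub-interface and open the service ports on it only.
add_vlan() {
  vid="$1"; addr="$2"
  valid_vlan_id "$vid" || { echo "refusing bad VLAN id: $vid" >&2; return 1; }
  ifn=$(vlan_ifname "$vid")
  run ip link add link "$TRUNK" name "$ifn" type vlan id "$vid"
  run ip addr add "$addr" dev "$ifn"
  run ip link set "$ifn" up
  run nft add rule inet bastion input iifname "$ifn" udp dport "{ $SERVICE_PORTS }" accept
}

main() {
  run ip link set "$TRUNK" up
  harden_host
  init_firewall
  printf '%s\n' "$VLANS" | while read -r vid addr; do
    add_vlan "$vid" "$addr" || exit 1
  done
}

main
```

With a few quad cards, as in the post, the same functions can be called once per trunk by changing `TRUNK`; the rules are keyed on the sub-interface name, so each VLAN still only reaches the service ports and nothing else. The switch-side MAC pinning Bennett asks about is outside what the host can enforce, which is why the host keeps its own default-deny policy rather than trusting the VLAN boundary.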
Current thread:
- VLANs as a security barrier (oh no, not again!) Bennett Todd (May 05)
- Re: VLANs as a security barrier (oh no, not again!) Chris Cappuccio (May 12)