Firewall Wizards mailing list archives

Re: Vlan's as effective security measures?


From: John Hall <jhall () ptavvs net>
Date: Mon, 09 Feb 2004 12:52:31 -0800


1.  A surprising number of network devices' VLAN implementations
   will leak packets between VLANs under heavy loads, or in some
   cases randomly all the time.
2.  Some switches have a single forwarding database which includes
   VLAN tags and a host presenting a carefully chosen MAC address
   can sometimes hijack traffic for a host on another VLAN.
3.  Some switches flood ARP requests across VLANs.
4.  Some switches flood all traffic under heavy load.
5.  Few switches and routers have adequate configuration security.

Don't depend on VLANs to guarantee the separation of two networks
that *must* be separated.  Your security is only as good as the
weakest element in your infrastructure and the security of most
switches (and to a lesser extent routers) is pretty weak.

JMH

Ware, Larry wrote:

Forgive a long out of field, and now working on getting back up to speed
firewall admin, but would someone care to educate me concerning the security
issues related to VLANs? I have lots of them, and need to know why a VLAN
is not an effective adjunct to firewall and router security policies.
-larry

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
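One way to verify points 1 and 3 on your own switches, added here as an example and not part of the original thread: capture frames on a tagged mirror port and flag ARP traffic whose sender address belongs to a subnet that should only live on a different VLAN. The VLAN-to-subnet map and the frames below are constructed for the example; in practice the frames come from a capture.

```python
import struct
import ipaddress

# Expected VLAN ID -> IPv4 subnet map (constructed for this example).
EXPECTED_SUBNETS = {
    10: ipaddress.ip_network("10.0.10.0/24"),
    20: ipaddress.ip_network("10.0.20.0/24"),
}

def parse_tagged_arp(frame):
    """Parse an 802.1Q-tagged ARP frame into (vid, sender_mac, sender_ip).
    Returns None for anything that is not a tagged IPv4-over-Ethernet ARP."""
    if len(frame) < 18 + 28:
        return None
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != 0x8100 or ethertype != 0x0806:
        return None
    vid = tci & 0x0FFF  # low 12 bits of the tag control field
    arp = frame[18:]
    # ARP: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
    if arp[4] != 6 or arp[5] != 4:
        return None
    sender_mac = arp[8:14].hex(":")
    sender_ip = ipaddress.ip_address(arp[14:18])
    return vid, sender_mac, sender_ip

def find_leaked_arp(frames):
    """Flag ARP frames whose sender IP does not belong to the subnet expected
    on the VLAN they were captured on (a sign of cross-VLAN flooding/leaking)."""
    leaks = []
    for frame in frames:
        parsed = parse_tagged_arp(frame)
        if parsed is None:
            continue
        vid, mac, ip = parsed
        expected = EXPECTED_SUBNETS.get(vid)
        if expected is None or ip not in expected:
            leaks.append((vid, mac, str(ip)))
    return leaks

def build_arp_request(vid, sender_mac_hex, sender_ip, target_ip):
    """Construct a tagged ARP request as test input (not captured traffic)."""
    sha = bytes.fromhex(sender_mac_hex)
    eth = b"\xff" * 6 + sha + struct.pack("!HHH", 0x8100, vid, 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha
    arp += ipaddress.ip_address(sender_ip).packed + b"\x00" * 6
    arp += ipaddress.ip_address(target_ip).packed
    return eth + arp
```

Run it against a capture taken under load as well as at idle, since the leakage described above often only appears when the switch is busy.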
