Re: VLAN Security

["Shimon Silberschlag" <shimons () bll co il>]

Has anyone on the group witnessed or implemented such a setup (VLAN per
server)?
Can you describe what were the requirements and circumstances that drove you
to such a design?
Did you encounter any problems implementing it, and how were these problems
mitigated?

TIA,

Shimon Silberschlag

+972-3-9351572
+972-51-207130


2004-06-08T19:25:51 Carson Gaspar:
> 2004-06-08T10:18:02-0700 Jeff Boles:
> > Anyone care to voice their consensus on contemporary
> > VLAN implementations as a security measure?
>
> I'm sort of a heretic in this crowd. I think VLANs are a very
> useful security implementation tool. [...] My policy is "one
> chassis, one trust level" [...]

I don't know how heretical that is today. For sure, we used to
say that VLANs aren't a security component --- when that was the
vendors' stance. Sometime in the last year or two vendors turned
around and last I heard, their stance was that correctly-configured
VLANs are supported by them as a security component, they're
believed to be leak-free and reports of leaks will be treated as
security bugs.

I'm glad of this; it makes possible a config that I like for certain
applications, what I call a fully-routed net, the next step up from
a fully-switched net. Instead of "every host gets a dedicated switch
port, no hubs" you go up to "every host gets a dedicated router
port, onto a firewall". Just give each switch port a separate vlan
and 802.1q the lot into the firewall[s]. One of these days I'm
looking forward to doing large tracts of business in-house nets that
way.

Even today, though, that's how I'd build out e.g. in-room network
jacks at a hotel, or laptop jacks at a conference.

-Bennett

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards