Firewall Wizards mailing list archives

Re: VLAN Security


From: Carson Gaspar <carson () taltos org>
Date: Tue, 08 Jun 2004 15:25:51 -0400

--On Tuesday, June 08, 2004 10:18:02 -0700 Jeff Boles <bolesjb () yahoo com> wrote:

> Anyone care to voice their consensus on contemporary
> VLAN implementations as a security measure?  I'm

I'm sort of a heretic in this crowd. I think VLANs are a very useful security implementation tool. That doesn't mean I trust them completely. My policy is "one chassis, one trust level" - i.e. I will put 20 different business counterparties on a single (pair of) switch chassis, each on their own VLAN, but I'd never put internal or Internet-exposed networks on that same chassis.

The risk acceptance question is "how screwed are we if something causes the switch to become one big flat network?". For now, ignore how this can happen (bugs, operator error, sabotage, ...) - the important thing is that it _can_ happen.

So in the above example, in the worst-case scenario, I've allowed vendor A to use me as a transit net to attack vendor B. *shrug* I've made sure we're not liable by working with the lawyers, and any vendor that doesn't have their own firewall on their side has little pity from me.

--
Carson

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
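The "one chassis, one trust level" rule above, and the risk question behind it, can be checked mechanically against a switch inventory. The script below is an added example and is not part of the original post or the list archive; the inventory rows, chassis names, VLAN ids and trust-level labels are constructed. It flags any chassis that hosts more than one trust level, and for a given chassis answers the author's question directly: if the switch collapsed into one flat network, which VLAN pairs of differing trust would suddenly be adjacent.

```python
"""Lint a switch inventory against 'one chassis, one trust level'.

Added example, not code from the original post. The inventory below is
constructed sample data: (chassis, vlan_id, network_name, trust_level).
"""
from collections import defaultdict
from itertools import combinations

INVENTORY = [
    # A partner-facing chassis: many counterparties, but a single trust level.
    ("sw-partner-01", 101, "vendor-a", "counterparty"),
    ("sw-partner-01", 102, "vendor-b", "counterparty"),
    ("sw-partner-01", 103, "vendor-c", "counterparty"),
    # A chassis that mixes internal and Internet-exposed segments (policy violation).
    ("sw-core-01", 10, "corp-lan", "internal"),
    ("sw-core-01", 20, "dmz-web", "internet"),
    ("sw-core-01", 30, "mgmt", "internal"),
]


def trust_levels_per_chassis(inventory):
    """Map each chassis to the set of trust levels it carries."""
    levels = defaultdict(set)
    for chassis, _vlan, _name, level in inventory:
        levels[chassis].add(level)
    return dict(levels)


def policy_violations(inventory):
    """Chassis that host more than one trust level, sorted by name."""
    per_chassis = trust_levels_per_chassis(inventory)
    return sorted(c for c, lv in per_chassis.items() if len(lv) > 1)


def flat_network_exposure(inventory, chassis):
    """Model the failure mode from the post: the chassis becomes one flat L2 domain.

    Returns the VLAN network pairs on `chassis` whose trust levels differ, i.e.
    the segments that would gain direct adjacency if VLAN separation failed.
    Same-trust pairs are omitted because the policy already accepts that risk.
    """
    nets = [(v, n, l) for c, v, n, l in inventory if c == chassis]
    return sorted(
        (a[1], b[1]) for a, b in combinations(nets, 2) if a[2] != b[2]
    )


if __name__ == "__main__":
    for chassis in policy_violations(INVENTORY):
        print(f"{chassis}: mixes trust levels "
              f"{sorted(trust_levels_per_chassis(INVENTORY)[chassis])}")
        for a, b in flat_network_exposure(INVENTORY, chassis):
            print(f"  if flat: {a} <-> {b}")
```

Running it reports `sw-core-01` as the only violation and lists `corp-lan <-> dmz-web` and `dmz-web <-> mgmt` as the adjacencies a flat-network failure would create; `sw-partner-01` passes because all its VLANs share one trust level, which is exactly the accepted-risk case the post describes.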

