Firewall Wizards mailing list archives
Re: VLAN Security
From: Carson Gaspar <carson () taltos org>
Date: Tue, 08 Jun 2004 15:25:51 -0400
--On Tuesday, June 08, 2004 10:18:02 -0700 Jeff Boles <bolesjb () yahoo com> wrote:
> Anyone care to voice their consensus on contemporary VLAN implementations as a security measure? I'm
I'm sort of a heretic in this crowd. I think VLANs are a very useful security implementation tool. That doesn't mean I trust them completely. My policy is "one chassis, one trust level" - i.e. I will put 20 different business counterparties on a single (pair of) switch chassis, each on their own VLAN, but I'd never put internal or Internet exposed networks on that same chassis.
The risk acceptance question is "how screwed are we if something causes the switch to become one big flat network?". For now, ignore how this can happen (bugs, operator error, sabotage, ...) - the important thing is that it _can_ happen.
So in the above example, in the worst case scenario, I've allowed vendor A to use me as a transit net to attack vendor B. *shrug* I've made sure we're not liable by working with the lawyers, and any vendor that doesn't have their own firewall on their side has little pity from me.
-- Carson
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
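
The "one chassis, one trust level" policy and the flat-network worst case from the message above, written as an inventory audit. This is an added example, not part of the original post; the switch names, VLAN IDs, network names and trust-level labels are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed inventory, not from the post: (chassis, vlan_id, network, trust_level).
# The trust-level labels are assumptions drawn from the post's wording.
INVENTORY = [
    ("ext-sw-1", 101, "vendor-a", "counterparty"),
    ("ext-sw-1", 102, "vendor-b", "counterparty"),
    ("ext-sw-1", 103, "vendor-c", "counterparty"),
    ("dmz-sw-1", 201, "web-dmz", "internet"),
    ("dmz-sw-1", 202, "hr-lan", "internal"),  # mixed trust on one chassis
    ("core-sw-1", 301, "finance-lan", "internal"),
]


def audit(inventory):
    """Check 'one chassis, one trust level' and list worst-case exposure."""
    by_chassis = defaultdict(list)
    for chassis, vlan, network, trust in inventory:
        by_chassis[chassis].append((vlan, network, trust))

    report = {}
    for chassis, vlans in sorted(by_chassis.items()):
        vlans.sort()
        levels = sorted({trust for _, _, trust in vlans})
        # Worst case from the post: the chassis becomes one flat network,
        # so every pair of networks on it can reach each other directly.
        flat_pairs = [(a[1], b[1]) for a, b in combinations(vlans, 2)]
        # Pairs that cross a trust boundary are the ones the policy forbids.
        cross_trust = [(a[1], b[1]) for a, b in combinations(vlans, 2)
                       if a[2] != b[2]]
        report[chassis] = {
            "trust_levels": levels,
            "compliant": len(levels) == 1,
            "flat_pairs": flat_pairs,
            "cross_trust_pairs": cross_trust,
        }
    return report


if __name__ == "__main__":
    for chassis, r in audit(INVENTORY).items():
        status = "OK" if r["compliant"] else "VIOLATION"
        print(f"{chassis}: {status} levels={r['trust_levels']}")
        for a, b in r["flat_pairs"]:
            flag = " (crosses trust levels)" if (a, b) in r["cross_trust_pairs"] else ""
            print(f"  if flattened: {a} <-> {b}{flag}")
```

On a compliant chassis the flat_pairs list is the accepted residual risk (one counterparty reaching another); any entry in cross_trust_pairs is exposure the policy does not accept.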