Vulnerability Development mailing list archives
Re: Vlans
From: Shawn Davenport <shawn.davenport () CURRENEX COM>
Date: Thu, 18 Jan 2001 07:41:48 -0800
Hey Tim,

Although I feel the same way, i.e. bad idea, my only argument is from a "local" security standpoint. In most cases, having your internal and external segments existing on the same switch, using only VLANs (802.1q or port based), is safe from an external attack (outside your front router). The idea is that the router, as well as the firewall, should be replacing the Ethernet frames, thus eliminating any 802.1q tags and the ability to hop the VLAN boundary.

But if someone could gain access to the switch from the outside, or if you have a concern of someone/thing on the inside getting around the firewall to get out, then you have other points to go on.

I can't think of any other ways to validate a need for a physical separation, assuming the above are not an issue.

Shawn

-----Original Message-----
From: Tim Salus [mailto:tsalus () CBOSS COM]
Sent: Wednesday, January 17, 2001 9:02 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Vlans

I am not certain if this is the place to ask this, and if not please let me know where to send it.

I have a client who has the following configuration:

Internet -> router -> firewall -> load balancer

The connection from the router to the firewall is on a switch, and the connection from the inside interface of the firewall is on the same switch. The separation is done using VLANs. I was taught this is bad due to 802.1q tagging and VLAN hopping using tagged packets. The problem is I can find very little information on this to prove my point.

Also, what if there is no 802.1q trunking being done? Is there still a problem with this? Is there an exploit to get around the firewall and do server flooding by jumping VLANs? No one can get on the firewall segment, so what I need to know is: can anyone on the internet cause a problem with this type of configuration?

Thanks in advance,
Timothy L. Salus
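The mechanism Shawn describes, a layer-3 hop building a fresh frame and so dropping any 802.1q tags, together with a monitoring check for tag stacks that should never appear on an access segment, as an added example (not code from either poster). The frame bytes, MAC addresses and VLAN ids are constructed sample data.

```python
import struct

TPID_8021Q = 0x8100   # 802.1Q customer tag
TPID_8021AD = 0x88A8  # 802.1ad service tag (QinQ)
VLAN_TPIDS = {TPID_8021Q, TPID_8021AD}


def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, ethertype, payload) for a raw Ethernet frame.

    Walks the whole stack of 802.1Q/802.1ad tags after the 12-byte MAC
    header, so nested tags are all surfaced rather than only the outer one.
    """
    offset = 12
    vlan_ids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated Ethernet header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in VLAN_TPIDS:
            break
        if offset + 6 > len(frame):  # need TCI plus the next ethertype
            raise ValueError("truncated VLAN tag stack")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI = VLAN ID
        offset += 4
    return vlan_ids, ethertype, frame[offset + 2:]


def route_frame(frame: bytes, new_src: bytes, new_dst: bytes) -> bytes:
    """Simulate a router/firewall hop: new untagged L2 header around the L3 payload.

    A device forwarding at layer 3 never copies inbound 802.1Q tags onto the
    outbound frame, which is why the tags cannot cross the router boundary.
    """
    _, ethertype, payload = parse_vlan_tags(frame)
    return new_dst + new_src + struct.pack("!H", ethertype) + payload


def tag_anomalies(frame: bytes, expected_vlan=None):
    """Flag tag stacks a monitor on an access segment should never see."""
    vlan_ids, _, _ = parse_vlan_tags(frame)
    findings = []
    if len(vlan_ids) > 1:
        findings.append("nested VLAN tags")
    if expected_vlan is not None and vlan_ids and vlan_ids != [expected_vlan]:
        findings.append(f"unexpected VLAN id(s) {vlan_ids}")
    return findings


# Constructed sample: MAC header, two stacked tags (VLAN 10 outer, 20 inner),
# IPv4 ethertype and a 20-byte dummy payload.
MAC_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
SAMPLE_DOUBLE_TAGGED = (MAC_HDR + struct.pack("!HH", TPID_8021Q, 10)
                        + struct.pack("!HH", TPID_8021Q, 20)
                        + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19)
```

Running `tag_anomalies(SAMPLE_DOUBLE_TAGGED, expected_vlan=10)` reports both the nested tags and the unexpected id, while the frame returned by `route_frame` carries no tags at all.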