security implications of dmz and vlan

James Lee Bell nuclear-cowboy at cox.net
Thu Feb 1 00:28:49 MST 2007


Delurking for this one. VLANs within a switching fabric should not 
usually be trusted as secure separation devices between zones of trust. 
While most of the known vlan hopping/smashing mechanisms depend on items 
that can be handled with appropriate switch configuration, the 
possibility/probability of unknown ones (how many IOS vulnerabilities 
have appeared in last few months?) should give one pause in doing so.

In reality, I'm uncertain what you are trying to accomplish - your 
physically separate switches with fw performing access control and 
routing seems more secure - so I'll stick with finishing the VLAN 
question for now. Cisco has some good info on locking down their 
switches, and of course looking up the Yersinia vlan hopping tool papers 
and their recommendations can help to lock down the switches to the 
point where you can somewhat "trust" them to do what you are asking. The 
gist will be that you have to explicitly configure every single port on 
the switch (some commands can be run once for all ports, some can't) to 
be host ports not trunk ports, and turn off all unnecessary dynamic 
services (where have we heard that refrain :-) like dynamic trunking 
protocol, cdp, vtp, etc.

Side note: Outside and DMZ are in similar zones of trust, the latter 
slightly more protected. Inside is completely different zone of trust. 
My take is if possible to group not just layer 3 but layer 2 for 
separation, because you don't know what you don't know.

Randy Melder wrote:
> Your VLANs are supposed to be on different subnets, so the setup seems 
> legit. I don't know of any Layer 2 holes under this scenario. Now the 
> issue is ACLs in your FW/Router. Are they tight? Layer 3 is where you're 
> going to have all your security issues.
> 
> On 1/31/07, *Darrin Chandler* <dwchandler at stilyagin.com 
> <mailto:dwchandler at stilyagin.com>> wrote:
> 
>     On Wed, Jan 31, 2007 at 05:38:44PM -0600, JT Moree wrote:
>      > Does anyone know enough about VLANs on a Cisco Catalyst 4506
>     switch to explain
>      > the security implications of this setup:
>      >
>      > 2 VLANs
>      >  VLAN 1 - internal servers
>      >  VLAN 2 - DMZ
>      >
>      > Given that the dmz is to keep the dmz servers separated from the
>     internal
>      > network would this be a secure setup?  Are there any holes in the
>     VLAN
>      > architecture that would make this a BAD idea?
>      >
>      > One caveat.  right now we have a cisco firewall which routes
>     between two
>      > different switches for dmz and internal.  I realize a breach in
>     cisco security
>      > would be a problem in BOTH situations.
> 
>     Seems that you already understand the issues. ;) The VLAN stuff
>     *should* be
>     fine, really.
> 
>     But how are you going to route stuff between the VLANs? Still need a
>     router after all?
> 
>     --
>     Darrin Chandler                   |  Phoenix BSD Users Group
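As an added illustration of the lock-down James describes above (every port explicitly a host port, trunks pinned, DTP/CDP/VTP off), here is a small Python checker that is not part of the thread. It audits a pasted IOS-style "show running-config" for ports that can still negotiate a trunk, for CDP/VTP left on, and, on intended trunks, for a native VLAN that is also carried on the trunk (the double-tagging case the VLAN hopping papers warn about). The two config excerpts, interface names, descriptions and VLAN numbers are constructed for the example; the "weak" one is a typical pre-hardening state, the "hardened" one the same ports after the changes.

```python
import re

# Constructed "show running-config" excerpts (hypothetical ports/VLANs, not from
# the original thread): the first before hardening, the second after.
WEAK_CONFIG = """\
!
vtp mode server
!
interface GigabitEthernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 1,2
!
interface GigabitEthernet2/1
 description DMZ web server
 switchport access vlan 2
!
interface GigabitEthernet2/2
 description internal file server
 switchport access vlan 1
 switchport mode dynamic desirable
!
"""

HARDENED_CONFIG = """\
!
vtp mode transparent
no cdp run
!
interface GigabitEthernet1/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,2
!
interface GigabitEthernet2/1
 description DMZ web server
 switchport access vlan 2
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet2/2
 description internal file server
 switchport access vlan 1
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet2/3
 shutdown
!
"""


def parse_running_config(text):
    """Split IOS-style config into global lines and per-interface sub-lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' terminates an interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def expand_vlan_list(spec):
    """'1,2,10-12' -> {1, 2, 10, 11, 12} (the plain form IOS prints)."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_switch_config(text):
    """Return a list of (scope, finding) tuples; an empty list means clean."""
    global_lines, interfaces = parse_running_config(text)
    findings = []
    if "no cdp run" not in global_lines:
        findings.append(("global", "CDP running; add 'no cdp run' (or 'no cdp enable' on each edge port)"))
    if not any(g in ("vtp mode transparent", "vtp mode off") for g in global_lines):
        findings.append(("global", "VTP in client/server mode; set 'vtp mode transparent' (or 'vtp mode off')"))
    for name, lines in interfaces.items():
        cfg = set(lines)
        if "shutdown" in cfg:
            continue  # an administratively down port negotiates nothing
        if "switchport mode trunk" in cfg:
            # Intended trunk: silence DTP and keep the untagged (native) VLAN
            # off the set of VLANs the trunk actually carries.
            if "switchport nonegotiate" not in cfg:
                findings.append((name, "trunk still speaks DTP; add 'switchport nonegotiate'"))
            native = next((c.split()[-1] for c in lines if c.startswith("switchport trunk native vlan ")), "1")
            allowed = next((c.split()[-1] for c in lines if c.startswith("switchport trunk allowed vlan ")), None)
            # Anything but a plain list (absent, 'all', 'add ...') is treated as unrestricted.
            if allowed is None or not re.fullmatch(r"[0-9,\-]+", allowed) or int(native) in expand_vlan_list(allowed):
                findings.append((name, f"native VLAN {native} is carried on the trunk; use an unused VLAN and prune 'allowed vlan'"))
            continue
        if "switchport mode access" not in cfg:
            mode = next((c for c in lines if c.startswith("switchport mode ")), "no explicit mode (DTP default)")
            findings.append((name, f"{mode}: port can negotiate a trunk; set 'switchport mode access'"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit_switch_config(cfg))} finding(s)")
        for scope, msg in audit_switch_config(cfg):
            print(f"  {scope}: {msg}")
```

Run against the weak excerpt it reports six findings (CDP, VTP, the un-pinned trunk twice, and the two edge ports that are not fixed to access mode); the hardened excerpt reports none. It deliberately does not try to parse every IOS form of the "allowed vlan" line, treating anything but a plain list as unrestricted, which errs on the side of a finding.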



More information about the PLUG-discuss mailing list