security implications of dmz and vlan
James Lee Bell
nuclear-cowboy at cox.net
Thu Feb 1 00:28:49 MST 2007
Delurking for this one. VLANs within a switching fabric should not
usually be trusted as secure separation devices between zones of trust.
While most of the known vlan hopping/smashing mechanisms depend on items
that can be handled with appropriate switch configuration, the
possibility/probability of unknown ones (how many IOS vulnerabilities
have appeared in the last few months?) should give one pause in doing so.
In reality, I'm uncertain what you are trying to accomplish - your
physically separate switches with a fw performing access control and
routing seem more secure - so I'll stick with finishing the VLAN
question for now. Cisco has some good info on locking down their
switches, and of course looking up the Yersinia vlan hopping tool papers
and their recommendations can help to lock down the switches to the
point where you can somewhat "trust" them to do what you are asking. The
gist will be that you have to explicitly configure every single port on
the switch (some commands can be run once for all ports, some can't) to
be host ports not trunk ports, and turn off all unnecessary dynamic
services (where have we heard that refrain :-) like dynamic trunking
protocol, CDP, VTP, etc.
Side note: Outside and DMZ are in similar zones of trust, the latter
slightly more protected. Inside is completely different zone of trust.
My take is, if possible, to separate not just at layer 3 but at layer 2,
because you don't know what you don't know.
Randy Melder wrote:
> Your VLANs are supposed to be on different subnets, so the setup seems
> legit. I don't know of any Layer 2 holes under this scenario. Now the
> issue is ACLs in your FW/Router. Are they tight? Layer 3 is where you're
> going to have all your security issues.
>
> On 1/31/07, *Darrin Chandler* <dwchandler at stilyagin.com> wrote:
>
> On Wed, Jan 31, 2007 at 05:38:44PM -0600, JT Moree wrote:
> > Does anyone know enough about VLANs on a Cisco Catalyst 4506 switch to
> > explain the security implications of this setup:
> >
> > 2 VLANs
> > VLAN 1 - internal servers
> > VLAN 2 - DMZ
> >
> > Given that the DMZ is to keep the DMZ servers separated from the internal
> > network, would this be a secure setup? Are there any holes in the VLAN
> > architecture that would make this a BAD idea?
> >
> > One caveat: right now we have a Cisco firewall which routes between two
> > different switches for DMZ and internal. I realize a breach in Cisco
> > security would be a problem in BOTH situations.
>
> Seems that you already understand the issues. ;) The VLAN stuff *should*
> be fine, really.
>
> But how are you going to route stuff between the VLANs? Still need a
> router after all?
>
> --
> Darrin Chandler | Phoenix BSD Users Group
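The port-by-port lockdown James describes above (an explicit access or trunk mode on every port, DTP off, CDP and VTP off) can be checked mechanically against a running-config. The Python below is an added example, not code from the thread or from Cisco; it audits an IOS-style config for those items, plus the trunk settings the Yersinia write-ups warn about (native VLAN left at 1, native VLAN untagged, all VLANs allowed on the trunk) and the double-tagging precondition, an access port whose VLAN equals a trunk's native VLAN. Both configs inside it are constructed samples: the interface names and the VLAN numbers 10, 20 and 999 are assumptions, not the poster's Catalyst 4506 config, and the hardened sample moves the data VLANs off VLAN 1, which the thread's layout uses for internal servers.

```python
"""Audit an IOS-style running-config for the VLAN-hopping exposures the post
lists: ports left to DTP, CDP/VTP left on, trunks on native VLAN 1 or carrying
every VLAN.  Added example, not from the thread; both configs are constructed
samples (interface names and VLAN numbers are assumptions)."""
import re

WEAK_CONFIG = """\
vtp mode server
!
interface GigabitEthernet1/1
 switchport access vlan 1
!
interface GigabitEthernet1/2
 switchport mode trunk
!
"""

HARDENED_CONFIG = """\
no cdp run
vtp mode transparent
vlan dot1q tag native
!
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
"""


def parse_config(text):
    """Split a config into global lines and {interface: [sub-commands]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def _first(pattern, lines, default=None):
    """Capture group 1 of the first line matching pattern, else default."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return default


def audit(text):
    """Return sorted (scope, finding) pairs; an empty list means clean."""
    glob, ifaces = parse_config(text)
    out, access, natives = [], {}, {}
    if "no cdp run" not in glob:
        out.append(("global", "CDP enabled"))
    if not any(v in glob for v in ("vtp mode transparent", "vtp mode off")):
        out.append(("global", "VTP not transparent/off"))
    for name, lines in ifaces.items():
        mode = _first(r"switchport mode (\S+)", lines)
        if mode not in ("access", "trunk"):
            out.append((name, "no explicit switchport mode (DTP can negotiate a trunk)"))
        if "switchport nonegotiate" not in lines:
            out.append((name, "DTP not disabled"))
        if mode == "trunk":
            # IOS default native VLAN is 1 when none is configured.
            natives[name] = int(_first(r"switchport trunk native vlan (\d+)", lines, "1"))
            if natives[name] == 1:
                out.append((name, "trunk native VLAN is 1"))
            if _first(r"switchport trunk allowed vlan (.+)", lines) is None:
                out.append((name, "trunk allows all VLANs"))
            if "vlan dot1q tag native" not in glob:
                out.append((name, "native VLAN sent untagged"))
        else:
            # IOS default access VLAN is 1 when none is configured.
            access[name] = int(_first(r"switchport access vlan (\d+)", lines, "1"))
            if access[name] == 1:
                out.append((name, "data port on default VLAN 1"))
    # Double tagging needs an access port whose VLAN is a trunk's native VLAN.
    for name, vlan in access.items():
        for trunk, native in natives.items():
            if vlan == native:
                out.append((name, f"access VLAN {vlan} is native on trunk {trunk} (double-tagging path)"))
    return sorted(out)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"== {label}: {len(findings)} finding(s)")
        for scope, finding in findings:
            print(f"  {scope}: {finding}")
```

The parser only understands the handful of commands the checks look for, so feed it `show running-config` output and treat anything it reports as a starting point for the per-port review, not as proof the switch is clean; the point of the post stands that an unknown bug in the switch itself is outside what any config audit can see.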