VLANs & DMZs

roberto

I understand that it is considered a less than 'best practice' to use
a few ports in a VLAN-able switch matrix to "logically" isolate a DMZ
from the private network. The better practice is to "physically"
isolate the DMZ by putting it on a completely separate piece of switch
hardware not related to the VLAN-able devices. I've reviewed some
white papers but none have been terribly specific about this. There
is a comment recommending the better practice in my GSEC study
material but no references beyond a year 2000 document alluding to
VLAN Hopping. Can any of you point me to a good source or two that
document good rationale for the better practice? It looks and sounds
perfectly logical to me - but that may not be forceful enough in this
work environment.

Thanks.

roberto

Steve Clark [MSFT]

VLANs are *not* security constructs: they are management constructs.
Somewhere about 1996 people saw that they could put ACLs on them and thus
they started treating them as if they were security boundaries.

Ettercap renders all that rot practically meaningless.

However, it is considered to be best practice to implement VLANs of the same
security posture on the same switch, i.e., you don't have a highly secure
VLAN and a less secure VLAN on the same switch, because the lowest common
denominator is the security posture on that device (in this case, less
secure).

Also, physical isolation implies that there will be no communications
between the two connected networks/devices. The US does this for DoD
networks by having a separate, highly secure classified network (SIPRNET)
and an internet-connected (and therefore vulnerable) network called NIPRNET.
These networks are physically separated.

If you want the maximum amount of logical isolation, use packet filters on
the network edge, along with layer 7 aware firewalls. Use IPsec transport
mode to protect hosts on the inside and use L2TP/IPsec for VPN connectivity.

That's about as strong of a DiD approach on a network as current technology
provides. Beyond this, you start talking about extreme physical security,
and other methods...

Steven L Umbach

I am not an expert on switches and VLANs but it seems to me that usually you
want at least some access to computers on a DMZ from the LAN network based
on what you have configured for firewall rules, even if it is just to manage
computers in the DMZ. A firewall would certainly be a better option and
there are very reasonably priced ones available. If a computer on the DMZ is
compromised, then at the very least your switch could be subject to denial
of service attacks that may impact the whole network that uses that switch.
If the switch is compromised then the whole network may go down or be
subject to attacks from the DMZ computer. I don't know of a good link
offhand. --- Steve

Michael Pelletier

Steven said:
I am not an expert on switches and VLANs but it seems to me that usually
you want at least some access to computers on a DMZ from the LAN network
based on what you have configured for firewall rules, even if it is just to
manage computers in the DMZ. A firewall would certainly be a better option
and there are very reasonably priced ones available. If a computer on the
DMZ is compromised, then at the very least your switch could be subject to
denial of service attacks that may impact the whole network that uses that
switch. If the switch is compromised then the whole network may go down or
be subject to attacks from the DMZ computer. I don't know of a good link
offhand. --- Steve

Only true if the switch has a management IP stack. The trick is NOT to use
one (if you are ultra paranoid) or, if you use one, to filter out all
unnecessary traffic. In other words, only allow one IP address to connect
to the management TCP/IP stack on the switch. It is important to realize
that most switches view the management TCP/IP stack as secondary to
switching packets in terms of importance. In other words, DoSing a switch's
management TCP/IP stack should not/will not bring the switch down.... To do
fun things like that try ARP cache poisoning... won't bring the switch down
but it will really screw up everything on the DMZ... ;-)

Also, do things right. Get a firewall. Use physically separated DMZs. If you
do not have enough interfaces on your firewall then group your servers by
likeness and use VLANs (each VLAN would be a group of like servers) with
the default router being the firewall...

VLAN "Hopping" I would not worry about since the switch will either use
tagging or trunking. In either case, this should be the least of your
problems if you do not have a real firewall....

Michael
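As an added example (not code from anyone in this thread), a small Python audit that applies two rules from the posts above to a constructed switch inventory: Steve Clark's point that a switch's effective security posture is the weakest one among its VLANs, and the advice here to let only one address reach a switch's management stack. The posture labels, switch names and addresses are constructed sample values.

```python
"""Audit a switch/VLAN inventory against two rules from the thread: (1) a switch
carrying VLANs of differing security postures protects all of them only to the
level of the weakest one; (2) a switch with a management IP stack should admit
exactly one address to it. Inventory below is constructed, not a real network."""
from dataclasses import dataclass, field

POSTURE_RANK = {"public": 0, "dmz": 1, "internal": 2}  # hypothetical labels, weakest first

@dataclass
class Vlan:
    vlan_id: int
    name: str
    posture: str  # a key of POSTURE_RANK

@dataclass
class Switch:
    name: str
    vlans: list
    mgmt_allowed_from: list = field(default_factory=list)  # empty = no mgmt stack

def effective_posture(switch):
    """The weakest posture on the device is the one every VLAN on it inherits."""
    return min((v.posture for v in switch.vlans), key=POSTURE_RANK.__getitem__)

def audit_switch(switch):
    """Return findings for one switch; an empty list means compliant."""
    findings = []
    weakest = effective_posture(switch)
    for v in switch.vlans:
        if POSTURE_RANK[v.posture] > POSTURE_RANK[weakest]:
            findings.append(f"VLAN {v.vlan_id} ({v.name}, {v.posture}) shares "
                            f"{switch.name} with a {weakest} VLAN; effective posture is {weakest}")
    if len(switch.mgmt_allowed_from) > 1:
        findings.append(f"management stack of {switch.name} reachable from "
                        f"{len(switch.mgmt_allowed_from)} addresses; restrict it to one")
    return findings

def audit(inventory):
    """Audit every switch; returns {switch name: findings}."""
    return {sw.name: audit_switch(sw) for sw in inventory}

# Constructed sample: a clean core switch, a mixed-posture edge switch with an
# over-exposed management stack, and an unmanaged DMZ-only switch.
SAMPLE_INVENTORY = [
    Switch("core-1", [Vlan(10, "users", "internal"), Vlan(20, "servers", "internal")],
           ["10.0.0.5"]),
    Switch("edge-1", [Vlan(10, "users", "internal"), Vlan(100, "dmz-web", "dmz")],
           ["10.0.0.5", "10.0.0.6"]),
    Switch("dmz-sw", [Vlan(100, "dmz-web", "dmz"), Vlan(110, "dmz-mail", "dmz")]),
]
```

Running `audit(SAMPLE_INVENTORY)` flags only `edge-1`: its `users` VLAN is demoted to DMZ posture by sharing the device, and its management stack is reachable from two addresses.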

Michael Pelletier

Steve said:
VLANs are *not* security constructs: they are management constructs.
Somewhere about 1996 people saw that they could put ACLs on them and thus
they started treating them as if they were security boundaries.

Ettercap renders all that rot practically meaningless.

However, it is considered to be best practice to implement VLANs of the same
security posture on the same switch, i.e., you don't have a highly secure
VLAN and a less secure VLAN on the same switch, because the lowest common
denominator is the security posture on that device (in this case, less
secure).

Also, physical isolation implies that there will be no communications
between the two connected networks/devices. The US does this for DoD
networks by having a separate, highly secure classified network (SIPRNET)
and an internet-connected (and therefore vulnerable) network called
NIPRNET. These networks are physically separated.

Yes, this is true. Also the DOE and Air Force segment by security
levels... not that I would know or anything ;-)

If you want the maximum amount of logical isolation, use packet filters on
the network edge, along with layer 7 aware firewalls. Use IPsec transport
mode to protect hosts on the inside and use L2TP/IPsec for VPN
connectivity.

That's about as strong of a DiD approach on a network as current technology
provides. Beyond this, you start talking about extreme physical security,
and other methods...

There is more but, for what he is doing, probably overkill...

Michael

Steve Clark [MSFT]

I've not yet heard of a switch that uses VLANs that isn't managed....

Most managed switches will drop packets if you DoS them and not forward
them.... They are concentrating traffic onto a single backplane, which is
why switches typically have high-speed backplanes.