Network World
Saturday, November 22, 2008
DNSstuff.com
Get information about your IP
IP Information
50+ On-demand DNS and network tools

Andabatae

NetworkWorld.com > Community > Andabatae

Navigation

The Leaky VLANs myth?

By ronaldxbartels on Fri, 08/08/2008 - 8:32am.
I have often encountered the myth that VLANs are insecure and should not be used. People who state this proceed to buy a separate switch for each LAN that they deploy. Great commission for the salesman, but bad for the business paying the premium for the extra tin!
A closer questioning of this reasoning exposes the myth that these people believe VLANs leak. My perception is that the root of this myth is a poor analysis done yonks ago and published on SANS, Intrusion Detection FAQ: Are there Vulnerabilities in VLAN Implementations? VLAN Security Test Report. This dated reports states as a recommendation: "Try not to use VLANs as a mechanism for enforcing security policy. They are great for segmenting networks, reducing broadcasts and collisions and so forth, but not as a security tool." This report is used as the basis of many flawed recommendations, see this thread. VLANs are a security tool but they are not an exclusive security tool!
VLANs are not an alternative to a firewall. Duh! VLANs are not an alternative to a router either. Duh! Firewalls (or routers) are not an alternative to VLANs. Duh! But not using VLANs, period, is short sighted and flawed. Not using VLANs is a larger risk than actually using them! Without using VLANS, it is not possible to implement a reasonably secure network design. Security is in the design and configuration, not the components! VLANs don't leak and I challenge any security bunnies out there, to provide documented proof of a successful exploit!
Permalink
Tags:

Wrong

Useful answer?
0
By Anon (not verified) on Thu, 09/11/2008 - 8:26am.

Dream on there are plenty.
I will get more docs..

http://www.spirentcom.com/documents/4845.pdf
http://en.wikipedia.org/wiki/VLAN_hopping
http://www.itsyourip.com/Security/vlan-hopping-layer-2-security-exploit-bypass-layer-3-security/

False assumptions

Useful answer?
0
By ronaldxbartels on Thu, 09/11/2008 - 10:24pm.

There are many false assumptions made in these articles:
* VLANs are used with dynamic trunking. This is incorrect as DTP can be disabled and VLANs still used.
* Switch vendors donĀ“t update their firmware to address known vulnerabilities.
The fundamental issue is that even if the the myth was true it can not be exploited remotely. It would require local physical assess.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <i> <b> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <blockquote> <br /> <br> <p>
  • Lines and paragraphs break automatically.
  • You can use BBCode tags in the text.
  • Web page addresses and e-mail addresses turn into links automatically.

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.

About Ronald Bartels

Ronald is an IT firefighter who enjoys the thrill of solving and analyzing problems. He was painted into a corner to become an IT firefighter because as a network engineer he quickly learned that everyone blamed the network, when there was a problem. He now works in the field of infrastructure architecture and service management.

RSS feed XML feed

Bartels's archive.

Advertisement: