
How secure are VLANS ?

mcroft
Level 1

Hi,

I am designing a network using the PIX with a DMZ.

i.e. Outside, Inside and a middle interface ... simple.

For maximum security I understand I should use 3x "separate" switches (for physical security!).

For cost, it would be nice to use the same Ethernet switch and implement VLANs, i.e. vlan1, vlan2 and vlan3.

I have to weigh cost against security risk. Is it a realistic threat that a hacker can jump VLANs by messing with Ethernet/ISL headers?

All comments are welcome and appreciated. Thanks

Matt C,

4 Replies

mikegallagher
Level 1

There was a bug a while ago in Cisco switches that would allow VLAN jumping, but that has been fixed for some time now. Personally, I would never use a VLAN'd switch for the inside, outside, and DMZ. But if you have to, just stay away from using the native VLAN on the switch. Keep in mind, you can get 24-port switches for under $1k now.

HTH,

Mike

shannong
Level 4

A malicious user can cause frames to hop from one VLAN to another depending on the configuration of the switch. This isn't a bug, but rather the result of the dot1q standard and all vendors have this "problem".

As mentioned, don't use native VLANs to carry any traffic, and don't provide any trunked ports to any devices. This will mitigate the concerns with VLANs themselves.

The other problem is that a malicious user in the DMZ or on the Outside can hack at the switch itself to gain admin access. If this happens due to poor security configuration of the switch as a host, the attacker could simply move the port of another device on the switch that was formerly in the DMZ/Outside into the Inside VLAN, giving full access.

The last problem is that human errors in configuration carry a high risk of creating new problems. With three switches, this isn't a concern, as each network segment is both logically and physically separate.

Cisco even has 8-port switches now that are cheap. It's hard to make an argument these days for using one switch for all three purposes.

Thanks for all your help guys.

Your comments are much appreciated.

baileja
Level 1

Just a quick note on the VLAN hopping security risks mentioned. These are mitigated by shutting down VLAN 1. VLAN hopping uses VLAN 1 to inject packets onto other VLANs.
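As an added check that is not part of the original thread and not a Cisco tool, the script below audits an IOS-style running-config for the two switch-side exposures shannong lists (a native VLAN that carries traffic, and end-device ports that could become trunks) together with the VLAN 1 point baileja raises. The sample configs, port names and the rule set are assumptions for illustration; the commands it recommends (`switchport mode access`, `switchport nonegotiate`, `switchport trunk native vlan`) are standard IOS switchport commands. It generalizes the VLAN 1 advice slightly: the double-tagging hop rides on whatever native VLAN the trunk uses (VLAN 1 only by default), so the check flags any native VLAN that is also used as an access VLAN, not just VLAN 1.

```python
"""Audit an IOS-style switch config for the VLAN-hopping exposures discussed
in the thread. Added example; not code from the original posts or from Cisco."""
import re
from dataclasses import dataclass

# Constructed sample config (not from the thread): a trunk uplink left on the
# default native VLAN 1, an inside host also in VLAN 1, a DMZ port with no
# explicit mode, and one port configured the way the thread recommends.
WEAK_CONFIG = """\
interface GigabitEthernet0/1
 description uplink
 switchport mode trunk
 switchport trunk allowed vlan 1-3
!
interface GigabitEthernet0/2
 description inside-host
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/3
 description dmz-host
 switchport access vlan 3
!
interface GigabitEthernet0/4
 description outside-router
 switchport access vlan 2
 switchport mode access
 switchport nonegotiate
!
"""

# Same switch, corrected: unused native VLAN on the trunk, every end-device
# port forced to access mode with DTP disabled, nothing left in VLAN 1.
HARDENED_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,3
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport access vlan 3
 switchport mode access
 switchport nonegotiate
!
"""


@dataclass
class Port:
    name: str
    mode: str = "unset"      # "access", "trunk", "dynamic" or "unset"
    access_vlan: int = 1     # IOS default access VLAN is 1
    native_vlan: int = 1     # IOS default trunk native VLAN is 1
    nonegotiate: bool = False


def parse_config(text):
    """Minimal parser for the interface/switchport lines the audit needs."""
    ports, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = Port(m.group(1))
            ports.append(current)
        elif current is None:
            continue
        elif m := re.match(r"switchport mode (access|trunk|dynamic)", line):
            current.mode = m.group(1)
        elif m := re.match(r"switchport access vlan (\d+)$", line):
            current.access_vlan = int(m.group(1))
        elif m := re.match(r"switchport trunk native vlan (\d+)$", line):
            current.native_vlan = int(m.group(1))
        elif line == "switchport nonegotiate":
            current.nonegotiate = True
    return ports


def audit(ports):
    """Return (port, finding) pairs. Rules follow the thread's advice: keep the
    native VLAN free of traffic and never let an end-device port trunk."""
    findings = []
    access_vlans = {p.access_vlan for p in ports if p.mode != "trunk"}
    for p in ports:
        if p.mode == "trunk":
            if p.native_vlan == 1:
                findings.append((p.name, "trunk uses default native VLAN 1"))
            if p.native_vlan in access_vlans:
                findings.append((p.name, f"native VLAN {p.native_vlan} also carries access ports"))
        else:
            if p.mode != "access":
                findings.append((p.name, f"mode '{p.mode}' may negotiate a trunk; set 'switchport mode access'"))
            if not p.nonegotiate:
                findings.append((p.name, "DTP not disabled; add 'switchport nonegotiate'"))
            if p.access_vlan == 1:
                findings.append((p.name, "end device placed in VLAN 1"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for port, msg in audit(parse_config(cfg)):
            print(f"{port}: {msg}")
```

The native VLAN must match on both ends of the trunk, so the same unused VLAN (999 in the assumed config) has to be set on the far switch as well. This check only covers the frame-level hop; it says nothing about shannong's second point, management access to the switch from the DMZ or Outside, which is a separate hardening exercise.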