http://www.ISAserver.org
-------------------------------------------------------

Go check out the IEEE papers on 802.1Q and decide for yourself. At no time is this mechanism discussed as a network security mechanism, although security ramifications and limitations are touched on. As Tom points out, this is a logical, not a physical, separation mechanism. If you take "logical isolation" as a security mechanism, then you must also believe that your employee agreements protect your company from the "wild admin" factor.

I see large, flightless birds in this discussion...

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
Sent: Friday, October 06, 2006 07:23
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: Layer 3 and Firewall

VLANs not a security mechanism? I suppose it depends on your definition of "security mechanism". Isolation of virtual broadcast domains seems like something that has security applications to me.

In any case, yes, I agree about "the administrator is a threat" being a bit overboard given the very purpose they serve. :)

For what it's worth though, here is a link to a VLAN Security White Paper published by Cisco for the 6500 series of switches. It contains VLAN Security Best Practices.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

Cordially yours,

Jerry G. Young II
Applications Engineer, Platform Engineering
Enterprise Hosting
NTT America, an NTT Communications Company
22451 Shaw Rd.
Sterling, VA 20166
Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Friday, October 06, 2006 12:39 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: FW: Layer 3 and Firewall
>
> While I agree with Tom that VLANs are a management, not a security,
> mechanism, the idea that "the administrator is a threat" is just plain
> stupid. If you're trying to mitigate threats created by your domain,
> network or application administrators, you've already lost the war -
> period. If you can't trust your network admin to not #$%^ up your VLAN
> structure with malicious intent, you need to review your interview
> processes.
>
> Can you use VLANs to logically segment your network within the same
> physical devices? Absolutely.
> Can you use this management mechanism to improve your network security?
> AbsoFreakinLutely Not; again - all you are doing with VLANs is both
> complicating and simplifying your network structure in the same effort.
>
> Did I do this within my own ISA test lab? Ask Tom - I had 11 separate
> networks all operating through a single ISA that only had two physical
> interfaces. ..but this deployment was only to logically isolate one
> test bench or rack from the rest and minimize malware effects. If I
> couldn't trust my network admin (me) to maintain segment separation,
> what the #$%$% is doing in this position?!?
>
> Quit trying to mitigate bad decisions with techniques; technology can't
> help you here.
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Thursday, October 05, 2006 6:38 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] FW: Layer 3 and Firewall
>
> Nice description on why you don't want to use VLAN segmentation as a
> security measure.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> -----Original Message-----
> From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
> On Behalf Of dubaisans dubai
> Sent: Thursday, October 05, 2006 1:32 AM
> To: pen-test@xxxxxxxxxxxxxxxxx
> Subject: Layer 3 and Firewall
>
> Is it a BAD idea to have multiple logical segments of a Firewall
> connected to the same physical switch?
>
> One of our customers has a Cisco 6509. All VLANs are Layer 2. The server
> segment and multiple User LANs are all terminated here on the same 6509.
> The default gateway for these Layer 2 VLANs is on the Checkpoint Firewall.
> So all access from UserLAN to server segment is through the Firewall
> rulebase.
>
> The threat I see is if the network switch administrator wants to bypass
> the Firewall, he can just disconnect the Firewall links and make the VLANs
> Layer 3 and there is no security. After malicious activities he can very
> well connect the Firewall and revert back to Layer 2.
>
> Is that a valid threat? Is it high risk? What controls are possible?
> Are multiple physical switches required?
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
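The original question asks what controls are possible when the switch carrying the Layer 2 VLANs could be reconfigured to route between them and bypass the firewall. One control that nobody in the thread spells out but that follows from Jerry's pointer to Cisco's VLAN best practices is configuration compliance monitoring: pull the running config of a switch that is supposed to be Layer 2 only and flag any change that creates a routing path (a VLAN interface with an IP address outside the management VLAN, or global IP routing). The following audit script is an added example, not code from the thread or from any of the posters; the sample config, the hostname and the allowed-VLAN set are constructed, and the function names are hypothetical.

```python
import re
from typing import Dict, List

# Constructed sample of an IOS-style running config (hypothetical, not from the thread).
# VLANs 10/20 are user LANs, VLAN 30 is the server segment; only VLAN 99 is allowed an
# SVI, for switch management. Here an SVI has appeared on VLAN 30 and routing is on, which
# is exactly the "make the VLANs Layer 3" change the original poster worries about.
SAMPLE_CONFIG = """\
!
hostname core-6509
!
ip routing
!
vlan 10
 name USER_A
vlan 20
 name USER_B
vlan 30
 name SERVERS
vlan 99
 name MGMT
!
interface Vlan30
 ip address 10.30.0.1 255.255.255.0
 no shutdown
!
interface Vlan99
 ip address 10.99.0.5 255.255.255.0
!
interface GigabitEthernet1/1
 description uplink to Checkpoint
 switchport mode trunk
!
"""

# VLAN IDs on which an SVI with an IP address is acceptable (management only). Assumption.
ALLOWED_SVI_VLANS = {99}


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return a map of interface name -> list of its indented sub-commands."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any global command ends the interface block
    return interfaces


def audit_layer2_only(config: str, allowed_svi_vlans=ALLOWED_SVI_VLANS) -> List[str]:
    """Findings for a switch that is expected to forward at Layer 2 only.

    Flags global 'ip routing' and any VLAN interface (SVI) carrying an IP address on a
    VLAN that is not in the allowed set, since each such SVI is a potential path that
    lets traffic between VLANs skip the firewall acting as default gateway.
    """
    findings: List[str] = []
    if re.search(r"^ip routing\s*$", config, re.MULTILINE):
        findings.append("global 'ip routing' is enabled")
    for name, lines in parse_interfaces(config).items():
        m = re.fullmatch(r"Vlan(\d+)", name, re.IGNORECASE)
        if not m:
            continue
        vlan_id = int(m.group(1))
        has_ip = any(cmd.startswith("ip address ") for cmd in lines)
        if has_ip and vlan_id not in allowed_svi_vlans:
            findings.append(
                f"interface {name} has an IP address (inter-VLAN routing path on VLAN {vlan_id})"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_layer2_only(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against a config backup taken on a schedule (or fed from a config-change syslog trigger), a non-empty result is the signal that someone has turned the Layer 2 switch into a router; the check does not stop the administrator, which is Jim's point, but it does make the change visible to someone other than the person who made it.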