* Adam Thompson <athom...@athompso.net> [2014-06-23 07:20]:
> On 14-06-21 01:03 PM, Chris Cappuccio wrote:
> >Adam Thompson [athom...@athompso.net] wrote:
> >>Yes, OT... But unless you've chosen to do something silly (like enabling 
> >>MVRP, or blindly allowing all VLANs to an untrusted host) saying "VLANs 
> >>aren't secure" is about as useful as "ICMP isn't secure".
> >>Please explain how VLANs are not secure when you have control of the 
> >>devices on both ends of an 802.1Q-tagged link?  That's no more or less 
> >>secure than having multiple links to a switch running un-tagged ports on 
> >>different VLANs.  Or are you saying I should have a separate physical 
> >>switch for each subnet?
> >This is well documented by security researchers who were proving these
> >bugs at the time. And this was some 14 years ago. If you're still using
> >a 14+ year old switch that hasn't failed by now, (even a nice, high-end
> >one) you are doing better than many others. Realize that these issues
> >were taken fairly seriously by vendors because vlans were being used
> >as a security mechanism.
> Henning already described it best as "last century's myths".
> Technically this isn't actually a myth: I know that some VLAN-hopping bugs
> did exist, but they've been long-since squashed.  Which is why I compared it
> to the "ICMP is evil" dogma... perhaps a better comparison would be the
> "autonegotiation is evil" dogma, which also was true back in the days of
> Cisco 2900XLs with their (ahem) interesting implementation of 802.3u's
> autonegotiation clause.
> The correct response to that today isn't "don't use autonegotiation", it's
> "don't use Cisco 2900XL switches".

I'd really say "don't use cisco switches" - pick any vendor who gives
at least a little about quality.

> The correct response to VLAN security concerns today isn't "don't use VLANs
> for security", it's "use Cisco/Juniper switches if possible, or at least
> tier-2 gear, and implement mitigation techniques".

The answer is NOT "use cisco/juniper", the answer is really "anything
reasonable". I can't really judge on the plastic boxes ("SOHO") since
I just don't really have experience with that kind of gear, but even
those should get that right these days.

The VLAN hopping bugs really were from the early days when vendors
tried to quickly bolt-on vlan support after the fact, some screwed that
up royally.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/