> In reality, there are no remote-exploits available for VLAN hacking that I
> am aware of, nor any hacks I've ever heard of involving VLANs. Using two
> VLANs on one switch (correctly configured) is just as safe as using two
> separate switches. There are dozens of leading providers, ISPs, and web
> sites that do the VLAN separation.
Sorry, no. As recently as a year and a half ago Cisco was shipping
code for the Catalyst that would allow an attacker to hop vlans. Send
a packet with a vlan header on an untagged port, and the switch would
happily do what you told it to do. This bug has been closed, but it
was well known for quite some time.
Even today, using vlans for security is assuming that your vendor
& administrative staff doesn't make any mistakes. Would you be
willing to say that never happens?
This topic comes up on the firewall-wizards list again and again.
Disclosure: I'm using vlans, but I'm aware that there are risks and
am willing to accept them.
Also, most firewalls worth their salt are doing significantly more
than what an LB needs to do NAT; they actually police the flow,
keeping lots of state across multiple packets about tcp windows and
such. Many more sophisticated TCP attacks (e.g. session hijacks)
don't work across this sort of thing; first sign of trouble resets the
flow. Not that you need to be too worried about that for your web
server, but there are other places where it's more of a concern.
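The VLAN-hopping bug described in the reply above (a tagged frame arriving on an untagged access port, and the switch honouring the tag), shown as an added example that is not part of the original post and not Cisco's code. It builds a raw 802.1Q-tagged Ethernet frame with the standard library and feeds it to two hypothetical ingress policies: one that trusts the sender's tag, and one that pins an access port to its configured VLAN. The `Port` class, the two policy functions and the sample frames are all constructed for illustration; the "strict" policy is an assumed-correct behaviour, not a statement about any particular switch firmware.

```python
import struct

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, payload, vlan_id=None, ethertype=ETHERTYPE_IPV4):
    """Assemble an Ethernet frame, optionally inserting one 802.1Q tag.

    dst/src are 6-byte MAC addresses. With vlan_id set, the 4-byte tag
    (TPID + TCI) is placed between the source MAC and the EtherType, which is
    exactly where a trunk port expects to find it.
    """
    hdr = dst + src
    if vlan_id is not None:
        tci = vlan_id & 0x0FFF          # PCP = 0, DEI = 0, 12-bit VLAN ID
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_tag(frame):
    """Return (vlan_id or None, inner EtherType) from a raw frame."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, ethertype
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner


class Port:
    """Hypothetical switch port model (not any vendor's data structure)."""

    def __init__(self, mode, access_vlan=None, native_vlan=1, allowed=()):
        self.mode = mode                # "access" (untagged) or "trunk"
        self.access_vlan = access_vlan
        self.native_vlan = native_vlan
        self.allowed = set(allowed)     # VLANs a trunk is allowed to carry


def ingress_vlan_trusting(port, frame):
    """The flawed behaviour the post describes: whatever tag the frame
    carries wins, even on an untagged access port."""
    tag, _ = parse_tag(frame)
    if tag is not None:
        return tag
    return port.access_vlan if port.mode == "access" else port.native_vlan


def ingress_vlan_strict(port, frame):
    """Assumed-correct policy: an access port never lets the sender choose
    the VLAN; a trunk only honours tags it is configured to carry.
    Returns the VLAN the frame is forwarded in, or None if it is dropped."""
    tag, _ = parse_tag(frame)
    if port.mode == "access":
        if tag is None or tag == port.access_vlan:
            return port.access_vlan
        return None                     # tagged for a foreign VLAN: drop
    if tag is None:
        return port.native_vlan
    return tag if tag in port.allowed else None


# Constructed sample traffic: an attacker plugged into an access port in
# VLAN 10 injects a frame tagged for VLAN 20, the other side of the "separation".
_MAC_BCAST = bytes.fromhex("ffffffffffff")
_MAC_ATTACKER = bytes.fromhex("020000000001")
_PAYLOAD = b"\x45" + b"\x00" * 19       # placeholder IPv4 header, constructed

ATTACKER_PORT = Port("access", access_vlan=10)
TRUNK_PORT = Port("trunk", allowed=(10, 20))
HOPPING_FRAME = build_frame(_MAC_BCAST, _MAC_ATTACKER, _PAYLOAD, vlan_id=20)
NORMAL_FRAME = build_frame(_MAC_BCAST, _MAC_ATTACKER, _PAYLOAD)


def demo():
    """VLAN each policy assigns to the hopping frame and a normal frame."""
    return {
        "trusting_hop": ingress_vlan_trusting(ATTACKER_PORT, HOPPING_FRAME),
        "strict_hop": ingress_vlan_strict(ATTACKER_PORT, HOPPING_FRAME),
        "trusting_normal": ingress_vlan_trusting(ATTACKER_PORT, NORMAL_FRAME),
        "strict_normal": ingress_vlan_strict(ATTACKER_PORT, NORMAL_FRAME),
        "strict_trunk": ingress_vlan_strict(TRUNK_PORT, HOPPING_FRAME),
    }


if __name__ == "__main__":
    for name, vlan in demo().items():
        print(f"{name}: {'dropped' if vlan is None else 'VLAN ' + str(vlan)}")
```

The trusting policy forwards the crafted frame into VLAN 20 straight from a VLAN 10 access port, which is the whole point of the post: the separation only holds while every vendor and every administrator gets the ingress rule right. The strict policy drops the same frame but still accepts the identical tag on a trunk where VLAN 20 is allowed.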
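The contrast the reply draws between a load balancer's NAT table and a stateful firewall that "polices the flow", shown as an added example that is not part of the original post and not any product's code. Both classes below are simplified models written for illustration: `NatOnly` forwards anything whose 5-tuple it has seen, while `StatefulFirewall` tracks each side's next expected sequence number and advertised window and tears the flow down on the first out-of-window segment. The packet format, the sample handshake and the spoofed "hijack" segment are all constructed; the window rule is an assumed simplification of what a real TCP-aware firewall does.

```python
from dataclasses import dataclass


@dataclass
class Pkt:
    """Constructed stand-in for a TCP segment (no real parsing here)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # subset of "SAFR", e.g. "S", "SA", "A"
    seq: int
    ack: int
    win: int = 65535    # advertised receive window
    length: int = 0     # payload bytes


@dataclass
class Side:
    next_seq: int       # next sequence number expected from this endpoint
    win: int            # window this endpoint last advertised


def _key(p):
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class NatOnly:
    """Load-balancer style: once a 5-tuple is known, forward anything
    carrying it, sequence numbers unchecked."""

    def __init__(self):
        self.table = set()

    def handle(self, p):
        if p.flags == "S":
            self.table.add(_key(p))
        return "forward" if _key(p) in self.table else "drop"


class StatefulFirewall:
    """Flow policing: learn both ISNs from the handshake, then require every
    later segment to overlap the peer's window and ack nothing unsent."""

    def __init__(self):
        self.flows = {}

    def handle(self, p):
        key, me, them = _key(p), (p.src, p.sport), (p.dst, p.dport)
        if p.flags == "S":
            self.flows[key] = {me: Side(p.seq + 1, p.win)}
            return "forward"
        flow = self.flows.get(key)
        if flow is None:
            return "drop"                       # no handshake seen
        if me not in flow:                      # expecting the SYN-ACK
            if p.flags == "SA" and p.ack == flow[them].next_seq:
                flow[me] = Side(p.seq + 1, p.win)
                return "forward"
            self.flows.pop(key)
            return "reset"
        mine, peer = flow[me], flow.get(them)
        if peer is None:
            return "drop"                       # handshake not finished
        lo, hi = mine.next_seq, mine.next_seq + peer.win
        in_window = p.seq < hi and p.seq + max(p.length, 1) > lo
        ack_ok = p.ack <= peer.next_seq
        if not (in_window and ack_ok):
            self.flows.pop(key)                 # first sign of trouble
            return "reset"
        mine.next_seq = max(mine.next_seq, p.seq + p.length + ("F" in p.flags))
        mine.win = p.win
        return "forward"


# Constructed trace: a normal handshake plus data, then a segment spoofed from
# the client's address with a guessed (wrong) sequence number, then a real one.
C, S = ("10.0.0.5", 40000), ("10.0.0.80", 80)
TRACE = [
    Pkt(*C, *S, "S", seq=1000, ack=0),
    Pkt(*S, *C, "SA", seq=5000, ack=1001),
    Pkt(*C, *S, "A", seq=1001, ack=5001),
    Pkt(*C, *S, "A", seq=1001, ack=5001, length=100),
    Pkt(*C, *S, "A", seq=999999, ack=5001, length=10),   # hijack attempt
    Pkt(*C, *S, "A", seq=1101, ack=5001, length=10),     # legitimate follow-up
]


def demo():
    """Verdict of each model for every segment in TRACE, in order."""
    nat, fw = NatOnly(), StatefulFirewall()
    return [(nat.handle(p), fw.handle(p)) for p in TRACE]


if __name__ == "__main__":
    for p, (n, f) in zip(TRACE, demo()):
        print(f"{p.flags:2} seq={p.seq:<7} nat={n:8} firewall={f}")
```

The NAT table forwards the out-of-window segment because the 5-tuple matches, exactly the "lb does NAT" case. The stateful model resets the connection instead, and because the flow state is gone, the client's next legitimate segment is dropped too: that is what "first sign of trouble resets the flow" costs, and why the reply calls it more of a concern in some places than for a web server.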
This archive was generated by hypermail 2b30 : Wed Feb 28 2001 - 17:45:38 EST