Are VLANs safe in DMZ environment?

The Thinking problem management! blog had an interesting article on The Leaky VLANs myth, quoting a test report from SANS Institute that documents how you can inject frames into other VLANs even if you're not connected to a trunk port. The report is eight years old (so one would hope this issue has been fixed in the meantime), but there's another question you should ask yourself is: what happens when you lose the configuration of the switch (and I've seen devices losing configuration after a power glitch). If you're using a router to perform L3 switching, no harm is done; a router with empty configuration forwards no packets. But if you're using a low-end switch, you're in deep trouble; by default, a switch forwards packets between all ports ... and if you use static IP addresses on all subnets, you won't even notice they're connected. If you want to be very safe, you're better off having a different set of switches for the inside and the outside zones of your firewall.

7 comments:

  1. Not to mention that if the switch gets compromised, you've just handed over the keys to your network. Anything outside the firewall needs to be just that - outside the firewall.

    ReplyDelete
  2. I wouldn't call Vlan leaking a myth. At one time it was a very real and serious vulnerability that was exploited by overflowing the capacity of the switch you were attacking, and causing it to "downgrade" from switch to a hub.

    As you mentioned though, this is 8 years ago. Most switches have evolved to the point where backplanes far exceed the traffic that could ever be injected into their switchports.

    Even beyond backplane enhancements there are many ways to further firm up your security stance - Virtual Device Contexts, Not using Layer 3 SVI's on a DMZ VLAN, utilizing PVLANs, using port security, and many more.

    I think the real question is not "are VLANs safe in a DMZ" I think the question is have you mitigated the risk of compromise to levels that are acceptable to your business. This question remains whether you have a standalone switch or not.

    --Colin

    ReplyDelete
  3. I have had many arguments about the use of VLANs on DMZ switches. It always cracks me up, as more often than not the provider in lots of cases delivered the WAN/Internet service via a cisco switch that... used VLANs.

    Though a lot of effort was often put in to separating zones and DMZs, through the use of dedicated and separated switches. I often thought it was a bit of a waste of effort, as often the WAN and Internet service were separated by the Telco/Service Provider by nothing more than a Virtual CCT or VLAN etc.. ie both types of traffic were delivered over the same physical connection.

    The times I have pointed this out to the security "architects" they could not see or understand my point. It was there belief that the Telco would never make mistakes or incorrectly configure the service securely. It still cracks me up.

    It is my opinion that as long as you use the full suite of tools available to you (as mentioned by the previous comment) and you pro-actively monitor and manage the infrastructure, then VLANs are OK.

    ReplyDelete
  4. Mike, I am glad that I wasn´t the only one cracking up on this issue.
    Ivan, I don´t agree with your analysis of a switch wipe being a justifiable reason:
    * A DMZ would not be a single switch install as it would be aggregated over at least two switches for resilience. It is not possible to have one of switch fail and not know about it.
    * The assumption with a switch failure as you described would mean no management or monitoring. Such a crime, in my opinion, would be a mandatory removal of the responsible engineer´s Cisco cert.
    * Good practice would be to have multiple DMZs. As a minimum at least two to separate processing and data. Since the DMZ connections are via a firewall, the only method to enable this configuration is via dot1q. If the firewall was using dot1q the scenario as described would not be possible.

    ReplyDelete
  5. @mikes: That's one of the reasons why some customers of ours use IPSec on top of SP MPLS VPN offering :)

    ReplyDelete
  6. In a big/enterprise environment mixing two vlans in a DMZ switch is only a fat finger away. Load Balancing module does even NOT need a fat finger since without carefull management you get a packet from balanced server to routing-neraest VLAN and not the client-nearest.

    ReplyDelete
  7. When you have multiple switches from different brands (cisco and dell for instance) it is not easy to roll out your DMZ vlan's over the whole network. Time consuming it is and it requires a lot of documentation. To reduce human error and stay time efficient it might be better to get real switches instead of a vlan. Plus the security doesnt have to get configured in a lot of ways.

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.