: >
: >> >Have there been any recent vulns relating to VLANs at layer 2?
: >> >
: >>
: >> Haven't noted anything which wasn't down to ignoring the hardening
: >> guidelines.
: >>
: >
: >Me either, yet one of our security analysts always touts this as a BAD idea.
: I've met and had the misfortune to work with that type before.
Based on past information and some previous vulnerabilities, there is always going to be a theoretical possibility that some vulnerability might be discovered to breach the VLAN separation.
So, in the best of all worlds, you should place each security zone on a physically separate switch.
In practical terms this is usually not a cost-effective approach. Using VLAN security and placing multiple VLANs on the same switch, including different zones, is IMHO an acceptable risk.
I still air gap the external zones from all internal and DMZ zones. Because there is that low probability risk that a switch might be compromised I feel it is better to not introduce the possibility that a future vuln might allow external users to totally bypass the perimeter.
: >Yet when challenged can never cite an example of a vuln.
: >It's that kind of thinking that drives me nuts.
: He shouldn't be in a position to dictate policy if he cannot support his
: arguments.
Exactly right. There is a theoretical vuln to this, but to act on it in most cases without hard, specific arguments as to why it becomes an actual risk in the user's environment should not happen.
: >You have a 48-port switch
: >but can't use it because of some layer 2 VLAN risk! What risk?
: As long as you don't mix trust levels, the notion of some unnamed 'risk' is
: nonsense.
Not nonsense, but a risk that needs to be mentioned and then documented as to why the risk is not large enough to take action. Because this 'vulnerability' exists in the minds of so many people, especially auditors, you cannot simply hand-wave it away as nonsense. All you need to do is explain why it is a low-probability vuln and no action needs to be taken.
If a security analyst does not mention the risk, they are derelict in their job. However, as you have stated, to prohibit without doing an assessment of the actual risk to the organization is dumb. There is a bit too much of this type of FUD being seen and acted upon.
: greg
Richard H. Miller, MCSE, CCSE+
Information Security Manager
Information Technology Security and Compliance
Information Technology - Baylor College of Medicine
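The policy the thread converges on ("don't mix trust levels", "air gap the external zones from all internal and DMZ zones", and write down the accepted risk for everything else) is easy to check mechanically once you have a port-to-VLAN inventory. The script below is an added example, not code from the thread or from any of its participants; the switch inventory, the VLAN-to-zone map and the zone trust levels are constructed sample data, and the three finding labels (`violation`, `accepted-risk`, `clean`) are this example's own naming.

```python
"""Audit a switch inventory for chassis that carry VLANs from several trust zones.

Added, constructed example. Encodes the policy from the discussion above:
an external zone must sit on a physically separate switch (any sharing is a
violation), while other zones may share a chassis as an accepted risk that
should be documented rather than hand-waved away.
"""
from collections import defaultdict

# Assumed zone -> trust level (constructed). Lower number = less trusted.
ZONE_TRUST = {
    "external": 0,
    "dmz": 1,
    "internal": 2,
}

# Assumed VLAN id -> zone mapping (constructed sample data).
VLAN_ZONE = {
    10: "external",
    20: "dmz",
    30: "internal",
    31: "internal",
}

# Constructed sample inventory: switch -> {port: access VLAN}.
INVENTORY = {
    "edge-sw1": {"Gi0/1": 10, "Gi0/2": 10, "Gi0/3": 20},  # external + DMZ: violation
    "core-sw1": {"Gi0/1": 20, "Gi0/2": 30, "Gi0/3": 31},  # DMZ + internal: accepted risk
    "core-sw2": {"Gi0/1": 30, "Gi0/2": 31},               # internal only: clean
}


def zones_per_switch(inventory, vlan_zone):
    """Return {switch: {zone: sorted VLAN ids}}; an unmapped VLAN is an error,
    because a VLAN nobody has assigned to a zone cannot be risk-assessed."""
    result = {}
    for switch, ports in inventory.items():
        zones = defaultdict(set)
        for port, vlan in ports.items():
            zone = vlan_zone.get(vlan)
            if zone is None:
                raise ValueError(f"{switch} {port}: VLAN {vlan} has no zone assigned")
            zones[zone].add(vlan)
        result[switch] = {z: sorted(v) for z, v in zones.items()}
    return result


def audit(inventory, vlan_zone=VLAN_ZONE, air_gapped=("external",)):
    """Classify each switch.

    'violation'     : an air-gapped zone shares the chassis with any other zone
    'accepted-risk' : two or more non-air-gapped zones share the chassis
    'clean'         : a single zone on the chassis
    """
    findings = {}
    for switch, zones in zones_per_switch(inventory, vlan_zone).items():
        present = set(zones)
        if len(present) > 1 and any(z in present for z in air_gapped):
            findings[switch] = "violation"
        elif len(present) > 1:
            findings[switch] = "accepted-risk"
        else:
            findings[switch] = "clean"
    return findings


def report(inventory, vlan_zone=VLAN_ZONE, zone_trust=ZONE_TRUST):
    """One line per switch, zones listed lowest-trust first so a reviewer
    sees the least trusted neighbour on the chassis immediately."""
    findings = audit(inventory, vlan_zone)
    lines = []
    for switch, zones in zones_per_switch(inventory, vlan_zone).items():
        ordered = sorted(zones, key=lambda z: zone_trust[z])
        detail = ", ".join(
            f"{z}(VLAN {','.join(map(str, zones[z]))})" for z in ordered
        )
        lines.append(f"{switch}: {findings[switch]:13} {detail}")
    return lines


if __name__ == "__main__":
    for line in report(INVENTORY):
        print(line)
```

The `accepted-risk` output is the list a security analyst would attach to the risk acceptance write-up; the `violation` output is the one case the thread agrees should actually be fixed by moving the zone to its own switch.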