[Gllug] A little OT: On the limits of VLANs

general_email at technicalbloke.com
Thu Apr 29 23:51:17 UTC 2010


Russell Tester wrote:
> Hi Roger,
>
> Sounds like what you really want is a Private VLAN configuration (or
> Protected Ports in the case of a single switch), where your hosts are
> configured as Isolated ports and your server is configured as a Promiscuous
> port.
>
> http://www.ciscosysteme.org/en/US/tech/tk389/tk814/tk840/tsd_technology_support_sub-protocol_home.html
>
> The advantage of this is the simplicity in the design that everything is on
> one subnet. Unfortunately I can't see anywhere in the manual for your switch
> that it supports this type of configuration :(.
>
> I'd highly recommend keeping this traffic off your production network, and
> isolate it from your server too. Put these machines into a series of VLANs
> that are on the outside of your firewall (what sort of firewall do you have,
> can it trunk 802.1q?), which has specified ports open inbound to your
> server.
>
> £0.02
> Russ.
>
>   
Hi Russ, thanks for your input. What you suggest sounds good and I'm
fairly sure I can approximate it with the trunking method; separate
subnets are no biggie for my app (I think!).

Also, I appreciate your advice to keep these dirty boxen off my networks,
but let me explain why I don't think that is a big problem. The machines
that are on the same VLANs as my server will never be deliberately
booted into the (potentially) infected OS; however, I still want
separation should that happen by accident, e.g. a power cut and the machine
boots back into Windows. Additionally, the server's built-in iptables firewall
will not permit anything to initiate a connection with it; it will only
make outgoing SSH connections, and only then to machines that have the
right SSL key, so I don't see any point in another layer of firewalling.

I also plan to have a few internet-only ports that I can connect live,
potentially infected systems to. These will be on their own separate
VLAN. The big question here is: can I really trust my switch to contain
these machines to their own VLAN and away from the VLANs my server and
personal machines are on?

Again, this is mostly academic. I don't seriously expect the crappy
malware on people's domestic and SOHO XP boxen to do anything as
sophisticated as VLAN hopping, but I'm curious to know if I would be
vulnerable (even potentially) and how I might mitigate it;
someday I may need to be more certain of these things.

Also, I was advised of a potential "MAC flooding" (?) attack that might
force a switch to fail over into a hub mode of operation. I'd also like
to check if my new switch is vulnerable to that attack. Any ideas what
it's actually called, or what tool(s) can create it?

Cheers,

Roger.
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
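The attack Roger asks about at the end of the message is usually called MAC flooding, or CAM table overflow; the classic tool for generating it is macof from the dsniff package. The Python model below is an added example, not part of the list thread and not code from anyone on the list. It simulates a learning switch with a small CAM table and per-VLAN forwarding to show three things: how filling the table makes the switch flood unknown-destination frames out of every port like a hub; why that flooding stays inside each VLAN, so a box on its own VLAN can degrade the privacy of other VLANs but cannot see their traffic through this attack alone; and how a port-security limit on learned source MACs stops it. The port/VLAN layout, the MAC addresses, the table size and the "shutdown" violation action are all constructed assumptions.

```python
"""Toy model of a learning switch (constructed example): MAC flooding,
its confinement to one VLAN, and port security as the mitigation."""

import os

CAM_CAPACITY = 64          # hypothetical tiny table; real switches hold thousands
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Hypothetical port -> VLAN map: ports 1, 2 and 4 are trusted hosts on VLAN 10,
# port 3 is the "dirty" box alone on its own VLAN 20.
PORTS = {1: 10, 2: 10, 4: 10, 3: 20}
MAC_A = "00:11:22:33:44:01"   # host on port 1 (constructed)
MAC_B = "00:11:22:33:44:02"   # host on port 2 (constructed)


class Switch:
    """Learning switch with a bounded CAM table shared across all VLANs.

    Forwarding is per VLAN: a frame only ever leaves via ports in the same
    VLAN as the port it arrived on, whatever the state of the CAM table.
    """

    def __init__(self, port_vlans, cam_capacity=CAM_CAPACITY, port_security_max=None):
        self.port_vlans = dict(port_vlans)          # port -> VLAN id
        self.cam = {}                               # (vlan, mac) -> port
        self.cam_capacity = cam_capacity
        self.port_security_max = port_security_max  # max source MACs per port; None = off
        self.secure_macs = {p: set() for p in port_vlans}
        self.err_disabled = set()

    def _learn(self, vlan, src, in_port):
        """Record src behind in_port. Returns False if port security shut the port."""
        if self.port_security_max is not None:
            seen = self.secure_macs[in_port]
            if src not in seen and len(seen) >= self.port_security_max:
                self.err_disabled.add(in_port)      # violation action: shutdown
                return False
            seen.add(src)
        key = (vlan, src)
        if key in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[key] = in_port
        # else: table is full, nothing is learned, the frame is still forwarded
        return True

    def forward(self, in_port, src, dst):
        """Deliver one frame; returns the set of egress ports it reaches."""
        if in_port in self.err_disabled:
            return set()
        vlan = self.port_vlans[in_port]
        if not self._learn(vlan, src, in_port):
            return set()
        out = self.cam.get((vlan, dst))
        if out is not None and out != in_port:
            return {out}
        # Unknown unicast or broadcast: flood to every other port in this VLAN only.
        return {p for p, v in self.port_vlans.items() if v == vlan and p != in_port}

    def age_out(self):
        """Simulate the CAM aging timer expiring (idle entries dropped)."""
        self.cam.clear()


def random_mac():
    """Locally administered random MAC, as a flooding tool would generate."""
    return "02:" + ":".join(f"{b:02x}" for b in os.urandom(5))


def mac_flood(switch, attacker_port, count):
    """Send `count` broadcast frames with random source MACs from attacker_port
    (what a flooding tool does); returns how many CAM entries now point at it."""
    for _ in range(count):
        switch.forward(attacker_port, random_mac(), BROADCAST)
    return sum(1 for port in switch.cam.values() if port == attacker_port)


def demo_without_port_security():
    """Returns (A->B before, A->B after flood, A->B after B replies,
    CAM size, whether the attacker port ever receives A's traffic)."""
    sw = Switch(PORTS)
    sw.forward(1, MAC_A, MAC_B)             # B unknown: flooded, A learned
    sw.forward(2, MAC_B, MAC_A)             # A known: unicast, B learned
    before = sw.forward(1, MAC_A, MAC_B)    # {2}: normal switching
    sw.age_out()                            # hosts go idle, entries expire
    mac_flood(sw, 3, 1000)                  # dirty box fills the shared table
    after = sw.forward(1, MAC_A, MAC_B)     # B can no longer be learned: flooded
    sw.forward(2, MAC_B, MAC_A)             # reply is flooded too, still not learned
    after_reply = sw.forward(1, MAC_A, MAC_B)
    return before, after, after_reply, len(sw.cam), 3 in after


def demo_with_port_security():
    """Same flood against a switch that limits every port to two source MACs."""
    sw = Switch(PORTS, port_security_max=2)
    learned = mac_flood(sw, 3, 1000)        # port 3 is shut after the third MAC
    sw.forward(1, MAC_A, MAC_B)
    sw.forward(2, MAC_B, MAC_A)
    return sw.forward(1, MAC_A, MAC_B), learned, 3 in sw.err_disabled, len(sw.cam)


if __name__ == "__main__":
    print("no port security:", demo_without_port_security())
    print("port security   :", demo_with_port_security())
```

In the first scenario the VLAN 10 hosts' unicast traffic ends up on every VLAN 10 port once the table is full, but never on port 3, because flooding is bounded by the VLAN; checking a real switch is the same experiment with macof on a spare port and a sniffer on a second port in the same VLAN and on one in a different VLAN. Where the switch supports it, a per-port MAC limit with a violation action is the usual mitigation. VLAN hopping (double tagging or switch spoofing) is a separate question governed by trunk-port configuration rather than the CAM table.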