
As per title, why do people tell me not to use VLANs for security purposes?

I have a network where I have a couple of VLANs. There is a firewall between the 2 VLANs. I am using HP ProCurve switches and have made sure that switch-to-switch links accept tagged frames only and that host ports don't accept tagged frames (they are not "VLAN aware"). I've also made sure that the native VLAN (PVID) of the trunk links is not the same as either of the 2 host VLANs. I've also enabled "Ingress Filtering". Furthermore, I've made sure that host ports are only members of a single VLAN, which is the same as the PVID of the respective port. The only ports which are members of multiple VLANs are the trunk ports.

Can someone please explain to me why the above isn't secure? I believe I've addressed the double tagging issue.

Thanks

Update: Both switches are HP ProCurve 1800-24G.

Malnizzle
jtnire
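A configuration check for the rules the question lists (trunks carry tagged frames only and have a PVID outside the host VLANs, host ports are untagged members of exactly their PVID, ingress filtering is on). This is an added example, not code from the question or from HP; the port model and its field names are assumptions rather than the ProCurve configuration format.

```python
from dataclasses import dataclass

# Hypothetical port model for this check only; field names are assumptions.
@dataclass
class Port:
    name: str
    role: str                          # "trunk" (switch-to-switch) or "host"
    pvid: int                          # native VLAN: untagged ingress lands here
    tagged: frozenset = frozenset()    # VLANs the port carries tagged
    untagged: frozenset = frozenset()  # VLANs the port carries untagged
    vlan_aware: bool = False           # accepts tagged frames at all
    ingress_filtering: bool = True     # drops tagged frames for non-member VLANs

def audit(ports, host_vlans):
    """Check each port against the rules stated in the question and return a
    list of (port name, finding) tuples; an empty list means every rule holds."""
    findings = []
    for p in ports:
        members = p.tagged | p.untagged
        if p.role == "trunk":
            if not p.vlan_aware:
                findings.append((p.name, "trunk must accept tagged frames"))
            if p.untagged:
                findings.append((p.name, "trunk should carry tagged frames only"))
            if p.pvid in host_vlans:
                # a native VLAN shared with a host VLAN is the double-tagging precondition
                findings.append((p.name, f"trunk PVID {p.pvid} is a host VLAN"))
        else:
            if p.vlan_aware:
                findings.append((p.name, "host port accepts tagged frames"))
            if members != {p.pvid}:
                findings.append((p.name, "host port must be untagged in its PVID only"))
        if not p.ingress_filtering:
            findings.append((p.name, "ingress filtering disabled"))
    return findings

HOST_VLANS = {10, 20}
# Constructed config matching the question: host ports untagged in one VLAN,
# trunk tagged-only with a PVID (99) that is neither host VLAN.
GOOD = [
    Port("1", "host", pvid=10, untagged=frozenset({10})),
    Port("2", "host", pvid=20, untagged=frozenset({20})),
    Port("24", "trunk", pvid=99, tagged=frozenset({10, 20}), vlan_aware=True),
]
# Constructed weak variant: trunk PVID equals a host VLAN, a host port is VLAN aware, no ingress filtering on port 1.
BAD = [
    Port("1", "host", pvid=10, untagged=frozenset({10}), ingress_filtering=False),
    Port("2", "host", pvid=20, untagged=frozenset({20}), tagged=frozenset({10}), vlan_aware=True),
    Port("24", "trunk", pvid=10, tagged=frozenset({10, 20}), vlan_aware=True),
]
```

Running `audit(BAD, HOST_VLANS)` lists each broken rule per port, while the configuration described in the question produces no findings.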

4 Answers


Why do people tell me not to use VLANs for security purposes?

There are real risks if you don't fully understand the potential issues and properly set up your network to mitigate the risk to a point that is acceptable for your environment. In many locations VLANs provide an adequate level of separation between two VLANs.

Can someone please explain to me why the above isn't secure?

It sounds like you have taken all the basic steps needed to achieve a pretty secure setup. But I am not totally familiar with HP gear. You may have done enough for your environment.

A good article to look at would be the Cisco VLAN Security White Paper.

It includes a list of possible attacks against a VLAN-Based Network. Some of these are not possible on some switches, or can be mitigated by a proper design of the infrastructure/network. Take the time to understand them and decide if the risk is worth the effort it will take to avoid it in your environment.

Quoted from the article:

  • MAC Flooding Attack
  • 802.1Q and ISL Tagging Attack
  • Double-Encapsulated 802.1Q/Nested VLAN Attack
  • ARP Attacks
  • Private VLAN Attack
  • Multicast Brute Force Attack
  • Spanning-Tree Attack

See also:

Zoredache
  • Yes, I read that article before posting this. It is a very good article indeed. While I understand all the risks involved, the white paper only really applies to Cisco gear - at least for the parts that would relate to buggy firmware such as flooding and ARP attacks. – jtnire Jan 10 '11 at 05:10

It is safe for certain values of secure.

Bugs in firmware, switch configuration resets, and human error can make it insecure. As long as only very few people have access to the configuration of the switches and the switches themselves, then it's OK in a general business environment.

I would go for physical separation for really sensitive data though.

Hubert Kario
  • Wouldn't all those issues apply to normal layer-3 firewalls though? – jtnire Jan 09 '11 at 23:12
  • Yes, and VLANs should be considered as if they were connected to a common router. Network with really sensitive data shouldn't be connected to anything else. If both have Internet access then you're OK. – Hubert Kario Jan 09 '11 at 23:18
  • +1 You've hit the nail on the head with the first sentence. – John Gardeniers Jan 10 '11 at 01:31
  • Can you please explain your first sentence? Since I'm trying to use VLANs for security purposes, I can't just assume that they are unsafe and not use them for secure subnets :) – jtnire Jan 10 '11 at 05:39
  • There really isn't any other rule of thumb than the one I already mentioned (If both have Internet access, they can be VLANed in the same switch). In other situations you have to factor in the cost of broken security, how likely is an attack from different VLAN, how experienced are people that are responsible for configuration, etc. – Hubert Kario Jan 10 '11 at 12:08
  • This doesn't answer the question at all... it's just common security platitudes. – Mark E. Haase Apr 19 '13 at 13:59

I seem to recall that, in the past, it was easier to do VLAN hopping, so that may be why "people" are saying this. But, why don't you ask the "people" for the reasons? We can only guess why they told you that. I do know that HIPAA and PCI auditors are OK with VLANs for security.

mfinni
  • Really? PCI auditors are OK with it? By "people", I just mean reading around online :) – jtnire Jan 09 '11 at 23:07
  • PCI auditors are most definitely OK with it, which is surprising considering some of the bull they can come up with when making sure a system is secure! VLANs are just a tool to separate out broadcast domains at Layer 2. Layer 3 and up is where most of the serious vulnerabilities lie. By the time someone has got close enough to your system to fiddle with VLANs, you've got a lot more serious problems! – Niall Donegan Jan 09 '11 at 23:10
  • Doesn't PCI DSS say though that for WLAN environments you can't segment wired and wireless using VLANs? – jtnire Jan 09 '11 at 23:15
  • Fortunately I haven't had to deal with wireless in relation to PCI DSS so that hasn't come up. I normally deal with it in relation to hosting environments where it's nice locked cabs and good old fashioned cables. – Niall Donegan Jan 09 '11 at 23:21
  • Yes, I plan to roll out VLANs in my cab for my managed customers. The switches will be locked in the rack :) I guess VLANs are used a lot in colo environments to share switches, aren't they? – jtnire Jan 09 '11 at 23:31
  • @jnire Yes, PCI DSS does require physical separation for WLAN. Wireline networks are different. – sysadmin1138 Jan 10 '11 at 02:57

I think the core issue is that VLANs aren't secure because you are just segregating broadcast domains, not actually segregating traffic. All the traffic from the multiple VLANs still flows over the same physical wires. A host with access to that traffic can always be configured into promiscuous mode and view all of the traffic on the wire.

Obviously the use of switches reduces that risk quite a bit, since the switches are controlling which data actually appears on which ports; however, the basic risk is still there.

Phil Hollenback
  • I'm sorry, I don't understand this. Since switches control traffic flowing to ports depending on their VLAN membership, putting a host into promiscuous mode wouldn't do anything. Sure, if an attacker got access to the trunk line, then promiscuous mode would work; however, the same could be said if an attacker got access to a cable for another physical firewall segment. Please correct me if I'm wrong. – jtnire Jan 10 '11 at 00:20
  • Well, if an attacker got access to your switch over the network, they could do things like mirror ports and gather packets from other VLANs, right? I think the issue gets back to the fact that VLANs are a programmable feature, while separated cables are a physical layer of protection. – Phil Hollenback Jan 10 '11 at 01:11
  • But I still don't understand how this is any different from a regular Layer-3 firewall though - they use software to program as well. Of course, I've tried to mitigate this issue by not placing untrusted hosts on the management VLAN, so switch web GUI access is not possible. – jtnire Jan 10 '11 at 05:32