Solved

How safe are VLANs?

Posted on 2008-06-15
8
1,684 Views
Last Modified: 2009-06-05
Hey folks.

I have my clients behind a pfsense firewall. There are times, for testing purposes, that I would want to connect someone on the "red" side of the firewall (I.e. before it).

I have an HP Procurve 1800-24G with VLAN support.

How secure are VLANs? Is this OK practise to do this (split half a switch "outside" and half a switch "inside")?

Cheers
0
Comment
Question by:jonnytabpni
8 Comments
 
LVL 13

Expert Comment

by:kdearing
ID: 21788131
I've done it before with no problems.
You have to make sure that the switch can't route between the VLANs.
According to the specs, the 1800 is Layer2 only, so you're good.
0
 
LVL 6

Accepted Solution

by:
Nyah247 earned 168 total points
ID: 21788220
You can do it...  But if your switch were to get compromised your whole network would be at risk instead of just an external router/switch.  Instead I would attach a switch to your internal (DMZ) interface on your firewall then attach your client to this from the patch panel.  

Honestly it is a great risk to have workstations flapping in the breeze.  It doesn't take much to get your company's whole external IP range to get black listed if the workstation happened to get some malware or a virus.
0
 

Author Comment

by:jonnytabpni
ID: 21788422
[quote]Instead I would attach a switch to your internal (DMZ) interface on your firewall then attach your client to this from the patch panel.  [/quote]

can you please explain this. im sorry i dont understand.

Currently the switch is connected to the "green" interface of the pfsense firewall and the "red" interface is connected to a router. I was wanting to place a test machine on the red SIDE of the firewall. I don't understand why I would need a DMZ interface coming out of the firewall
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 13

Assisted Solution

by:kdearing
kdearing earned 166 total points
ID: 21788466
Think of a DMZ (De-Militarized Zone) as the 'middle' side of the firewall, it's orange.
It is normally not fully protected, like the 'green' side, but you can set up rules restricting access.

The idea is if a device in the DMZ gets compromised, the rest of your network is still secure.
The primary purpose is for devices that need to be accessed from the internet, like web servers, ftp servers, front-end email servers, etc.

On many firewalls it is a dedicated port.
On some firewalls it is an optional config setting that turns one of the other ports into a DMZ.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 21788474
Forgot to add that Nyah247's idea is a very good one.
That's the best way to accomplish what you want.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 166 total points
ID: 21790271
 VLAN security on switches can be pretty hard to break - one failure mode would be to overload the switch with large amounts of ARP traffic, so its MAC table overflows - many switches drop to "hub" mode in cases like that which allows you free access to the other vlans; if your ports are bound to a single mac address (which cisco kit can do, to give one example) then you can avoid that, but you should investigate with the hardware you chose if there are any failure modes that allow traffic between vlans; you should also give serious stares to anything on a trunk port, which could act as an inter-vlan router if configured to (or if a failure mode there can be exploited to force the device to become a simple router or packet reflector)

  The financial cost of a completely separate switch to handle dmz traffic is marginal compared to buying a bigger switch (ie, with more ports) - for a small enough dmz set, it can devolve to a simple crossover cable, which tends to be much much cheaper :)

  If your firewall is software (rather than an appliance) then its easier and much more secure to add a few more Ethernet cards and use crossovers, effectively giving each untrusted host its own dmz.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 23034310
This question is still open.
Is the problem resolved?
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now