From owner-freebsd-security Tue Feb 27 10:14:38 2001
Date: Tue, 27 Feb 2001 10:14:16 -0800
From: Brooks Davis
To: Olivier Nicole
Cc: shupilov@technobank.com.by, security@FreeBSD.ORG
Subject: Re: vlan
Message-ID: <20010227101416.B27373@Odin.AC.HMC.Edu>
References: <3A9A63D8.D6C8881F@eng.ufl.edu> <9185502756.20010227105425@technobank.com.by> <200102270858.PAA14543@banyan.cs.ait.ac.th>
In-Reply-To: <200102270858.PAA14543@banyan.cs.ait.ac.th>; from on@cs.ait.ac.th on Tue, Feb 27, 2001 at 03:58:15PM +0700

On Tue, Feb 27, 2001 at 03:58:15PM +0700, Olivier Nicole wrote:
> Well, as I once heard a guy saying in a seminar about security, if you
> plan to deal with security, do NOT use vlan.
>
> Vlan's only goal is to present broadcast packets to leak to every
> interface. Vlan should not be trusted beyond that.
>
> So maybe the security list is not the best place to ask :)

This is not really accurate. While there are a number of implementations
out there with this problem, modern vlan implementations are intended to
be fully secure.

For instance, Cisco intends their VLANs in conjunction with 802.1X (or a
similar proprietary protocol) to allow things like having a visitor be
able to plug their laptop in to get internet access but not end up behind
the local firewall, while an employee could plug their laptop into the
same port and have local access. Cisco implements this switching
functionality at the ASIC level.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4