This design provides for a single physical switch existing in two security
zones of trust. Only traffic from one user group traverses the switch. An
example of such a design would be a switch which is configured for double-duty
on both DMZ and internal interfaces of a firewall. VLANs separate traffic on a
single physical LAN into multiple logical LANs through the use of VLAN tags.
The use of VLANs can be considered as a possible way of segmenting multiple
interfaces of a firewall on a single switch, as shown in the figure. In this example
the external network, the DMZ, and the internal network all utilize the same
switch for Layer 2 connectivity. The external network traffic is tagged as VLAN
ID 100 while the internal network traffic is tagged with VLAN ID 200. While it
is technically feasible to make this design secure, there are significant
ramifications should the switch be compromised.
Vulnerabilities
The primary Layer 2 vulnerabilities of this design include the following:
- MAC spoofing, within VLANs
- CAM table overflow, through per VLAN traffic flooding
- VLAN hopping
Mitigation
If the security zones are small enough, use port
security to help mitigate the CAM table overflow vulnerability as well as the
MAC spoofing vulnerability. Additionally, mitigation of VLAN hopping can be
accomplished by following the VLAN best practices outlined in this module. As
with the previous cases, the switches must be managed as securely as possible
and tested on a regular basis.
In the design shown in the figure, another
mitigation approach would be to split the Layer 2 functionality of the switch
to two separate physical switches. If this is done, the mitigation techniques
described in case #1 would apply to both distinct security zones.
If private VLANs (PVLANs) are employed in any of the VLANs, consideration must be
given to the possibility of private VLAN attacks. If the VLANs utilize DHCP for
address assignment, then DHCP starvation by an attacker also needs to be
considered.
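The following configuration fragment is an added illustration, not part of this module, of how the mitigations described above (port security against CAM table overflow and MAC spoofing, VLAN best practices against VLAN hopping, and a rate limit against DHCP starvation) map onto Cisco IOS switch commands for the shared DMZ/internal switch. The VLAN IDs 100 and 200 come from the design above; the interface names, the unused native VLAN 999, the port-security limits and the DHCP rate are assumptions chosen for the example, and the "weak" block is a constructed starting point rather than a configuration taken from the text.

```cisco
! --- Weak starting point (constructed): port left negotiating trunks,
! --- native VLAN 1 in use, no MAC limit. An attached host can negotiate
! --- a trunk and flood MACs unchecked.
interface GigabitEthernet0/1
 switchport mode dynamic auto
 switchport trunk native vlan 1
!
! --- Hardened DMZ access port (VLAN 100 from the design).
! --- Port security caps the CAM entries this port can populate and
! --- pins the learned MAC, covering CAM overflow and MAC spoofing.
interface GigabitEthernet0/1
 description DMZ host (assumed interface)
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip dhcp snooping limit rate 10
!
! --- Internal access port (VLAN 200 from the design), same treatment.
interface GigabitEthernet0/2
 description internal host (assumed interface)
 switchport mode access
 switchport access vlan 200
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip dhcp snooping limit rate 10
!
! --- Trunk to the firewall: explicit trunk, DTP off, an unused native
! --- VLAN and an explicit allowed list, which are the VLAN-hopping
! --- best practices referred to above.
interface GigabitEthernet0/24
 description trunk to firewall (assumed interface)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,200
 ip dhcp snooping trust
!
vlan 999
 name NATIVE_UNUSED
!
! --- DHCP snooping bounds the rate at which any access port can send
! --- DHCP, limiting DHCP starvation within each VLAN.
ip dhcp snooping
ip dhcp snooping vlan 100,200
```

The `switchport trunk encapsulation dot1q` line is only accepted on platforms that also support ISL; omit it on access-layer models that are 802.1Q-only. With `violation restrict`, excess MACs are dropped and counted rather than shutting the port, which keeps the DMZ service reachable while still generating a violation notification to check during the regular testing mentioned above.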