Re: VLAN interfaces on FreeBSD; performance issues
From: Chuck Swiger (cswiger_at_mac.com)
Date: 09/11/05
- Previous message: Chuck Swiger: "Re: VLAN interfaces on FreeBSD; performance issues"
- In reply to: Blake Covarrubias: "Re: VLAN interfaces on FreeBSD; performance issues"
- Next in thread: Aaron Glenn: "Re: VLAN interfaces on FreeBSD; performance issues"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sun, 11 Sep 2005 10:16:57 -0400
To: Blake Covarrubias <blake@yfug.yumaed.org>
Blake Covarrubias wrote:
> On Sep 10, 2005, at 8:37 AM, Chuck Swiger wrote:
[ ... ]
>> fxp is a good NIC hardware. However, if you are trying to connect
>> two distinct subnets, playing ISO layer-2 games with VLANs is not
>> going to result in a good substitute for layer-3 IP routing.
>>
>> You cannot truthfully multihome a machine with a single NIC.
>
> My goal is to make this machine a gateway for several servers that I
> need to segment that will be on different IP subnets. I could always
> just alias the IPs to the NIC on the gateway machine, but I need
> layer-2 separation for security.
If you need layer-2 separation for security, then you need to put each of these
machines or tiny subnets on separate hubs or switches. Simply putting them all
onto one switch and putting ports onto different VLANs does not give adequate
isolation in practice even from non-malicious traffic, as you might discover if
you monitor for ARP traffic leaking through (especially under high packet rate
load).
A malicious user can use mechanisms discussed here:
http://www.sans.org/resources/idfaq/vlan.php
http://archives.neohapsis.com/archives/sf/pentest/2001-06/0139.html
"Try not to use VLANs as a mechanism for enforcing security policy. They are
great for segmenting networks, reducing broadcasts and collisions and so forth,
but not as a security tool."
> I'm doing this for co-located servers
> (hence the need for segmentation). I don't think it's feasible to add a
> NIC for every new machine.
You don't need a separate NIC or hub for each new machine, but you ought to
have one for each distinct security domain (or client, or whatever).
(If my packets and their packets all go to the same switch port, my traffic is
not actually being isolated from their traffic, VLAN tagging or no.)
--
-Chuck
_______________________________________________
freebsd-isp@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
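Chuck suggests monitoring for ARP traffic leaking between VLANs as a way to see how weak the isolation is in practice. The following is an added example, not code from the thread: it parses 802.1Q-tagged ARP frames from a constructed capture and flags any whose sender or target address is not in the subnet assigned to that VLAN ID. The VLAN-to-subnet mapping and the sample frames are assumptions made up for the example.

```python
import struct
import ipaddress

ETH_P_8021Q, ETH_P_ARP = 0x8100, 0x0806
# Constructed policy (an assumption for this example): which subnet belongs on which VLAN ID.
VLAN_SUBNETS = {10: ipaddress.ip_network("10.0.10.0/24"),
                20: ipaddress.ip_network("10.0.20.0/24")}

def parse_tagged_arp(frame):
    # Return (vlan_id, sender_ip, target_ip) for an 802.1Q-tagged IPv4 ARP frame, else None.
    if len(frame) < 46 or struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    if inner_type != ETH_P_ARP:
        return None
    # ARP layout after the tag: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[18:26])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    spa = ipaddress.ip_address(frame[32:36])
    tpa = ipaddress.ip_address(frame[42:46])
    return tci & 0x0FFF, spa, tpa

def find_leaks(frames, vlan_subnets=VLAN_SUBNETS):
    # Flag tagged ARP whose sender or target IP does not belong to the subnet assigned to that VLAN.
    leaks = []
    for frame in frames:
        parsed = parse_tagged_arp(frame)
        if parsed is None:
            continue
        vlan_id, spa, tpa = parsed
        expected = vlan_subnets.get(vlan_id)
        if expected is None or spa not in expected or tpa not in expected:
            leaks.append((vlan_id, str(spa), str(tpa)))
    return leaks

def build_arp_request(vlan_id, spa, tpa, sha=bytes.fromhex("001122334455")):
    # Constructed test frame: broadcast ARP request inside an 802.1Q tag (PCP and DEI zero).
    tag = struct.pack("!HHH", ETH_P_8021Q, vlan_id & 0x0FFF, ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + ipaddress.ip_address(spa).packed
           + b"\x00" * 6 + ipaddress.ip_address(tpa).packed)
    return b"\xff" * 6 + sha + tag + arp

# Constructed capture: two ARPs where they belong, and one VLAN 10 ARP showing up tagged as VLAN 20.
SAMPLE_FRAMES = [
    build_arp_request(10, "10.0.10.5", "10.0.10.1"),
    build_arp_request(20, "10.0.20.7", "10.0.20.1"),
    build_arp_request(20, "10.0.10.5", "10.0.10.1"),
]
```

On a real switch the frames would come from a span or monitor port feeding a capture library; the check itself is the same, and a non-empty result from find_leaks() is the leak Chuck says to look for.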