Chris's Wiki :: blog/tech/VLANSecurityView Comments (https://utcc.utoronto.ca/~cks/space/blog/tech/VLANSecurityView)
By Ewen McNeill on /blog/tech/VLANSecurityView, 2014-09-20T06:32:08Z
<div class="wikitext"><p>It's not clear to me what the concern they're referring to in the tweet you linked to actually is. (Which is probably a function of twitter being a poor way to communicate meaningful content, especially if half of the maxlen is used for naming people you're sending it to... but I digress.)</p>
<p>VLANs are logical separation: for things which are approximately the same trust level, but perhaps shouldn't be mixed indiscriminately, separating them with VLANs seems like an improvement over, eg, just overlaying all the subnets on the same physical wires (which I do still keep seeing all over the place).</p>
<p>For things that really are <code><em>not</em></code> the same trust level, avoiding using the same <em>anything</em> seems like a good idea. You probably do actually want separate VM hosts, physical switches, physical network cables, etc, for the outside-world-facing side of your firewall (and arguably DMZ too). The fewer points those distinctly different trust levels come together the better.</p>
<p>But, give or take management/control issues, putting, eg, moderate trust/security-needs groups on the same switch as VLANs does not seem like a terrible idea to me.</p>
<p>ISP/metro ethernet networks are often VLANs a fair way down (and then, eg, MPLS encapsulation -- another logical tagging -- to untangle the core). Which seems tolerable if it's "Internet access" for all of them, just going to the outside of their border router/border firewall. And potentially worrying if it is also inter-site/inter-city internal ethernet tie links. (How worrying depends on what you have crossing those links; if the "it's VLANs" part bothers you, you probably should already be encrypting it before sending it over a network link outside your control -- the ISP and law enforcement can already see it anyway, eg <a href="https://www.getcloak.com/blog/2013/11/05/ssl-added-and-removed-here-nsa-smiley/">SSL added and removed here -- NSA</a>)</p>
<p>Ewen</p>
</div>
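As an added example that is not part of Ewen's comment or of Chris's Wiki, the following Python decodes the 802.1Q tag stack from a raw Ethernet frame. It makes the "logical separation" point above concrete: a VLAN-10 frame and an untagged frame between the same hosts differ only by four bytes inserted after the source MAC, and a provider-stacked (QinQ) frame just adds a second such tag, much as MPLS adds another label further down. The MAC addresses, payload bytes and VLAN IDs are constructed sample values, and `build_frame` is a helper written here for the example, not a library API.

```python
"""Decode IEEE 802.1Q VLAN tags from raw Ethernet frames.

Added example, not code from the original comment or from Chris's Wiki.
It shows that VLAN membership is a 4-byte tag inserted after the source
MAC: a logical label inside the frame, not physical separation. All
frames below are constructed sample data, not captures.
"""
import struct

ETHERTYPE_8021Q = 0x8100   # customer VLAN tag (C-TAG)
ETHERTYPE_8021AD = 0x88A8  # service VLAN tag (S-TAG), outer tag of stacked (QinQ) frames
TAG_ETHERTYPES = {ETHERTYPE_8021Q, ETHERTYPE_8021AD}


def parse_frame(frame: bytes) -> dict:
    """Split a frame into MACs, the VLAN tag stack (outermost first), EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    offset = 12
    vlans = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside the tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in TAG_ETHERTYPES:
            break  # reached the real payload EtherType (e.g. 0x0800 for IPv4)
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside the tag stack")
        (tci,) = struct.unpack_from("!H", frame, offset)  # Tag Control Information
        offset += 2
        vlans.append({
            "tpid": ethertype,
            "pcp": tci >> 13,        # 3-bit priority code point
            "dei": (tci >> 12) & 1,  # drop eligible indicator
            "vid": tci & 0x0FFF,     # 12-bit VLAN identifier
        })
    return {"dst": dst, "src": src, "vlans": vlans,
            "ethertype": ethertype, "payload": frame[offset:]}


def vlan_ids(frame: bytes) -> list:
    """Just the VLAN IDs, outermost first; [] for an untagged frame."""
    return [tag["vid"] for tag in parse_frame(frame)["vlans"]]


def build_frame(dst: bytes, src: bytes, vids: list, ethertype: int, payload: bytes) -> bytes:
    """Construct a frame with zero or more 802.1Q tags (outermost first). Sample-data helper."""
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


# Constructed sample frames: same hosts, same payload, different tag stacks.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")  # locally administered, made-up address
# IPv4/UDP-shaped bytes for illustration only; checksums are not meaningful.
PAYLOAD = bytes.fromhex("4500001c0001000040117ccd0a0000010a0000020001000100080000")
UNTAGGED = build_frame(DST, SRC, [], 0x0800, PAYLOAD)
VLAN10 = build_frame(DST, SRC, [10], 0x0800, PAYLOAD)
QINQ = build_frame(DST, SRC, [100, 10], 0x0800, PAYLOAD)  # provider tag 100 around customer tag 10


if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("vlan10", VLAN10), ("qinq", QINQ)):
        print(name, len(frame), vlan_ids(frame), hex(parse_frame(frame)["ethertype"]))
```

Running it prints the three frames with their lengths and tag stacks; the only difference between the untagged and VLAN-10 frames is the four extra bytes, which is exactly what a switch port's trunk configuration does or does not strip.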