Layer 2 Security - Private VLANs (the Story Continues ...)
Rob, you say - it's been a little while since we talked about Layer 2 Security (almost a week) - does that mean that we're done?
Not a chance - we haven't talked about Private VLANs yet!
A VLAN is often defined as a "broadcast domain", and in most cases is co-incides with an IP subnet. Private VLANs (also called PVLANs) are the exception to this, a Private VLAN is still usually a single IP subnet, but the "broadcast domain" definition no longer holds true.
In a private VLAN, you start by defining an "uplink" port (also called a "promiscuous" port). This is normally the port (or link aggregation group) that is attached to the uplink router(s), firewall(s), provider network or server(s). After that is set, you define "isolated" ports. Any frame received on a isolated port is forwarded only out the uplink port, no matter what destination MAC or IP address it might have. This includes ARP traffic or any broadcast traffic. Frames received on the promiscuous port are then forwarded in the usual way - ARPs, Broadcasts and all other layer 2 frames work as you would expect them to.
So what this means is that isolated ports in a Private VLAN cannot "speak" to each other at all - their only traffic path is via layer 3, to other subnets or to other isolated ports in that PVLAN.
The concept of private ports can be expanded to include larger port groups - this concept is called "community" ports. Community ports can speak to each other via layer 2 just like a regular vlan, but are separated from ports in other communities, and from isolated ports.
Typical applications for private VLANs might be in a Colocation Facility or public or private IaaS network (Infrastructure as a Service Cloud), where you might have several customers using the same subnet, but communications between the customers is not desirable as it would circumvent their firewalls. This might also be used on a DMZ, where you might want to restrict communications between DMZ hosts, but it's not worth the effort or cost of creating a separate DMZ for each host. Another common use for Private VLANs might be in a hotel situation, where each hotel room has internet access, all are on the same subnet, but communications between the rooms is not desired (for obvious reasons.)
This diary touches on only the most basic concepts of Private VLANs - I won't get into the specifics of the configuration, as they vary quite a bit between various vendors' gear. Also be aware that this covers only the most basic of PVLAN concepts - there's enough material in this for a good few hundred pages, if you were writing a book on Layer 2/3 Switching and Security for instance
As always, if there are any errors in this diary, or if you'd like to comment with other examples of how you've seen PVLANs used, feel free to use the "comment" link.
=============== Rob VandenBrink Metafore ===============
Adobe Shockwave Update
Adobe released a new version of the Shockwave Player for Windows and OSX yesterday. Multiple vulnerabiltiies are addressed, most of the vulnerabilities on the list result in compromise of the workstation and arbitrary code execution, so this is an important update to get done ASAP.
Full details here ==> http://www.adobe.com/support/security/bulletins/apsb10-12.html
=============== Rob VandenBrink Metafore ===============
.de TLD Outage
Several readers wrote in to note that the .de domain (Germany), which is operated by DENIC [1], had an unplanned outage earlier that lasted a bit over an hour.
There is no official statement yet, but according to one source [2], a bad zone file was loaded and it took a while to fix.
Currently, .de domains appear to be reachable again.
[1] http://denic.de/ (in German)
[2] http://www.tld.sc/en/
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
===================================================
The outage looks like it was from approximately 13:30 to 15:30 local time (CEST)
================= Rob VandenBrink ====================
Comments