[PLUG] Are cheap switches with flawed VLANs safe enough?

Eric House eehouse at eehouse.org
Wed Jun 8 15:52:35 UTC 2022


On Tue, Jun 7, 2022 at 10:49 AM <plug-request at pdxlinux.org> wrote:

>
> I'm not an expert on this to say the least, but as far as I can tell the
> only security risk is if you have two VLANs. A switch that's supposed to
> transport packets for two separate VLANs can in some cases transport
> packets from one VLAN to the other, and if they're marked with a bogus
> return address, computers in the other VLAN may think it came from one of
> the machines within their VLAN.
>
> I can't imagine that is a problem unless those machines on the first VLAN
> have special privileges, and a program is running that changes a
> computer's behavior based on a single packet, only authenticated by its
> return address. And no information is going to leak out, since with a
> bogus return address, whoever's on the second VLAN isn't going to see a
> response.
>
> So... unless you're dealing with one switch managing two VLANs, and unless
> you're granting potentially malicious users access to one of your VLANs,
> but not the other, and unless it's a security breach for one of the VLANs
> to send packets to the other, I'd go with not worrying about it.
>

I do have two VLANs, a LAN and a DMZ. WiFi and my web and MQTT server are
on the DMZ. The web server sits right next to my laptop and main
development machine in a place reached by only one Ethernet cable. VLANs
make that setup possible, and now are making me nervous.

My biggest concern is friends and family who use the WiFi while visiting.
If any of them has been hacked (and one family member is particularly
clueless about computer security), some rootkit might get access to my
network. I want to make sure the LAN remains unreachable.

The idea of a switch running OpenWRT is attractive, and it seems I can get
something from Netgear for a reasonable price, so I think I'll go that way.

Thanks for the responses, all!

--Eric
-- 
My g-bike can trounce your e-bike!
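The quoted reply pins the risk on "a program that changes a computer's behavior based on a single packet, only authenticated by its return address." The following is an added illustration, not code from the thread or from any project mentioned in it, of what that looks like in a listener and how a service on the DMZ can stop depending on which VLAN a frame claims to come from. The trusted range, the pre-shared key and the datagram layout (8-byte counter, command, 32-byte HMAC-SHA256 tag) are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed values: the "LAN" range a naive listener trusts, and a
# pre-shared key the hardened listener uses. Neither comes from the post.
TRUSTED_LAN = ipaddress.ip_network("192.168.1.0/24")
SHARED_KEY = b"example-psk-constructed-for-demo"
TAG_LEN = 32  # HMAC-SHA256 digest length


def handle_trusting_source(src_ip: str, payload: bytes) -> bool:
    """Naive listener: acts on any command whose *claimed* source address is in
    the LAN. A frame that leaks across VLANs with a forged source address passes
    this check, which is exactly the case the quoted reply describes."""
    if ipaddress.ip_address(src_ip) not in TRUSTED_LAN:
        return False
    return payload.startswith(b"CMD:")


def build_authenticated(counter: int, command: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Build a datagram: big-endian 8-byte counter || command || HMAC tag.
    Only a sender holding the key can produce a valid tag."""
    body = struct.pack(">Q", counter) + command
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class AuthenticatedListener:
    """Hardened listener: the source address plays no part in authorization.
    Each datagram must carry a valid HMAC over a strictly increasing counter,
    so a forged or replayed frame is rejected whichever VLAN it arrived on."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_counter = -1

    def handle(self, src_ip: str, payload: bytes) -> bool:
        # src_ip is accepted for logging only; it is deliberately not trusted.
        if len(payload) < 8 + TAG_LEN:
            return False
        body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return False
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.last_counter:
            return False  # replay of an already-seen datagram
        if not body[8:].startswith(b"CMD:"):
            return False
        self.last_counter = counter
        return True


def demo() -> dict:
    """Run both listeners against constructed traffic that all claims a LAN source."""
    genuine = build_authenticated(1, b"CMD:reboot")
    # Forged datagrams: the sender knows the format but not the key.
    forged_plain = b"CMD:reboot"
    forged_tagged = struct.pack(">Q", 2) + b"CMD:reboot" + bytes(TAG_LEN)
    listener = AuthenticatedListener()
    return {
        "naive_accepts_forged": handle_trusting_source("192.168.1.10", forged_plain),
        "hardened_rejects_forged": not listener.handle("192.168.1.10", forged_tagged),
        "hardened_accepts_genuine": listener.handle("192.168.1.10", genuine),
        "hardened_rejects_replay": not listener.handle("192.168.1.10", genuine),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The point the code makes is the one the reply makes in prose: a switch that occasionally leaks a tagged frame into the wrong VLAN only matters to services that let the source address stand in for authentication. A service that authenticates each message with a key it shares only with its real peers (and rejects replays) does not care which VLAN the frame physically arrived on, so a cheap switch's VLAN flaws stop being a single point of failure for it.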