Re: [fw-wiz] Firewalls and 802.1q trunking
From: Two Dog Flats (j3ff9ack@yahoo.com)
Date: 11/26/02
- Next message: Carson Gaspar: "Re: [fw-wiz] Firewalls and 802.1q trunking"
- Previous message: Steffen Kluge: "[fw-wiz] Firewalls and 802.1q trunking"
- In reply to: Steffen Kluge: "[fw-wiz] Firewalls and 802.1q trunking"
- Next in thread: Carson Gaspar: "Re: [fw-wiz] Firewalls and 802.1q trunking"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Two Dog Flats <j3ff9ack@yahoo.com>
To: firewall-wizards@honor.icsalabs.com
Date: Tue Nov 26 20:40:01 2002
Having just addressed this topic a while ago, I found the following
study:
http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
I have personally seen other brands of switches exhibit the same
behavior. Overall, VLANs are a great technology, but they shouldn't be
used for high-risk network segments.
--
Jeff Pack
j3ff9ack@yahoo.com

--- Steffen Kluge <kluge@fujitsu.com.au> wrote:
> Hi everyone,
> I'd like to solicit your opinion on the popular trend of
> equipping firewalls with (almost) arbitrary numbers of interfaces
> by means of VLAN trunking. Many FW vendors (including Nokia,
> NetScreen, and the like) are going down that path.
>
> My concern is that the "fan-out" boxes are typically run-of-the-mill
> switches, like Cisco Catalysts, that probably have been designed
> without any security aspirations. I wouldn't be surprised if those
> switches could be attacked and tricked into leaking packets between VLANs.
>
> Are there any studies devoted to this issue, or reports of successful
> attacks against 802.1q separation that I should be aware of?
>
> In our environment we use firewalls with rather large numbers of
> interfaces (typically 15 ~ 25), mostly based on Xylan switches
> running FW-1. This product line has disappeared now and all alternative
> solutions seem to be relying on VLAN trunking.
>
> I'm not comfortable with the idea yet, but I wasn't comfortable with
> the Xylan switches in the beginning, either. I'd like to think I'm
> too paranoid, but then, that's my job...
>
> Cheers
> Steffen.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
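Whether an 802.1q fan-out switch can be trusted to keep VLANs apart is a property of the switch, but the firewall end of the trunk can at least refuse anything it was not provisioned for. The following is an added Python example, not code from this thread or from any product named in it: it parses the 802.1q tag of a frame received on a trunk and accepts the frame only when it carries exactly one tag whose VID is in the set provisioned for that trunk, classifying untagged, reserved-VID, stacked-tag and unknown-VID frames as anomalies worth logging. The allowed VID set and the sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

TPID_8021Q = 0x8100   # customer VLAN tag
TPID_8021AD = 0x88A8  # service tag (Q-in-Q); treated as just another tag here
RESERVED_VIDS = (0, 4095)


@dataclass
class TrunkFrame:
    dst: bytes
    src: bytes
    vid: Optional[int]   # None when the frame arrived untagged
    pcp: int             # priority bits from the TCI
    stacked: bool        # True when a second tag follows the first
    ethertype: int       # EtherType of the payload after the tag(s)
    payload: bytes


def parse_trunk_frame(frame: bytes) -> TrunkFrame:
    """Parse the Ethernet header and at most one 802.1q tag; note whether another tag follows."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vid, pcp, stacked = 14, None, 0, False
    if ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < 18:
            raise ValueError("truncated 802.1q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp = tci >> 13
        vid = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
        # A TPID where the payload EtherType should be means the tag is stacked.
        stacked = ethertype in (TPID_8021Q, TPID_8021AD)
    return TrunkFrame(dst, src, vid, pcp, stacked, ethertype, frame[offset:])


def check_trunk_ingress(frame: bytes, allowed_vids: FrozenSet[int]) -> Tuple[bool, str, Optional[int]]:
    """Decide whether a frame received on the trunk may be handed to the firewall.

    Returns (accept, reason, vid). Anything but a single, provisioned tag is rejected
    so that a misbehaving fan-out switch cannot hand the firewall traffic it did not
    expect on that logical interface.
    """
    try:
        f = parse_trunk_frame(frame)
    except ValueError as e:
        return False, f"malformed: {e}", None
    if f.vid is None:
        return False, "untagged frame on trunk (no native VLAN accepted)", None
    if f.stacked:
        return False, "stacked 802.1q tags", f.vid
    if f.vid in RESERVED_VIDS:
        return False, "reserved VID", f.vid
    if f.vid not in allowed_vids:
        return False, "VID not provisioned on this trunk", f.vid
    return True, "ok", f.vid


def build_frame(vids, ethertype: int = 0x0800, payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed sample frame: one 802.1q tag per VID in order, then EtherType and payload."""
    header = bytes.fromhex("00112233445566778899aabb")  # constructed dst/src MACs
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v) for v in vids)  # PCP/DEI left at 0
    return header + tags + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    # Constructed provisioning: this trunk carries VLANs 10, 20 and 30 only.
    allowed = frozenset({10, 20, 30})
    samples = {
        "provisioned": build_frame([10]),
        "untagged": build_frame([]),
        "stacked": build_frame([10, 20]),
        "unknown vid": build_frame([40]),
        "reserved vid": build_frame([4095]),
        "runt": b"\x00" * 10,
    }
    for name, fr in samples.items():
        print(f"{name:13s} -> {check_trunk_ingress(fr, allowed)}")
```

Only the accept/reject decision is returned; in a real deployment the rejected categories are the ones to alert on, since a trunk that suddenly delivers untagged or stacked-tag frames is exactly the symptom Steffen is worried about.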