Re: [fw-wiz] Firewalls and 802.1q trunking

From: ark@eltex.ru
Date: 11/27/02


From: ark@eltex.ru
To: David Pick <d.m.pick@qmul.ac.uk>
Date: Wed Nov 27 13:55:19 2002

And they are not.

There is another good point: generic secure network design common sense
requires that there should NOT be any hardware connection point between
networks except the firewall. Not even a switch, a machine with packet forwarding
turned off, NOTHING, not even a network printer with two interface cards, if one
ever exists.

On Wed, Nov 27, 2002 at 08:00:14AM +0000, David Pick wrote:
>
> > My concern is that the "fan-out" boxes are typically run-of-the-mill
> > switches, like Cisco Catalysts, that probably have been design without
> > any security aspirations. I wouldn't be surprised if those switches
> > could be attacked and tricked into leaking packets between VLANs.
>
> A valid concern. My attitude is simple:
> * If the switches are secure enough to keep VLANs separated for
> normal traffic then they're secure enough to use as interfaces
> to your firewall
> * If they're not, well, they're not!

-- 
                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
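The design rule in the post above (only the firewall may touch more than one network) can be turned into a mechanical check on the 802.1q fan-out switches. The following is an added example, not code from the original thread: it parses a constructed Cisco-style running-config excerpt and flags every port other than the declared firewall trunk that carries VLANs belonging to more than one security zone, trunks left with the default "all VLANs allowed" list, and trunks whose native VLAN is also in use as an access VLAN on the same switch (the classic precondition for double-tagged frames hopping between VLANs). The VLAN-to-zone map, port names and config text are all assumptions made up for the example.

```python
"""Audit a switch config for ports that bridge security zones.

Rule applied: every port except the firewall's trunk must carry VLANs from
exactly one zone. Zone map, port names and config are constructed examples.
"""
import re

# Constructed zone map (assumption): which VLAN belongs to which network.
ZONES = {1: "management", 10: "outside", 20: "dmz", 30: "inside"}

# Constructed running-config excerpt (not from the original post).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description firewall trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999
!
interface GigabitEthernet0/2
 description web server (dmz)
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/3
 description wrongly trunked to a second switch
 switchport mode trunk
 switchport trunk allowed vlan 20,30
!
interface GigabitEthernet0/4
 description trunk left with the default allowed list
 switchport mode trunk
!
"""


def expand_vlan_list(spec):
    """Expand a Cisco VLAN list such as '10,20-22' into {10, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_ports(config):
    """Return {port_name: {mode, vlans, native, access}}.

    'vlans' is None for a trunk with no 'allowed vlan' line, which on
    Cisco means every VLAN is carried.
    """
    ports, cur = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            cur = {"mode": "access", "vlans": None, "native": 1, "access": 1}
            ports[m.group(1)] = cur
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line == "switchport mode trunk":
            cur["mode"] = "trunk"
        elif line.startswith("switchport trunk allowed vlan "):
            cur["vlans"] = expand_vlan_list(line.split()[-1])
        elif line.startswith("switchport trunk native vlan "):
            cur["native"] = int(line.split()[-1])
        elif line.startswith("switchport access vlan "):
            cur["access"] = int(line.split()[-1])
    return ports


def audit(config, firewall_port, zones):
    """Return a list of (port, reason) findings against the one-zone rule."""
    ports = parse_ports(config)
    all_known = set(zones)
    access_vlans = {p["access"] for p in ports.values() if p["mode"] == "access"}
    findings = []
    for name, p in ports.items():
        if p["mode"] == "access":
            carried = {p["access"]}
        else:
            carried = all_known if p["vlans"] is None else p["vlans"]
        touched = sorted({zones[v] for v in carried if v in zones})
        if p["mode"] == "trunk" and p["vlans"] is None:
            findings.append((name, "trunk allows every VLAN (no 'allowed vlan' list)"))
        if len(touched) > 1 and name != firewall_port:
            findings.append((name, "bridges zones " + ", ".join(touched)))
        if p["mode"] == "trunk" and p["native"] in access_vlans:
            findings.append((name, f"native VLAN {p['native']} is also an access VLAN"
                                   " (double-tag hop risk)"))
    return findings


if __name__ == "__main__":
    for port, reason in audit(SAMPLE_CONFIG, "GigabitEthernet0/1", ZONES):
        print(f"{port}: {reason}")
```

Run against the sample, the firewall trunk on Gi0/1 passes because it is the one port allowed to touch several zones, Gi0/2 passes as a single-zone access port, and Gi0/3 and Gi0/4 are flagged: the first for carrying dmz and inside on one trunk, the second for the implicit all-VLAN allowed list, which also makes it bridge every zone. Feeding it a real "show running-config" only requires replacing the zone map with the site's own VLAN plan.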

