Re: [fw-wiz] Firewalls and 802.1q trunking

From: ark@eltex.ru
Date: 11/27/02


From: ark@eltex.ru
To: David Pick <d.m.pick@qmul.ac.uk>
Date: Wed Nov 27 13:55:19 2002

And they are not.

There is another good point: generic secure network design common sense
requires that there should NOT be any hardware connection point between
networks except the firewall. Even a switch, a machine with packet forwarding
turned off, NOTHING, even a network printer with two interface cards if one
ever exists.

On Wed, Nov 27, 2002 at 08:00:14AM +0000, David Pick wrote:
>
> > My concern is that the "fan-out" boxes are typically run-of-the-mill
> > switches, like Cisco Catalysts, that probably have been designed without
> > any security aspirations. I wouldn't be surprised if those switches
> > could be attacked and tricked into leaking packets between VLANs.
>
> A valid concern. My attitude is simple:
> * If the switches are secure enough to keep VLANs separated for
> normal traffic then they're secure enough to use as interfaces
> to your firewall
> * If they're not, well, they're not!

-- 
                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
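As an added illustration of the VLAN-leakage concern discussed above (this is example code, not part of the original thread or anyone's posted configuration), the following audits raw Ethernet frames captured on a firewall-facing 802.1Q trunk and flags any frame whose VLAN ID is not in the trunk's allowed set, is untagged, or carries a reserved VID. The allowed VIDs, addresses and frames are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100          # 802.1Q tag protocol identifier
RESERVED_VIDS = {0, 0xFFF}   # VID 0 = priority-tagged, 4095 = reserved per 802.1Q

# Assumed trunk policy (constructed): only these VLANs may reach the firewall trunk.
ALLOWED_VIDS = {10, 20, 30}


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame; vid is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF            # low 12 bits of the TCI are the VLAN ID
        offset = 18
    return {"dst": dst, "src": src, "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


def check_frame(frame: bytes, allowed=ALLOWED_VIDS) -> str:
    """Return a verdict for one frame seen on the firewall-facing trunk."""
    info = parse_frame(frame)
    if info["vid"] is None:
        return "untagged"             # native/untagged traffic should not appear here
    if info["vid"] in RESERVED_VIDS:
        return f"reserved:vid={info['vid']}"
    if info["vid"] not in allowed:
        return f"leak:vid={info['vid']}"  # a VLAN the trunk policy never permitted
    return "ok"


def build_frame(dst: bytes, src: bytes, vid, ethertype: int, payload: bytes) -> bytes:
    """Construct a sample frame, tagged when vid is not None (PCP/DEI left at 0)."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def audit(frames) -> list:
    """Return (index, verdict) for every frame that is not 'ok'."""
    return [(i, v) for i, f in enumerate(frames)
            if (v := check_frame(f)) != "ok"]
```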

