Re: [fw-wiz] Firewalls and 802.1q trunking

From: Pearsall, Jim (Jim.Pearsall@hp.com)
Date: 11/27/02


From: "Pearsall, Jim" <Jim.Pearsall@hp.com>
To: <firewall-wizards@honor.icsalabs.com>
Date: Wed Nov 27 13:55:35 2002


>> My concern is that the "fan-out" boxes are typically run-of-the-mill
>> switches, like Cisco Catalysts, that probably have been designed without
>> any security aspirations. I wouldn't be surprised if those switches
>> could be attacked and tricked into leaking packets between VLANs.

>A valid concern. My attitude is simple:
>* If the switches are secure enough to keep VLANs separated for
>  normal traffic then they're secure enough to use as interfaces
>  to your firewall
>* If they're not, well, they're not!

I would submit that secure enough to manage traffic inside your trusted
network is quite different from secure enough to define a security
boundary.

Also, what about resistance to DOS attacks? Trusting your switch
administrators? Configuration errors? I just see a bunch of
possibilities that I do not need to worry about with discrete (The
dumber the better) network devices over big switches connecting border
subnets.
