Re: [fw-wiz] Firewalls and 802.1q trunking

From: Pearsall, Jim (Jim.Pearsall@hp.com)
Date: 11/27/02

• Next message: R. DuFresne: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Previous message: ark@eltex.ru: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Maybe in reply to: Steffen Kluge: "[fw-wiz] Firewalls and 802.1q trunking"
• Next in thread: David Pick: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Reply: David Pick: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Pearsall, Jim" <Jim.Pearsall@hp.com>
To: <firewall-wizards@honor.icsalabs.com>
Date: Wed Nov 27 13:55:35 2002

>> My concern is that the "fan-out" boxes are typically run-of-the-mill
>> switches, like Cisco Catalysts, that probably have been design
without
>> any security aspirations. I wouldn't be surprised if those switches
>> could be attacked and tricked into leaking packets between VLANs.

>A valid concern. My attitude is simple:
>* If the switches are secure enough to keep VLANs seperated for
> normal traffic then they're secure enough to use as interfaces
>to your firewall
>* If they're not, well, they're not!

I would submit that secure enough to manage traffic inside your trusted
network is quite different from secure enough to define a security
boundary.

Also, what about resistance to DOS attacks? Trusting your switch
administrators? Configuration errors? I just see a bunch of
possibilities that I do not need to worry about with discrete (The
dumber the better) network devices over big switches connecting border
subnets.

---

• Next message: R. DuFresne: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Previous message: ark@eltex.ru: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Maybe in reply to: Steffen Kluge: "[fw-wiz] Firewalls and 802.1q trunking"
• Next in thread: David Pick: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Reply: David Pick: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Hardening Cisco Catalyst Switches ... used Cisco Secure ACS for TACACS+ access ... We thought about and tested limiting access to the switches to ... >Does anyone have any suggestions on how to make a secure configuration on a switch? ... >I know about enabling secret password, changing the default SNMP community strings, filtering connections to the switch itself, using ACLs on VLANs etc, but I would appreciate some more good ideas. ... (Security-Basics) Re: [fw-wiz] Firewalls and 802.1q trunking ... generic secure network design common sense ... I wouldn't be surprised if those switches ... (Firewall-Wizards) Stunnel.. ... I am trying to secure a mysql connection usning the example provided on ... When I run the commands shown I get the following error.. ... what switches are available and none of the examples I have tried so far ... (Fedora) Re: Is VLAN still secure ? ... > secure as on different switches fpr diferent Networks. ... > build a DMZ on one Switch with an DMZ VLAN and a Secure VLAN. ... Vlan's are not a security option. ... (comp.security.firewalls) Re: [fw-wiz] Firewalls and 802.1q trunking ... > switches, like Cisco Catalysts, that probably have been design without ... > any security aspirations. ... I wouldn't be surprised if those switches ... normal traffic then they're secure enough to use as interfaces ... (Firewall-Wizards)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > Firewall-Wizards  > 2002-11