Re: [fw-wiz] Firewalls and 802.1q trunking

From: Luca Berra (bluca@comedia.it)
Date: 12/04/02

• Next message: Steffen Kluge: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Previous message: David Lang: "RE: [fw-wiz] OWA and Risk Assesment"
• In reply to: Eric Vyncke: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Next in thread: Steffen Kluge: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: Luca Berra <bluca@comedia.it>
To: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
Date: Wed Dec  4 14:34:17 2002

Eric Vyncke wrote:
> First, have a look at my IP address to remove possible bias ;-)
>
> Second, @stakes made some extended research on VLAN hopping against a Catalyst switch. They were unable to actually hop between VLAN on a well configured switch. See their paper on:
> http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf
>
> Having said this, I've seen two different points of view:
>
> - misconfiguration happens: an Infosec or network operator can make a mistake in the VLAN configuration
>
> - probabilty of faulty switch configuration by an educated network/infosec operator is less than the probability of a wrong cable patching in the datacom room by a uneducated engineer.
>
> I guess that the decision really belongs to _your_ security policy and requirements.

I have another one to add to the list:
it happened twice here that after a power f**k-up a catalyst rebooted
with default configuration (which means all port in default vlan)

since the default for a catalyst in this case is to switch traffic this
situation (even if rare) is another point of concern.

btw wrong cable patching can in part be prevented by mac-address checks
on the switch.

Regards,
Luca

• Next message: Steffen Kluge: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Previous message: David Lang: "RE: [fw-wiz] OWA and Risk Assesment"
• In reply to: Eric Vyncke: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Next in thread: Steffen Kluge: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Strannge situation with two SRW224G4 and one Cisco 2950-12 ... LinkSys SRW224G4 switch as described at scheme. ... forwarding via another trunk port to second SRW224G4 and then to Cisco ... vlan40 is described in VLAN DB of all three switches. ... So I suspect that problem is in Cisco switch configuration or IOS. ... (comp.dcom.sys.cisco) Re: Strannge situation with two SRW224G4 and one Cisco 2950-12 ... doesn't mean the vlan has been created. ... The em1 card of the BSD is connected into trunk port g3 of the first ... LinkSys SRW224G4 switch as described at scheme. ... So I suspect that problem is in Cisco switch configuration or IOS. ... (comp.dcom.sys.cisco) Re: Cisco ? ... I have a Win2003 domain connected thru a 2950 switch. ... When I started the only VLAN was the usual native VLAN 1 ... I have two different types of wireless stations. ... I don't want the vlan configuration to ... (microsoft.public.windows.server.networking) RE: Windows Server 2008 problems with Broadcom/802.3ad/VLANs ... a server with 3 VLANs using the BASP tools. ... Both ethernet ports on the server are connected to a switch stack comprising ... The 1st VLAN was then added, and again, this was successful with both the ... configuration, which is the point at which we started to run into problems. ... (microsoft.public.windows.server.networking) Re: HP/Cisco Vlan fun ... I also have the last two ports on the switch etherchanneled ... that it gets an IP address from the Voice vlan, but he can do a / ... decided to force the DHCP server on a tagged only port (force it to be ... the configuration above is about the switch port being configured ... (comp.dcom.lans.ethernet)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint