Re: [fw-wiz] MAC blocking

From: Patrick M. Hausen (hausen_at_punkt.de)
Date: 11/28/05

  • Next message: Chris Byrd: "Re: [fw-wiz] MAC blocking"
    To: Chuck Swiger <chuck@codefab.com>
    Date: Mon, 28 Nov 2005 23:33:57 +0100 (CET)
    
    

    Hi, Chuck!

    > I would say it's not safe to assume that VLANs can be trusted to
    > separate traffic with complete reliability, especially if it is
    > possible for a malicious machine to gain access to a trunk port:

    But you can eliminate the latter. Disable VTP and even STP
    for all ports that are connected to hosts - regardless of whether they
    are trusted or untrusted.

    OTOH this implies that you are in control of the physical environment,
    i.e. cabling. A datacenter is quite different from an office or, say,
    a school or library network.

    I tend to recommend using 802.1q to establish many different zones
    if it's "either separate on layer 3 cheaply or don't separate at all".
    There are no absolutes in network security beyond Marcus' proverbial
    ultimate firewall ;-)

    I learned from Bruce Schneier that security is always about tradeoffs
    to make. I used to believe in absolutes, when I was a lot younger than
    today.

    Kind regards,

    Patrick M. Hausen
    Leiter Netzwerke und Sicherheit

    -- 
    punkt.de GmbH         Internet - Dienstleistungen - Beratung
    Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
    76137 Karlsruhe       http://punkt.de
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
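The post above recommends disabling VTP and keeping hosts out of STP on every host-facing port. The following audit script is an added example and is not part of Patrick's message or the firewall-wizards archive. It assumes Cisco IOS-style configuration syntax, treats any port without `switchport mode trunk` as host-facing, assumes the IOS default VTP mode is `server` when no `vtp mode` line is present, and interprets "disable STP on host ports" as the common practice of enabling BPDU guard (plus pinning the port to access mode and turning off DTP with `switchport nonegotiate`). The sample running-config is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample running-config (IOS-style syntax assumed); not from the post.
SAMPLE_CONFIG = """\
vtp mode server
!
interface GigabitEthernet0/1
 description trunk to core
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 description host port - hardened
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
 description host port - factory defaults
 switchport access vlan 20
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its indented config lines (stripped)."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def is_host_port(lines: List[str]) -> bool:
    """Assumption: anything not explicitly configured as a trunk faces a host."""
    return "switchport mode trunk" not in lines


def audit_interface(lines: List[str]) -> List[str]:
    """Return the hardening settings missing from one host-facing port."""
    findings = []
    if "switchport mode access" not in lines:
        findings.append("not pinned to access mode (DTP could negotiate a trunk)")
    if "switchport nonegotiate" not in lines:
        findings.append("DTP still enabled (switchport nonegotiate missing)")
    if "spanning-tree bpduguard enable" not in lines:
        findings.append("BPDU guard not enabled (host may participate in STP)")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit global VTP mode and every host-facing port; return only the problems."""
    report: Dict[str, List[str]] = {}
    match = re.search(r"^vtp mode (\S+)", config, re.MULTILINE)
    mode = match.group(1) if match else "server"  # assumed IOS default
    if mode not in ("transparent", "off"):
        report["global"] = [f"VTP mode is '{mode}'; expected transparent or off"]
    for name, lines in parse_interfaces(config).items():
        if not is_host_port(lines):
            continue
        findings = audit_interface(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for scope, problems in audit_config(SAMPLE_CONFIG).items():
        for problem in problems:
            print(f"{scope}: {problem}")
```

Running it against the constructed config flags the global VTP mode and the untouched port GigabitEthernet0/3, while the hardened GigabitEthernet0/2 and the explicit trunk produce no findings. The script only reads configuration text, so it can be run offline against exported running-configs as a periodic check that host ports have not drifted back to defaults.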
    
