Re: [fw-wiz] MAC blocking
From: Patrick M. Hausen (hausen_at_punkt.de)
Date: 11/28/05
- Previous message: Chuck Swiger: "Re: [fw-wiz] MAC blocking"
- In reply to: Chuck Swiger: "Re: [fw-wiz] MAC blocking"
- Next in thread: Paul D. Robertson: "Re: [fw-wiz] MAC blocking"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Chuck Swiger <chuck@codefab.com>
Date: Mon, 28 Nov 2005 23:33:57 +0100 (CET)
Hi, Chuck!
> I would say it's not safe to assume that VLANs can be trusted to
> separate traffic with complete reliability, especially if it is
> possible for a malicious machine to gain access to a trunk port:
But you can eliminate the latter. Disable VTP and even STP
for all ports that are connected to hosts - regardless of whether trusted
or untrusted.
OTOH this implies that you are in control of the physical environment,
i.e. cabling. A datacenter is quite different from an office or, say,
a school or library network.
I tend to recommend using 802.1q to establish many different zones
if it's "either separate on layer 3 cheaply or don't separate at all".
There are no absolutes in network security beyond Marcus' proverbial
ultimate firewall ;-)
I learned from Bruce Schneier that security is always about tradeoffs
to make. I used to believe in absolutes, when I was a lot younger than
today.
Kind regards,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
--
punkt.de GmbH
Internet - Dienstleistungen - Beratung
Vorholzstr. 25
76137 Karlsruhe
Tel. 0721 9109 -0
Fax: -100
http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
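As an added illustration (not part of Patrick's message or the list archive), a small Python audit of a constructed Cisco IOS-style running-config for the hardening he describes: VTP disabled, and host-facing ports that can neither negotiate a trunk nor take part in STP. It relies on the standard IOS commands `vtp mode transparent`/`off`, `switchport nonegotiate` and `spanning-tree bpduguard enable` (BPDU guard stands in for "disabling STP" on a host port); the sample config and the list of required commands are assumptions made for this example.

```python
import re
# Constructed sample running-config (not from the thread): one host port hardened
# as described, one left at defaults, and an uplink trunk exempt from host rules.
SAMPLE_CONFIG = """\
vtp mode server
!
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport access vlan 20
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""
# Commands a host-facing (non-trunk) port must carry, and the exposure if absent
# (assumed check list for this example, using real IOS command syntax).
REQUIRED = {
    "switchport mode access": "port may still negotiate a trunk via DTP",
    "switchport nonegotiate": "DTP not disabled",
    "spanning-tree bpduguard enable": "port would accept BPDUs from the host",
}

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

def audit(config):
    """Return (scope, finding) tuples; an empty list means the config passes."""
    findings = []
    vtp = re.search(r"^vtp mode (\S+)", config, re.M)
    if not vtp or vtp.group(1) not in ("transparent", "off"):
        findings.append(("global", "VTP active; use 'vtp mode transparent' or 'off'"))
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines:
            continue  # an intended uplink trunk is out of scope here
        for cmd, why in REQUIRED.items():
            if cmd not in lines:
                findings.append((name, f"missing '{cmd}': {why}"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the active VTP mode and the three missing commands on GigabitEthernet0/2, while the hardened port and the intended trunk produce nothing.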