Re: [fw-wiz] MAC blocking

From: Patrick M. Hausen (
Date: 11/28/05

  • Next message: Chris Byrd: "Re: [fw-wiz] MAC blocking"
    To: Chuck Swiger <>
    Date: Mon, 28 Nov 2005 23:33:57 +0100 (CET)

    Hi, Chuck!

    > I would say it's not safe to assume that VLANs can be trusted to
    > separate traffic with complete reliability, especially if it is
    > possible for a malicious machine to gain access to a trunk port:

    But you can eliminate the latter. Disable VTP and even STP
    for all ports that are connected to hosts - regardless of whether trusted
    or untrusted.

    OTOH this implies that you are in control of the physical environment,
    i.e. cabling. A datacenter is quite different from an office or, say,
    a school or library network.

    I tend to recommend using 802.1q to establish many different zones
    if it's "either separate on layer 3 cheaply or don't separate at all".
    There are no absolutes in network security beyond Marcus' proverbial
    ultimate firewall ;-)

    I learned from Bruce Schneier that security is always about tradeoffs
    to make. I used to believe in absolutes, when I was a lot younger than

    Kind regards,

    Patrick M. Hausen
    Leiter Netzwerke und Sicherheit

    -- GmbH         Internet - Dienstleistungen - Beratung
    Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
    76137 Karlsruhe
    firewall-wizards mailing list
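One concrete way to apply the advice in the message above (no VTP, no STP participation and no trunk negotiation on host-facing ports, one learned MAC per port, 802.1q only on the inter-switch uplink). This is an added illustration, not Patrick's own configuration; the Cisco IOS syntax, interface names and VLAN numbers are assumptions.

```text
! Global: this switch neither learns nor propagates VLAN changes via VTP
vtp mode transparent
!
! Host-facing access ports (port range and VLAN id are assumed values)
interface range GigabitEthernet0/1 - 24
 description host-facing port - never a trunk
 switchport mode access
 switchport access vlan 10
 ! never negotiate trunking (DTP) with whatever is plugged in
 switchport nonegotiate
 ! no spanning-tree participation: forward immediately ...
 spanning-tree portfast
 ! ... and err-disable the port if a BPDU arrives from a host
 spanning-tree bpduguard enable
 ! one learned MAC per port; extra addresses are dropped and logged
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
!
! Uplink to the next switch: the only place 802.1q trunking is allowed
! (on platforms that also support ISL, set
!  "switchport trunk encapsulation dot1q" first)
interface GigabitEthernet0/25
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 ! unused native VLAN so untagged frames cannot land in a host zone
 switchport trunk native vlan 999
```

The global `vtp mode transparent` and the per-port `switchport nonegotiate` are what close the "host gains a trunk port" path that Chuck raised; BPDU guard is what "disable STP on host ports" amounts to in practice.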
