RE: VLAN as a DMZ
From: Smith, Chris (csmith@Calence.com) Date: 03/08/02
- Previous message: Tom Kapanka: "RE: scary site"
- Maybe in reply to: Mike Shaw: "VLAN as a DMZ"
- Next in thread: Peter Lee: "Re: VLAN as a DMZ"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Smith, Chris" <csmith@Calence.com> To: 'Mike Shaw' <mshaw@wwisp.com>, security-basics@securityfocus.com Date: Fri, 8 Mar 2002 09:08:30 -0700
VLAN-Hopping is a potential using only VLAN security to isolate an insecure
network segment - a previous version of CatOS code had such a
vulnerability. Another issue is misconfiguration (more likely) - i.e.
placing a trusted host on the VLAN, misconfiguring layer 3 routing, etc.
A better approach is to use a separate switch (off the core) for
DMZ/Extranet/untrusted segments. The potential for compromise exists, but
your risk may be reduced by securing the core devices from compromise. It's
the best blend of $$ vs. Security.
chrisls
-----Original Message-----
From: Mike Shaw [mailto:mshaw@wwisp.com]
Sent: Wednesday, March 06, 2002 1:26 PM
To: security-basics@securityfocus.com
Subject: VLAN as a DMZ
There are definitely textbook reasons (secondary compromise issues, etc),
but does anyone know of a specific technical reason why using a VLAN for a
DMZ segment is a bad idea (Cisco 5500 switch)?
The VLAN would have no telnet interface living on it, and no level 3
switching/routing going to/from it. It'd be just an isolated segment. The
only thing I could think of would be that someone could spoof the
frame-tagging or something.
Any input is appreciated.
-Mike