At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
>Let me lay out the basic topology of a network first:
>
>A 6500 has several VLANS configured on it.  Among these are an external
>internet vlan, a dmz, and several internal vlans.   The internal vlans are
>routed by an MSFC in the 6500.  Routing between the internal, dmz, and
>external are handled by a firewall external to the 6500.
>
>Are there any security issues with having all of these VLANS in the same
>box?  Someone in our organization is concerned that someone can hack the
>switch just because the connection from the internet is plugged into it.
>The switch's management address is on one of the internal vlans, and an
>access list on the telnet access restricts access to only the
>internal vlans.

Oh boy, the big security button.  IF you really want to be secure, you are 
NOT going to be using VLANs at all.  You want hard, cold, old fashioned 
separate layer 2 networks, by HARDWARE.  However, realize security is 
really a layering process and hopefully warding off attackers of a 
particular experience level by making the task seem like "too much 
trouble", or "beyond their ability."  A true pro can penetrate "VLAN" based 
security.  A novice and probably most intermediates, will not.  You decide 
and weigh out your costs in choosing the far less flexible hard switches on 
the side method, or using the far more flexible Catalyst VLAN style.

That is the security cost analysis you must do.  i.e.  If you are guarding 
the Fort Knox of the computer realm, I'd probably go hardcore.  If you are 
not, you may want to stick with VLANs.  Security is always a balance 
between convenience and security.  :(  The sad truth is, the ultimate 
security is, the wire cutters.  (and perhaps a Faraday Cage if wireless 
takes off).  :)



-Carroll Kong
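An added example, not from the original post and not from Cisco: a native-IOS style configuration for the setup the question describes, showing the management-access control it mentions (a vty access-class limiting management to the internal VLANs) next to the edge-port and trunk hardening that closes the easiest VLAN-hopping paths a "true pro" would try first. The VLAN numbers, subnets, port names and ACL name are assumptions; a 6500 running CatOS on the supervisor would express the port settings in CatOS syntax instead.

```cisco
! Added example, not from the original post. VLAN numbers, subnets and
! names are assumptions; adapt them to the real addressing plan.
!
! Dedicated management SVI on an internal VLAN. Keeping the management
! address off the external and DMZ VLANs means a host on those segments
! has no layer-3 path to the switch except through the firewall.
interface Vlan100
 description MGMT - internal management only
 ip address 10.100.0.2 255.255.255.0
!
! Only the internal VLANs may reach the vty lines; everything else is
! dropped and logged. This restricts telnet/ssh to the box itself; the
! external firewall still decides what crosses between zones.
ip access-list standard MGMT-HOSTS
 permit 10.100.0.0 0.0.0.255
 permit 10.10.0.0 0.0.255.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
! The port facing the Internet router: pin it as an access port so it
! can never negotiate itself into a trunk carrying the internal VLANs.
interface GigabitEthernet1/1
 description EXTERNAL - to Internet router
 switchport
 switchport mode access
 switchport access vlan 200
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! On real trunks, move the native VLAN off VLAN 1 to an unused VLAN,
! tag it, and carry only the VLANs the far end actually needs.
interface GigabitEthernet1/2
 description TRUNK - to distribution switch
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,100
 switchport mode trunk
 switchport nonegotiate
!
vlan dot1q tag native
```

This raises the bar in the way the reply above describes; it does not turn a shared switch into separate hardware. A compromised supervisor, a misconfigured trunk, or a management plane reachable from the wrong VLAN still exposes every VLAN in the chassis, which is the residual risk the cost analysis has to weigh.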




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3677&t=3666
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]