Yeah, I'd love to know as well.  I've searched CCO pretty thoroughly, and
can't find anything that really relates to this.

-----Original Message-----
From: Sam [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 4:19 PM
To: [EMAIL PROTECTED]
Subject: Re: security opinions please [7:3666]


Interesting. I'm wondering what Cisco's stand on this subject would be.
Anyone know, or have other opinions?  The same concern has been expressed to
me with regards to a similar configuration.

"Carroll Kong" wrote in message news:[EMAIL PROTECTED]...
> At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
> >Let me lay out the basic topology of a network first:
> >
> >A 6500 has several VLANS configured on it.  Among these are an external
> >internet vlan, a dmz, and several internal vlans.   The internal vlans are
> >routed by an MSFC in the 6500.  Routing between the internal, dmz, and
> >external is handled by a firewall external to the 6500.
> >
> >Are there any security issues with having all of these VLANS in the same
> >box?  Someone in our organization is concerned that someone can hack the
> >switch just because the connection from the internet is plugged into it.
> >The switch's management address is on one of the internal vlans, and an
> >access list is on the telnet access that restricts access from only the
> >internal vlans.
>
> Oh boy, the big security button.  IF you really want to be secure, you are
> NOT going to be using VLANs at all.  You want hard, cold, old fashioned
> separate layer 2 networks, by HARDWARE.  However, realize security is
> really a layering process and hopefully warding off attackers of a
> particular experience level by making the task seem like "too much
> trouble", or "beyond their ability."  A true pro can penetrate "VLAN"-based
> security.  A novice, and probably most intermediates, will not.  You decide
> and weigh out your costs in choosing the far less flexible hard switches on
> the side method, or using the far more flexible Catalyst VLAN style.
>
> That is the security cost analysis you must do.  i.e.  If you are guarding
> the Fort Knox of the computer realm, I'd probably go hardcore.  If you are
> not, you may want to stick with VLANs.  Security is always a balance
> between convenience and security.  :(  The sad truth is, the ultimate
> security is, the wire cutters.  (and perhaps a Faraday Cage if wireless
> takes off).  :)
>
>
>
> -Carroll Kong
> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3688&t=3666
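The original question describes an internet VLAN, a DMZ and the internal VLANs sharing one 6500, with the switch's management address on an internal VLAN and telnet restricted by an access list, and Carroll's reply says a skilled attacker can get past VLAN-based separation. The following is an added example, not code posted in this thread: a small audit script that reads an IOS-style Catalyst config and flags the usual ways a host on one VLAN talks its way onto another (ports left in DTP-negotiable mode, unpruned trunks, a trunk native VLAN that is also an access VLAN), plus vty lines that lack an access-class or still accept telnet. Both configs inside it are constructed for illustration; the interface names, VLAN numbers and the 10.10.0.0/16 internal range are assumptions, and the exact default switchport mode depends on the platform and IOS release, so an absent `switchport mode` is flagged conservatively.

```python
"""Audit an IOS-style Catalyst config for the two points raised above: can an
untrusted port talk its way onto other VLANs, and is management access really
limited to the internal VLANs?  Added example, not code from the thread; the
configs are constructed (interface names, VLAN numbers and the 10.10.0.0/16
internal range are assumptions) and the syntax follows Cisco IOS."""

# Constructed: internet handoff left to negotiate its mode, an unpruned trunk
# on the default native VLAN, a spare port defaulting to VLAN 1, and vty
# lines with no access-class.
WEAK_CONFIG = """\
interface GigabitEthernet1/1
 description Internet handoff (untrusted)
 switchport
 switchport access vlan 100
 switchport mode dynamic desirable
interface GigabitEthernet1/2
 description Trunk to firewall
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface GigabitEthernet1/3
 switchport
 switchport mode access
line vty 0 4
 transport input telnet
"""

# Constructed: the same ports with every finding below addressed.
HARDENED_CONFIG = """\
interface GigabitEthernet1/1
 description Internet handoff (untrusted)
 switchport
 switchport access vlan 100
 switchport mode access
interface GigabitEthernet1/2
 description Trunk to firewall
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,100,200
 switchport mode trunk
 switchport nonegotiate
interface GigabitEthernet1/3
 switchport
 switchport access vlan 998
 switchport mode access
 shutdown
access-list 10 permit 10.10.0.0 0.0.255.255
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 transport input ssh
"""


def parse_blocks(config):
    """Group lines into (header, [sub-commands]); an unindented line starts a block."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def _value(lines, prefix, default=None):
    """Remainder of the first sub-command starting with prefix, else default."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return default


def audit(config):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []
    access_vlans = {}   # vlan -> names of access ports in it (default VLAN 1)
    trunk_native = {}   # trunk name -> native vlan (default 1)
    for header, lines in parse_blocks(config):
        if header.startswith("interface ") and "switchport" in lines:
            name = header.split()[1]
            # Platform default is assumed to be DTP-negotiable; flag conservatively.
            mode = _value(lines, "switchport mode ", "dynamic (default)").split()[0]
            if mode not in ("access", "trunk"):
                findings.append(f"{name}: mode '{mode}' lets DTP negotiate the port into a trunk; "
                                "set 'switchport mode access' or 'switchport mode trunk'")
            if mode == "trunk":
                if "switchport nonegotiate" not in lines:
                    findings.append(f"{name}: trunk still sends DTP; add 'switchport nonegotiate'")
                if _value(lines, "switchport trunk allowed vlan ") is None:
                    findings.append(f"{name}: trunk carries every VLAN; prune with 'switchport trunk allowed vlan'")
                trunk_native[name] = int(_value(lines, "switchport trunk native vlan ", "1"))
            else:
                vlan = int(_value(lines, "switchport access vlan ", "1"))
                access_vlans.setdefault(vlan, []).append(name)
        elif header.startswith("line vty"):
            if _value(lines, "access-class ") is None:
                findings.append(f"{header}: no access-class; management is reachable from every VLAN routed to the switch")
            if "telnet" in _value(lines, "transport input ", "telnet"):
                findings.append(f"{header}: telnet allowed; credentials cross the network in the clear")
    # A host whose access VLAN equals a trunk's native VLAN can send 802.1Q
    # double-tagged frames: the outer tag is stripped as native, the inner one
    # delivers the frame into another VLAN (one-way, but enough for many attacks).
    for trunk, native in trunk_native.items():
        for port in access_vlans.get(native, []):
            findings.append(f"{trunk}: native VLAN {native} is also the access VLAN of {port}; "
                            "a host there can double-tag frames onto other VLANs")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

The checks are deliberately per-trunk and per-port rather than a verdict on the chassis as a whole: as Carroll's reply says, whether shared VLANs on one box are acceptable is a cost decision, but these are the settings that decide whether "VLAN-based security" holds up against the known hops. Note that the script only audits what is in the running config text; it cannot tell you which ports are physically reachable from the internet side, so pair it with a port-to-cable inventory.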