How does one go about "penetrating" the internal VLAN on a switch while only
having access to the external VLAN and not traversing the PIX in the middle?
I have heard the response from numerous security engineers that anything is
possible; however, I guess I'm a novice because I have never seen nor heard of
this being done in the situation mentioned above.  I attribute the idea of
physically separating these networks (even though VLAN-based separation is
just as effective) to security paranoia.  This isn't necessarily a bad
thing; after all, that's what security guys are paid for.  However, I don't see
a technical reason why you can't have these VLANs connected to the same box
as long as a properly configured firewall logically separates them.

-Michael Cohen CCIE #6080

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Carroll Kong
Sent: Tuesday, May 08, 2001 3:44 PM
To: [EMAIL PROTECTED]
Subject: Re: security opinions please [7:3666]


At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
>Let me lay out the basic topology of a network first:
>
>A 6500 has several VLANS configured on it.  Among these are an external
>internet vlan, a dmz, and several internal vlans.   The internal vlans are
>routed by an MSFC in the 6500.  Routing between the internal, dmz, and
>external are handled by a firewall external to the 6500.
>
>Are there any security issues with having all of these VLANS in the same
>box?  Someone in our organization is concerned that someone can hack the
>switch just because the connection from the internet is plugged into it.
>The switch's management address is on one of the internal vlans, and an
>access list is on the telnet access that restricts access from only the
>internal vlans.

Oh boy, the big security button.  IF you really want to be secure, you are
NOT going to be using VLANs at all.  You want hard, cold, old fashioned
separate layer 2 networks, by HARDWARE.  However, realize security is
really a layering process and hopefully warding off attackers of a
particular experience level by making the task seem like "too much
trouble", or "beyond their ability."  A true pro can penetrate "VLAN" based
security.  A novice and probably most intermediates, will not.  You decide
and weigh out your costs in choosing the far less flexible "hard switches on
the side" method, or using the far more flexible Catalyst VLAN style.

That is the security cost analysis you must do.  i.e.  If you are guarding
the Fort Knox of the computer realm, I'd probably go hardcore.  If you are
not, you may want to stick with VLANs.  Security is always a balance
between convenience and security.  :(  The sad truth is, the ultimate
security is, the wire cutters.  (and perhaps a Faraday Cage if wireless
takes off).  :)
-Carroll Kong
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
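The original poster's description of the one control actually on the switch (management address on an internal VLAN, telnet restricted by an access list to the internal VLANs) is the kind of thing worth checking mechanically rather than trusting. The following is an added example, not code from anyone in the thread: it parses an IOS-style configuration fragment and verifies that the vty lines carry an inbound access-class whose permit entries all fall inside internal VLAN subnets. The configuration text, VLAN numbers, subnets and ACL number are constructed for the example and are not values from the thread.

```python
"""Added example (not from the thread): audit an IOS-style switch config for
the management-plane control the original poster describes.  The control
holds when the vty lines have an inbound access-class and every permit entry
in that ACL is a subnet of an internal VLAN, so DMZ and external sources
cannot reach the switch's telnet port.  All addresses below are constructed.
"""
import ipaddress
import re

# Constructed sample: two internal VLANs, a DMZ VLAN and an external VLAN.
SAMPLE_CONFIG = """\
interface Vlan10
 description internal-users
 ip address 10.1.10.1 255.255.255.0
interface Vlan20
 description internal-servers
 ip address 10.1.20.1 255.255.255.0
interface Vlan30
 description dmz
 ip address 192.0.2.1 255.255.255.0
interface Vlan40
 description external
 ip address 198.51.100.2 255.255.255.248
access-list 10 permit 10.1.10.0 0.0.0.255
access-list 10 permit 10.1.20.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input telnet
"""

# Weak variants, constructed for contrast: a "permit any" slipped into the
# ACL, and the access-class missing from the vty lines altogether.
WEAK_CONFIG = SAMPLE_CONFIG.replace(
    "access-list 10 permit 10.1.20.0 0.0.0.255", "access-list 10 permit any")
NO_ACL_CONFIG = SAMPLE_CONFIG.replace(" access-class 10 in\n", "")

INTERNAL_VLANS = {10, 20}   # assumption: which VLAN IDs count as "internal"


def parse_config(text):
    """Return (vlan_subnets, acls, vty_acl) from IOS-style config text.

    vlan_subnets: {vlan_id: ip_network of the SVI}
    acls:         {acl_number: [(action, ip_network), ...]}  (standard ACLs)
    vty_acl:      ACL number applied inbound on the vty lines, or None
    """
    vlan_subnets, acls, vty_acl = {}, {}, None
    current_vlan, in_vty = None, False
    for line in text.splitlines():
        if not line.startswith(" "):          # top-level command: new context
            current_vlan, in_vty = None, False
            m = re.match(r"interface Vlan(\d+)", line)
            if m:
                current_vlan = int(m.group(1))
                continue
            if line.startswith("line vty"):
                in_vty = True
                continue
            m = re.match(r"access-list (\d+) (permit|deny) (\S+)(?: (\S+))?", line)
            if m:
                acl, action, src, extra = m.groups()
                if src == "any":
                    net = ipaddress.ip_network("0.0.0.0/0")
                elif src == "host":
                    net = ipaddress.ip_network(f"{extra}/32")
                else:
                    # IOS wildcard masks are inverted netmasks
                    wildcard = int(ipaddress.ip_address(extra or "0.0.0.0"))
                    mask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)
                    net = ipaddress.ip_interface(f"{src}/{mask}").network
                acls.setdefault(int(acl), []).append((action, net))
            continue
        if current_vlan is not None:
            m = re.match(r"\s+ip address (\S+) (\S+)", line)
            if m:
                vlan_subnets[current_vlan] = ipaddress.ip_interface(
                    f"{m.group(1)}/{m.group(2)}").network
        elif in_vty:
            m = re.match(r"\s+access-class (\d+) in", line)
            if m:
                vty_acl = int(m.group(1))
    return vlan_subnets, acls, vty_acl


def audit_vty_access(text, internal_vlans=INTERNAL_VLANS):
    """Return a list of findings; an empty list means the control holds."""
    vlan_subnets, acls, vty_acl = parse_config(text)
    if vty_acl is None:
        return ["no access-class on line vty: telnet reachable from any VLAN"]
    entries = acls.get(vty_acl, [])
    if not entries:
        # An access-class pointing at an undefined ACL restricts nothing.
        return [f"access-class {vty_acl} references an undefined access-list"]
    internal = [vlan_subnets[v] for v in internal_vlans if v in vlan_subnets]
    findings = []
    for action, net in entries:
        if action == "permit" and not any(net.subnet_of(s) for s in internal):
            findings.append(f"access-list {vty_acl} permits {net}, "
                            "which is not an internal VLAN subnet")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG),
                      ("no-acl", NO_ACL_CONFIG)):
        print(name, audit_vty_access(cfg) or "ok")
```

The check only covers the telnet access-class the original poster mentions; it says nothing about whether a host on the external VLAN can reach the internal VLANs some other way, which is the question the thread is really arguing about.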
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3692&t=3666