Echoing these sentiments here, the whole point of VLANs is traffic
separation.

Brian "Sonic" Whalen
Success = Preparation + Opportunity


On Tue, 8 May 2001, Eric Rivard wrote:

> If you look at all of Cisco's documentation on their website it
> recommends you use VLANs just like this. They even did a study with
> Microsoft and posted it on Microsoft's website suggesting to use VLANs
> to distinguish between outside, DMZ, and internal networks. I have seen
> many big companies do it this way. For example, last month Cisco had
> Excite's network diagram on its site, saying how they used VLANs; they
> also had an Oracle example. I have set up quite a few co-locations
> using only a 5500 with 3 VLANs, one for the outside, one for the inside,
> and one for the DMZ. I don't see how a hacker can break into a different
> VLAN from the outside. Switches see VLANs as logical switches inside of
> it. If a hacker wants to get to the internal VLAN from the outside he
> would have to go through the firewall. If Cisco recommends and companies
> like Microsoft and Excite are implementing it, I don't see how it can be
> a security risk. See this link for a really good document on setting up
> an e-commerce co-location network; it also has router and PIX configs:
>
> http://www.microsoft.com/TechNet/ecommerce/ciscomef.asp
>
>
> -----Original Message-----
> From: Carroll Kong [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 08, 2001 1:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: security opinions please [7:3666]
>
>
> At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
> >Let me lay out the basic topology of a network first:
> >
> >A 6500 has several VLANs configured on it.  Among these are an external
> >internet VLAN, a DMZ, and several internal VLANs.  The internal VLANs are
> >routed by an MSFC in the 6500.  Routing between the internal, DMZ, and
> >external is handled by a firewall external to the 6500.
> >
> >Are there any security issues with having all of these VLANs in the same
> >box?  Someone in our organization is concerned that someone can hack the
> >switch just because the connection from the internet is plugged into it.
> >The switch's management address is on one of the internal VLANs, and an
> >access list on the telnet access permits access only from the
> >internal VLANs.
>
> Oh boy, the big security button.  IF you really want to be secure, you are
> NOT going to be using VLANs at all.  You want hard, cold, old-fashioned
> separate layer 2 networks, by HARDWARE.  However, realize security is
> really a layering process and hopefully warding off attackers of a
> particular experience level by making the task seem like "too much
> trouble" or "beyond their ability."  A true pro can penetrate "VLAN"-based
> security.  A novice, and probably most intermediates, will not.  You decide
> and weigh out your costs in choosing the far less flexible hard-switches-
> on-the-side method, or using the far more flexible Catalyst VLAN style.
>
> That is the security cost analysis you must do, i.e. if you are guarding
> the Fort Knox of the computer realm, I'd probably go hardcore.  If you are
> not, you may want to stick with VLANs.  Security is always a balance
> between convenience and security.  :(  The sad truth is, the ultimate
> security is the wire cutters (and perhaps a Faraday cage if wireless
> takes off).  :)
>
>
>
> -Carroll Kong
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3702&t=3666
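As an added example, not part of this thread and not taken from the Cisco or Microsoft documents Eric cites: a Cisco IOS fragment for the layout both posters describe (outside, DMZ and inside VLANs on one Catalyst, with the firewall as the only router between zones). It shows the factory-default port settings that let a host negotiate a trunk beside the hardened form. Interface names, VLAN numbers and addresses are assumptions; the CatOS "set" commands on a 5500 differ in syntax but express the same settings.

```text
! Added example, not from the thread, Cisco or Microsoft. Interface names,
! VLAN numbers and addresses are assumed. Cisco IOS syntax.
!
! ---- Weak: leave the ports at factory defaults ----
! A Catalyst port defaults to DTP "dynamic desirable" or "dynamic auto"
! (platform dependent), with native VLAN 1 on any trunk it forms. A host on
! the outside VLAN that speaks DTP can negotiate itself into a trunk and then
! tag frames into the DMZ or inside VLANs without ever touching the firewall.
interface FastEthernet0/1
 description Internet router (WEAK: mode and native VLAN left at defaults)
 switchport
 switchport access vlan 10
!
! ---- Hardened: one switch, three zones, firewall is the only L3 path ----
vtp mode transparent
!
vlan 10
 name OUTSIDE
vlan 20
 name DMZ
vlan 30
 name INSIDE
vlan 999
 name NATIVE-UNUSED
!
! Internet-facing port: fixed access port, DTP off, no BPDUs accepted.
interface FastEthernet0/1
 description Internet router -> OUTSIDE
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Firewall legs: one access port per zone, same hardening.
interface FastEthernet0/2
 description Firewall outside leg
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
interface FastEthernet0/3
 description Firewall DMZ leg
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
interface FastEthernet0/4
 description Firewall inside leg
 switchport mode access
 switchport access vlan 30
 switchport nonegotiate
!
! Uplink trunk: carry only the VLANs the far end needs, never VLAN 1, and
! use an unused native VLAN so an untagged frame cannot land in a zone.
interface GigabitEthernet0/1
 description Trunk to server distribution switch (DMZ and inside hosts)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,30
!
! Routing: only the inside VLAN gets an SVI. OUTSIDE and DMZ stay L2-only so
! nothing but the firewall routes between zones. VLAN 1 is shut down.
interface Vlan1
 shutdown
interface Vlan30
 ip address 10.30.0.1 255.255.255.0
!
! Management reachable only from inside hosts, as the original poster already
! does with a telnet access list; SSH requires a crypto image.
ip access-list standard MGMT-HOSTS
 permit 10.30.0.0 0.0.0.255
 deny any log
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

The settings that matter for the question in the thread are the ones that stop a host from becoming a trunk (fixed access mode plus `switchport nonegotiate`), the unused native VLAN and pruned allowed list on real trunks, and the absence of any SVI on the outside and DMZ VLANs, so that the MSFC never offers a path around the firewall. Physically separate switches remove these failure modes instead of configuring them away, which is the trade-off Carroll describes.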