Have you ever looked into how a switch can be compromised by an experienced
hacker?

Even though, theoretically, VLANs can't talk to each other except through a
router, you still have external and internal traffic on the same physical
box running OS software, which is not perfect.




Cheers

Jim Gillen

Snr Communications Engineer
AUSTRAC

Ph:   9950 0842
Fax:  9950 0074



>>> "Brian"  9/05/01 8:59:56 >>>

Echoing these sentiments here, the whole point of vlans is traffic
separation.

Brian "Sonic" Whalen
Success = Preparation + Opportunity


On Tue, 8 May 2001, Eric Rivard wrote:

> If you look at all of Cisco's documentation on their website it
> recommends you use VLANs just like this. They even did a study with
> Microsoft and posted it on Microsoft's website suggesting to use VLANs
> to distinguish between outside, DMZ, and internal networks. I have seen
> many big companies do it this way. For example, last month Cisco had
> Excite's network diagram on its site, saying how they used VLANs; they
> also had an Oracle example. I have set up quite a few co-locations
> using only a 5500 with 3 VLANs, one for the outside, one for the inside,
> and one for the DMZ. I don't see how a hacker can break into a different
> VLAN from the outside. Switches see VLANs as logical switches inside
> them. If a hacker wants to get to the internal VLAN from the outside he
> would have to go through the firewall. If Cisco recommends it and companies
> like Microsoft and Excite are implementing it, I don't see how it can be
> a security risk. See this link for a really good document on setting up
> an e-commerce co-location network; it also has router and PIX configs:
>
> http://www.microsoft.com/TechNet/ecommerce/ciscomef.asp
>
>
> -----Original Message-----
> From: Carroll Kong [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 08, 2001 1:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: security opinions please [7:3666]
>
>
> At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
> > Let me lay out the basic topology of a network first:
> >
> > A 6500 has several VLANs configured on it.  Among these are an external
> > internet VLAN, a DMZ, and several internal VLANs.  The internal VLANs are
> > routed by an MSFC in the 6500.  Routing between the internal, DMZ, and
> > external is handled by a firewall external to the 6500.
> >
> > Are there any security issues with having all of these VLANs in the same
> > box?  Someone in our organization is concerned that someone can hack the
> > switch just because the connection from the internet is plugged into it.
> > The switch's management address is on one of the internal VLANs, and an
> > access list is on the telnet access that restricts access to the
> > internal VLANs only.
>
> Oh boy, the big security button.  IF you really want to be secure, you are
> NOT going to be using VLANs at all.  You want hard, cold, old fashioned
> separate layer 2 networks, by HARDWARE.  However, realize security is
> really a layering process and hopefully warding off attackers of a
> particular experience level by making the task seem like "too much
> trouble", or "beyond their ability."  A true pro can penetrate "VLAN"
> based security.  A novice, and probably most intermediates, will not.  You
> decide and weigh out your costs in choosing the far less flexible hard
> switches on the side method, or using the far more flexible Catalyst VLAN
> style.
>
> That is the security cost analysis you must do.  i.e.  If you are guarding
> the Fort Knox of the computer realm, I'd probably go hardcore.  If you are
> not, you may want to stick with VLANs.  Security is always a balance
> between convenience and security.  :(  The sad truth is, the ultimate
> security is the wire cutters.  (and perhaps a Faraday Cage if wireless
> takes off).  :)
>
>
>
> -Carroll Kong
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
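The one concrete control in the original poster's topology is the access list on the switch's telnet access, meant to admit only the internal VLANs. As an added example (not code from this thread or from Cisco), this script audits an IOS-style config for that control: it reads the standard numbered ACL applied inbound on the vty lines and flags any permitted source that is not inside the internal VLAN subnets. The config text, ACL number and subnets are constructed.

```python
"""Added example: check that vty (telnet) access is limited to internal VLAN
subnets.  SAMPLE_CONFIG and INTERNAL are constructed; standard numbered ACLs only."""
import ipaddress
import re

SAMPLE_CONFIG = """\
access-list 10 permit 10.10.0.0 0.0.255.255
access-list 10 permit 10.20.0.0 0.0.255.255
access-list 10 deny any
line vty 0 4
 access-class 10 in
 transport input telnet
"""

# Constructed internal VLAN subnets; anything else is DMZ or outside.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "10.20.0.0/16")]

def wildcard_to_network(addr, wildcard):
    """Turn IOS 'addr wildcard' (wildcard = inverted mask) into an ip_network."""
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(config, number):
    """Return the source networks a standard numbered ACL permits."""
    pat = rf"^access-list {number} permit (\S+)(?: (\S+))?$"
    nets = []
    for addr, wc in re.findall(pat, config, re.M):
        if addr == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif addr == "host" or not wc:  # 'host X' or a bare address: one host
            nets.append(ipaddress.ip_network(f"{wc or addr}/32"))
        else:
            nets.append(wildcard_to_network(addr, wc))
    return nets

def vty_access_class(config):
    """Return the ACL number applied inbound on the vty lines, or None."""
    m = re.search(r"^line vty.*\n(?: .*\n)*? access-class (\d+) in", config, re.M)
    return m.group(1) if m else None

def audit_management_access(config, internal=INTERNAL):
    """Return (ok, findings): ok only if every permitted source is internal."""
    acl = vty_access_class(config)
    if acl is None:
        return False, ["vty lines have no inbound access-class"]
    findings = [f"ACL {acl} permits non-internal source {net}"
                for net in parse_acl(config, acl)
                if not any(net.subnet_of(i) for i in internal)]
    return not findings, findings
```

A `permit any` slipped into the management ACL, or a vty block with no `access-class`, turns the result to `False` with the offending line named, which is the case a reviewer of this design most wants caught.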






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3713&t=3666
