Call me naive, but how can a hacker know you are connected to a switch,
let alone find the IP address of the switch if it is on an internal
address? Yes, the switch is separating traffic by software, but isn't
every firewall doing the same thing? PIX, CheckPoint and the Cisco IOS
Firewall feature set are all software, so should we use none of these
products because no software is perfect? Think about the PIX: the inside
traffic and outside traffic are all handled in ONE box. What's the
difference?

First of all, anyone that has set up a co-location or web server on a
DMZ knows that your firewall is not your first line of defense. The
first line is your Internet router. Here you only allow web, smtp, dns
and ftp (if you want) traffic in. The hacker has to get through this
first. You can also put an access-list on this router to prevent any
traffic from hitting the actual outside interface of the PIX, so it
cannot be directly attacked. Then we have the PIX, which provides
additional security for our inside network. How can a hacker telnet into
a switch if the IP address is inside and the PIX prohibits this? Last
time I checked you can't use a MAC address to telnet. And besides, don't
Cisco switches have over 1000 MAC addresses in the Supervisor Engine?
How can you overflow a switch with MAC addresses or traffic? You should
use a high-end switch for your web traffic. Most of these switches can
switch billions of packets per second. Your Internet connection will
crash before anyone can even come close to this. In addition, most
companies set up their web server in a co-location where space is at a
premium. You cannot put three 4000 or 5000 switches in one rack along
with your servers. And then these companies have internal routers
connecting their internal network to this co-location, where they put
more access-lists. I think any hacker would give up before trying to
continue on. Yes, no software is perfect, but every firewall is
software. The only secure way is to have no Internet access.
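An added example, not from any message in this thread, of the layered filtering the reply above describes: a border-router access-list that admits only the published services from the Internet and refuses anything addressed to the router itself or to the PIX outside interface, plus a management access list on the switch so its management address only answers from the internal VLAN. It uses Cisco IOS syntax; the interface names, the RFC 5737 public addresses and the RFC 1918 internal range are constructed for illustration and are not from the original posts.

```cisco
! Added example (not from the thread). Constructed addressing:
!   198.51.100.2   router interface facing the ISP
!   203.0.113.1    router interface facing the PIX
!   203.0.113.2    PIX outside interface (never reachable from the Internet)
!   203.0.113.3    PIX PAT global address for sessions opened from inside
!   203.0.113.10   public web server, .11 mail server, .12 DNS server
!   10.1.0.0/16    internal (management) VLAN behind the PIX
!
ip access-list extended INTERNET-IN
 remark --- drop spoofed sources first: private space and our own block
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 remark --- nothing from outside may address the router or the PIX itself
 deny   ip any host 198.51.100.2
 deny   ip any host 203.0.113.1
 deny   ip any host 203.0.113.2
 remark --- only the published services are reachable
 permit tcp any host 203.0.113.10 eq www
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.11 eq smtp
 permit udp any host 203.0.113.12 eq domain
 permit tcp any host 203.0.113.12 eq domain
 remark --- return traffic for sessions the inside opened through the PIX;
 remark     the PAT address is deliberately not the PIX interface address
 permit tcp any host 203.0.113.3 established
 permit udp any eq domain host 203.0.113.3 gt 1023
 remark --- everything else is logged and dropped (implicit deny follows)
 deny   ip any any log
!
interface Serial0/0
 description Link to ISP
 ip address 198.51.100.2 255.255.255.252
 ip access-group INTERNET-IN in
!
! On the switch: the management address lives on the internal VLAN and the
! vty lines accept sessions only from that VLAN, as the original poster set up.
ip access-list standard MGMT-HOSTS
 permit 10.1.0.0 0.0.255.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
```

Two caveats a practitioner would want: the router list is stateless, so if the PIX translates inside sessions to its own outside interface address rather than a separate global address, the "deny ip any host 203.0.113.2" line silently breaks return traffic; and the vty access-class filters only IP sessions to the management address, which addresses the telnet scenario the thread is arguing about but says nothing about the layer-2 concerns the other posters raise.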

-----Original Message-----
From: Jim Gillen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 4:42 PM
To: [EMAIL PROTECTED]
Subject: Re: FW: security opinions please [7:3666]


Have you ever looked into how a switch can be compromised by an
experienced hacker?

Even though, theoretically, VLANs can't talk to each other except
through a router, you are still having external and internal traffic on
the same physical box running OS software, which is not perfect.




Cheers

Jim Gillen

Snr Communications Engineer
AUSTRAC

Ph:   9950 0842
Fax:  9950 0074



>>> "Brian"  9/05/01 8:59:56 >>>

Echoing these sentiments here, the whole point of vlans is traffic
separation.

Brian "Sonic" Whalen
Success = Preparation + Opportunity


On Tue, 8 May 2001, Eric Rivard wrote:

> If you look at all of Cisco's documentation on their website it
> recommends you use VLANs just like this. They even did a study with
> Microsoft and posted it on Microsoft's website suggesting to use VLANs
> to distinguish between outside, DMZ, and internal networks. I have seen
> many big companies do it this way. For example, last month Cisco had
> Excite's network diagram on its site, saying how they used VLANs; they
> also had an Oracle example. I have set up quite a few co-locations
> using only a 5500 with 3 VLANs, one for the outside, one for the inside,
> and one for the DMZ. I don't see how a hacker can break into a different
> VLAN from the outside. Switches see VLANs as logical switches inside of
> it. If a hacker wants to get to the internal VLAN from the outside he
> would have to go through the firewall. If Cisco recommends it and
> companies like Microsoft and Excite are implementing it, I don't see how
> it can be a security risk. See this link for a really good document on
> setting up an e-commerce co-location network; it also has router and PIX
> configs.
>
> http://www.microsoft.com/TechNet/ecommerce/ciscomef.asp
>
>
> -----Original Message-----
> From: Carroll Kong [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 08, 2001 1:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: security opinions please [7:3666]
>
>
> At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
> >Let me lay out the basic topology of a network first:
> >
> >A 6500 has several VLANs configured on it.  Among these are an external
> >internet VLAN, a DMZ, and several internal VLANs.  The internal VLANs are
> >routed by an MSFC in the 6500.  Routing between the internal, DMZ, and
> >external are handled by a firewall external to the 6500.
> >
> >Are there any security issues with having all of these VLANs in the same
> >box?  Someone in our organization is concerned that someone can hack the
> >switch just because the connection from the internet is plugged into it.
> >The switch's management address is on one of the internal VLANs, and an
> >access list is on the telnet access that restricts access to only the
> >internal VLANs.
>
> Oh boy, the big security button.  IF you really want to be secure, you
> are NOT going to be using VLANs at all.  You want hard, cold, old
> fashioned separate layer 2 networks, by HARDWARE.  However, realize
> security is really a layering process and hopefully warding off
> attackers of a particular experience level by making the task seem like
> "too much trouble", or "beyond their ability."  A true pro can penetrate
> "VLAN" based security.  A novice, and probably most intermediates, will
> not.  You decide and weigh out your costs in choosing the far less
> flexible hard switches on the side method, or using the far more
> flexible Catalyst VLAN style.
>
> That is the security cost analysis you must do.  i.e.  If you are
> guarding the Fort Knox of the computer realm, I'd probably go hardcore.
> If you are not, you may want to stick with VLANs.  Security is always a
> balance between convenience and security.  :(  The sad truth is, the
> ultimate security is the wire cutters (and perhaps a Faraday Cage if
> wireless takes off).  :)
>
>
>
> -Carroll Kong
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3718&t=3666