Interesting thread, and on a subject that crops up again and again...
Sure it's possible to compromise VLANs, but as has been said, through
misconfiguration rather than anything else. Say you have a switch in a
hosting centre that customers can plug into - set your ports to anything
other than "trunk off" and you're in big trouble :-(
Interestingly, a place I worked at had a network design submitted by a *VERY*
well known and respected organisation (acting as consultants for an ASP-type
deal), with 26 (count 'em) switches so as to avoid these apparent security
flaws. Having laughed them out of the building, guess what eventually got
installed? A pair of 6509s - so go figure.
Andy
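As an added illustration (not part of the thread) of what "trunk off" means on a Cisco IOS-based Catalyst, here is the negotiable default beside the hardened access-port and uplink configuration; interface numbers and VLAN IDs are assumptions.

```cisco
! Added example, not from the thread. Interface numbers and VLAN IDs are assumed.

! --- Risky: DTP left at its default (dynamic desirable/auto) on a customer-facing port.
! A connected device that speaks DTP can negotiate the port into a trunk and then
! see every VLAN carried on it, which is the failure Andy's "trunk off" remark is about.
interface GigabitEthernet3/1
 description customer-facing port (weak: trunking negotiable)
 switchport
 switchport mode dynamic desirable

! --- Hardened: trunking is off for good, not merely "not negotiated right now".
! Access mode pins the port to one VLAN; nonegotiate stops DTP frames being sent
! or honoured; portfast marks it as an edge port that should never act as an uplink.
interface GigabitEthernet3/1
 description customer-facing port (hardened)
 switchport
 switchport mode access
 switchport access vlan 110
 switchport nonegotiate
 spanning-tree portfast

! --- The only genuine trunk: the uplink towards the firewall/router. Carry only the
! VLANs that must cross it and park the native VLAN on an unused ID so untagged
! frames cannot land in a production VLAN.
interface GigabitEthernet1/1
 description uplink trunk (hardened)
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 100,110,200
 switchport trunk native vlan 999

! Verify: each customer port should report "Administrative Mode: static access"
! and "Negotiation of Trunking: Off"; only the uplink should show a trunk.
!   show interfaces GigabitEthernet3/1 switchport
!   show interfaces trunk
! CatOS equivalent for a customer port: set trunk 3/1 off
```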
----- Original Message -----
From:
To:
Sent: Tuesday, May 08, 2001 11:32 PM
Subject: Re: security opinions please [7:3666]
> From a pure security perspective, this design is not as secure as
> having separate switches for the outside, DMZ and inside networks.
> The reasoning is very simple: yes, you can put lots of software in
> place to prevent people from telnetting to the switch, but in the
> event of just the right failure/misconfiguration, someone could
> theoretically re-configure the switch to do bad things.
>
> I have had long discussions with people about this issue and the
> bottom line is that while a compromise in this configuration is
> highly improbable, it is not impossible. When you have physical
> separation of switches, it is impossible for a software
> failure/misconfiguration in the switch to lead to an internal
> compromise; it is therefore a more secure configuration to use
> multiple switches.
>
> It is, however, very convenient to use a single switch. As a
> compromise, I recommend a single external switch and a common
> internal switch for the DMZs and internal segments. As there are
> normally very few connections on the outside, this is a reasonable
> compromise at a very small incremental cost.
>
> HTH,
> Kent
>
> On 8 May 2001, at 15:42, [EMAIL PROTECTED] wrote:
>
> > Let me lay out the basic topology of a network first:
> >
> > A 6500 has several VLANs configured on it. Among these are an
> > external internet VLAN, a DMZ, and several internal VLANs. The
> > internal VLANs are routed by an MSFC in the 6500. Routing between the
> > internal, DMZ, and external are handled by a firewall external to the
> > 6500.
> >
> > Are there any security issues with having all of these VLANs in the
> > same box? Someone in our organization is concerned that someone can
> > hack the switch just because the connection from the internet is
> > plugged into it. The switch's management address is on one of the
> > internal VLANs, and an access list is on the telnet access that
> > restricts access to only the internal VLANs.
> > FAQ, list archives, and subscription info:
> > http://www.groupstudy.com/list/cisco.html Report misconduct and
> > Nondisclosure violations to [EMAIL PROTECTED]
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3732&t=3666