Besides security, don't forget this leaves you with a single point of
failure for the entire network....

----- Original Message -----
From: "Robert Nelson-Cox" 
To: 
Sent: Wednesday, May 09, 2001 1:42 AM
Subject: Re: security opinions please [7:3666]


> >
> >Let me lay out the basic topology of a network first:
> >
> >A 6500 has several VLANS configured on it.  Among these are an external
> >internet vlan, a dmz, and several internal vlans.   The internal vlans are
> >routed by an MSFC in the 6500.  Routing between the internal, dmz, and
> >external are handled by a firewall external to the 6500.
> >
> >Are there any security issues with having all of these VLANS in the same
> >box?  Someone in our organization is concerned that someone can hack the
> >switch just because the connection from the internet is plugged into it.
> >The switch's management address is on one of the internal vlans, and an
> >access list is on the telnet access that restricts access from only the
> >internal vlans.
>
> Cisco switches have been known to 'bleed' traffic between VLANs, esp. when
> carried over older switches through ISL.
>
> I don't know of any issues with the 6500, but that doesn't mean that they
> don't exist.
>
> I would not recommend this solution for exactly the reason that 'someone' is
> concerned about.  A DMZ, Outside and Inside should be kept physically
> separate, on one piece of wire each.  What would happen is some 'idiot'
> plugged a connection between the Outside and the Inside VLAN, very uncool.
>
> From outside to inside should be a connection from an exterior router to the
> firewall - 100baseTX x-over cable.
>
> DMZ - A hub or switch [1] connecting the port on the FW to DMZ hosts
>
> Inside - Connect to switch for users to access.
>
> That'll be $1,000 please. ;^)
>
> Rob./
>
> [1] Depending on network saturation.
>
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3810&t=3666