> I'm finishing a project @ work & have an opportunity to recommend multiple
> 3500 series switches or VLAN configuration. The placement of these boxes
> will be before a firewall, coming off of a BGP router (for IDS's, SwitchProbes,
> DMZ, etc.). Can anyone think of an argument either way ???
>
> Thanks Everyone
> Phil

Phil,
There has been a lot of work on the security of layer two security devices
- firewalls etc - note that the PIX is not a router. Basically it boils down
to the point that if you cannot get to it at layer three it is very hard to
control remotely. VLANs are fine in this situation and you do not need
separate switches, but I suggest you follow a path I did. First make sure
that there is no IP address on the switch. If you choose to have one it may
inadvertently let someone gain access. Second, make the password some very
long string of characters; fill the buffer if you can on that one.
Next make sure to do a screen copy of that to somewhere you can get to it
later so you can paste it in if you ever have to modify the switch in
service. There are other ways to do this if you must set an IP, but out of
band management is the best solution with a terminal server connected to the
console of firewall equipment.
Regards,
Jim
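As an added illustration of the advice in Jim's reply (this is not Jim's or Phil's configuration, and it is not from the list), here is what the switch side of that setup looks like in Catalyst IOS syntax: the management VLAN interface carries no IP address and is shut down, the VLANs for the sensors, probes and DMZ live on the one box, every in-band management path (vty, HTTP, SNMP, CDP) is disabled, and the console is the only way in. The hostname, VLAN numbers, password placeholders and timeout value are assumed for illustration; on the older 3500XL train VLANs are created in `vlan database` mode rather than with the global `vlan` command shown.

```cisco
! Added example, not from the original post. Hostname, VLAN IDs and secrets
! are assumed placeholders.
hostname dmz-sw1
!
! No IP address on the switch at all: with the only SVI shut down, nothing
! in front of the firewall can reach the switch at layer three.
interface Vlan1
 no ip address
 shutdown
!
! One box, several broadcast domains, instead of separate switches
! (VLAN IDs assumed; older XL IOS uses "vlan database" for this step).
vlan 10
 name IDS
vlan 20
 name SWITCHPROBE
vlan 30
 name DMZ
!
! Long privileged-mode secret; keep an off-box copy so it can be pasted in
! when the switch has to be modified in service.
enable secret LONG-RANDOM-STRING-GOES-HERE
service password-encryption
!
! Remove every in-band management path, not just the IP address.
no ip http server
no snmp-server
no cdp run
line vty 0 15
 transport input none
 no exec
!
! Console only, fed by the out-of-band terminal server: require a login
! and time out idle sessions.
line con 0
 password LONG-RANDOM-CONSOLE-STRING
 login
 exec-timeout 5 0
 logging synchronous
```

The point of the `interface Vlan1` block is that `no ip address` alone still leaves an up SVI; shutting it down as well removes the switch from the IP network entirely, which is the state Jim describes. The `line vty` block matters because a switch with no IP cannot be telnetted to today, but if someone later adds an address, `transport input none` keeps the vty lines closed until that decision is made deliberately.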



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=18227&t=18203
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]