Pete, bear in mind that this document is 2 years old.  The IOS version on
the switch was 11.2.  Anybody care to speculate on how much has changed
since 11.2?  How about the changes in Dot1Q since then?

Nonetheless, I don't get a warm and fuzzy feeling with separating external
and internal traffic with VLANs.  I like physical separation coupled with
firewall protection.  I believe it's not just protecting what has been
hacked already but minimizing what can be hacked in the future.

Rik

-----Original Message-----
From: Peter van Oene [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 1:18 PM
To: [EMAIL PROTECTED]
Subject: RE: Security hazard?? [7:45731]


Interesting indeed.  I hadn't seen that before. This is obviously an 
architecturally flawed implementation.  Ideally, the CAM (MAC) table should 
be fully isolated to prevent unwanted forwarding and ports not considered 
trunks shouldn't accept tagged packets.  I assume folks are working on 
this, but at this time, it would look like securing a topology of this 
nature requires some additional effort.

Thanks for the link

Pete


At 12:31 PM 6/4/2002 -0400, Eric Rivard wrote:
>if you do not have IP routing on the VLANs you can still hop from one VLAN
>to another. See this article for more info:
>http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
>
>-----Original Message-----
>From: Peter van Oene [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, June 04, 2002 8:41 AM
>To: [EMAIL PROTECTED]
>Subject: RE: Security hazard?? [7:45731]
>
>
>Assuming the untrusted VLAN offers no IP connectivity to its control
>engine (ie the routed aspects are not reachable therein) what
>vulnerabilities exist here?   With no routing on the VLAN, I'm not exactly
>sure how one gets from untrusted to trusted without traversing the
>Firewall.  The only limitation I see here would be one of either poorly
>implemented VLAN technology on the part of the vendor, or fat fingering on
>the part of the administrator.
>
>Pete
>
>
>
>
>At 11:06 AM 6/4/2002 -0400, Robert A. McIntire wrote:
> >If I understand what you're describing, it sounds like you've pretty well
> >by-passed the firewall.  As a general comment, it seems pointless to have a
> >firewall if you're not going to utilize it with sound network security
> >design.
> >I think I understand what you're trying to do, but you may want to rethink
> >the reasoning.
> >Your VLANs ( on the same devices ) are a very thin security veil between
> >the trusted and untrusted networks.  Without a net diagram, we can only
> >speculate.  But, I'm guessing that the most secure you can be with this
> >physical config is to pin strong ACLs to the outside interfaces of the 3640
> >access routers.  You could also pin ACLs to the VLAN interfaces to filter
> >unwanted traffic.  What kind of capability do these switches have?  Have you
> >considered the IOS firewall ( CBAC ) for the edge routers?
> >
> >I think a tech support call to your firewall vendor may be an eye-opening
> >experience.  Send them a diagram of what you've got and see if it's a
> >network design scenario that they support.  I assume the 2 3640s are being
> >used redundantly with HSRP?  If so, why not consider a second, redundant
> >firewall and place them both in-line between the edge routers and the
> >internal LANs?
> >
> >                 HTH,  Bob McIntire
> >
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> >Craig Columbus
> >Sent: Tuesday, June 04, 2002 9:42 AM
> >To: [EMAIL PROTECTED]
> >Subject: Re: Security hazard?? [7:45731]
> >
> >
> >Do I understand you correctly that your 6808s have both internal (secure)
> >and external (unsecure) traffic on them, separated only by VLAN?
> >
> >At 09:30 PM 6/3/2002 -0400, you wrote:
> > >All,
> > >
> > >We have two 3640's and two Extreme Black Diamond 6808's (aka 6509's).
> > >The two 3640's are doing IBGP between them on each of their eth0's.  I
> > >have created a vlan on the Extremes called 'unsecure'(there are only 2
> > >ports on each Extreme in this vlan... one coming in from the 3640 and
> > >the other going into the firewall).  I am getting some complaints from
> > >the 'uppers' that bringing the 3640's into the Extreme's is a security
> > >hazard.
> > >
> > >I am sure someone is now working on a way to hack from one vlan to the
> > >next, but for now, I don't see the difference between putting a hub in
> > >there and using a couple of ports on these monster
> > >'almost-never-go-down' switches.  I just don't want another unmanaged
> > >piece of equipment in the flow.
> > >
> > >Has anyone ever heard of this being a leak?  I worked in a datacenter
> > >before and this is what we did with 6509's and we didn't blink!  I know
> > >these are Extreme switches... which is probably taboo in the group, but
> > >I am pretty sure this would be platform independent... right????
> > >
> > >Thanks,
> > >
> > >bk


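Pete's remark above that ports not considered trunks should not accept tagged frames is something an operator can actually check for. The script below is an added example, not code from anyone in this thread: it parses the 802.1Q tag stack of an Ethernet frame and flags tags arriving on ports whose intended role (a hypothetical port-role table) is "access", tags outside a trunk's allowed list, and stacked tags. The frames and port names are constructed sample data.

```python
import struct

DOT1Q = 0x8100  # 802.1Q tag EtherType

def build_frame(vids, inner_type=0x0800):
    """Construct a test frame carrying zero or more 802.1Q tags (constructed sample data)."""
    hdr = bytes.fromhex("0000000000aa") + bytes.fromhex("0000000000bb")  # dst, src
    tags = b"".join(struct.pack("!HH", DOT1Q, vid & 0x0FFF) for vid in vids)
    return hdr + tags + struct.pack("!H", inner_type) + b"\x00" * 46

def parse_tags(frame):
    """Walk the 802.1Q tag stack after the MAC header; return (vlan_ids, inner EtherType)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vids, off = [], 14
    while ethertype == DOT1Q:
        if len(frame) < off + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        off += 4
    return vids, ethertype

def check_frame(port_roles, port, frame):
    """Findings for one frame ingressing on `port`, judged against its intended role."""
    role = port_roles[port]
    vids, _ = parse_tags(frame)
    findings = []
    if role["mode"] == "access" and vids:
        findings.append(f"{port}: 802.1Q tag (vid {vids[0]}) on access port")
    if role["mode"] == "trunk" and vids and vids[0] not in role["allowed"]:
        findings.append(f"{port}: vid {vids[0]} not in allowed list on trunk")
    if len(vids) > 1:
        findings.append(f"{port}: stacked tags {vids}")
    return findings

# Hypothetical roles: the two 'unsecure' ports are access ports, one trunk carries internal VLANs.
PORT_ROLES = {
    "1/1": {"mode": "access", "vlan": 999},
    "1/2": {"mode": "access", "vlan": 999},
    "2/1": {"mode": "trunk", "allowed": {10, 20}},
}

def audit(samples):
    """Run the checks over (port, frame) pairs and return every finding."""
    out = []
    for port, frame in samples:
        out.extend(check_frame(PORT_ROLES, port, frame))
    return out
```

Feed it captures from a span port on the access ports of the 'unsecure' VLAN; any finding means a tag reached a port that should never see one, or a trunk carried a VLAN it should not.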


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45768&t=45731