Also, doesn't the SANS Institute publish the papers that their certification candidates write? In other words, this may not have been written by a security guru. It may have been written by someone trying to pass the certification hurdles, one of which is the requirement to write a white paper. On the other hand, the testing seems quite valid (if old) and the paper is well written with good implications and recommendations (if a bit obvious). SANS is very strict, from what I hear.
Priscilla

At 02:39 PM 6/4/02, Rik Guyler wrote:
>Pete, bear in mind that this document is 2 years old. The IOS version on the switch was 11.2. Anybody care to speculate on how much has changed since 11.2? How about the changes in Dot1Q since then?
>
>Nonetheless, I don't get a warm and fuzzy feeling with separating external and internal traffic with VLANs. I like physical separation coupled with firewall protection. I believe it's not just protecting what has been hacked already but minimizing what can be hacked in the future.
>
>Rik
>
>-----Original Message-----
>From: Peter van Oene [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, June 04, 2002 1:18 PM
>To: [EMAIL PROTECTED]
>Subject: RE: Security hazard?? [7:45731]
>
>Interesting indeed. I hadn't seen that before. This is obviously an architecturally flawed implementation. Ideally, the CAM (MAC) table should be fully isolated to prevent unwanted forwarding and ports not considered trunks shouldn't accept tagged packets. I assume folks are working on this, but at this time, it would look like securing a topology of this nature requires some additional effort.
>
>Thanks for the link
>
>Pete
>
>At 12:31 PM 6/4/2002 -0400, Eric Rivard wrote:
> >If you do not have IP routing on the VLANs you can still hop from one VLAN to another. See this article for more info:
> >http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
> >
> >-----Original Message-----
> >From: Peter van Oene [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, June 04, 2002 8:41 AM
> >To: [EMAIL PROTECTED]
> >Subject: RE: Security hazard?? [7:45731]
> >
> >Assuming the untrusted VLAN offers no IP connectivity to its control engine (i.e. the routed aspects are not reachable therein), what vulnerabilities exist here? With no routing on the VLAN, I'm not exactly sure how one gets from untrusted to trusted without traversing the firewall. The only limitation I see here would be one of either poorly implemented VLAN technology on the part of the vendor, or fat fingering on the part of the administrator.
> >
> >Pete
> >
> >At 11:06 AM 6/4/2002 -0400, Robert A. McIntire wrote:
> > >If I understand what you're describing, it sounds like you've pretty well by-passed the firewall. As a general comment, it seems pointless to have a firewall if you're not going to utilize it with sound network security design.
> > >I think I understand what you're trying to do, but you may want to rethink the reasoning.
> > >Your VLANs (on the same devices) are a very thin security veil between the trusted and untrusted networks. Without a net diagram, we can only speculate. But, I'm guessing that the most secure you can be with this physical config is to pin strong ACLs to the outside interfaces of the 3640 access routers. You could also pin ACLs to the VLAN interfaces to filter unwanted traffic. What kind of capability do these switches have? Have you considered the IOS firewall (CBAC) for the edge routers?
> > >
> > >I think a tech support call to your firewall vendor may be an eye-opening experience. Send them a diagram of what you've got and see if it's a network design scenario that they support. I assume the 2 3640s are being used redundantly with HSRP? If so, why not consider a second, redundant firewall and place them both in-line between the edge routers and the internal LANs?
> > >
> > >HTH, Bob McIntire
> > >
> > >-----Original Message-----
> > >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Craig Columbus
> > >Sent: Tuesday, June 04, 2002 9:42 AM
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: Security hazard?? [7:45731]
> > >
> > >Do I understand you correctly that your 6808s have both internal (secure) and external (unsecure) traffic on them, separated only by VLAN?
> > >
> > >At 09:30 PM 6/3/2002 -0400, you wrote:
> > > >All,
> > > >
> > > >We have two 3640's and two Extreme Black Diamond 6808's (aka 6509's). The two 3640's are doing IBGP between them on each of their eth0's. I have created a vlan on the Extremes called 'unsecure' (there are only 2 ports on each Extreme in this vlan... one coming in from the 3640 and the other going into the firewall). I am getting some complaints from the 'uppers' that bringing the 3640's into the Extremes is a security hazard.
> > > >
> > > >I am sure someone is now working on a way to hack from one vlan to the next, but for now, I don't see the difference between putting a hub in there and using a couple of ports on these monster 'almost-never-go-down' switches. I just don't want another unmanaged piece of equipment in the flow.
> > > >
> > > >Has anyone ever heard of this being a leak? I worked in a datacenter before and this is what we did with 6509's and we didn't blink! I know these are Extreme switches... which is probably taboo in the group, but I am pretty sure this would be platform independent... right????
> > > >
> > > >Thanks,
> > > >
> > > >bk

________________________
Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45771&t=45731
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
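Pete's point in the thread is that a port not configured as a trunk should never accept 802.1Q-tagged frames, and that a trunk should only carry the VLANs explicitly allowed on it. The following is an added illustration, not code from the thread or from any switch vendor: a small Python model that parses the 802.1Q tag stack of a raw Ethernet frame and applies that strict ingress policy (tagged-on-access, nested tags and disallowed VIDs are all dropped). The frames and MAC addresses are constructed sample data; the port modes and policy names are assumptions for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(vids, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed sample frame: dummy MACs, zero or more 802.1Q tags, then payload."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI bits left at 0
    return hdr + struct.pack("!H", ethertype) + payload

def parse_vlan_tags(frame):
    """Return (list of VLAN IDs outer-to-inner, inner EtherType) for a raw frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    off, vids = 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated EtherType")
        (etype,) = struct.unpack("!H", frame[off:off + 2])
        if etype != TPID_8021Q:
            return vids, etype
        if len(frame) < off + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        off += 4

def ingress_decision(port_mode, frame, access_vid=None, allowed_vids=frozenset()):
    """Strict ingress policy (assumed model): ("forward", vid) or ("drop", reason)."""
    vids, _ = parse_vlan_tags(frame)
    if port_mode == "access":
        if vids:
            return ("drop", "tagged frame on non-trunk port")
        return ("forward", access_vid)  # untagged frames belong to the access VLAN
    if port_mode == "trunk":
        if not vids:
            return ("drop", "untagged frame on trunk with no native VLAN")
        if len(vids) > 1:
            return ("drop", "nested 802.1Q tags")
        if vids[0] not in allowed_vids:
            return ("drop", "VLAN %d not allowed on this trunk" % vids[0])
        return ("forward", vids[0])
    raise ValueError("unknown port mode: %r" % port_mode)
```

Running the policy over the two ports in the original poster's 'unsecure' VLAN (both access ports) would drop every tagged frame before it could influence the shared CAM table, which is the behaviour Pete describes as the ideal.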