While I agree that by compromising the switch the intruder can bypass the firewall, I don't feel that it is of significant concern to warrant the purchase of an additional switch to separate the two.

The big drive here is that you must secure your switch at L2, and if you do so, I feel that it is perfectly adequate. In the last Cisco Packet magazine there was an article addressing exactly this issue, and it listed some of the common exploits and how to circumvent them. Obvious ones are: by default all ports are left on auto (with regard to trunks), so a user could jack in, request to form a trunk port and then capture all the VLAN etc. details, and in effect be able to VLAN hop. Enabling port security and restricting the number of ACLs seen on one port is another way to do it. Look at using 802.1X for MAC-based port authentication, especially on server VLANs! You can even go as far as private VLANs and ACLs to stipulate which ports and MACs are allowed to speak to each other .. very useful when using your switch for a simple connection point (e.g. /30 between firewall and router or something).

http://www.cisco.com/en/US/about/ac123/ac114/ac173/ac222/about_cisco_packet_feature09186a0080142deb.html

Go and check out the article and make your own mind up.

Andrew Dorsett wrote:

> On Fri, 21 Mar 2003, Paulo Roque wrote:
>
> > I usually separate firewall zone with different physical LAN in different switches.
> > What do you think of separating firewall zone with VLANs in the same switch/chassis?
>
> Generally a very bad idea! I fully agree with physical separation. Because if it's based on VLANs then they only have to compromise the switch to compromise the entire network. Also because there are new layer 2 techniques that can allow a packet to hop across VLANs. These are the only things that worry me about the FW module for the 6500 chassis. It's based on VLANs. So if I can hop VLANs somewhere then I can bypass the firewall.
>
> Andrew
> ---
>
> http://www.andrewsworld.net/
> ICQ: 2895251
> Cisco Certified Network Associate
>
> "Learn from the mistakes of others. You won't live long enough to make all of them yourself."
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66064&t=65938
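As an added illustration (not part of the original thread or the Cisco article), here is an IOS configuration showing the default DTP-auto access port the reply warns about next to the hardened form it describes: explicit access mode with DTP disabled, port security limiting learned MACs, 802.1X, and a pruned trunk towards the firewall. Interface names, VLAN numbers, the RADIUS server address and key are placeholders.

```cisco
! WEAK: the default on many switches of this era. The port will answer a DTP
! request and form a trunk, exposing every VLAN to whatever is plugged in.
interface FastEthernet0/10
 switchport mode dynamic desirable

! HARDENED access port (placeholder interface, VLAN and RADIUS values).
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.0.0.5 key PLACEHOLDER-RADIUS-KEY
dot1x system-auth-control

interface FastEthernet0/10
 description host/server port behind the firewall
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate                 ! never send or answer DTP
 switchport port-security
 switchport port-security maximum 1     ! one MAC per port
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 dot1x port-control auto                ! 802.1X port authentication
 spanning-tree portfast
 spanning-tree bpduguard enable

! Uplink to the firewall: explicit trunk, no DTP, only the VLANs it needs,
! and a native VLAN that carries no user traffic.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,30

! Unused ports: parked in an unused VLAN and shut down.
interface range FastEthernet0/20 - 24
 switchport access vlan 999
 shutdown
```

`show interfaces trunk` and `show port-security interface FastEthernet0/10` confirm that the port is no longer trunking and that the MAC limit is enforced.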

