That I know of, you enter the danger zone here when you cross from Level 2 to Level 3 packet layers. VLANS are typically implemented using 802.1q, which must be encapsulated to pass through a level 3 device, such as a router. There are actually proven attacks for defeating such encapsulation, which would allow you to now 'jump' the vlans. Reference SecurityFocus.org in ~ September, 1999. Strong caution is advised.

My apologies here if my terminology isn't perfect. <waits for the flames to come in>

----- Original Message -----
From: "BC" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 27, 2000 1:16 PM
Subject: multiple VLANs in same physical chassis and firewall integration

> Here's an interesting network/firewall integration issue that I am seeing
> pop up in multiple areas.
>
> One Cisco switching chassis, a two ported firewall, and two VLANs. One
> VLAN considered untrusted, one considered trusted; X firewall plugged into
> each of these logical VLANs with untrusted interface plugged into untrusted
> VLAN port, etc. In what way is this secure? I am not fond of this setup,
> but can this be documented secure? Can anyone claim to have circumvented
> the logical partitioning the VLANs provide (short of having physical access
> and moving cables or gaining administrative access to the switch and
> reprogramming).
>
> Looking for fodder to shoot this design spec down and physically separate
> the security domains or for respected background on the security of doing so.
>
> bc
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
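An added audit example for the setup the thread discusses (not code from either poster): it parses the 802.1q tag stack of raw Ethernet frames taken from a mirror port and flags frames whose tagging is inconsistent with the port's intended role, i.e. tagged frames arriving on a port configured as an untagged access port, or stacked tags on a trunk where only single tagging is provisioned. Port names, the port-to-VLAN plan and the sample frames are constructed assumptions.

```python
import struct

# Added example, not from the original thread. Assumes frames are captured raw
# from a mirror/SPAN port and that the port-to-VLAN plan below is known.
ETHERTYPE_8021Q = 0x8100   # customer VLAN tag
ETHERTYPE_QINQ = 0x88A8    # service (provider) tag used for stacked tagging


def parse_vlan_tags(frame: bytes):
    """Return (list of VLAN IDs, inner ethertype) for a raw Ethernet frame,
    walking every 802.1q/802.1ad tag that follows the MAC header."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, tags = 12, []
    while True:
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in (ETHERTYPE_8021Q, ETHERTYPE_QINQ):
            return tags, ethertype
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
        offset += 4


def audit_frame(port: str, frame: bytes, access_ports: dict):
    """Return a finding string when the tag stack does not match the port's
    role, else None. access_ports maps port name -> its single untagged VLAN."""
    tags, _ = parse_vlan_tags(frame)
    if port in access_ports:
        if tags:
            return f"{port}: tagged frame {tags} on access port for VLAN {access_ports[port]}"
        return None
    if len(tags) > 1:
        return f"{port}: stacked tags {tags} on trunk port without stacked tagging provisioned"
    return None


def build_frame(dst: bytes, src: bytes, vlan_ids, payload_ethertype=0x0800) -> bytes:
    """Constructed sample frame (not captured traffic) with the given tag stack."""
    hdr = dst + src
    for vid in vlan_ids:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", payload_ethertype) + b"\x00" * 46


ACCESS_PORTS = {"Gi0/1": 10, "Gi0/2": 20}          # assumed port-to-VLAN plan
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("0200000000aa")
SAMPLES = [("Gi0/1", build_frame(DST, SRC, [])),      # untagged on access port: ok
           ("Gi0/1", build_frame(DST, SRC, [20])),    # tagged on access port: finding
           ("Gi0/24", build_frame(DST, SRC, [10, 20]))]  # stacked tags on trunk: finding


def run_audit(samples=SAMPLES):
    """Audit every (port, frame) pair and return the list of findings."""
    findings = []
    for port, frame in samples:
        finding = audit_frame(port, frame, ACCESS_PORTS)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in run_audit():
        print(line)
```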
