According to Jason Lewis:
>
>While we are on the subject... Care to go into detail about why VLANs
>shouldn't be assumed to be secure either? I can't tell you how many
>"discussions" I have had about why the firewall shouldn't be in just another VLAN
>off the 6509.
>

Basically, because a carefully crafted packet can be made to jump
VLANs. The tag on the VLAN is just a field in the Ethernet packet
which can be set by the client; the switch will believe the packet
headers and just dump it on the other VLAN for you. VLANs should
really only be used in a trusted context to control your broadcast
domains; they cannot be trusted to enforce a security policy on an
untrusted network. A properly configured layer 3 device is not
susceptible to this sort of attack (modulo bugs of course ;-)

-- 
===============================================================================
Brett Lymn, Computer Systems Administrator, BAE SYSTEMS
===============================================================================


_______________________________________________
Firewalls mailing list
http://lists.gnac.net/mailman/listinfo/firewalls
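An added example, not from either poster, of the frame inspection a monitoring sensor on a span port would do to spot the client-supplied 802.1Q tags the reply describes: it walks the tag stack of a raw Ethernet frame and flags a tagged frame arriving from an access port, or a frame carrying nested tags, on constructed sample frames (the MAC addresses, VIDs and the `classify` verdict names are assumptions for the example).

```python
import struct

# Tag protocol identifiers that introduce a 4-byte 802.1Q / 802.1ad tag header.
TPIDS = {0x8100, 0x88A8}

def parse_vlan_tags(frame: bytes):
    """Walk the tag stack of a raw Ethernet frame.

    Returns (dst_mac, src_mac, [vid, ...], inner_ethertype). VIDs are listed
    outer-to-inner; an untagged frame yields an empty list.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset, vids = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame ends inside EtherType field")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in TPIDS:
            return dst, src, vids, ethertype
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
        offset += 4

def classify(frame: bytes, access_port: bool = True) -> str:
    """Flag frames whose tag stack a host on this port has no business sending."""
    _, _, vids, _ = parse_vlan_tags(frame)
    if len(vids) >= 2:
        return "double-tagged"          # nested tags: the switch trusts the header, as the reply says
    if vids and access_port:
        return "tagged-on-access-port"  # hosts behind an access port should send untagged
    return "ok"

# Constructed sample frames (not real captures): broadcast dst, locally
# administered src, the tag stack, an IPv4 EtherType and a 46-byte pad.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
PAD = bytes(46)
UNTAGGED = DST + SRC + bytes.fromhex("0800") + PAD
TAGGED_10 = DST + SRC + bytes.fromhex("8100000a" "0800") + PAD
DOUBLE_10_20 = DST + SRC + bytes.fromhex("8100000a" "81000014" "0800") + PAD

if __name__ == "__main__":
    for name, frame in [("untagged", UNTAGGED), ("vid10", TAGGED_10), ("vid10/20", DOUBLE_10_20)]:
        print(f"{name:10} vids={parse_vlan_tags(frame)[2]} verdict={classify(frame)}")
```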
