- While I don't have a tool handy which generates trunked traffic, as a cascaded switch would, running such a tool on a compromised host would allow one to monitor, and inject traffic into, any other VLAN on the cluster. Basically, the encapsulation of traffic for multiple VLANs onto a single physical datalink between switches occurs so far down the protocol stack that there is not generally any provision for authenticating the connections.
- MAC address-based VLANing is likely (almost certain!) to be vulnerable to spoofing -- see the thread earlier this week.

That's two: one (possibly) theoretical but, I think, plausible, and one relying on a particular type of VLAN configuration but eminently doable.

DG

On 14 Feb 2002, at 22:04, [EMAIL PROTECTED] wrote:

> Hello,
>
> [EMAIL PROTECTED] wrote:
> > 2. Is it okay to use a VLAN to implement my DMZ, sharing the switch
> > hardware with my trusted network?
> > Also no, for two basic reasons:
> > (a) The VLAN feature is not intended as a security barrier; it may be
> > subject to compromise.
>
> Care to elaborate on that, especially wrt Cisco switches? I've seen
> this argument every now and then, but usually unsubstantiated.
>
> To the contrary, aside from broadcast domain (and thus fault) isolation,
> security is probably the most prominent argument listed in switching
> vendor literature wrt VLANs (which of course doesn't imply
> the existence of actual security in the first place, but sheds some
> light on its developers' design goals (aka what VLANs are
> "intended" as)).
>
> > (b) A large switch with VLANs is often more expensive than two
> > smaller switches. VLANs are of limited utility unless you are also
> > trunking together multiple switches, in which case they allow you to
> > define a logical division into subnets that is independent of your
> > physical distribution across switches.
> > But in the case of the DMZ, the logical and physical partitioning
> > of the network really ought to match.
>
> Given a number of other constraints, this may or may not be correct.
>
> If this guy has a good reason to want his DMZ to be a VLAN on a
> switch cluster, it should be possible to implement it safely, given
> appropriate switching technology and well-thought-out configuration.
>
> Regards
>
> Christoph Weber-Fahr
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
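The encapsulation DG refers to is the IEEE 802.1Q tag: four bytes (TPID 0x8100 plus a 16-bit TCI carrying the 12-bit VLAN ID) spliced in after the source MAC, with nothing in the frame that authenticates who chose the VID or the source address. The following is an added example, not code from the thread or from any switch vendor: it builds and parses such frames so the point is visible on the wire, and includes a hypothetical monitoring check, `audit_access_port_frame`, that flags the two cases the thread raises (a tagged frame for another VLAN turning up on an access port, and a source MAC that does not match the one the port was assigned by). The MAC addresses, VLAN IDs and payload bytes are constructed for the demonstration.

```python
"""Build, parse and audit IEEE 802.1Q-tagged Ethernet frames.

Added example for the VLAN thread; not code from the list or a vendor.
The tag is plain, unauthenticated bytes: any host that can emit raw
frames can pick the VID and the source MAC it wants.
"""
import struct
from typing import List, Optional

TPID_8021Q = 0x8100   # Tag Protocol Identifier marking an 802.1Q tag
ETH_P_IP = 0x0800     # EtherType for IPv4


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_untagged_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame: dst(6) src(6) type(2) payload."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def build_tagged_frame(dst_mac: str, src_mac: str, vid: int, ethertype: int,
                       payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """Ethernet II frame with one 802.1Q tag:
    dst(6) src(6) TPID(2) TCI(2) type(2) payload.
    TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0xFFF)
    header = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac)
    header += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    return header + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if present, the 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {"dst": bytes_to_mac(frame[0:6]), "src": bytes_to_mac(frame[6:12]),
            "vid": None, "pcp": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vid"] = tci & 0xFFF
        info["pcp"] = tci >> 13
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def audit_access_port_frame(frame: bytes, port_vid: int,
                            expected_mac: Optional[str] = None) -> List[str]:
    """Hypothetical monitoring check (an assumption of this example, not a
    switch feature). A host on an access port should send untagged frames;
    a tag for another VID is the injection the thread describes, and a
    source MAC other than the one the port was assigned by is the spoofing
    case for MAC-based VLAN membership. Returns a list of findings."""
    findings: List[str] = []
    parsed = parse_frame(frame)
    if parsed["vid"] is not None:
        if parsed["vid"] != port_vid:
            findings.append(f"tagged frame for VLAN {parsed['vid']} on access port in VLAN {port_vid}")
        else:
            findings.append(f"unexpected 802.1Q tag on access port (VLAN {parsed['vid']})")
    if expected_mac is not None and parsed["src"].lower() != expected_mac.lower():
        findings.append(f"source MAC {parsed['src']} does not match expected {expected_mac}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a host in VLAN 10 emits a frame tagged for VLAN 20.
    payload = b"\x45" + b"\x00" * 19          # stand-in IPv4 header bytes
    frame = build_tagged_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 20, ETH_P_IP, payload)
    print(parse_frame(frame))
    for finding in audit_access_port_frame(frame, port_vid=10, expected_mac="00:aa:bb:cc:dd:ee"):
        print("finding:", finding)
```

Parsing the frame back shows why there is "no provision for authenticating" the VLAN membership: the VID is recovered purely from the 12 bits the sender wrote, so a switch that honours tags arriving on a host-facing port is trusting the host. The audit function is the kind of check one would bolt on at a monitoring tap; whether the switch itself drops tagged frames on access ports is vendor- and configuration-specific and is not something this example can decide.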
