Hi
Besides common weaknesses of Cisco devices and common exploits on VLANs on
Catalyst or PIX series (just try googling about this), in my opinion it's
NOT a good idea to make VLANs in a secure environment. Basically your
traffic will be routed and controlled by a tag on a packet; this makes it
exploitable by any kind of "man in the middle" attack. On the other hand, it
could be very comfortable for your lazy network colleagues (just kidding).

Lorenzo
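
The point above, that VLAN membership on a trunk is decided by a tag carried in the packet itself, can be seen directly in the frame format. The following is an added example written for this thread (not code from the list, Nokia, Check Point or Cisco): it parses the 802.1Q tag stack of a raw Ethernet frame, shows that the tag is four unauthenticated bytes sitting after the source MAC, and classifies frames as untagged, tagged or double-tagged, the last being what a VLAN-hopping frame looks like on the wire and something a monitor on an access port should never see. The MAC addresses and sample frames are constructed in memory.

```python
"""Parse 802.1Q VLAN tags from a raw Ethernet frame and classify the frame.

Added example for this thread (not code from the list or any vendor). The
VLAN a trunk assigns a frame to is nothing more than the 12-bit VID in the
tag after the source MAC; nothing in the frame authenticates it.
"""
import struct

ETHERTYPE_8021Q = 0x8100   # customer tag (C-TAG)
ETHERTYPE_8021AD = 0x88A8  # service tag (S-TAG, 802.1ad / QinQ)
TAG_ETHERTYPES = {ETHERTYPE_8021Q, ETHERTYPE_8021AD}


def parse_vlan_tags(frame: bytes):
    """Return (vids, inner_ethertype, payload_offset) for a raw Ethernet frame.

    vids lists the 12-bit VLAN IDs in outer-to-inner order; it is empty for an
    untagged frame.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    offset = 12          # skip destination and source MAC addresses
    vids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame: no EtherType after tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in TAG_ETHERTYPES:
            return vids, ethertype, offset
        if offset + 2 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset)  # PCP(3) DEI(1) VID(12)
        offset += 2
        vids.append(tci & 0x0FFF)


def classify_frame(frame: bytes):
    """Classify a captured frame as 'untagged', 'tagged' or 'double-tagged'.

    On an access port a monitor should only ever see 'untagged'; more than one
    tag is the shape of a double-tagging VLAN-hopping frame.
    """
    vids, _, _ = parse_vlan_tags(frame)
    if len(vids) > 1:
        return "double-tagged", vids
    if len(vids) == 1:
        return "tagged", vids
    return "untagged", vids


def build_test_frame(vids, ethertype=0x0800, payload=bytes(20)):
    """Constructed sample frame: locally administered MACs, one 802.1Q tag per
    entry in vids (outer first), then an IPv4 EtherType and a zero payload.
    Built in memory only, for the classifier above."""
    frame = bytes.fromhex("02aabbccdd01") + bytes.fromhex("02aabbccdd02")
    for vid in vids:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    for vids in ([], [10], [1, 20]):
        kind, seen = classify_frame(build_test_frame(vids))
        print(f"{kind:13s} vids={seen}")
```

Feeding captured frames from a SPAN or mirror port of an access VLAN into `classify_frame` and alerting on anything but `untagged` is the monitoring side of the discussion; the configuration side (no dynamic trunk negotiation on access ports, an unused native VLAN on trunks) is what the VLAN-hopping papers the thread asks about recommend.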

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of David
CALLEBAUT [AEMS Be]
Sent: Friday 10 February 2006 8.28
To: [email protected]
Subject: [FW-1] Common knowledge question

Hi Gurus,

Perhaps a bit off-topic:

Can anybody advise me if using VLAN tagging on Nokia/Checkpoint is a
*secure* thing to do?

I'm not convinced, but my Cisco colleagues are convinced that using VLANs on
Cisco is as secure as physically splitting up into separate switches.

I found some (very old) articles describing VLAN hopping & spanning-tree
attacks (dated 2003).

Could someone point me to (recent) articles/papers that describe the issues
with VLANs?

Thanks in advance, 

David Callebaut


www.aemarketsolutions.com


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of David
CALLEBAUT [AEMS Be]
Sent: Friday 10 February 2006 7:48
To: [email protected]
Subject: Re: [FW-1] Need help with configuring OSPF on the Nokia to work with
Cisco device


Hi Janis/Cisco4ng,

To be precise, you can force Nokia NOT to be DR or BDR by setting the
"election priority" to 0 in the OSPF configuration page of Voyager.

0 means: never be elected in this case.

David Callebaut

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of cisco4ng
Sent: Thursday 9 February 2006 22:21
To: [email protected]
Subject: Re: [FW-1] Need help with configuring OSPF on the Nokia to work
with Cisco device


Hi Janis,

I could be wrong but I don't think you can control the Nokia NOT to be
either a DR or BDR. You can, however, do that with a Cisco router via "ip
ospf priority 0" on the interface.

You said that you didn't have problems with failover. Well, that's
because you did NOT reboot the active firewall. Had you rebooted the
active firewall, after the primary firewall comes back online, your routes
would disappear because the Cisco routers get confused. I currently have a
Nokia TAC case open just for this. We can talk more about it if you like.

The other thing is that the Cisco devices should see ONLY the Nokia
neighbor via its VRRP IP address. In other words, when you do "show ip ospf
neighbor" on the Cisco router, it should be neighbor ONLY with the VRRP IP
address, NOTHING ELSE. NO physical IP address whatsoever. In IPSO 3.9 or
higher, in OSPF you have to enable OSPF for VRRP.

Anyway, Nokia acknowledged that it is a problem and they are trying to fix
this in a later release of IPSO.
If I am not making any sense, you can contact me offline and we can talk
more about this. But it seems to me, and I could be wrong, that you still have
problems with OSPF, you just do not know it yet.

regards,
cisco4ng

Janis Myers <[EMAIL PROTECTED]> wrote:
Hi cisco4ng,

As mentioned a long time ago, here comes our feedback:

We did the installation today with two Nokia IP330 with IPSO 3.9 Build 045
using OSPF and VRRP/Monitored Circuits and four Cisco routers (2 on each
firewall side, one router of each side is DR, the Nokias don't become DR or
BDR).

OSPF works well (the OSPF routing table can be seen on both firewalls). We are
able to see the IP address of the physical firewall interface from the
active firewall node (VRRP master) in the routing tables of the routers.

Switching from one Nokia to the other takes less than 2 seconds. After this
time new connections are working fine. Existing connections are broken during
the switch, but in the specific customer environment that's acceptable.

Best Regards,
Janis
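
The two checks cisco4ng and David describe above (the Cisco routers must neighbor the Nokia pair only through the VRRP address, never a physical interface address, and that neighbor must carry priority 0 so it is never DR or BDR) can be verified from the router side, which is also what Janis's report of a working setup comes down to. The following is an added example written for this thread, not code from the list, Nokia or Cisco: it parses the column layout of the IOS `show ip ospf neighbor` output and audits the firewall-facing interface. All router IDs, addresses, the interface name and the sample output are constructed for the example.

```python
"""Audit a Cisco router's OSPF adjacencies towards a Nokia VRRP firewall pair.

Added example for this thread, not code from the list, Nokia or Cisco. It
parses the column layout of IOS "show ip ospf neighbor" and checks that the
router neighbors the firewall pair only through the VRRP address, with
priority 0 and a DROTHER state. Addresses and sample output are constructed.
"""
import re
from dataclasses import dataclass

# One data line of "show ip ospf neighbor": Neighbor ID, Pri, State, Dead Time,
# Address, Interface. The header line fails the \d+ match on Pri and is skipped.
NEIGHBOR_RE = re.compile(
    r"^(?P<rid>\S+)\s+(?P<pri>\d+)\s+(?P<state>\S+)\s+(?P<dead>\S+)\s+"
    r"(?P<addr>\S+)\s+(?P<intf>\S+)\s*$"
)


@dataclass
class Neighbor:
    router_id: str
    priority: int
    state: str       # e.g. FULL/DR, FULL/BDR, FULL/DROTHER
    address: str     # interface address the neighbor's hellos came from
    interface: str


def parse_ospf_neighbors(text: str):
    """Parse the neighbor table; header, blank and unparseable lines are ignored."""
    neighbors = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:
            neighbors.append(Neighbor(m["rid"], int(m["pri"]), m["state"],
                                      m["addr"], m["intf"]))
    return neighbors


def audit_firewall_adjacency(neighbors, interface, vrrp_address, physical_addresses):
    """Return a list of findings (empty when the adjacency looks as intended)."""
    findings = []
    on_link = [n for n in neighbors if n.interface == interface]
    if not any(n.address == vrrp_address for n in on_link):
        findings.append(f"no adjacency with VRRP address {vrrp_address} on {interface}")
    for n in on_link:
        if n.address in physical_addresses:
            findings.append(f"adjacency with firewall physical address {n.address} "
                            f"on {interface}; only {vrrp_address} is expected")
        elif n.address == vrrp_address:
            if n.priority != 0:
                findings.append(f"firewall neighbor {n.address} has priority "
                                f"{n.priority}; set it to 0 so it is never elected")
            if not n.state.endswith("/DROTHER"):
                findings.append(f"firewall neighbor {n.address} is {n.state}; "
                                f"it must not be DR or BDR")
    return findings


# Constructed sample: the router sees its peer router (DR), the firewall pair
# via the VRRP address, and, wrongly, the active firewall's physical address.
SAMPLE_OUTPUT = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.9.9.2          1   FULL/DR         00:00:33    10.1.1.2        FastEthernet0/0
10.7.7.1          0   FULL/DROTHER    00:00:38    10.1.1.254      FastEthernet0/0
10.7.7.1          0   FULL/DROTHER    00:00:36    10.1.1.11       FastEthernet0/0
192.0.2.9         1   FULL/BDR        00:00:31    192.0.2.9       FastEthernet0/1
"""
FIREWALL_INTERFACE = "FastEthernet0/0"          # constructed
FIREWALL_VRRP = "10.1.1.254"                    # constructed VRRP address
FIREWALL_PHYSICAL = {"10.1.1.11", "10.1.1.12"}  # constructed physical addresses


def run_sample():
    """Audit the constructed sample; returns the findings list."""
    neighbors = parse_ospf_neighbors(SAMPLE_OUTPUT)
    return audit_firewall_adjacency(neighbors, FIREWALL_INTERFACE,
                                    FIREWALL_VRRP, FIREWALL_PHYSICAL)


if __name__ == "__main__":
    for finding in run_sample() or ["adjacency looks as intended"]:
        print(finding)
```

Run against the real output of each router on both firewall sides, the audit should come back empty; a physical-address finding is the symptom cisco4ng describes after an active-firewall reboot, and a priority or DR/BDR finding means the Voyager "election priority" David mentions is not set to 0.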


=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
[EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email
[EMAIL PROTECTED]
=================================================