Aha, some great reading here:
http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
http://rr.sans.org/switchednet/switch_security.php
http://online.securityfocus.com/archive/1/26008
http://security-archive.merton.ox.ac.uk/bugtraq-199909/0223.html
http://lists.synfin.net/Archives/firewall-wizard
If I understand your question correctly...
Ultimately, avoid giving external access to an internal switch. It's a bad
idea. There are a number of attacks that can be done, either from the
outside or if a machine that resides on the VLAN were to be compromised.
Not factoring in redundancy, I wou
Note: Cisco's new-fangled private VLAN stuff may change this picture, but
some years ago, I bounced the question off a cisco engineer, and he
strongly agreed with this statement:
VLANs were devised when switch ports were exceedingly expensive, and
sold in units of 16 or more. At that point i
----- Original Message -----
From: Mike Shaw <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 07, 2002 06:25
Subject: VLAN as a DMZ
> There are definitely textbook reasons (secondary compromise issues, etc),
> but does anyone know of a specific technical reaso
[mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 06, 2002 1:26 PM
To: [EMAIL PROTECTED]
Subject: VLAN as a DMZ
There are definitely textbook reasons (secondary compromise issues, etc),
but does anyone know of a specific technical reason why using a VLAN for a
DMZ segment is a bad idea (cisco
>There are definitely textbook reasons (secondary compromise issues, etc),
>but does anyone know of a specific technical reason why using a VLAN for a
>DMZ segment is a bad idea (cisco 5500 switch)?
>The VLAN would have no telnet interface living on it, and no level 3
>switching/routing going
There are ways and tools available to do ARP spoofing
and basically jam up the CAM table of the switch. I'm
not sure offhand how susceptible the 5500 is to this
kind of attack though. You're probably aware of this
though.
The Cat 6000 series has Private VLANs which let you
have Isolated or Commun
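Added here as an illustration of the CAM-table exhaustion risk raised above, not code from the thread, from Cisco, or from any of the linked papers: a small Python detector that flags a switch port sourcing an implausible number of distinct MAC addresses inside a sliding time window, which is the pattern a flooded port shows. The port names, MAC values, sample frames and the eight-address threshold are constructed for the example.

```python
from collections import Counter, defaultdict, deque

# Constructed sample observations of (timestamp_seconds, switch_port, source_mac),
# roughly what a mirror port or a flow feed would yield. Not taken from the thread.
SAMPLE_FRAMES = [
    (0.0, "2/1", "00:10:7b:aa:00:01"),
    (0.5, "2/2", "00:10:7b:aa:00:02"),
    (1.0, "2/1", "00:10:7b:aa:00:01"),
    (1.2, "2/3", "00:10:7b:aa:00:03"),
] + [
    # Port 2/4 suddenly sources hundreds of distinct MACs within a fraction of a
    # second: the signature of a CAM-table flood.
    (2.0 + i * 0.001, "2/4", "02:00:00:%02x:%02x:%02x" % (i >> 16 & 0xff, i >> 8 & 0xff, i & 0xff))
    for i in range(300)
]

def distinct_macs_per_port(frames):
    """Distinct source MACs seen on each port over the whole capture."""
    seen = defaultdict(set)
    for _, port, mac in frames:
        seen[port].add(mac.lower())
    return {port: len(macs) for port, macs in seen.items()}

def flooding_ports(frames, window_seconds=5.0, max_macs=8):
    """Return {port: peak_distinct_macs} for every port whose number of distinct
    source MACs inside some sliding window exceeds max_macs. The threshold mirrors
    a port-security 'maximum' limit: an access port serving one host should not
    legitimately source more than a handful of addresses."""
    by_port = defaultdict(list)
    for ts, port, mac in frames:
        by_port[port].append((ts, mac.lower()))
    alerts = {}
    for port, observations in by_port.items():
        observations.sort()
        window = deque()   # (ts, mac) pairs currently inside the window
        live = Counter()   # mac -> how many of those pairs carry it
        for ts, mac in observations:
            window.append((ts, mac))
            live[mac] += 1
            # Expire observations that fell out of the window.
            while window[0][0] < ts - window_seconds:
                _, old_mac = window.popleft()
                live[old_mac] -= 1
                if live[old_mac] == 0:
                    del live[old_mac]
            if len(live) > max_macs:
                alerts[port] = max(alerts.get(port, 0), len(live))
    return alerts

if __name__ == "__main__":
    for port, peak in sorted(flooding_ports(SAMPLE_FRAMES).items()):
        print(f"port {port}: {peak} distinct source MACs in a 5 s window, possible CAM flood")
```

Feeding it real data means replacing SAMPLE_FRAMES with (timestamp, port, source MAC) tuples from a mirror port or the switch's own MAC-table logs; the threshold should match whatever a port-security maximum would be set to on that port.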
Hello Mike Shaw,
on Wednesday, 6 March 2002 at 21:25:37 you wrote:
MS> There are definitely textbook reasons (secondary compromise issues, etc),
MS> but does anyone know of a specific technical reason why using a VLAN for a
MS> DMZ segment is a bad idea (cisco 5500 switch)?
MS> The VLAN wou
There are definitely textbook reasons (secondary compromise issues, etc),
but does anyone know of a specific technical reason why using a VLAN for a
DMZ segment is a bad idea (cisco 5500 switch)?
The VLAN would have no telnet interface living on it, and no level 3
switching/routing going to/fr