VLAN hopping is a potential issue when using only VLAN security to isolate an insecure network segment - a previous version of CatOS code had such a vulnerability. Another issue is misconfiguration (more likely) - i.e. placing a trusted host on the VLAN, misconfiguring layer 3 routing, etc.
A better approach is to use a separate switch (off the core) for DMZ/Extranet/untrusted segments. The potential for compromise exists, but your risk may be reduced by securing the core devices from compromise. It's the best blend of $$ vs. Security.

chrisls

-----Original Message-----
From: Mike Shaw [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 06, 2002 1:26 PM
To: [EMAIL PROTECTED]
Subject: VLAN as a DMZ

There are definitely textbook reasons (secondary compromise issues, etc), but does anyone know of a specific technical reason why using a VLAN for a DMZ segment is a bad idea (cisco 5500 switch)? The VLAN would have no telnet interface living on it, and no level 3 switching/routing going to/from it. It'd be just an isolated segment.

The only thing I could think of would be that someone could spoof the frame-tagging or something.

Any input is appreciated.

-Mike
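The reply's point is that a VLAN-only DMZ fails mostly through configuration mistakes rather than through the 802.1Q mechanism itself: trunk negotiation left enabled on ports, a trunk whose native VLAN is the DMZ VLAN, and a layer 3 interface that quietly routes to or from the "isolated" segment. The following audit script is an added example, not code from either poster; it checks a Cisco IOS-style running config (the thread's switch ran CatOS, so the syntax is an assumption) for exactly those mistakes. The config it reads is constructed for the example.

```python
"""Audit a Cisco IOS-style switch config for the VLAN-isolation mistakes the
thread warns about. SAMPLE_CONFIG is constructed for this example; the
interface names and VLAN numbers are made up."""
import re

SAMPLE_CONFIG = """\
!
vlan 20
 name DMZ
!
interface GigabitEthernet0/1
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
 switchport trunk native vlan 1
!
interface GigabitEthernet0/2
 description DMZ web server
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet0/3
 description trunk to firewall
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport mode trunk
!
interface GigabitEthernet0/4
 description unused, no mode set
 switchport access vlan 20
!
interface Vlan20
 ip address 192.0.2.1 255.255.255.0
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each interface stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith("!") or not line.strip():
            current = None  # stanza terminator
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def audit_vlan_isolation(config, dmz_vlan):
    """Return a list of (interface, code, message) findings for the DMZ VLAN."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        mode = native = access_vlan = None
        has_ip = False
        for l in lines:
            if l.startswith("switchport mode "):
                mode = l.split()[2]  # access | trunk | dynamic
            elif l.startswith("switchport trunk native vlan "):
                native = int(l.split()[-1])
            elif l.startswith("switchport access vlan "):
                access_vlan = int(l.split()[-1])
            elif l.startswith("ip address "):
                has_ip = True

        # Layer 3 interface (SVI) on the DMZ VLAN: the switch itself routes
        # to/from the segment that was supposed to be purely layer 2.
        svi = re.match(r"^Vlan(\d+)$", name)
        if svi:
            if int(svi.group(1)) == dmz_vlan and has_ip:
                findings.append((name, "svi-on-dmz",
                                 "layer 3 interface with an IP address on the DMZ VLAN"))
            continue

        # No explicit mode, or a dynamic one, means DTP negotiation is on
        # (IOS default), so the port's role is decided by the far end.
        if mode is None or mode == "dynamic":
            findings.append((name, "dtp-enabled",
                             "DTP negotiation enabled; set a static access or trunk mode"))

        # Native VLAN checks apply to ports that carry or may carry a trunk.
        if mode in ("trunk", "dynamic"):
            if native == dmz_vlan:
                findings.append((name, "native-is-dmz",
                                 "untagged frames on this trunk land in the DMZ VLAN"))
            elif native is None or native == 1:
                findings.append((name, "native-default",
                                 "native VLAN left at default 1; use a dedicated unused VLAN"))
    return findings


if __name__ == "__main__":
    for iface, code, msg in audit_vlan_isolation(SAMPLE_CONFIG, dmz_vlan=20):
        print(f"{iface:22} {code:15} {msg}")
```

Only the correctly configured access port (GigabitEthernet0/2, static access mode on VLAN 20) produces no finding; the script flags the negotiating uplink, the trunk whose native VLAN is the DMZ, the DMZ port left in its default mode, and the SVI that gives the DMZ a route through the core switch. Extending the checks to a real config means handling the platform's actual defaults, which differ between IOS versions and CatOS.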