Security Basics mailing list archives
RE: Firewall and VLAN security design
From: "Bryan S. Sampsel" <bsampsel () libertyactivist org>
Date: Wed, 3 Nov 2004 07:50:11 -0700 (MST)
Well, according to the articles, the weakness discovered in Cisco was the default VLAN. Change that, and your exploit goes out the window. Sounds like a default security setting issue.

I've seen references in the articles to "Cisco says their competitor has the same problem" but not any tested instances. If there are any Foundry Networks TAC guys on this list, I'd love to know if they've discovered something similar. Though, I usually set the default VLAN ID to something different anyways. But, at least with the first couple of articles, the default VLAN setting appears to be the crux of the whole issue. Fix that and VLANs perform exactly like physically separate switches.

As to the issue of VLAN-aware firewalls... I'd never take advantage of that particular feature, as I like simple, easily clamped-down firewall configurations. But that's my particular philosophy.

Good info though regarding Cisco. I'm going to file that away. Thanks.

Sincerely,
Bryan S. Sampsel
LibertyActivist.org

Ivan Coric said:
> I beg to differ: using VLANs to segregate your external and internal network is a bad idea. I don't think even Cisco recommends VLANs as a security mechanism.
>
> http://www.sans.org/resources/idfaq/vlan.php
> http://www.spirit.com/Network/net0103.html
> http://www.terena.nl/conferences/tnc2003/programme/slides/s1c3.ppt
> http://www.sans.org/rr/whitepapers/networkdevs/1090.php
> http://www.google.com.au/search?q=vlan+hopping&hl=en&lr=&start=10&sa=N
>
> cheers
> Ivan
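The practical point of the exchange above is that the default VLAN setting, not VLANs as such, is what has to be fixed before a VLAN can be trusted as a segregation boundary. The following is an added example, not code from either poster: a small Python audit that reads a Cisco IOS-style running-config and flags the settings a reviewer would want changed on a switch that separates firewall zones: trunks still using native VLAN 1, trunks with DTP negotiation left on, access ports left in VLAN 1, and ports whose mode was never pinned. The sample configuration is constructed for the example, and treating an interface with no `switchport mode` line as dynamic is an assumption (the real default depends on platform and IOS version).

```python
"""Audit a Cisco IOS-style switch config for default-VLAN and trunk
negotiation weaknesses.  Added example; the config below is constructed,
not taken from any real device."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample running-config covering the cases the audit checks.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description uplink to core (native VLAN left at default)
 switchport mode trunk
!
interface GigabitEthernet0/2
 description uplink to firewall (hardened trunk)
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/3
 description user port
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/4
 description port with no mode configured
!
interface GigabitEthernet0/5
 switchport mode dynamic desirable
!
"""


@dataclass
class Interface:
    name: str
    # Assumption: an interface with no 'switchport mode' line is treated as
    # dynamic (willing to negotiate a trunk); IOS defaults vary by platform.
    mode: str = "dynamic"
    native_vlan: int = 1   # IOS default native VLAN on a trunk
    access_vlan: int = 1   # IOS default access VLAN
    nonegotiate: bool = False


def parse_interfaces(config: str) -> list[Interface]:
    """Walk the config line by line, collecting switchport settings per interface."""
    interfaces: list[Interface] = []
    current: Interface | None = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):            # top-level command
            m = re.match(r"interface\s+(\S+)", line)
            current = Interface(m.group(1)) if m else None
            if current is not None:
                interfaces.append(current)
            continue
        if current is None:
            continue
        cmd = line.strip()                      # interface sub-command
        if cmd.startswith("switchport mode "):
            current.mode = cmd[len("switchport mode "):]
        elif cmd.startswith("switchport trunk native vlan "):
            current.native_vlan = int(cmd.split()[-1])
        elif cmd.startswith("switchport access vlan "):
            current.access_vlan = int(cmd.split()[-1])
        elif cmd == "switchport nonegotiate":
            current.nonegotiate = True
    return interfaces


def audit(config: str) -> dict[str, list[str]]:
    """Return {interface: [findings]} for every port that needs attention."""
    findings: dict[str, list[str]] = {}
    for itf in parse_interfaces(config):
        issues = []
        if itf.mode == "trunk":
            if itf.native_vlan == 1:
                issues.append("trunk uses default native VLAN 1")
            if not itf.nonegotiate:
                issues.append("DTP not disabled on trunk")
        elif itf.mode == "access":
            if itf.access_vlan == 1:
                issues.append("access port in default VLAN 1")
        else:
            issues.append("port mode is dynamic/unset; may negotiate a trunk")
        if issues:
            findings[itf.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_CONFIG).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run against a saved `show running-config`, the audit lists GigabitEthernet0/1, 0/4 and 0/5 and stays silent on the hardened trunk (0/2) and the access port in VLAN 10 (0/3). The checks are deliberately the simple ones from the discussion: move trunks off native VLAN 1, turn off trunk negotiation, and keep user ports out of the default VLAN.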
Current thread:
- Firewall and VLAN security design Ahmed Ameen (Nov 01)
- RE: Firewall and VLAN security design David Gillett (Nov 01)
- RE: Firewall and VLAN security design Bryan S. Sampsel (Nov 02)
- RE: Firewall and VLAN security design David Gillett (Nov 03)
- RE: Firewall and VLAN security design Bryan S. Sampsel (Nov 02)
- <Possible follow-ups>
- RE: Firewall and VLAN security design Ivan Coric (Nov 03)
- RE: Firewall and VLAN security design Jonathan Loh (Nov 03)
- RE: Firewall and VLAN security design Paul Benedek (Nov 03)
- RE: Firewall and VLAN security design Bryan S. Sampsel (Nov 03)
- RE: Firewall and VLAN security design Ghaith Nasrawi (Nov 12)
- RE: Firewall and VLAN security design Ivan Coric (Nov 03)
- RE: Firewall and VLAN security design David Gillett (Nov 01)