Re: information harvesting from within the network

[Henry Anslinger <fortmreza () yahoo com au>]

@Stake security review of VLANs
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.pdf

VLAN Features
http://www.cisco.com/univercd/cc/td/doc/product/lan/28201900/1928v8x/eescg8x/aleakyv.htm

Layer 2 -- The Weakest Link
http://www.cisco.com/en/US/about/ac123/ac114/ac173/ac222/about_cisco_packet_feature09186a0080142deb.html

http://www.cotse.com/mailing-lists/bugtraq/1999/1397.html


http://www.sans.org/resources/idfaq/vlan.php

cheers
Ivan

--- Micheal Espinola Jr <michealespinola () gmail com>
wrote:
> I haven't heard anything in recent years about
> anyone getting away
> with that - at least not with Cisco equipment.
>
> Do you have any information to support that this is
> still a relevant
> issue?  Thanks!
>
>
> On 5/23/05, Andrew Shore
> <andrew.shore () holistecs com> wrote:
> > VLANs are a management tool not a security tool.
> There are many ways to
> > "jump" vlans with in a switch.
> >
> > Andy
> >
> > -----Original Message-----
> > From: Jason Lopez [mailto:jaylpz () sbcglobal net]
> > Sent: 21 May 2005 03:32
> > To: 'ddjjembe 2'
> > Cc: security-basics () securityfocus com
> > Subject: RE: information harvesting from within
> the network
> > If you have any manage switches, you could put
> them on separate VLans,
> > and
> > deny them access to your private network...
> >
> > My two-cents
> > jay
> > -----Original Message-----
> > From: ddjjembe 2 [mailto:ddjjembe2 () hotmail com]
> > Sent: Thursday, May 19, 2005 7:40 PM
> > To: security-basics () securityfocus com
> > Subject: information harvesting from within the
> network
> > Background:
> > I work in a university that has university typical
> security practices.
> > Currently any authenticated user can scan the
> parts of the network with
> > tools like LANguard or Nessus and obtain a
> considerable amount of
> > information from them.   Most of the computers in
> our network are
> > windows
> > computers.  We also have departments with MACs and
> *nix machines.
> > Goal:
> > If possible, lock down the Windows computers with
> group policies and/or
> > templates to disable this potential unauthorized
> information harvesting
> > users and then restrict scanning ability to the
> security group with LDAP
> > permissions.  Am I on the right track here?
> >
> > I would like to achieve this without using a host
> based firewall.
> > Group policies have large pool of settings to pick
> from.  Narrowing it
> > down
> > to a few that disable at least portions would be
> appreciated.
> > Thanks,
> >
> > ddjembe
_________________________________________________________________
> > Don't just search. Find. Check out the new MSN
> Search!
> >
http://search.msn.click-url.com/go/onm00200636ave/direct/01/
> >
>
>
> -- 
> ME2  <http://www.santeriasys.net/>

Find local movie times and trailers on Yahoo! Movies.
http://au.movies.yahoo.com