Firewall Wizards mailing list archives

Re: switches in a fw environment


From: Gerhard Mezger <Gerhard.Mezger () mail inuco ch>
Date: Thu, 02 Jul 1998 00:03:24 +0000

I understand and agree with your technical concerns. And as somebody
else pointed out using switches the way I described would certainly
violate our security policy. So, from a security perspective this should
definitely be a no-go.
Given your arguments and the fact that security isn't a main design
criterion when building switches, how come there are only a few
(??) known security breaches? (The one you mentioned is the only one I
am aware of.)

cheers
Gerhard Mezger

Mark Coleman wrote:
 My opinion was this: the
...this puts you at the mercy of trusting the
switch manufacturer's code to prevent someone from getting in and
joining up the VLANs thus bypassing the firewall altogether.  Not just
via management but also through back doors and manufacturer-specific
exploits in the operating code.  (Remember those default passwords in
the ROMs of the other vendors' switches?)  My opinion: don't do it.

Also remember that it is known that you can get around the layer 2
segregation by flooding a switch's tables, forcing it into a "forwarding
mode" that starts passing all data everywhere.  Just get an independent
switch or a standalone hub for your DMZ.
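The "forwarding mode" Mark describes is the consequence of a full MAC (CAM) table: once the switch can no longer learn new source addresses, any frame whose destination is unknown is flooded out every port, so a host on a supposedly separate port sees traffic it should never receive. The simulation below is an added example written for this archive page, not code from anyone on the thread. It models a three-port learning switch with entry ageing and a configurable per-port learned-MAC cap (the mechanism vendors sell as "port security"); the port numbers, table size and constructed MAC addresses are assumptions chosen to make the effect visible. Run with no cap, the flooded table leaks the A-to-B frame onto the third port; run with a cap of two addresses per port, the third port is shut down early, the table never fills, and the frame stays on B's port.

```python
"""Learning-switch CAM table model: shows why a full table degrades to
hub-like flooding and how a per-port learned-MAC limit contains it.
Added example for illustration; not a real switch implementation."""
import random


class LearningSwitch:
    def __init__(self, ports, cam_capacity, per_port_limit=None, max_age=300):
        self.ports = set(ports)
        self.cam_capacity = cam_capacity      # total table size (assumed)
        self.per_port_limit = per_port_limit  # None = no port security
        self.max_age = max_age                # entry ageing time, seconds
        self.cam = {}                         # mac -> (port, last_seen)
        self.learned_on = {p: set() for p in ports}
        self.shutdown = set()                 # ports closed by port security
        self.now = 0

    def tick(self, seconds):
        """Advance the clock and age out idle entries, as a real switch does."""
        self.now += seconds
        expired = [m for m, (_, t) in self.cam.items() if self.now - t > self.max_age]
        for mac in expired:
            port, _ = self.cam.pop(mac)
            self.learned_on[port].discard(mac)

    def _learn(self, mac, port):
        """Record the source MAC on its ingress port; False if it could not be learned."""
        if mac in self.cam:
            old_port, _ = self.cam[mac]
            if old_port != port:              # station moved: update bookkeeping
                self.learned_on[old_port].discard(mac)
                self.learned_on[port].add(mac)
            self.cam[mac] = (port, self.now)
            return True
        if self.per_port_limit is not None and len(self.learned_on[port]) >= self.per_port_limit:
            self.shutdown.add(port)           # port security violation: disable the port
            return False
        if len(self.cam) >= self.cam_capacity:
            return False                      # table full: new station cannot be learned
        self.cam[mac] = (port, self.now)
        self.learned_on[port].add(mac)
        return True

    def forward(self, src, dst, in_port):
        """Return the set of egress ports a frame from src to dst is sent to."""
        if in_port in self.shutdown:
            return set()
        self._learn(src, in_port)
        if in_port in self.shutdown:          # the learn attempt just tripped port security
            return set()
        if dst in self.cam:
            return {self.cam[dst][0]}         # known destination: unicast
        return self.ports - {in_port}         # unknown destination: flood all other ports


def run_scenario(per_port_limit):
    """Host A on port 1, host B on port 2, a noisy station on port 3.
    Returns (ports that receive A's frame to B, port 3 shut down?, table size)."""
    sw = LearningSwitch(ports=(1, 2, 3), cam_capacity=64, per_port_limit=per_port_limit)
    host_a, host_b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed addresses
    sw.forward(host_a, host_b, 1)
    sw.forward(host_b, host_a, 2)             # A and B are now in the table
    rng = random.Random(1)

    def noise(count):                         # frames with ever-changing source MACs on port 3
        for _ in range(count):
            fake = "02:%02x:%02x:%02x:%02x:%02x" % tuple(rng.randrange(256) for _ in range(5))
            sw.forward(fake, "ff:ff:ff:ff:ff:ff", 3)

    sw.tick(200)
    noise(500)                                # fills the table (or trips port security)
    sw.tick(200)                              # A and B age out; the noise entries do not
    noise(100)                                # refills any slots freed by ageing
    sw.forward(host_b, host_a, 2)             # B tries to get re-learned
    egress = sw.forward(host_a, host_b, 1)    # where does A's frame to B actually go?
    return egress, 3 in sw.shutdown, len(sw.cam)


if __name__ == "__main__":
    print("no port security:   ", run_scenario(None))
    print("limit 2 MACs/port:  ", run_scenario(2))
```

Without a cap the first call returns `({2, 3}, False, 64)`: B's entry could not be re-learned into the full table, so the frame meant for port 2 is also delivered to port 3. With the cap it returns `({2}, True, 4)`: port 3 was disabled after its third new address, the table stayed small, and the frame reached only B. The model is deliberately simple (no VLAN tags, no hardware hash buckets), but the failure mode it shows is the reason to keep the firewall's interfaces on physically separate switches, as the reply recommends.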


