Firewall Wizards mailing list archives

Re: Switching between FW Segs Still a NOT?


From: "Ryan Russell" <ryanr () sybase com>
Date: Wed, 28 Oct 1998 22:39:45 -0800


I have to recommend against it.

I work with Cisco Catalysts.  With an out-of-the box config,
I know of about 4 ways to get between VLANs without involving
a separate layer-3 device.  There have been a few bugs
with the Cats that let you push code onto them via a login prompt.

I have zero confidence that, even with what I do know, I could
configure one down to the point that it would be safe.  I believe
a couple of the problems I'm aware of can't be turned off.

It's been a while, but I used to work with Cabletron MMAC+'s.
In the versions I worked with, one could turn off all the VLAN
features and turn the box into one big bridge with a magic
password that was embedded in the code and couldn't be changed.
The password was entered into a login prompt that couldn't be blocked
or turned off.

FWIW, if you're a fan of Mudge and the L0pht crew, I've heard him
say the same.

                         Ryan

There was some discussion of this issue back in August, but it's come
around to me in real life now and I'm checking.

The company has an Internet firewall with multiple interfaces supporting
a couple of DMZs as well as the usual inside network and outside
connection to an ISP.  The question has arisen as to whether it is
advisable to use a high-end switch acquired through an acquisition to
provide connectivity to "both sides" (actually "all sides") of the
various segments.  Vendor sales rep says it's ok as long as we define the
VLANs properly.  That was debunked quickly here in August.  Anybody know
of any white papers or other literature dealing with this subject that I
could show management?
