Firewall Wizards mailing list archives

Re: Re: CISCO Layer 3 switch


From: Gary Flynn <flynngn () jmu edu>
Date: Mon, 26 Nov 2001 10:02:57 -0500

At 12:01 PM 11/16/2001 -0500, "Ellis Luk" <e_luk () hotmail com> wrote:
> In terms of security, what is the difference between a CISCO packet
> filtering router and a CISCO layer 3 switch with extended ACL?

A layer 3 switch is functionally the same as a router. Typically,
the routing is done in hardware which makes it faster but I suspect
the difference is becoming moot.

I've noticed that ACL processing overhead impacts CPU more on a
6509 switch than it does on a 7513 router. Both have 200 MHz
main processors. I'm told VLAN ACLs on the switch help but haven't
tested it yet. My reading of the architecture documents explaining
where things are processed makes me skeptical.

> Would it be easier to compromise a layer 3 switch than a PF router?

Whether you mean compromise the device itself or compromise the
access restrictions implemented by the device, I would have to
say the answer is no, assuming the two devices have no defects in their
implementation.

There have been discussions in the past about flow decisions that are
initially made in the central processor and then delegated to
other processors possibly having vulnerabilities, but I haven't heard of
any concrete examples. In any case, both types of devices do some
of this now.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards