Firewall Wizards mailing list archives
Re: Firewalls and 802.1q trunking
From: Luca Berra <bluca () comedia it>
Date: Wed, 04 Dec 2002 20:14:47 +0100
Eric Vyncke wrote:
First, have a look at my IP address to remove possible bias ;-)

Second, @stakes made some extended research on VLAN hopping against a Catalyst switch. They were unable to actually hop between VLANs on a well configured switch. See their paper on: http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf

Having said this, I've seen two different points of view:
- misconfiguration happens: an Infosec or network operator can make a mistake in the VLAN configuration
- probability of faulty switch configuration by an educated network/infosec operator is less than the probability of a wrong cable patching in the datacom room by an uneducated engineer.

I guess that the decision really belongs to _your_ security policy and requirements.

I have another one to add to the list: it happened twice here that after a power f**k-up a Catalyst rebooted with default configuration (which means all ports in default VLAN).
Since the default for a Catalyst in this case is to switch traffic, this situation (even if rare) is another point of concern.
Btw, wrong cable patching can in part be prevented by MAC-address checks on the switch.
Regards,
Luca
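The two conditions raised in the message above (a switch that comes back with every port in the default VLAN, and a miscabled port caught by a MAC-address check), as an added example that is not part of the original post. It audits a "port vlan mac" snapshot against a baseline; the input format, port names and MAC addresses are constructed assumptions, not Catalyst output.

```python
# Added example: snapshot format and all values below are constructed.
from dataclasses import dataclass

DEFAULT_VLAN = 1  # VLAN that every port falls into on a factory-default Catalyst

@dataclass(frozen=True)
class Port:
    name: str
    vlan: int
    macs: frozenset  # allowed MACs (baseline) or learned MACs (observed)

def parse(text):
    """Parse lines of 'port vlan mac[,mac...]' into {port_name: Port}."""
    ports = {}
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        name, vlan, *rest = line.split()
        macs = frozenset(m.lower() for m in rest[0].split(",")) if rest else frozenset()
        ports[name] = Port(name, int(vlan), macs)
    return ports

def audit(baseline, observed):
    """Return (reset_suspected, findings) for observed state versus baseline."""
    findings = []
    for name in sorted(baseline):
        want, got = baseline[name], observed.get(name)
        if got is None:
            findings.append((name, "missing from observed state"))
            continue
        if got.vlan != want.vlan:
            findings.append((name, f"vlan {got.vlan}, expected {want.vlan}"))
        for mac in sorted(got.macs - want.macs):  # possible wrong cable patching
            findings.append((name, f"unexpected MAC {mac}"))
    # Reset signature: baseline separates VLANs, yet every port now sits in VLAN 1.
    reset = (len({p.vlan for p in baseline.values()}) > 1 and bool(observed)
             and all(p.vlan == DEFAULT_VLAN for p in observed.values()))
    return reset, findings

BASELINE = parse("""
2/1 10 00:11:22:33:44:01   # firewall outside
2/2 20 00:11:22:33:44:02   # firewall DMZ
2/3 30 00:11:22:33:44:03   # firewall inside
""")
AFTER_REBOOT = parse("2/1 1 00:11:22:33:44:01\n2/2 1 00:11:22:33:44:02\n2/3 1 00:11:22:33:44:03")
SWAPPED = parse("2/1 10 00:11:22:33:44:02\n2/2 20 00:11:22:33:44:01\n2/3 30 00:11:22:33:44:03")
```

A reset result is worth alerting on separately from ordinary drift, since it means the switch is bridging all segments together rather than one port being wrong.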