Firewall Wizards mailing list archives

Re: Firewalls and 802.1q trunking


From: Luca Berra <bluca () comedia it>
Date: Wed, 04 Dec 2002 20:14:47 +0100

Eric Vyncke wrote:
First, have a look at my IP address to remove possible bias ;-)

Second, @stakes made some extended research on VLAN hopping against a Catalyst switch. They were unable to actually hop 
between VLAN on a well configured switch. See their paper on:
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf

Having said this, I've seen two different points of view:

- misconfiguration happens: an Infosec or network operator can make a mistake in the VLAN configuration

- probability of faulty switch configuration by an educated network/infosec operator is less than the probability of a 
wrong cable patching in the datacom room by an uneducated engineer.

I guess that the decision really belongs to _your_ security policy and requirements.

I have another one to add to the list:
it happened twice here that after a power f**k-up a catalyst rebooted with default configuration (which means all ports in the default vlan)

since the default for a catalyst in this case is to switch traffic, this situation (even if rare) is another point of concern.

btw wrong cable patching can in part be prevented by mac-address checks on the switch.

Regards,
Luca
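Both concerns raised in the thread (ports silently sitting in the default VLAN after a reset, and missing MAC-address checks on access ports) can be caught by auditing the saved switch configuration. The following is an added example, not code from the post or from Cisco; it assumes an IOS-style `interface` stanza syntax and a constructed sample config, and flags access ports that rely on the defaults.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of an IOS-style Catalyst configuration (not from the post).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 20
 switchport port-security
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines under each 'interface' stanza by interface name."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None  # '!' terminates a stanza
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for access ports that depend on defaults."""
    findings: List[Tuple[str, str]] = []
    for name, lines in parse_interfaces(config).items():
        if any(l.startswith("switchport mode trunk") for l in lines):
            continue  # trunk ports need a separate review (allowed-VLAN list, native VLAN)
        if not any(l.startswith("switchport access vlan ") for l in lines):
            findings.append((name, "no explicit access VLAN (falls back to the default VLAN)"))
        if "switchport port-security" not in lines:
            findings.append((name, "no port-security (MAC address not checked)"))
    return findings


if __name__ == "__main__":
    for iface, issue in audit(SAMPLE_CONFIG):
        print(f"{iface}: {issue}")
```

Running the audit against a configuration backup taken right after a reboot would also reveal the "everything in the default VLAN" state the post describes.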

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
