Firewall Wizards mailing list archives

Re: Firewalls and 802.1q trunking


From: ark () eltex ru
Date: Wed, 27 Nov 2002 19:59:12 +0300

And they are not.

There is another good point: generic secure network design common sense
requires that there should NOT be any hardware connection point between 
networks except the firewall. Even a switch, a machine with packet forwarding
turned off, NOTHING, even a network printer with two interface cards if one
ever exists.

On Wed, Nov 27, 2002 at 08:00:14AM +0000, David Pick wrote:

My concern is that the "fan-out" boxes are typically run-of-the-mill
switches, like Cisco Catalysts, that probably have been designed without
any security aspirations. I wouldn't be surprised if those switches
could be attacked and tricked into leaking packets between VLANs.

A valid concern. My attitude is simple:
  * If the switches are secure enough to keep VLANs separated for
    normal traffic then they're secure enough to use as interfaces
    to your firewall
  * If they're not, well, they're not!

-- 
                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
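As an added example (not from the thread or its participants): a small Python audit over a constructed topology model that flags every device other than the firewall whose interfaces touch more than one zone, which is exactly what the "nothing but the firewall between networks" rule above forbids, whether it is a switch carrying an 802.1q trunk with VLANs from two zones or a dual-homed host. The device names, roles and zones are invented for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample topology (not a real network): each device lists the
# zones (VLANs) its interfaces touch. A switch whose 802.1q trunk carries
# VLANs from several zones lists all of those zones.
SAMPLE_TOPOLOGY = {
    "fw1":      {"role": "firewall", "zones": {"outside", "dmz", "inside"}},
    "sw-out":   {"role": "switch",   "zones": {"outside"}},
    "sw-dmz":   {"role": "switch",   "zones": {"dmz"}},
    "sw-trunk": {"role": "switch",   "zones": {"dmz", "inside"}},  # trunk spans two zones
    "prn1":     {"role": "host",     "zones": {"dmz", "inside"}},  # dual-homed printer
    "web1":     {"role": "host",     "zones": {"dmz"}},
}


def find_bridging_devices(topology):
    """Return [(device, [zone, ...])] for every non-firewall device whose
    interfaces touch more than one zone. An empty list means the firewall
    is the only connection point between zones."""
    findings = []
    for name, dev in sorted(topology.items()):
        if dev["role"] == "firewall":
            continue
        if len(dev["zones"]) > 1:
            findings.append((name, sorted(dev["zones"])))
    return findings


def bridged_zone_pairs(topology):
    """Map each (zone_a, zone_b) pair to the non-firewall devices that join
    the two zones directly, i.e. every path that bypasses the firewall."""
    pairs = defaultdict(set)
    for name, zones in find_bridging_devices(topology):
        for zone_a, zone_b in combinations(zones, 2):
            pairs[(zone_a, zone_b)].add(name)
    return {pair: sorted(names) for pair, names in pairs.items()}


if __name__ == "__main__":
    for (zone_a, zone_b), names in bridged_zone_pairs(SAMPLE_TOPOLOGY).items():
        print(f"VIOLATION: {zone_a} and {zone_b} are joined by {', '.join(names)}, not only fw1")
```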