Vulnerability Development mailing list archives
Re: Vlans
From: Carson Sweet <csweet () SECURITYMETHODS COM>
Date: Mon, 22 Jan 2001 08:50:12 -0500
One item for consideration on the crossover cable theory: while it certainly is difficult to subvert at the physical layer, it's also a challenge to drop a sniffer onto a crossover cable, as well, requiring rewiring and some brief downtime (is there such a thing?) as you replace the crossover with standard 10x-B-T cables and a hub to plug the sniffer into.

In addition, many organizations that I have worked with have chosen to use a single more intelligent switch, segmented into VLANs, in lieu of several dumb hubs; this can save money on IDS by allowing you to span traffic from multiple DMZ subnetworks to a single span port for IDS / sniffer troubleshooting purposes. The point is well stated, however, that this is another device that must be protected; in addition, cabling integrity becomes much more important to prevent accidental physical connection of two subnets. As always, the added complexity and risk must be worth the gains.

Hope this is helpful.

Cheers!

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf Of Lincoln Yeoh
Sent: Saturday, January 20, 2001 7:27 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Vlans

At 09:02 AM 1/17/01 -0800, you wrote:
> I am not certain if this is the place to ask this and if not please let me know where to send it. I have a client who has the following configuration:
>
> Internet -> router -> firewall -> load balancer
>
> The connection from the router to the firewall is on a switch and the connection from the inside interface of the firewall is on the same switch. The separation is done using VLANs.
Why not

Internet
   |
router
   | cross-over cable
firewall
   |
switch/hub

That's similar to what we have here. How much does it cost to make/get a cross-over cable?

It's a lot harder for a hacker to subvert a cross-over cable remotely, e.g. by social engineering for instance, but you should take care of that as well.

Personally, when secure network equipment is required I like cross-cables and really "dumb" hubs and switches. Putting those newfangled switches with built-in webservers on the "insecure" side sounds silly to me. Actually, putting those particular types of switches anywhere sounds silly too, esp. when you have curious people in your network.

As for reliability and management: how often do "dumb" hubs fail? They're practically wires hooked together. Seems to me that it's the smart switches which fail. One of our ISPs apparently had a problem with their "advanced" switches and had to firmware patch it. International connectivity was < 22kbps at one point. Doh. And I had to point out the problem to them - doh^2.

Cheerio,
Link.