Re: Vlans

[Philipp Buehler <lists () fips de>]

On 23/01/2001, Carson Sweet <csweet () SECURITYMETHODS COM> wrote To VULN-DEV () SECURITYFOCUS COM:
> One item for consideration on the crossover cable theory: while it certainly
> is difficult to subvert at the physical layer, it's also a challenge to drop
> a sniffer onto a crossover cable, as well, requiring rewiring and some brief
> downtime (is there such a thing?) as you replace the crossover with standard
> 10x-B-T cables and a hub to plug the sniffer into. In addition, many
Either you have IDS or not :P "part-time" IDS makes no sense to me, if you
plan it, a hub [or two if it's the only SPOF] is better of course.
I really disagree on a switch which is a potential short-cut between
external and internal interface of the firewall.
It has been mentioned, that it's not feasible to ensure the VLAN Segmentation
is always ok, or there is any other weakness, like error in administration
of the switch. Too many drawbacks for me.

> intelligent switch, segmented into VLANs, in lieu of several dumb hubs; this
> can save money on IDS by allowing you to span traffic from multiple DMZ
Saving money should really be not the first point in designing such an
construct. In my eyes 2 hubs and a bunch of cables is cheaper and provides
more failover capabilities than some 'we make all network around FW'-switch.
For IDS the switch must be able for some monitoring, which could be
possible abused from remote [like from the router]

> purposes. The point is well stated, however, that this is another device
> that must be protected; in addition, cabling integrity becomes much more
And I repeat that protecting a switch is pretty difficult.


ciao
--
Philipp Buehler, aka fIpS | sysfive.com GmbH | BOfH | NUCH | <double-p>
%SYSTEM-F-TOOEARLY, please contact your sysadmin at a sensible time.
Artificial Intelligence stands no chance against Natural Stupidity.
           [X] <-- nail here for new monitor