Vulnerability Development mailing list archives
Re: Vlans
From: Philipp Buehler <lists () fips de>
Date: Tue, 23 Jan 2001 11:43:34 +0100
On 23/01/2001, Carson Sweet <csweet () SECURITYMETHODS COM> wrote to VULN-DEV () SECURITYFOCUS COM:
> One item for consideration on the crossover cable theory: while it certainly is difficult to subvert at the physical layer, it's also a challenge to drop a sniffer onto a crossover cable, as well, requiring rewiring and some brief downtime (is there such a thing?) as you replace the crossover with standard 10x-B-T cables and a hub to plug the sniffer into. In addition, many
Either you have IDS or not :P "Part-time" IDS makes no sense to me; if you plan it, a hub [or two if it's the only SPOF] is better of course. I really disagree on a switch which is a potential short-cut between the external and internal interface of the firewall. It has been mentioned that it's not feasible to ensure the VLAN segmentation is always ok, or that there is some other weakness, like an error in the administration of the switch. Too many drawbacks for me.
> intelligent switch, segmented into VLANs, in lieu of several dumb hubs; this can save money on IDS by allowing you to span traffic from multiple DMZ
Saving money should really not be the first point in designing such a construct. In my eyes 2 hubs and a bunch of cables are cheaper and provide more failover capability than some 'we make all network around FW' switch. For IDS the switch must be capable of some monitoring, which could possibly be abused from remote [like from the router].
> purposes. The point is well stated, however, that this is another device that must be protected; in addition, cabling integrity becomes much more
And I repeat that protecting a switch is pretty difficult.

ciao
--
Philipp Buehler, aka fIpS | sysfive.com GmbH | BOfH | NUCH | <double-p>
%SYSTEM-F-TOOEARLY, please contact your sysadmin at a sensible time.
Artificial Intelligence stands no chance against Natural Stupidity.
[X] <-- nail here for new monitor