Firewall Wizards mailing list archives
Re: Switching between FW Segs Still a NOT?
From: "Ryan Russell" <ryanr () sybase com>
Date: Wed, 28 Oct 1998 22:39:45 -0800
I have to recommend against it. I work with Cisco Catalysts. With an out-of-the-box config, I know of about 4 ways to get between VLANs without involving a separate layer-3 device. There have been a few bugs with the Cats that let you push code onto them via a login prompt. I have zero confidence that, even with what I do know, I could configure one down to the point that it would be safe. I believe a couple of the problems I'm aware of can't be turned off.

It's been a while, but I used to work with Cabletron MMAC+'s. In the versions I worked with, one could turn off all the VLAN features and turn the box into one big bridge with a magic password that was embedded in the code and couldn't be changed. The password was entered into a login prompt that couldn't be blocked or turned off.

FWIW, if you're a fan of Mudge and the L0pht crew, I've heard him say the same.

Ryan

> There was some discussion of this issue back in August, but it's come around to me in real life now and I'm checking.
>
> The company has an Internet firewall with multiple interfaces supporting a couple of DMZs as well as the usual inside network and outside connection to an ISP. The question has arisen as to whether it is advisable to use a high-end switch acquired through an acquisition to provide connectivity to "both sides" (actually "all sides") of the various segments. Vendor sales rep says it's ok as long as we define the VLANs properly. That was debunked quickly here in August.
>
> Anybody know of any white papers or other literature dealing with this subject that I could show management?
Current thread:
- Switching between FW Segs Still a NOT? Kleber Borran (Oct 23)
- <Possible follow-ups>
- Re: Switching between FW Segs Still a NOT? Robert Graham (Oct 28)
- Re: Switching between FW Segs Still a NOT? Ryan Russell (Oct 29)