Firewall Wizards mailing list archives

Re: Firewalls and 802.1q trunking


From: "Pearsall, Jim" <Jim.Pearsall () hp com>
Date: Wed, 27 Nov 2002 12:59:05 -0600



My concern is that the "fan-out" boxes are typically run-of-the-mill
switches, like Cisco Catalysts, that probably have been designed without
any security aspirations. I wouldn't be surprised if those switches
could be attacked and tricked into leaking packets between VLANs.

A valid concern. My attitude is simple:
* If the switches are secure enough to keep VLANs separated for
normal traffic then they're secure enough to use as interfaces
to your firewall
* If they're not, well, they're not!

I would submit that secure enough to manage traffic inside your trusted
network is quite different from secure enough to define a security
boundary.

Also, what about resistance to DoS attacks?  Trusting your switch
administrators?  Configuration errors?   I just see a bunch of
possibilities that I do not need to worry about with discrete (the
dumber the better) network devices over big switches connecting border
subnets.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
