Firewall Wizards mailing list archives
Re: Firewalls and 802.1q trunking
From: "Pearsall, Jim" <Jim.Pearsall () hp com>
Date: Wed, 27 Nov 2002 12:59:05 -0600
> > My concern is that the "fan-out" boxes are typically run-of-the-mill switches, like Cisco Catalysts, that probably have been designed without any security aspirations. I wouldn't be surprised if those switches could be attacked and tricked into leaking packets between VLANs.
> A valid concern. My attitude is simple:
> * If the switches are secure enough to keep VLANs separated for normal traffic then they're secure enough to use as interfaces to your firewall
> * If they're not, well, they're not!
I would submit that secure enough to manage traffic inside your trusted network is quite different from secure enough to define a security boundary. Also, what about resistance to DOS attacks? Trusting your switch administrators? Configuration errors? I just see a bunch of possibilities that I do not need to worry about with discrete (The dumber the better) network devices over big switches connecting border subnets.
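The point of the reply above is that a firewall fed by an 802.1Q trunk inherits the switch's correctness as part of its own security boundary. One way to shrink that dependency is for the firewall side to validate every frame it takes off the trunk rather than assume the switch only ever delivers the right tag. The following is an added example, not code from this thread or from any vendor: a small 802.1Q frame parser plus an admission check that accepts only single-tagged frames whose VLAN ID is on an explicit allow-list for that trunk. The allow-list (`ALLOWED_ON_TRUNK`), the MAC addresses and the sample frames are constructed for the example; the policy it enforces (exactly one tag, known VLAN ID) is an assumption of the example, not a standard.

```python
import struct

# 802.1Q Tag Protocol Identifier. Only the classic 0x8100 TPID is handled here;
# provider-bridge tags (0x88A8) are deliberately out of scope for this illustration.
TPID_8021Q = 0x8100

def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame, peeling off every 802.1Q tag in front of the payload.

    Returns dst/src MACs, the list of VLAN IDs found (outermost first),
    the final EtherType and the payload that follows it.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    vlans = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType field")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype != TPID_8021Q:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        offset += 4
    return {"dst": dst, "src": src, "vlans": vlans,
            "ethertype": ethertype, "payload": frame[offset + 2:]}

def check_trunk_frame(frame: bytes, allowed_vlans: set) -> tuple:
    """Firewall-side admission check for a frame received on an 802.1Q trunk.

    Policy (an assumption of this example): exactly one tag, and its VLAN ID
    must be one the firewall has been told to expect on this trunk. Anything
    else is dropped with a reason string suitable for logging and investigation.
    """
    parsed = parse_frame(frame)
    tags = parsed["vlans"]
    if not tags:
        return ("drop", "untagged frame on trunk interface")
    if len(tags) > 1:
        return ("drop", "more than one 802.1Q tag: %s" % tags)
    vid = tags[0]
    if vid not in allowed_vlans:
        return ("drop", "VLAN %d not permitted on this trunk" % vid)
    return ("accept", "VLAN %d" % vid)

def build_frame(dst: bytes, src: bytes, vlans: list, ethertype: int, payload: bytes) -> bytes:
    """Build a (possibly multi-tagged) Ethernet frame; used here only to construct sample input."""
    hdr = dst + src
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed sample MACs; locally administered addresses, not captured traffic.
FW_MAC = bytes.fromhex("020000000001")
HOST_MAC = bytes.fromhex("020000000002")
# Assumption for the example: VLANs 10 and 20 are the two border subnets on this trunk.
ALLOWED_ON_TRUNK = {10, 20}

def run_samples() -> list:
    """Run the check over four constructed frames and return the verdicts in order."""
    samples = [
        build_frame(FW_MAC, HOST_MAC, [10], 0x0800, b"\x45"),      # expected VLAN
        build_frame(FW_MAC, HOST_MAC, [30], 0x0800, b"\x45"),      # VLAN the firewall never agreed to
        build_frame(FW_MAC, HOST_MAC, [], 0x0800, b"\x45"),        # untagged on a trunk
        build_frame(FW_MAC, HOST_MAC, [10, 20], 0x0800, b"\x45"),  # two tags where one is expected
    ]
    return [check_trunk_frame(f, ALLOWED_ON_TRUNK) for f in samples]

if __name__ == "__main__":
    for verdict, reason in run_samples():
        print(verdict, "-", reason)
```

The check runs on the firewall, not the switch, so it does not make the switch any more trustworthy; what it does is turn "is the fan-out box secure enough?" into "does this frame look like what I was told to expect on this trunk?", which is a question the firewall can answer and log on its own. A dropped frame with an unexpected or extra tag is also a useful signal that the switch configuration, or the switch itself, needs a look.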