Firewall Wizards mailing list archives
Re: Firewalls and 802.1q trunking
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 27 Nov 2002 14:02:28 -0500 (EST)
On Wed, 27 Nov 2002, David Pick wrote:
My concern is that the "fan-out" boxes are typically run-of-the-mill switches, like Cisco Catalysts, that probably have been design without any security aspirations. I wouldn't be surprised if those switches could be attacked and tricked into leaking packets between VLANs.A valid concern. My attitude is simple: * If the switches are secure enough to keep VLANs seperated for normal traffic then they're secure enough to use as interfaces to your firewall
But, normal traffic is not the only issue here, it's the abnormal traffic and abusive-normal traffic that is going to affect how well they handle issues in a security related context, yes? Documentation[0] and the undocumented *features* are relevant in this context as documentation leads to understanding the keys and weaknesses to known configuration standards, and undocumented, but included weaknesses such as open admin back-channels: SANS NewsBites Vol. 4 Num. 48 ... --22 November 2002 Alcatel Vulnerability CERT/CC has issued a warning about a back door in Alcatel Operating System version 5.1.1. Customers are advised to upgrade their software. http://www.zdnet.com.au/newstech/security/story/0,2000024985,20270140,00.htm http://www.cert.org/advisories/CA-2002-32.html ... ... From: Jacek Lipkowski <sq5bpf () andra com pl> Subject: Undocumented account vulnerability in Avaya P550R/P580/P880/P882 switches Date: Tue, 15 Oct 2002 16:10:26 +0200 (CEST) To: bugtraq () securityfocus com Undocumented account vulnerability in Avaya P550R/P580/P880/P882 switches ... ... From: "COULOMBE, TROY" <TROCOU () SAFECO com> Subject: Catalyst 4000 Date: Mon, 20 May 2002 09:38:25 -0700 To: "'bugtraq () securityfocus com'" <bugtraq () securityfocus com> Issue: Unicast packets flooded out switch ports they shouldn't be. Platform: Cisco Catalyst 4000 OS: 5.5.5; 6.3.5; 7.1.2; probably all others ... Switches of all types, as well as many other devices employed in security infrastructures, are basically, drop and play *feature-rich*[1] *feature-fresh*[1] *appliances*, <to relate back to another thread...>, documented <often tested at> at *best optimal* operating conditions/settings, shipped at *most optimal functionality defaults* 'on' configurations, pushing the responsibility of security back at the enduser <so much for 'top down' perspectivists>. Which those endusers seem to -=inherently feel more warm fuzzies=- about placing into critically hostile exposed environments. Lack of *research* often driving the newer technology tools/toys deployment, the *critical* nature of which, often inhibits proper auditing and maintainance/patching[2]. A perspective perhaps more critically paranoid of these new devices and technologies is the safer approach. It's no wonder it can be pondered that perhaps companies/endusers "get the security they deserve". Too much hurry and rush to get there, and then an awful lot of surprise once you do... Thanks, Ron DuFresne [0] documentation being an ongoing subprocess, from initial R&D *feature* creep, to going over the vendors documents, to documenting how your tools and toys work and protect one another and are configured to do so. [1] similar, but different, rich implying *most*, fresh implying *latest and greatest*, both together imply a *do it all*, even poorly, then rather *do something<s>* right reaction to consumer demand [2] nobody really thinks upgrades/patches/fixes are really importantly formost in the security mindset do they: http://www.rtfm.com/upgrade.pdf http://www.rtfm.com/upgrade.ps SANS NewsBites Vol. 4 Num. 48 : --19 & 20 November 2002 Study Shows Many Haven't Patched OpenSSH Vulnerability A recent study showed that 30% of systems running OpenSSH remained unpatched even after the Slapper worm illuminated the OpenSSH vulnerability. Speculations about why the problem has not been fixed: (1) lack of full time administrators, (2) stringent deadlines that don't allow time for installing patches and (3) server maintenance responsibility being given to people who have little security training. It is also possible that some systems weren't patched because of fears the patch might have an adverse effect on the system. http://news.com.com/2100-1001-966398.html http://www.newscientist.com/news/news.jsp?id=ns99993090 [Editor's Note (Murray): This report is exceptionally well done. An ounce of it is worth a pound of intuition or two pounds of good intentions.] -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior security consultant: sysinfo.com http://sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Firewalls and 802.1q trunking Steffen Kluge (Nov 26)
- Re: Firewalls and 802.1q trunking Two Dog Flats (Nov 26)
- Re: Firewalls and 802.1q trunking Carson Gaspar (Nov 26)
- Re: Firewalls and 802.1q trunking David Pick (Nov 27)
- Re: Firewalls and 802.1q trunking ark (Nov 27)
- Re: Firewalls and 802.1q trunking R. DuFresne (Nov 27)
- Re: Firewalls and 802.1q trunking Jonn Martell (Nov 27)
- <Possible follow-ups>
- Re: Firewalls and 802.1q trunking Pearsall, Jim (Nov 27)
- Re: Firewalls and 802.1q trunking David Pick (Nov 27)
- Re: Firewalls and 802.1q trunking Stephen Gill (Nov 27)