Firewall Wizards mailing list archives

Re: Vlan's as effective security measures?


From: Jeremiah Cornelius <jeremiah () nur net>
Date: Tue, 17 Feb 2004 08:33:38 -0800

On Friday 13 February 2004 08:58, hugh_fraser () dofasco ca wrote:
<SNIP>
Policies controlling access to VLANs depend upon some method of
identifying the client, and it's usually either a MAC address or a
switch port. MAC addresses are readily obtained and almost as easily
forged as IP addresses, allowing access to a MAC-based VLAN. Port-based
identification relies on restricted access to the ports themselves, or
to the drop connected to the port.
<SNIP>

Enterasys does this really well.  They establish an identity for the port 
(integrates w/ AD - LDAP) and assign VLAN accordingly.  I haven't tested this 
solution myself. I know that it is being looked at by the US Veteran's 
Administration - they have their own "ITSCAP" style accreditation process.

It /seems/ that this would be resistant to MAC / CAM table attacks and other 
dsniff-style tricks.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
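As an added defender-side example (not from this thread, Enterasys, or any vendor's tooling), the following audits a snapshot of a switch forwarding table for the two symptoms the quoted paragraph implies a MAC-based VLAN policy cannot catch on its own: a trusted MAC learned on a port other than where it belongs, and a port learning an implausible number of MACs. The (port, vlan, mac) table format, port names, MAC addresses and threshold are all constructed for the example.

```python
from collections import defaultdict

def normalize_mac(mac):
    """Canonicalize 00:11:22:33:44:55 / 0011.2233.4455 / 00-11-... forms."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

# Constructed FDB snapshot as (port, vlan, mac); not real switch output.
# Ge1/7 re-announces the MAC trusted on Ge1/1 (clone/duplicate), and Ge1/3
# has learned 300 distinct MACs (flooding pattern).
FDB_SNAPSHOT = [
    ("Ge1/1", 10, "0011.2233.4455"),
    ("Ge1/2", 10, "00:11:22:33:44:66"),
    ("Ge1/7", 10, "00-11-22-33-44-55"),
] + [("Ge1/3", 20, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(300)]

# Constructed policy: MAC -> port where a MAC-based VLAN rule expects it.
TRUSTED_MACS = {"00:11:22:33:44:55": "Ge1/1", "00:11:22:33:44:66": "Ge1/2"}

def ports_by_mac(fdb):
    """Map each canonical MAC to the set of ports it was learned on."""
    seen = defaultdict(set)
    for port, _vlan, mac in fdb:
        seen[normalize_mac(mac)].add(port)
    return seen

def find_duplicate_macs(fdb):
    """MACs learned on more than one port. Returns {mac: sorted ports}."""
    return {m: sorted(p) for m, p in ports_by_mac(fdb).items() if len(p) > 1}

def find_flooded_ports(fdb, threshold=50):
    """Ports with more learned MACs than a single host should present."""
    counts = defaultdict(int)
    for port, _vlan, _mac in fdb:
        counts[port] += 1
    return {p: n for p, n in counts.items() if n > threshold}

def check_trusted_macs(fdb, trusted):
    """Trusted MACs seen on a port other than their expected one."""
    seen = ports_by_mac(fdb)
    return sorted((m, p) for m, home in trusted.items()
                  for p in seen.get(normalize_mac(m), ()) if p != home)

def audit(fdb, trusted, threshold=50):
    """Combine the three checks into one report dict."""
    return {"duplicates": find_duplicate_macs(fdb),
            "flooded": find_flooded_ports(fdb, threshold),
            "misplaced": check_trusted_macs(fdb, trusted)}

if __name__ == "__main__":
    for kind, hits in audit(FDB_SNAPSHOT, TRUSTED_MACS).items():
        print(kind, hits)
```

On a real switch the snapshot would come from the FDB/MAC-address-table output of your platform, fed through normalize_mac so the differing address notations compare equal.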