Firewall Wizards mailing list archives

Re: MAC blocking


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Mon, 28 Nov 2005 23:33:57 +0100 (CET)

Hi, Chuck!

> I would say it's not safe to assume that VLANs can be trusted to
> separate traffic with complete reliability, especially if it is
> possible for a malicious machine to gain access to a trunk port:

But you can eliminate the latter. Disable VTP and even STP
for all ports that are connected to hosts - regardless of whether they are
trusted or untrusted.

OTOH this implies that you are in control of the physical environment,
i.e. cabling. A datacenter is quite different from an office or, say,
a school or library network.

I tend to recommend using 802.1q to establish many different zones
if it's "either separate on layer 3 cheaply or don't separate at all".
There are no absolutes in network security beyond Marcus' proverbial
ultimate firewall ;-)

I learned from Bruce Schneier that security is always about tradeoffs
to make. I used to believe in absolutes, when I was a lot younger than
today.

Kind regards,

Patrick M. Hausen
Leiter Netzwerke und Sicherheit
-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe       http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
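As an added illustration of the host-port hardening Patrick recommends (this is not from the original post, and it is not a configuration from the list or from punkt.de), here is a Cisco IOS-style fragment showing the permissive state beside the hardened one. The interface name GigabitEthernet1/0/1 and VLAN 10 are assumed; BPDU Guard is used as the practical stand-in for "disable STP on host ports", since STP itself keeps running on the switch.

```cisco
! ---- Before: the permissive state the post warns about ----
! VTP server mode: a forged VTP advertisement with a higher revision
! can rewrite the VLAN database on every switch in the domain.
vtp mode server
!
! (assumed port name) Host-facing port left in a DTP-negotiating mode
! (the default on many older Catalysts): a host that speaks DTP can
! turn it into a trunk and reach every VLAN carried on it.
interface GigabitEthernet1/0/1
 switchport mode dynamic desirable
!
! ---- After: hardened host-facing port ----
! No VTP learning at all; VLANs are defined locally on each switch.
! ("vtp mode off" exists on newer IOS releases and is stricter still.)
vtp mode transparent
!
interface GigabitEthernet1/0/1
 description host port - treat as untrusted
 ! Fixed access port, never a trunk.
 switchport mode access
 ! (assumed VLAN) The single VLAN this host belongs to.
 switchport access vlan 10
 ! Stop DTP entirely, so a host cannot ask to become a trunk.
 switchport nonegotiate
 ! Edge port: no STP convergence delay, and ...
 spanning-tree portfast
 ! ... any BPDU received from the host err-disables the port, which
 ! keeps hosts out of the spanning tree without turning STP off.
 spanning-tree bpduguard enable
!
! ---- Verification (expected lines in the show output) ----
! show interfaces GigabitEthernet1/0/1 switchport
!   Administrative Mode: static access
!   Negotiation of Trunking: Off
! show vtp status
!   VTP Operating Mode : Transparent
! show spanning-tree interface GigabitEthernet1/0/1 detail
!   Bpdu guard is enabled
```

On IOS, comment lines starting with `!` are ignored when the fragment is pasted, so the block can be applied as-is once the interface name and VLAN are replaced.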

