Firewall Wizards mailing list archives
Re: MAC blocking
From: "Patrick M. Hausen" <hausen () punkt de>
Date: Mon, 28 Nov 2005 23:33:57 +0100 (CET)
Hi, Chuck!
> I would say it's not safe to assume that VLANs can be trusted to separate traffic with complete reliability, especially if it is possible for a malicious machine to gain access to a trunk port:
But you can eliminate the latter. Disable VTP and even STP for all ports that are connected to hosts - regardless if trusted or untrusted. OTOH this implies that you are in control of the physical environment, i.e. cabling. A datacenter is quite different from an office or, say, a school or library network.

I tend to recommend using 802.1q to establish many different zones if it's "either separate on layer 3 cheaply or don't separate at all".

There are no absolutes in network security beyond Marcus' proverbial ultimate firewall ;-) I learned from Bruce Schneier that security is always about tradeoffs to make. I used to believe in absolutes, when I was a lot younger than today.

Kind regards,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
--
punkt.de GmbH
Internet - Dienstleistungen - Beratung
Vorholzstr. 25
76137 Karlsruhe
Tel. 0721 9109 -0 Fax: -100
http://punkt.de
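As an added example, not code from Patrick or the list, here is a small Python audit of a Cisco-IOS-style switch config for the hardening his reply points at: host-facing ports pinned to access mode with DTP negotiation off, and VTP not participating. Rather than literally switching STP off per port, the check looks for BPDU guard (my choice, not the post's); the config text is constructed and the tool is hypothetical, but the commands it matches are standard IOS syntax.

```python
"""Audit a Cisco-IOS-style running config for host ports that could still
negotiate a trunk or speak STP. Hypothetical audit tool, not from the post."""
# Constructed sample config (not from any real device).
SAMPLE_CONFIG = """\
vtp mode transparent
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/2
 switchport access vlan 20
interface GigabitEthernet1/0/24
 switchport mode trunk
"""
def parse_interfaces(config):
    """Return {interface_name: [config lines]} for each interface block."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the block
    return interfaces

def vtp_disabled(config):
    """True when VTP is transparent/off, so no port can push VLAN DB changes."""
    lines = {l.strip() for l in config.splitlines()}
    return bool(lines & {"vtp mode transparent", "vtp mode off"})

def audit_host_ports(config):
    """Flag non-trunk ports left able to negotiate a trunk or lacking BPDU guard."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines:
            continue  # declared uplinks are outside the host-port checks
        issues = []
        if "switchport mode access" not in lines:
            issues.append("not forced to access mode (DTP dynamic default)")
        if "switchport nonegotiate" not in lines:
            issues.append("DTP negotiation not disabled")
        if "spanning-tree bpduguard enable" not in lines:
            issues.append("BPDU guard not enabled")
        if issues:
            findings[name] = issues
    return findings
```

Run against the constructed config, only GigabitEthernet1/0/2 is reported, with all three gaps.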