Vulnerability Development mailing list archives

Re: Vlans


From: Shawn Badolian <Shawn_Badolian () CANDLE COM>
Date: Tue, 23 Jan 2001 08:10:55 -0800

Realistically, I have never had a problem unplugging something and popping my
hub/laptop in-line....
Like anyone would pay attention to a network hiccup. Unless you all have
networks that actually never break.  :P
I do agree with you for the most part however.

my $0.01+$0.01
Dr. Sanner


From: Carson Sweet <csweet@SECURITYMETHODS.COM>
Date: 01/22/01 05:50 AM
To: VULN-DEV () SECURITYFOCUS COM
cc: (bcc: Shawn Badolian/LA/Candle)
Subject: Re: Vlans



One item for consideration on the crossover cable theory: while it certainly
is difficult to subvert at the physical layer, it's also a challenge to drop
a sniffer onto a crossover cable, as well, requiring rewiring and some brief
downtime (is there such a thing?) as you replace the crossover with standard
10x-B-T cables and a hub to plug the sniffer into. In addition, many
organizations that I have worked with have chosen to use a single more
intelligent switch, segmented into VLANs, in lieu of several dumb hubs; this
can save money on IDS by allowing you to span traffic from multiple DMZ
subnetworks to a single span port for IDS / sniffer troubleshooting
purposes. The point is well stated, however, that this is another device
that must be protected; in addition, cabling integrity becomes much more
important to prevent accidental physical connection of two subnets. As
always, the added complexity and risk must be worth the gains. Hope this is
helpful. Cheers!


-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
Lincoln Yeoh
Sent: Saturday, January 20, 2001 7:27 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Vlans


At 09:02 AM 1/17/01 -0800, you wrote:
I am not certain if this is the place to ask this and if not please let
me know where to send it.

I have a client who has the following configuration

Internet -> router -> firewall -> load balancer

The connection from the router to the firewall is on a switch and the
connection from the inside interface of the firewall is on the same
switch. The separation is done using VLANS.

Why not

Internet
|
router
|cross-over cable
firewall
|
switch/hub

That's similar to what we have here.

How much does it cost to make/get a cross-over cable?

It's a lot harder for a hacker to subvert a cross-over cable remotely, e.g. by
social engineering for instance, but you should take care of that as well.

Personally when secure network equipment is required I like cross-cables
and really "dumb" hubs and switches.

Putting those newfangled switches with built-in webservers on the
"insecure" side sounds silly to me. Actually, putting that particular type
of switch anywhere sounds silly too, esp when you have curious people in
your network.

As for reliability and management: how often do "dumb" hubs fail? They're
practically wires hooked together.

Seems to me that it's the smart switches which fail. One of our ISPs
apparently had a problem with their "advanced" switches and had to firmware
patch it. International connectivity was < 22kbps at one point. Doh. And I
had to point out the problem to them - doh^2.

Cheerio,
Link.

