Could you explain this a bit more.

I too just implemented a network somewhat like this.  I had 2 7206VXRs, 
each connected to one PIX 535, which were then connected to 2 6509s with 
IDS.  All running 1000FX.

In my current implementation of the same network I have replaced the 
7206VXRs and 6509s with Foundry ServerIrons using Span with ISS RealSecure 
for the IDS running 100BaseT.  I haven't had any VLAN issues thus far. Let 
me guess, you are using the 6808s for FW loadbalancing right?  If yes, 
that is a great design if the customer will pay for it.  Highly scalable 
and there are all sorts of cool things you can do with it.

I can't see a security problem as long as you properly secure the machines, 
i.e. disable unused ports physically if possible, don't insert a GBIC card, 
shut down unnecessary services on the router and switch, and secure the 
VLAN.  I would be interested in what your uppers are concerned about for 
my own designs. 

You are right that it should be platform independent.  Of course people 
are going to say that each vendor is different, requiring a different 
approach in security, but I know you were not born yesterday so you are 
probably taking care of that :-)

Theo CISSP
CSS1

"ipguru1" 
Sent by: [EMAIL PROTECTED]
06/04/2002 10:30 AM
Please respond to "ipguru1"

        To:     [EMAIL PROTECTED]
        cc: 
        Subject:        Security hazard?? [7:45731]


All,

We have two 3640s and two Extreme Black Diamond 6808s (aka 6509s).
The two 3640s are doing IBGP between them on each of their eth0s.  I
have created a VLAN on the Extremes called 'unsecure' (there are only 2
ports on each Extreme in this VLAN... one coming in from the 3640 and
the other going into the firewall).  I am getting some complaints from
the 'uppers' that bringing the 3640s into the Extremes is a security
hazard.

I am sure someone is now working on a way to hack from one VLAN to the
next, but for now I don't see the difference between putting a hub in
there and using a couple of ports on these monster
'almost-never-go-down' switches.  I just don't want another unmanaged
piece of equipment in the flow.

Has anyone ever heard of this being a leak?  I worked in a datacenter
before and this is what we did with 6509s and we didn't blink!  I know
these are Extreme switches... which is probably taboo in the group, but
I am pretty sure this would be platform independent... right????

Thanks,

bk




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45734&t=45731