Ooh! Ooh! I know this one! Can I be first?
Switches are not security devices. You may be able to configure them up so
that they _look_ like security devices, but they're not. Honest.
There was an article on bugtraq recently that got all this stirred up again
(turned out that the switch in question was 'misconfigured', but still a
reminder). There's a whole world of tricksy MAC layer chicanery that just
hasn't been looked at enough.
And now I get to use my favourite phrase:
What this problem needs is STRONG CRYPTO.
Take a look at VPN type stuff. If you want 10 high speed connections you may
need something quick to terminate all the VPNs, but that's just a matter of
shopping. Realistically, you're not going to get wirespeed out of 11 100Mb
ethernet links anyway. This would mean that even if one competitor _did_
sniff another's data, it would be no good to them. It also means that _your_
data going to contractor A isn't readable by contractor B, which is possibly
more important. This is even more compelling if the people have anything
like physical access to any of the wire (you mentioned that there was a
concern RE: access to the switch console port).
Cheers,
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
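[Added example, not from the original thread or its authors: a small Python model of the set-up C.K. describes, walked through in the spirit of the answer above. Ten contractor ports hang off one switch, each meant to sit in its own VLAN, with the firewall NIC on a trunk port. The model shows that one mis-assigned port (a typo in the switch config) lets contractor 2 read contractor 1's frames, and that if each contractor's traffic rides a per-contractor authenticated-encryption tunnel, the leaked frames are unreadable and unforgeable anyway. The switch model, port/VLAN table, keys and payload are all constructed. The cipher is a toy encrypt-then-MAC construction built from HMAC-SHA256 in counter mode, standing in for the real ciphers an IPsec VPN would use; it is there to illustrate the point, not to deploy.]

```python
"""Model of the contractor/VLAN question: leak via a mis-assigned port, and why
per-contractor crypto makes the leak harmless. Constructed example, stdlib only."""
import hashlib
import hmac
import os
from dataclasses import dataclass

FIREWALL_PORT = 0          # the switch port the firewall NIC hangs off (constructed)
NUM_CONTRACTORS = 10       # one contractor per access port, ports 1..10
NONCE_LEN = 16
TAG_LEN = 32


@dataclass
class Switch:
    """Minimal VLAN switch: flooding only, no MAC learning, no tagging tricks."""
    port_vlan: dict   # access port -> VLAN id
    trunk_ports: set  # ports that carry every VLAN (the firewall NIC)

    def flood(self, ingress_port, frame):
        """Deliver a frame from an access port to every other port in its VLAN
        plus the trunks. Returns {port: frame} for the ports that receive it."""
        vlan = self.port_vlan[ingress_port]
        out = {}
        for p in sorted(set(self.port_vlan) | self.trunk_ports):
            if p == ingress_port:
                continue
            if p in self.trunk_ports or self.port_vlan[p] == vlan:
                out[p] = frame
        return out


def build_switch(misassigned=None):
    """Contractor i sits on port i in VLAN i. `misassigned` overrides the
    port->VLAN table, standing in for a typo in the switch config."""
    port_vlan = {i: i for i in range(1, NUM_CONTRACTORS + 1)}
    port_vlan.update(misassigned or {})
    return Switch(port_vlan=port_vlan, trunk_ports={FIREWALL_PORT})


# --- toy tunnel: HMAC-SHA256 in counter mode, encrypt-then-MAC (illustration only) ---

def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext, nonce=None):
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Return the plaintext, or None if the tag does not verify under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def run_scenario():
    """Walk through three cases and return what each port could make of the frame."""
    keys = {i: os.urandom(32) for i in range(1, NUM_CONTRACTORS + 1)}  # per-contractor keys (constructed)
    secret = b"contractor 1 price list: widget $4.20"                 # constructed payload
    correct = build_switch()
    broken = build_switch(misassigned={2: 1})  # port 2 accidentally placed in VLAN 1
    results = {}

    # Case 1: plaintext on a correctly configured switch -> only the firewall port sees it.
    results["plain_correct"] = list(correct.flood(1, secret))

    # Case 2: plaintext, one typo in the config -> contractor 2 reads contractor 1's data.
    got = broken.flood(1, secret)
    results["plain_broken"] = list(got)
    results["contractor2_reads"] = got[2] == secret

    # Case 3: same broken switch, but the traffic rides a per-contractor tunnel.
    got = broken.flood(1, seal(keys[1], secret))
    results["tunnel_broken"] = list(got)
    results["contractor2_opens"] = unseal(keys[2], got[2])           # None: wrong key
    results["firewall_opens"] = unseal(keys[1], got[FIREWALL_PORT])  # the intended recipient
    tampered = got[2][:-1] + bytes([got[2][-1] ^ 0x01])               # one flipped tag bit
    results["tamper_detected"] = unseal(keys[1], tampered) is None
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value!r}")
```

Case 3 is the whole argument in miniature: the mis-assigned port still hands contractor 2 the bytes, but without contractor 1's key they are noise, and any edit is caught by the tag at the firewall end. The isolation no longer rests on the switch config being right.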
> -----Original Message-----
> From: Ivan Fox [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 22 October 1999 6:56 AM
> To: [EMAIL PROTECTED]
> Subject: VLAN - a semi-firewall related question
>
>
> It is a semi-Firewall related question.
>
> A firewall for the Extranet allows, say, 10 vendors or contractors to connect
> to it. There are two options that we can think of:
>
> Option 1:
> Have 10 NICs in the firewall. This option is clumsy, but it is secure in
> the sense that competitive suppliers cannot sniff each other's data.
>
> Option 2:
> A smarter approach, one says. Have an intelligent switch connecting to a
> NIC in the firewall. Each port of the switch is isolated, a VLAN approach.
> Competitive suppliers cannot "peer" into each other's data.
>
> Being a non-router/switch guy, how can I configure and secure the switch?
> I have also heard a router guru mention that, in order to provide
> security, we should not use an intelligent switch, as if someone connects
> to the console of a switch, he/she can sniff the packets.
>
> Any pointers are appreciated.
>
> Thanks,
>
> C.K.
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>