Wow, that's amazing, Paul. You managed to write that _entire_ email with
VLAN cross-wired with VPN in your brain? You must type like lightning. ;)
Seriously, though, how about the equivalent rant for VLANs?
Off the top of my head, I get:
1. It's too easy to physically misconfigure
2. Any VLAN that includes a trunking port may be open to attack (I've heard rumours that simple tag spoofing can fool some switches (no, really!))
3. Some switches flood on all ports in overload situations, despite VLAN configs
4. AFAIK there is still no decent switch <--> switch authentication in 802.1Q
Cheers!
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
> -----Original Message-----
> From: Paul D. Robertson [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 11, 2001 11:09 AM
> To: Jason Lewis
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Secure lan communication (part 2)?
>
>
> On Mon, 10 Sep 2001, Jason Lewis wrote:
>
> > While we are on the subject..... Care to go into detail about why
> > VLANs shouldn't be assumed to be secure either? I can't tell you how
> > many "discussions" I have had why the firewall shouldn't be in just
> > another VLAN off the 6509.
> >
> > I am sure the list would benefit.
>
> Well, eventually I'll try to get this all written up with
> pictures and formal arguments with more exact language (if
> for nothing else than the sure joy of watching the folks at
> Information Security Magazine cringe at deciding if they
> wanna run it...)
>
> The basic problem with VLANs is that they're trust extension
> products, not security products, and anytime you extend
> trust, you open yourself up to misuse of that trust
> relationship. VPNs rely on one thing to function
> properly, and that's the integrity of the encryption boundary at
> each endpoint.
>
> For LAN to LAN encryption[...]
[Snip Paul going crazy]
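As an added illustration of Ben's second point (802.1Q tag handling on trunk and access ports), here is a small defensive frame checker that flags tagged or stacked-tag frames a port should never see; it is not code from the thread, and the PortPolicy model, the finding strings and the sample frames are my own construction.

```python
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100    # standard 802.1Q tag
TPID_8021AD = 0x88A8   # service tag used for stacked (QinQ) tagging
TAG_TPIDS = {TPID_8021Q, TPID_8021AD, 0x9100}

@dataclass
class PortPolicy:
    mode: str                                   # "access" or "trunk" (hypothetical model)
    allowed: set = field(default_factory=set)   # VLAN IDs permitted on a trunk

def parse_tags(frame: bytes):
    """Return the VLAN IDs of all stacked 802.1Q headers in an Ethernet frame, outer first."""
    vids = []
    off = 12                                    # skip destination and source MAC
    while len(frame) >= off + 4:
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid not in TAG_TPIDS:
            break                               # reached the real EtherType
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)               # low 12 bits of the TCI are the VID
        off += 4
    return vids

def check_frame(frame: bytes, policy: PortPolicy):
    """Return a list of policy findings for one frame seen on a port with the given policy."""
    findings = []
    vids = parse_tags(frame)
    if policy.mode == "access" and vids:
        findings.append("tagged frame received on access port")
    if len(vids) > 1:
        findings.append("stacked 802.1Q tags, inner VLAN %d" % vids[-1])
    for v in vids:
        if v in (0, 4095):
            findings.append("reserved VLAN id %d" % v)
        elif policy.mode == "trunk" and v not in policy.allowed:
            findings.append("VLAN %d not in trunk allowed list" % v)
    return findings

def build_frame(vids, payload=b"\x08\x00" + b"\x00" * 20):
    """Constructed sample frame: two MACs, one 802.1Q header per VID, then an IPv4 payload stub."""
    hdr = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    for v in vids:
        hdr += struct.pack("!HH", TPID_8021Q, v & 0x0FFF)
    return hdr + payload
```

Run it over frames captured on an edge port to confirm that the switch really strips tags the way the VLAN config says it should; an untagged frame on an access port yields no findings.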
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls