On Tue, 11 Sep 2001, Ben Nagy wrote:

> Wow, that's amazing, Paul. You managed to write that _entire_ email with
> VLAN cross-wired with VPN in your brain? You must type like lightning. ;)

Oops!  Apologies, that one did kind of come out as a braindump and I
didn't check it before sending.

> Seriously, though, how about the equivalent rant for VLANs?

Do I get to call them VPNs to balance out the earlier mistake? ;)
> 
> Off the top of my head, I get:
> 
> 1. It's too easy to physically misconfigure

1a. Too easy to logically misconfigure.

> 2. Any VLAN that includes a trunking port may be open to attack 
> (I've heard rumours that simple tag spoofing can fool some switches 
> (no, really!)) 

2a. Any vendor bugs make the traffic easy to get at.
(yep, I've heard the same thing about tag spoofing- from someone with
clue)

> 3. Some switches flood on all ports in overload situations, despite VLAN
> configs 

3a. If VLAN stuff is complex, perhaps even because of them.

> 4. AFAIK there is still no decent switch <--> switch authentication in
> 802.1Q

4a. Get your port in multi-MAC mode and you might win despite the VLAN

5. ISL trunking to high-volume servers may make the switch play with them
as a peer switch if they talk nicely. (rumor)

6. VLANs encourage people to build flat networks with lots of switches,
quickly placing them in spanning tree hell.

7. Moves your layer 2 trust boundary out further. This could induce more
than just an increased opportunity to sniff traffic: it could mean that the
Web-enabled switch installed by the admin in another building on campus
becomes the vector into your core, for instance.

8. Too easily confused with VPNs! ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
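The "simple tag spoofing" in point 2 and the flooding in point 3 are easiest to reason about with the frame format in front of you. The block below is an added example, not code from the original post or the thread; the MAC addresses, payload and the port policy it audits against are constructed for illustration. It builds Ethernet frames with stacked 802.1Q tags, parses them back, models what happens to the tags when such a frame crosses one trunk whose native VLAN matches the outer tag (the generic double-tag hop, which is one generalisation of the tag spoofing the post alludes to, not a statement about any particular switch), and runs the sort of check a span-port capture could apply: tagged frames on access ports, frames explicitly tagged with the trunk's native VLAN, and nested tags.

```python
"""Build, parse and audit 802.1Q-tagged Ethernet frames.

Added example; not from the original post. The frames, MACs and the
per-port policy in audit_ingress() are assumptions made for illustration.
"""
import struct

ETHERTYPE_8021Q = 0x8100   # C-tag (customer VLAN tag)
ETHERTYPE_8021AD = 0x88A8  # S-tag (provider / QinQ outer tag)
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in text.split(":"))


def build_frame(dst, src, vlan_tags, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame with zero or more stacked 802.1Q tags.

    vlan_tags is a list of (pcp, dei, vid) tuples, outermost first. Each tag
    is a 4-byte TPID (0x8100) + TCI pair inserted right after the source MAC;
    TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits).
    """
    frame = dst + src
    for pcp, dei, vid in vlan_tags:
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0x0FFF)
        frame += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vid, ...] outermost first, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    off, vids = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += 4
    return dst, src, vids, etype, frame[off + 2:]


def vlan_after_trunk_hop(frame, native_vid):
    """VLAN the downstream switch assigns after the frame crosses one trunk
    whose native VLAN is native_vid.

    Model of the standard 802.1Q behaviour: native-VLAN traffic travels the
    trunk untagged, so an outer tag equal to native_vid is popped on egress.
    If a second tag sits underneath, it is now the outer tag and the next
    switch honours it. That is the double-tag hop; it only works when the
    sender's VLAN is the trunk's native VLAN, which is why the fix is to
    keep the native VLAN unused by hosts (or tag it on the trunk).
    """
    _, _, vids, _, _ = parse_frame(frame)
    if vids and vids[0] == native_vid:
        vids = vids[1:]                      # outer tag stripped on egress
    return vids[0] if vids else native_vid   # untagged on a trunk = native


def audit_ingress(frame, port_mode, port_vid):
    """Findings for a frame arriving on a port under an assumed policy:
    access ports must never receive tagged frames; trunk ports must never
    receive a frame explicitly tagged with their native VLAN; nested tags
    are always suspicious. port_vid is the access VLAN or the trunk's
    native VLAN respectively.
    """
    _, _, vids, _, _ = parse_frame(frame)
    findings = []
    if port_mode == "access" and vids:
        findings.append("tagged frame on access port")
    if port_mode == "trunk" and vids and vids[0] == port_vid:
        findings.append("frame explicitly tagged with native VLAN")
    if len(vids) > 1:
        findings.append("nested 802.1Q tags (possible double-tag hop)")
    return findings


if __name__ == "__main__":
    # Constructed sample: a host in VLAN 1 (the trunk's native VLAN) sends
    # a frame tagged [1, 20] hoping to land in VLAN 20 on the far switch.
    dst, src = mac("ff:ff:ff:ff:ff:ff"), mac("00:11:22:33:44:55")
    hop = build_frame(dst, src, [(0, 0, 1), (0, 0, 20)], b"constructed payload")
    print("tags:", parse_frame(hop)[2], "-> VLAN", vlan_after_trunk_hop(hop, 1))
    print("native VLAN 99 instead -> VLAN", vlan_after_trunk_hop(hop, 99))
    print("findings on access port:", audit_ingress(hop, "access", 1))
```

The model deliberately stops at one trunk hop and ignores how an access port handles a tagged frame on ingress, since that is exactly the vendor-specific behaviour the post says varies; the point it makes is structural: whatever the switch does with the outer tag, the inner one travels in the payload and is only as safe as the native-VLAN setting on every trunk it crosses.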
