Paul Robertson wrote:
>VLANs were designed to separate broadcast domains, *not* to segment
>external and internal traffic.
>
>History has proven that to be at least questionable and sometimes
>disastrous, and that's probably going to be the case again.
>
Paul,
I'm certainly not going to argue with you about other means of segmentation being more secure, but I'm wondering what the actual risk level is. The only vulnerability report I've seen requires the following conditions:
"This is a problem if the following conditions are met:
1. The attacker has access to a switch port on the same VLAN as the trunk.
2. The target machine is on a different switch.
3. The attacker knows the MAC address of the target machine."
"In a real-life scenario, there may also be a requirement for some
layer 3 device to provide a connection from VLAN 2 back to VLAN 1."
( http://online.securityfocus.com/archive/1/26008 )
Cisco also had a response:
http://online.securityfocus.com/archive/1/27062
Are you aware of any other vulnerabilities or exploits?
thanks,
gary
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls