On 2010-06-28 at 12:26 -0700, Brent Chapman wrote:

> Everybody says "but what if the switch somehow leaks packets from one VLAN
> to another?" Well, what if the switch ACLs didn't work, and passed traffic
> that it shouldn't? Those would both be major security bugs, drawing a quick
> response from the vendors in question.

You might think that. For us, at $former_employer, it just led us to stop buying Alcatel switches when we couldn't get them to see the problem with having broadcast traffic leak across all VLANs.

In this day and age, I'm inclined to agree that switches should do as you say, but I'd still want to stress-test before trusting their VLAN logic to be an unreinforced part of a security periphery.

-Phil

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
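One way to run the kind of VLAN stress test Phil is talking about, as an added example that is not code from this thread: plant a probe host in VLAN 10 that sends broadcasts, capture on a port that should only ever see VLAN 20, and flag any frame that carries a foreign 802.1Q tag or comes from the probe's MAC (which catches the leak even when an access port strips the tag). The frames, MAC addresses and VLAN numbers below are constructed for the demonstration.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6

def build_frame(dst, src, vid, ethertype, payload=b""):
    """Ethernet II frame; vid=None is untagged, else an 802.1Q tag (PCP/DEI 0)."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (src_mac, vid, ethertype); vid is None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_8021Q:
        return src, None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return src, tci & 0x0FFF, inner

def find_leaks(frames, allowed_vids, foreign_probe_macs):
    """Flag frames that should never have reached this port: tagged with a VLAN
    the port may not carry, or sent by a probe host planted in another VLAN
    (catches leaks even where an access port strips the tag)."""
    leaks = []
    for i, f in enumerate(frames):
        src, vid, _ = parse_frame(f)
        if vid is not None and vid not in allowed_vids:
            leaks.append((i, "unexpected_vid", vid))
        elif src in foreign_probe_macs:
            leaks.append((i, "foreign_probe", foreign_probe_macs[src]))
    return leaks

# Constructed capture from an access port in VLAN 20. PROBE_V10 is a host we
# placed in VLAN 10 that sends ARP broadcasts for the duration of the test.
PROBE_V10 = b"\x02\x00\x00\x00\x00\x0a"
HOST_V20 = b"\x02\x00\x00\x00\x00\x14"
SAMPLE_FRAMES = [
    build_frame(BROADCAST, HOST_V20, None, ETHERTYPE_ARP, b"\x00" * 28),   # legitimate
    build_frame(BROADCAST, PROBE_V10, None, ETHERTYPE_ARP, b"\x00" * 28),  # leaked, tag stripped
    build_frame(BROADCAST, PROBE_V10, 10, ETHERTYPE_ARP, b"\x00" * 28),    # leaked, tag intact
]

def audit_sample():
    return find_leaks(SAMPLE_FRAMES, allowed_vids={20}, foreign_probe_macs={PROBE_V10: 10})
```

On real hardware the frames would come from a packet capture on the VLAN 20 port while the probe runs; a clean switch returns an empty list.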
