Firewall Wizards mailing list archives
Re: switches in a fw environment
From: Gerhard Mezger <Gerhard.Mezger () mail inuco ch>
Date: Thu, 02 Jul 1998 00:03:24 +0000
I understand and agree with your technical concerns. And as somebody else pointed out, using switches the way I described would certainly violate our security policy. So, from a security perspective this should definitely be a no-go.

Given your arguments and the fact that security isn't a main design criterion when building switches, how come there are only a few (??) known security breaches? (The one you mentioned is the only one I am aware of.)

cheers
Gerhard Mezger

Mark Coleman wrote:

My opinion was this: the

...this puts you at the mercy of trusting the switch manufacturer's code to prevent someone from getting in and joining up the VLANs, thus bypassing the firewall altogether. Not just via management but also through back doors and manufacturer-specific exploits in the operating code. (Remember those default passwords in the ROMs of the other vendors' switches?) My opinion: don't do it.

Also remember that it is known that you can get around the layer 2 segregation by flooding a switch's tables, forcing it into a "forwarding mode" that starts passing all data everywhere. Just get an independent switch or a standalone hub for your DMZ.
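The table-flooding failure mode Mark describes (the switch learns more addresses than its CAM table holds and degrades to hub-like forwarding) has a simple observable symptom: one port suddenly "learns" hundreds of distinct source MACs where a normal access port learns one or two. The script below is an added example written for this archive page, not code from either poster; it parses constructed "port=... src=..." log lines (the format, the port names and the threshold of 8 addresses per port are assumptions) and flags any port whose learned-address count exceeds what an access port should ever see. On real gear the same check is what a port-security MAC limit enforces on the switch itself.

```python
"""Flag switch ports that have learned an implausible number of MAC addresses.

Added example for the Firewall Wizards thread above; not from the original
posts. The log format, port names and threshold are assumptions.
"""
import re
from collections import defaultdict

# Regex for the constructed log format; real syslog or "show mac address-table"
# output would need its own parser.
_LINE_RE = re.compile(
    r"port=(\S+)\s+src=([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.IGNORECASE
)


def learned_macs_per_port(log_text):
    """Return {port: set of MAC addresses seen as source on that port}."""
    table = defaultdict(set)
    for line in log_text.splitlines():
        m = _LINE_RE.search(line)
        if m:
            table[m.group(1)].add(m.group(2).lower())
    return dict(table)


def flooding_ports(log_text, max_macs=8):
    """Ports whose distinct-source count exceeds max_macs, worst offender first.

    max_macs=8 is an assumed ceiling for an access port; an uplink or a port
    feeding a hub legitimately carries more and would need a higher limit.
    """
    counts = {p: len(macs) for p, macs in learned_macs_per_port(log_text).items()}
    return sorted(
        (p for p, n in counts.items() if n > max_macs), key=lambda p: -counts[p]
    )


def _build_sample():
    """Constructed sample log: two healthy ports and one flooded port."""
    lines = ["port=Fa0/1 src=00:11:22:33:44:01"] * 3          # one host, repeated
    lines += ["port=Fa0/2 src=00:11:22:33:44:02",
              "port=Fa0/2 src=00:11:22:33:44:03"]             # two hosts
    # Fa0/3: 250 distinct bogus sources, the signature of a CAM-table flood
    lines += ["port=Fa0/3 src=de:ad:be:ef:%02x:%02x" % (i >> 8, i & 0xFF)
              for i in range(250)]
    return "\n".join(lines)


SAMPLE_LOG = _build_sample()

if __name__ == "__main__":
    for port, macs in sorted(learned_macs_per_port(SAMPLE_LOG).items()):
        print(f"{port}: {len(macs)} distinct source address(es)")
    print("ports exceeding limit:", flooding_ports(SAMPLE_LOG))
```

The threshold is deliberately per-port rather than global: a flood shows up as a single port learning far more than its neighbours, which is also why the usual mitigation (a per-port maximum address count that shuts or restricts the port when exceeded) is configured on the switch port rather than on the table as a whole.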
Current thread:
- Re: switches in a fw environment Mark Coleman (Jul 02)
- Re: switches in a fw environment Gerhard Mezger (Jul 02)
- <Possible follow-ups>
- Re: switches in a fw environment Bennett Todd (Jul 07)