From: Copleston Daniel (Daniel.Copleston@ukomfs.com)
Date: Wed Feb 12 2003 - 17:23:52 GMT-3
I generally think it is good practice not to have hosts in the native VLAN,
and having hosts in the native trunk VLAN should not be required if all the
switches involved support dot1q. If you avoid this then you will not suffer
from security issues caused by any quirks of switch architecture. If you
really want to tighten down VLANs and you are using 3550s or 6500s with
PFCs you can look into using private VLANs (PVLANs); these can be used to
restrict access between hosts in the same VLAN. Some good info on these can
be found at:
http://www.cisco.com/warp/public/473/90.shtml
Thanks,
Daniel
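As an added illustration of the two practices described above (example configuration, not taken from the thread): a dot1q trunk whose native VLAN is an unused, host-free VLAN, and a private VLAN that isolates hosts sharing the same subnet. Interface names and VLAN numbers are assumed; check PVLAN support and exact syntax for your platform and software release.

```cisco
! Dedicated, host-free VLAN used only as the trunk native VLAN
vlan 999
 name UNUSED-NATIVE
!
! Trunk to the other switch: native VLAN is the unused VLAN, only the
! VLANs that actually need to cross the trunk are allowed, and DTP
! negotiation is disabled so the port cannot be talked into trunking.
interface FastEthernet0/24
 description dot1q trunk to core switch (example)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
! Private VLAN: 20 is the primary VLAN, 201 an isolated secondary VLAN.
! Hosts in 201 can reach the promiscuous port (firewall/gateway) but not
! each other, even though they share the same IP subnet.
vlan 20
 private-vlan primary
 private-vlan association 201
vlan 201
 private-vlan isolated
!
! Host port: placed in the isolated secondary VLAN
interface FastEthernet0/1
 description isolated host (example)
 switchport mode private-vlan host
 switchport private-vlan host-association 20 201
!
! Promiscuous port: the gateway or firewall inside interface
interface FastEthernet0/2
 description gateway / firewall inside (example)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 20 201
```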
-----Original Message-----
From: Sam Munzani [mailto:sam@munzani.com]
Sent: 12 February 2003 19:52
To: Bob Sinclair; Trevor Angus; security@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: Re: How Secure is Layer 2 ???
Very good document to have handy when your managers want to cut corners on
hardware purchase.
Sam
> Trevor,
>
> Here is a link that might be relevant:
>
> http://www.sans.org/resources/idfaq/vlan.php
>
>
> -Bob Sinclair
> CCIE #10427, MCSE
> Senior Network Engineer
> Networking For Future, Inc.
> www.nffinc.com
> ----- Original Message -----
> From: "Trevor Angus" <trevor.angus@t-systems.co.za>
> To: <security@groupstudy.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Wednesday, February 12, 2003 1:45 PM
> Subject: How Secure is Layer 2 ???
>
>
> > Here is an interesting question. I want to configure a Pix FW to provide a
> > controlled connection between 2 Vlans on a switch (Cisco 3550 or 6500).
> > There is no layer 3 routing enabled for the "outside" interface vlan so in
> > theory there should be no way to break out of that vlan.
> >
> > In theory I can't see a problem but perhaps I'm missing something???
> >
> > Cheers
> > Trevor
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:20 GMT-3