From: Chuck Church (ccie8776@rochester.rr.com)
Date: Wed Feb 12 2003 - 19:27:21 GMT-3
Tagging the native vlan and configuring port security with x number allowed
per port fixes a couple of these vulnerabilities. Out of the box, a switch
is vulnerable to an attached host that has been compromised. But with the
various features added to the IOS-based switches lately, you can lock it
down pretty good.
Chuck Church
CCIE #8776, MCNE, MCSE
----- Original Message -----
From: "Stong, Ian C [GMG]" <Ian.C.Stong@mail.sprint.com>
To: "Richard Davidson" <rich@myhomemail.net>; "Trevor Angus"
<trevor.angus@t-systems.co.za>; <security@groupstudy.com>
Cc: <ccielab@groupstudy.com>
Sent: Wednesday, February 12, 2003 3:17 PM
Subject: RE: How Secure is Layer 2 ???
> Would pvlans (private vlans) address these problems? Also the trunk
> vulnerability is addressed by assigning the trunk to its own vlan.
> Additional security can be implemented with port security, specific mac
> filtering to each port, ACLs, shutting down ports not used, using out of
> band management, etc. Seems you can secure a switch if you really
> try.....
>
>
> Ian
>
> www.ccie4u.com
> Rack Rentals and Lab Scenarios
>
>
>
> -----Original Message-----
> From: Richard Davidson [mailto:rich@myhomemail.net]
> Sent: Wednesday, February 12, 2003 2:41 PM
> To: Trevor Angus; security@groupstudy.com
> Cc: ccielab@groupstudy.com
> Subject: Re: How Secure is Layer 2 ???
>
>
> When the cam table is full the switch will forward
> traffic out all ports. So if a hacker was able to
> fill up the cam table the vlan would do nothing.
>
>
> --- Trevor Angus <trevor.angus@t-systems.co.za> wrote:
> > Here is an interesting question. I want to configure a Pix FW to provide a
> > controlled connection between 2 Vlans on a switch (Cisco 3550 or 6500).
> > There is no layer 3 routing enabled for the "outside" interface vlan so in
> > theory there should be no way to break out of that vlan.
> >
> > In theory I can't see a problem but perhaps I'm missing something???
> >
> > Cheers
> > Trevor
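As an added illustration of the two points made in this thread (a full CAM table turns a switch into a flooding hub for that VLAN, and a per-port MAC limit such as IOS port security keeps one host from filling it), here is a toy Python model written for this archive page; it is not code from any of the posters. Port numbers, VLAN numbers, MAC labels and the table size are constructed, and the per-port limit with "shutdown" on violation is a simplified stand-in for the switch feature.

```python
from collections import OrderedDict

class ToySwitch:
    """Toy L2 switch: a bounded CAM table plus optional per-port MAC limit."""

    def __init__(self, cam_capacity, port_vlans, max_macs_per_port=None):
        self.capacity = cam_capacity            # entries the forwarding ASIC holds
        self.port_vlans = port_vlans            # port number -> access VLAN
        self.max_per_port = max_macs_per_port   # None = port security off
        self.cam = OrderedDict()                # (vlan, mac) -> port, oldest first
        self.err_disabled = set()               # ports shut down by a violation

    def receive(self, in_port, src, dst):
        """Handle one frame; returns (action, egress_ports)."""
        if in_port in self.err_disabled:
            return "dropped", []
        vlan = self.port_vlans[in_port]
        if self.max_per_port is not None:
            # Port security: a new source MAC beyond the limit is a violation.
            on_port = {m for (_, m), p in self.cam.items() if p == in_port}
            if src not in on_port and len(on_port) >= self.max_per_port:
                self.err_disabled.add(in_port)  # violation mode "shutdown"
                return "dropped", []
        if (vlan, src) not in self.cam and len(self.cam) >= self.capacity:
            # Table full: evict the oldest entry. This stands in for aging under a
            # sustained flood, where legitimate entries age out and cannot be relearned.
            self.cam.popitem(last=False)
        self.cam[(vlan, src)] = in_port
        out = self.cam.get((vlan, dst))
        if out is not None and out != in_port:
            return "unicast", [out]
        # Unknown destination: flood to the other ports of the same VLAN only.
        return "flood", sorted(p for p, v in self.port_vlans.items()
                               if v == vlan and p != in_port)

def scenario(max_macs_per_port=None):
    """Ports 1-3 are VLAN 10 (server, compromised host, bystander); port 4 is VLAN 20.
    Returns (fate of a frame from port 3 to the server, CAM size, err-disabled ports)."""
    sw = ToySwitch(cam_capacity=8, port_vlans={1: 10, 2: 10, 3: 10, 4: 20},
                   max_macs_per_port=max_macs_per_port)
    sw.receive(1, "srv", "bcast")             # server MAC learned on port 1
    for i in range(20):                       # port 2 host churns through 20 source MACs
        sw.receive(2, f"fake{i}", "bcast")
    return sw.receive(3, "host3", "srv"), len(sw.cam), sorted(sw.err_disabled)

if __name__ == "__main__":
    print("no port security:", scenario())   # (('flood', [1, 2]), 8, [])
    print("max 2 per port:  ", scenario(2))  # (('unicast', [1]), 4, [2])
```

Note that even in the flooded case the frame only reaches the other VLAN 10 ports, never port 4; the exposure is that every host in the VLAN now sees traffic that should have been unicast to the server.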
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:20 GMT-3