Hi Tobias,

here in my company the management decided to use VLANs to separate nets of different security levels. (Not implemented yet.) Therefore I would very much like to get you started on VLANs... ;-) Did you have security-related problems with VLAN?

karl
-----Original Message-----
From: Reckhard, Tobias [mailto:tobias.reckhard@secunet.com]
Sent: Wednesday, 20 March 2002 07:32
To: suse-security@suse.com
Subject: RE: [suse-security] What to do against ARP-Poisoning?
...
One can even argue that it is a Bad Idea (TM) to use managed switches in sensitive environments, because the switch constitutes a further point of attack and often a single point of failure. The point is strengthened by the fact that the OS on switches is generally not designed with security as a top priority; it usually supports a number of services (Cisco switches, e.g., support NTP, SNMP, TFTP, Telnet, CDP) that can be exploited. And more often than not, I wager, the personnel is pretty clueless with regard to the switch configuration, since these boxes are typically plug'n'play.
Now don't get me started on VLANs. Just this much: don't use VLANs to 'separate' networks of (more or less substantially) different trust. Instead, implement physical separation.
Tobias