[nsp] PIX 535 stateful failover
Daniel Roesen
dr at cluenet.de
Mon Jun 14 07:15:40 EDT 2004
On Mon, Jun 14, 2004 at 01:06:46PM +0200, Arnold Nipper wrote:
> > http://www.securityfocus.com/archive/1/26008
> > http://www.securityfocus.com/archive/1/27062
> >
> > Just for ONE publicly known VLAN hopping problem.
>
> Which only is a problem if not properly fixed.
I was just pointing out that VLANs have/had some documented security
problems in the past. It is usually NOT meant to be a security facility,
but just a method to minimize L2 broadcast domains.
> > Other techniques involve e.g. flooding the switch which then becomes
> > essentially a single broadcast domain hub.
>
> Which would not happen if you have two non-trunked connections??
I'm not sure what setup you have in mind exactly. And I don't remember
all the details of this attack. IIRC it just involved flooding the
switch, and the packets may leak into other VLANs because the switch
goes into hub-mode because of an overload situation.
My point is: be VERY cautious considering VLANs as a strong security
technique. People were and are being bitten by this.
Regards,
Daniel
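The "flooding the switch" failure mode discussed above has a symptom a defender can watch for before the switch falls into hub-like forwarding: one access port suddenly sourcing far more distinct MAC addresses than any single host should. The script below is an added example, not part of this thread and not Cisco code. It assumes the attack Daniel half-remembers is CAM-table exhaustion (the switch runs out of room for learned addresses and then floods unknown-unicast frames to every port in the VLAN), parses a constructed sample in the shape of `show mac address-table` output, and flags ports whose learned-address count exceeds a threshold. The sample table, the threshold value and the uplink list are all constructed for illustration.

```python
"""Flag switch ports showing MAC-table flooding symptoms.

Added example (not from the cisco-nsp thread). Assumption: the "flooding"
attack referred to is CAM-table exhaustion, whose observable precondition is
one port learning an abnormal number of distinct source MACs. The table
below is constructed, not captured from any real switch.
"""
from collections import defaultdict
import re

# Constructed sample in the shape of Cisco IOS "show mac address-table" output.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c07.ac0a    DYNAMIC     Gi0/1
  10    0011.2233.4455    DYNAMIC     Gi0/2
  10    0011.2233.4456    DYNAMIC     Gi0/2
  10    0011.2233.4457    DYNAMIC     Gi0/2
  20    00aa.bbcc.dd01    DYNAMIC     Gi0/3
  20    00aa.bbcc.dd02    DYNAMIC     Gi0/4
Total Mac Addresses for this criterion: 6
"""

# One data row: VLAN, dotted-hex MAC, entry type, port. Header/footer lines
# do not match because they do not start with a VLAN number.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return a list of (vlan, mac, type, port) tuples from show output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append((int(vlan), mac.lower(), kind.upper(), port))
    return rows


def macs_per_port(rows, dynamic_only=True):
    """Count distinct MAC addresses learned on each port.

    Static/system entries are skipped by default: only dynamically learned
    addresses are driven by what a connected host sends.
    """
    seen = defaultdict(set)
    for _vlan, mac, kind, port in rows:
        if dynamic_only and kind != "DYNAMIC":
            continue
        seen[port].add(mac)
    return {port: len(macs) for port, macs in seen.items()}


def flag_flooding_ports(rows, threshold=2, uplinks=()):
    """Ports (excluding known uplinks) with more than `threshold` dynamic MACs.

    The threshold is an assumption for this sample: an access port serving a
    single host normally shows one address (a handful with VMs or a phone
    plus PC). Uplinks and trunks legitimately carry many, so they are excluded
    by name rather than alarmed on.
    """
    counts = macs_per_port(rows)
    return sorted(
        port for port, n in counts.items() if n > threshold and port not in uplinks
    )


if __name__ == "__main__":
    entries = parse_mac_table(SAMPLE_MAC_TABLE)
    for port, n in sorted(macs_per_port(entries).items()):
        print(f"{port}: {n} dynamic MAC(s)")
    print("suspect ports:", flag_flooding_ports(entries, threshold=2, uplinks=("Gi0/1",)))
```

In practice the threshold would be tuned per port role and the check run periodically against the live table (or against the switch's own per-port learned-address counters), and the actual hardening is a per-port cap on learned addresses so that the table cannot be filled from a single access port in the first place.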
More information about the cisco-nsp
mailing list