[nsp] PIX 535 stateful failover

Arnold Nipper arnold at nipper.de
Mon Jun 14 07:48:09 EDT 2004


On 14.06.2004 13:15 Daniel Roesen wrote:

>>> Other techniques involve e.g. flooding the switch which then
>>> becomes essentially a single broadcast domain hub.
>> 
>> Which would not happen if you have two non-trunked connections??
> 
> 
> I'm not sure what setup you have in mind exactly.

We were talking about it 5 min. ago :-)

> And I don't remember all the details of this attack. IIRC it just
> involved flooding the switch, and the packets may leak into other
> VLANs because the switch goes into hub-mode because of an overload
> situation.
> 

The statement was that two physical connections from the *same* switch to
a firewall don't buy you more than a trunked connection.

> My point is: be VERY cautious considering VLANs as a strong security 
> technique. People were and are being bitten by this.
> 

Be very cautious if you cross a road. People were and are being hit by
cars :-) I wouldn't call VLAN a security technique either. But it's much
cheaper and easier to install than a couple of fibre/copper links.


Arnold


