[nsp] PIX 535 stateful failover
Arnold Nipper
arnold at nipper.de
Mon Jun 14 07:48:09 EDT 2004
On 14.06.2004 13:15 Daniel Roesen wrote:
>>> Other techniques involve e.g. flooding the switch which then
>>> becomes essentially a single broadcast domain hub.
>>
>> Which would not happen if you have two non-trunked connections??
>
>
> I'm not sure what setup you have in mind exactly.
We were talking about it 5 min. ago :-)
> And I don't remember all the details of this attack. IIRC it just
> involved flooding the switch, and the packets may leak into other
> VLANs because the switch goes into hub-mode because of an overload
> situation.
>
The statement was that two physical connections from the *same* switch to
a firewall don't buy you more than a trunked connection.
> My point is: be VERY cautious considering VLANs as a strong security
> technique. People were and are being bitten by this.
>
Be very cautious if you cross a road. People were and are being hit by cars
:-) I wouldn't call VLAN a security technique either. But it's much
cheaper and easier to install than a couple of fibre/copper links.
Arnold