Security Basics mailing list archives
RE: VLAN hopping
From: "Payton, Zack" <Zack.Payton () MWAA com>
Date: Thu, 29 Sep 2005 12:19:15 -0400
Use separate devices, not VLANs, to segregate your DMZ from your internal network.

What if I was able to establish a trunk link with the switch from the DMZ and just hop past your firewall (DTP makes this trivial)? What if I was able to flood your CAM table with bogus addresses to the point where it gives up and starts acting as a hub (an older attack; doesn't really work against newer devices)? What if I was able to find a buffer overflow in Cisco's CDP parser (I'd have to be good, but it's possible)? What if I could shut down your internal network by DoS attacking the DMZ switch (DoS attacks against Cisco devices are the most common exploit found for them)?

The advent of newer switches that have things like DHCP rogue server detection and ARP inspection merely serves to add more points where your Ethernet frames get run against more code in the switches... meaning more opportunity for exploitation, and fun and profit.

No, seriously though: if I see a client using one switch for their internal and external networks I ask for more money, as I know it's going to be a rough job. See Cisco's SAFE implementation diagrams and propaganda.

Zack Payton
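For readers who do end up with a shared switch anyway, here is an added example (not from the post above) showing a Cisco IOS DMZ-facing port at its defaults beside a hardened version that removes the DTP negotiation, unbounded MAC learning and CDP exposure the post describes; interface names and VLAN numbers are assumed.

```cisco
! --- Weak: typical Catalyst default (assumed interface name) ---
interface GigabitEthernet0/10
 description DMZ host, default settings
 ! dynamic auto means the port will form a trunk if the attached host asks via DTP;
 ! CDP stays on and the port learns an unlimited number of MAC addresses
 switchport mode dynamic auto
!
! --- Hardened: fixed access port that will not negotiate, trunk, or learn without bound ---
interface GigabitEthernet0/10
 description DMZ host, hardened
 ! hard-set as an access port in the DMZ VLAN (assumed VLAN 20)
 switchport mode access
 switchport access vlan 20
 ! stop sending and answering DTP frames entirely
 switchport nonegotiate
 ! a DMZ host should never reach the switch's CDP parser
 no cdp enable
 ! cap the CAM entries this port can contribute; a flood trips the violation action
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! a host port should never see a BPDU; err-disable if a switch appears on it
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Trunk to the firewall: explicit, pruned, unused native VLAN (assumed interface) ---
interface GigabitEthernet0/24
 description uplink to firewall
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 ! untagged frames land in a VLAN nobody uses, so they cannot reach 10 or 20
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! --- The control-plane features the post mentions: scope them to the VLANs that need them ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
```

This only narrows the layer-2 attack surface on one box; it does not change the post's point that a single shared switch remains a single point of failure for both sides of the firewall.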