Firewall Wizards mailing list archives

Re: MAC blocking


From: Chuck Swiger <chuck () codefab com>
Date: Mon, 28 Nov 2005 18:21:25 -0500

On Nov 28, 2005, at 5:33 PM, Patrick M. Hausen wrote:
> Hi, Chuck!

Hi--

>> I would say it's not safe to assume that VLANs can be trusted to
>> separate traffic with complete reliability, especially if it is
>> possible for a malicious machine to gain access to a trunk port:
>
> But you can eliminate the latter. Disable VTP and even STP
> for all ports that are connected to hosts - regardless if trusted
> or untrusted.
>
> OTOH this implies that you are in control of the physical environment,
> i.e. cabling. A datacenter is quite different from an office or, say,
> a school or library network.

Yes, certainly, if you aren't in control of the physical environment, your ability to maintain security is greatly compromised.

As you've said, you can mitigate against VLAN hopping by disabling trunk ports and STP for anything connected to a host, and doing so will work reasonably well, but I do not trust that two machines connected to one switch are truly isolated from each other, because the switch keeps too much state (such as the ARP table, the MAC to port mapping database).

With ARP-spoofing, you can generally confuse the switch about which port a host/MAC addr is actually on and gain access to a VLAN you're not supposed to be on, or at least create a denial-of-service condition....

--
-Chuck

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
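The switch state Chuck is talking about (the MAC-to-port learning table and what ARP announcements it has seen) can be modelled in a few dozen lines. The following is an added example, not code from the thread or from either poster: a toy learning switch fed with constructed frames, showing how a forged source MAC moves a victim's entry to the attacker's port, plus two checks a monitor could run (a MAC flapping between ports, and an IP announced from more than one MAC or port) and a static MAC pinning mode that refuses the move. Port names, MAC addresses and IPs are made-up sample data.

```python
"""
Added example, not from the original thread: a toy model of a switch's
MAC-learning (CAM) table fed with constructed frames, plus two checks that
flag the symptoms Chuck describes: a MAC that keeps "moving" between ports
and an IP address claimed from more than one MAC or port. Port names,
MAC addresses and IPs are made-up sample data, not anything from the list.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_A = "00:11:22:33:44:01"   # legitimate host A on Gi1/0/1 (assumed)
MAC_B = "00:11:22:33:44:02"   # legitimate host B on Gi1/0/2 (assumed)
MAC_X = "de:ad:be:ef:00:03"   # attacker's real NIC on Gi1/0/3 (assumed)


class Frame:
    """What the switch sees: ingress port, L2 addresses, and the sender IP if
    the payload is an ARP reply/announcement (None otherwise)."""
    def __init__(self, port, src_mac, dst_mac, arp_ip=None):
        self.port, self.src_mac, self.dst_mac, self.arp_ip = port, src_mac, dst_mac, arp_ip


class Switch:
    """Transparent-bridge learning: source MAC -> ingress port, most recent wins.
    `static` pins MACs to ports (port-security style); frames that contradict a
    pin are logged as violations instead of rewriting the table."""
    def __init__(self, static=None):
        self.static = dict(static or {})
        self.cam = dict(self.static)      # mac -> port
        self.moves = []                   # (mac, old_port, new_port)
        self.violations = []              # (mac, pinned_port, offending_port)

    def learn(self, frame):
        pinned = self.static.get(frame.src_mac)
        if pinned is not None:
            if pinned != frame.port:
                self.violations.append((frame.src_mac, pinned, frame.port))
            return
        old = self.cam.get(frame.src_mac)
        if old is not None and old != frame.port:
            self.moves.append((frame.src_mac, old, frame.port))
        self.cam[frame.src_mac] = frame.port

    def forward_port(self, dst_mac):
        """Port a unicast frame to dst_mac would be sent out of; None = flood."""
        return self.cam.get(dst_mac)


def replay(frames, static=None):
    """Feed frames through a fresh switch and return it for inspection."""
    sw = Switch(static)
    for f in frames:
        sw.learn(f)
    return sw


def flapping_macs(sw, threshold=2):
    """MACs whose port changed at least `threshold` times during the replay."""
    counts = defaultdict(int)
    for mac, _old, _new in sw.moves:
        counts[mac] += 1
    return {mac: n for mac, n in counts.items() if n >= threshold}


def arp_conflicts(frames):
    """IPs announced via ARP from more than one MAC or more than one port."""
    macs, ports = defaultdict(set), defaultdict(set)
    for f in frames:
        if f.arp_ip is None:
            continue
        macs[f.arp_ip].add(f.src_mac)
        ports[f.arp_ip].add(f.port)
    return {ip: {"macs": sorted(macs[ip]), "ports": sorted(ports[ip])}
            for ip in macs if len(macs[ip]) > 1 or len(ports[ip]) > 1}


# Constructed traffic: A and B are honest; the host on Gi1/0/3 first sends
# frames with A's source MAC (so the table points A's traffic at Gi1/0/3),
# then answers ARP for B's IP with its own MAC.
SAMPLE_FRAMES = [
    Frame("Gi1/0/1", MAC_A, BROADCAST, arp_ip="10.0.0.1"),   # A's gratuitous ARP
    Frame("Gi1/0/2", MAC_B, MAC_A,     arp_ip="10.0.0.2"),   # B replies to A
    Frame("Gi1/0/3", MAC_A, BROADCAST, arp_ip="10.0.0.1"),   # forged: A's MAC from port 3
    Frame("Gi1/0/1", MAC_A, MAC_B),                          # A sends; table flips back
    Frame("Gi1/0/3", MAC_A, MAC_B),                          # forged again; flips to 3
    Frame("Gi1/0/3", MAC_X, BROADCAST, arp_ip="10.0.0.2"),   # attacker claims B's IP
]

if __name__ == "__main__":
    sw = replay(SAMPLE_FRAMES)
    print("frames for A now go to", sw.forward_port(MAC_A))
    print("flapping:", flapping_macs(sw))
    print("ARP conflicts:", arp_conflicts(SAMPLE_FRAMES))
    pinned = replay(SAMPLE_FRAMES, static={MAC_A: "Gi1/0/1", MAC_B: "Gi1/0/2"})
    print("with pinning, A still on", pinned.forward_port(MAC_A),
          "violations:", pinned.violations)
```

Without pinning, the last forged frame wins and unicast traffic for host A is delivered to the attacker's port; the flap counter and the ARP conflict check both light up on the same sample. With the two legitimate MACs pinned to their ports, the forged frames are recorded as violations and the table never changes, which is the effect a port-security style static binding on access ports is meant to have. The model deliberately ignores VLAN tags and aging timers; it only illustrates the learning-table state Chuck is concerned about.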
