Thursday, 16 September 2010

VLAN Security

Try not to use VLANs as a mechanism for enforcing security policy. They are great for segmenting networks, reducing broadcasts and collisions and so forth, but not as a security tool.

If you MUST use them in a security context, ensure that the trunking ports have a unique native VLAN number.

Source:
Intrusion Detection FAQ: Are there Vulnerabilites in VLAN Implementations? VLAN Security Test Report
http://www.sans.org/security-resources/idfaq/vlan.php

The security of VLAN technology has proven to be far more reliable than its detractors had hoped for and only user misconfiguration or improper use of features have been pointed out as ways to undermine its robustness.

The most serious mistake that a user can make is to underestimate the importance of the Data Link layer, and of VLANs in particular, in the sophisticated architecture of switched networks. It should not be forgotten that the OSI stack is only as robust as its weakest link, and that therefore an equal amount of attention should be paid to any of its layers so as to make sure that its entire structure is sound.

Source:
VLAN Security White Paper
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
