[unisog] Network security police no hubs/switches/routers?

Matt McBride Matt.McBride at utah.edu
Fri May 27 15:14:43 GMT 2005


On Friday 27 May 2005 08:30, Clark Gaylord wrote:
> Matt McBride wrote:
> >look is the potential for L2 spanning-tree loops. This threat will
> >undermine any stable network rendering it unavailable if the STP fails
> >to place a port in block state. And, at a minimum, the network will see
>
> This is not justifiable, imho.  STP should prevent the loop.  Period.
> Broken network gear is no excuse.

Yes, STP is obviously designed to prevent L2 loops, but the key word here is 
'should'. Whenever a physical loop is introduced, the potential for 
spanning-tree to hose things increases. An end-user plugging in a hub/switch 
and creating a physical loop may not only kill that VLAN, but the switch may 
suffer CPU and memory degradation affecting all other virtual interfaces. 
Let's face it, L2 loop avoidance is not nearly as developed as L3.

-Matt

> The same goes for worms, etc: they are a problem in congesting links,
> etc, but there is never a legitimate reason for saying "we need to
> protect the network".  Anyone who tries to sell you security products
> using this FUD should be clubbed like a seal.

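The port hardening a practitioner would pair with Matt's point, as an added example that is not part of the original thread and not something either poster suggested: a Cisco IOS access-port template that err-disables a user port the moment a BPDU shows up on it (the switch's own BPDU reflected back through a hub or unmanaged switch counts), blocks ports that stop hearing BPDUs, and rate-limits broadcast/multicast so a loop that slips past STP cannot saturate the switch CPU. The interface range, VLAN number, storm-control thresholds, and the 300-second recovery interval are assumptions chosen for illustration; adjust them to the site.

```cisco
! Added example: user access-port hardening against L2 loops (Cisco IOS syntax).
! Not from the original post. Interface names, VLAN 10 and thresholds are assumed.
spanning-tree mode rapid-pvst
! Loop guard: a port that was receiving BPDUs and suddenly stops is put into
! loop-inconsistent (blocking) state instead of transitioning to forwarding.
spanning-tree loopguard default
! BPDU guard on every portfast port: any BPDU received on an edge port
! err-disables that port. Covers the case where a hub reflects the switch's
! own BPDU straight back, so even a dumb hub looped to itself is caught.
spanning-tree portfast bpduguard default
!
interface range GigabitEthernet1/0/1 - 48
 description user access port (assumed range)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Storm control is the backstop for a loop that STP never sees:
 ! shut the port if broadcast or multicast exceeds 1% of link bandwidth.
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action shutdown
!
! Bring err-disabled ports back automatically after 5 minutes so a single
! user mistake is self-healing instead of a help-desk ticket; if the loop is
! still there the port is err-disabled again on recovery.
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery interval 300
```

Check the result with `show spanning-tree summary` (should list BPDU Guard and Loop Guard as enabled by default), `show interfaces status err-disabled` after plugging a looped hub into a test port, and `show storm-control` to confirm the thresholds took effect on the range. The caveat is that BPDU guard only fires when a BPDU actually arrives; a device that filters BPDUs while still bridging frames is only caught by storm control, which is why both are configured.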