re: switch recommendations

From: dhull <dhull@digitaloverload.net>
Date: Sat Aug 27 2005 - 14:23:09 AKDT

I'm with you on this. OpenBSD rules!

I should mention that I don't know much about VLANs. Having said that I still stand by my previous statement. "Most networks don't need them."

It may add a layer of security but it's also one more thing you have to manage. A simple DMZ solution is 2 OpenBSD firewalls with a DMZ in the middle.

INET<----->[Firewall #1]<----->[SWITCH]<----->[Firewall #2]<----->[LAN]
                                   |
                                   |
                                   |
                                 [DMZ]

For me it comes down to two things. How much security will it give me? How much management do I have to do to get that security?

In this case we're talking about a 48 port switch. Let's say we have 40 workstations. That leaves us with a few extra ports for servers etc... Let's say they have one file server that they all have access to. No amount of VLANs is going to prevent someone on the inside from hacking the server and accessing data they shouldn't have access to.

This is just my take on VLANs. If someone can give me a reason for using VLANs on a network with 40 workstations let me know. Again, I don't know a lot about VLANs.

-------Original Message-------
> From: lee <lee@afabco.com>
> Subject: re: switch recommendations
> Sent: Aug 27 '05 10:22
>
> Well, I'll throw my .02 in this discussion.
>
> This is one of the few times I'll go ahead and say something like this.
>
> For anything more sophisticated than a dumb linksys can handle (and the
> vlan requirement tells me that this falls into that category), well,
> Cisco owns the world. *shrug* End of story.
>
> I have not, on balance, been displeased with their switches (we have a
> number of 3550s and some other ones). Be aware tho that cisco loves to
> dollar and ten you to death. No question that they are in it for the
> money.
>
> Plus, there's plenty of cisco expertise floating around.
>
> Of course, as always, there may be specific technical requirements or
> other requirements that indicate something other than cisco.
>
> Firewalls are a different story. I'm a bit more suspicious of the
> PIX'es. I come from the school of "if it ain't open, it ain't secure".
> When I have a choice, I use openbsd. None of my stuff is high enough
> traffic that that'll matter.
>
> On the other hand, most of the managerial technopeasantry is more
> comfortable with the 'warm and fuzzy' that comes with the "cisco" name.
>
> As far as VLANs go, they're useful, but it's easy to go overboard on
> them (I did <g>). And I'm not sure I'd do a DMZ or a red zone on the
> same box I had safe vlans on. The literature has howtos on how to sniff
> the packets (particularly if the bad guys can get on a trunk). Plus I'm
> more 'warm and phuzzy' with physical separation. YMMV, of course.
>
> In any case, let us know what you decide, and why.
> -- 
> AFABCO
> afabco.com
>
> -- 
> http://www.fastmail.fm - Same, same, but different…
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>
>
-------Original Message-------
Received on Sat Aug 27 14:23:34 2005
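The two-firewall DMZ that dhull sketches above, written out as pf.conf rulesets for both OpenBSD boxes. This is an added illustration, not configuration posted by either participant. Interface names, the address ranges (RFC 5737 documentation space) and the single public web server in the DMZ are assumptions chosen for the example; NAT for the LAN is left out so the grammar is valid on both the 2005-era and the current pf, and the LAN range is assumed to be routed rather than translated.

```pf
# ---- /etc/pf.conf on Firewall #1 (outer box) -------------------------------
# ext_if faces INET, dmz_if faces the switch in the middle of the diagram.
# Names and addresses below are constructed for this example.
ext_if  = "em0"
dmz_if  = "em1"
dmz_net = "192.0.2.0/24"      # DMZ segment
dmz_web = "192.0.2.10"        # the only host the Internet may talk to
lan_net = "198.51.100.0/24"   # LAN behind Firewall #2, routed via 192.0.2.1

set skip on lo0
block all                     # default deny, both directions, both interfaces

# Drop private-source packets arriving from the Internet; they are spoofed.
block in quick on $ext_if inet from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any

# Internet -> DMZ: only the published service, only to the one DMZ host.
pass in  on $ext_if inet proto tcp from any to $dmz_web port { 80, 443 } flags S/SA keep state
pass out on $dmz_if inet proto tcp from any to $dmz_web port { 80, 443 } keep state

# DMZ and LAN -> Internet: outbound sessions (updates, DNS) may be initiated
# from inside; state entries let the replies back, nothing else gets in.
pass in  on $dmz_if inet from { $dmz_net, $lan_net } to any keep state
pass out on $ext_if inet from { $dmz_net, $lan_net } to any keep state

# ---- /etc/pf.conf on Firewall #2 (inner box) -------------------------------
# dmz_if faces the same switch, lan_if faces the 40 workstations.
dmz_if  = "em0"
lan_if  = "em1"
dmz_net = "192.0.2.0/24"
lan_net = "198.51.100.0/24"

set skip on lo0
block all

# Anything the DMZ tries to start toward the LAN is dropped and logged here:
# a compromised DMZ host gets no further than this box, and the log line is
# the signal that something in the DMZ is probing inward.
block in log quick on $dmz_if inet from $dmz_net to $lan_net

# LAN -> DMZ / Internet: workstations initiate, replies ride the state table.
pass in  on $lan_if inet from $lan_net to any keep state
pass out on $dmz_if inet from $lan_net to any keep state
```

Load each file with `pfctl -f /etc/pf.conf` on its own box and check the parse first with `pfctl -nf /etc/pf.conf`. The design point dhull makes is visible in the rulesets: the DMZ host can be reached from the Internet and can answer, but no rule on Firewall #2 lets it open a connection toward the LAN, and the logged block on that box is what you would watch if the web server is ever taken over.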

This archive was generated by hypermail 2.1.8 : Sat Aug 27 2005 - 14:23:34 AKDT