re: switch recommendations

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Sun Aug 28 2005 - 00:03:40 AKDT

On Sat, 27 Aug 2005, lee wrote:

> As far as VLANs go, they're useful, but it's easy to go overboard on
> them (I did <g>). And I'm not sure I'd do a DMZ or a red zone on the
> same box I had safe vlans on. The literature has howtos on how to sniff
> the packets (particularly if the bad guys can get on a trunk). Plus I'm
> more 'warm and phuzzy' with physical separation. YMMV, of course.

Yes, you need a *good* implementation of VLANs if you want real security, but
that is available on the marketplace (and not just from Cisco). And, yes,
physical separation is always the best way to go if you want to be absolutely
sure there are no attack vectors you're not aware of. However, physical
separation doesn't scale when you factor in rackspace, power, cooling, not to
mention support and maintenance contracts. And how about mere flexibility?
Sucks to have a lot of idle ports on a switch and still have to buy more
*just* to maintain physical separation.

Network management needs to be very cognizant of security implications, but it
also needs to be practical (especially given the budgets we all have to work
within). I believe that VLANs can be useful, and that the security issues are
manageable.

        --Arthur Corliss
          Bolverk's Lair -- http://arthur.corlissfamily.org/
          Digital Mages -- http://www.digitalmages.com/
          "Live Free or Die, the Only Way to Live" -- NH State Motto
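One way to make the VLAN security issues "manageable" in practice is to audit switch configurations for the settings that a good VLAN implementation depends on. The following is an added example, not code from the original thread or from its participants; it assumes Cisco IOS-style interface syntax (`switchport mode`, `switchport nonegotiate`, `switchport trunk native vlan`, `switchport trunk allowed vlan`) and runs over a constructed sample configuration embedded in the script.

```python
"""Audit IOS-style switchport configuration for common VLAN hardening gaps.

Checks performed per interface (defender-side configuration review):
  * port left in a DTP-negotiable mode (no mode, or 'dynamic ...')
  * access/trunk port that still sends DTP frames (missing 'switchport nonegotiate')
  * trunk whose native VLAN is still the IOS default (VLAN 1)
  * trunk that carries every VLAN (no 'switchport trunk allowed vlan' pruning)
"""
from typing import Dict, List

# Constructed sample running-config (not taken from the thread or any real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description user port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/3
 description legacy trunk
 switchport mode trunk
!
interface GigabitEthernet0/4
 description unconfigured port
 switchport mode dynamic desirable
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface_name: [config lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":
            # '!' terminates an interface block in IOS output
            current = None
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def audit_interface(lines: List[str]) -> List[str]:
    """Return a list of human-readable findings for one interface block."""
    findings: List[str] = []
    mode = None          # None means the port is left at its DTP-negotiable default
    native_vlan = 1      # IOS default native VLAN on a trunk
    allowed_all = True   # no 'allowed vlan' statement means every VLAN is carried
    nonegotiate = False

    for line in lines:
        if line.startswith("switchport mode "):
            mode = line.split()[2]        # 'access', 'trunk' or 'dynamic'
        elif line.startswith("switchport trunk native vlan "):
            native_vlan = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan "):
            allowed_all = False
        elif line == "switchport nonegotiate":
            nonegotiate = True

    if mode is None or mode == "dynamic":
        findings.append("port can negotiate a trunk via DTP; set 'switchport mode access' or 'trunk'")
    if mode in ("access", "trunk") and not nonegotiate:
        findings.append("DTP frames still sent; add 'switchport nonegotiate'")
    if mode == "trunk":
        if native_vlan == 1:
            findings.append("native VLAN is the default (1); move it to an unused VLAN")
        if allowed_all:
            findings.append("trunk carries all VLANs; prune with 'switchport trunk allowed vlan'")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every interface in the config; empty list means no findings."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

In the sample, the hardened uplink (Gi0/1) and the user port (Gi0/2) pass, while the legacy trunk (Gi0/3) and the port left in `dynamic desirable` (Gi0/4) are flagged. Running the same checks across every switch's running-config is the kind of routine that turns the trunk-sniffing concern quoted above into a tracked, fixable item rather than a reason to avoid VLANs.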
Received on Sun Aug 28 00:03:49 2005

This archive was generated by hypermail 2.1.8 : Sun Aug 28 2005 - 00:03:49 AKDT