re: switch recommendations

From: Christopher E. Brown <cbrown@woods.net>
Date: Tue Aug 30 2005 - 09:00:03 AKDT

On Sun, 28 Aug 2005, Arthur Corliss wrote:

> On Sat, 27 Aug 2005, lee wrote:
>
> > As far as VLANs go, they're useful, but it's easy to go overboard on
> > them (I did <g>). And I'm not sure I'd do a DMZ or a red zone on the
> > same box I had safe vlans on. The literature has howtos on how to sniff
> > the packets (particularly if the bad guys can get on a trunk). Plus I'm
> > more 'warm and phuzzy' with physical separation. YMMV, of course.
>
> Yes, you need a *good* implementation of VLANs if you want real security, but
> that is available on the marketplace (and not just from Cisco). And, yes,
> physical separation is always the best way to go if you want to be absolutely
> sure there are no attack vectors you're not aware of. However, physical
> separation doesn't scale when you factor in rackspace, power, cooling, not to
> mention support and maintenance contracts. And how about mere flexibility?
> Sucks to have a lot of idle ports on a switch and still have to buy more
> *just* to maintain physical separation.
>
> Network management needs to be very cognizant of security implications, but it
> also needs to be practical (especially given the budgets we all have to work
> within). I believe that VLANs can be useful, and that the security issues are
> manageable.
>
> --Arthur Corliss
> Bolverk's Lair -- http://arthur.corlissfamily.org/
> Digital Mages -- http://www.digitalmages.com/
> "Live Free or Die, the Only Way to Live" -- NH State Motto

To skip a bit further on. :)

Each specific network, or subset thereof, should have a particular
function/role. Be it general interconnect, access for X, DMZ, etc.
Overloading roles just makes everything harder to deal with/plan for/keep
secure.

VLANs are a great way to shoot yourself in the foot repeatedly, but they
are also a cost-effective way to properly segment things.

Received on Tue Aug 30 08:59:28 2005

This archive was generated by hypermail 2.1.8 : Tue Aug 30 2005 - 08:59:29 AKDT