On 10/24/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
> * Darren Spruell <[EMAIL PROTECTED]> [2007-10-24 21:48]:
> > Remember back 10-ish years ago when VLANs were being touted as the
> > ultimate network segmentation technology by marketers of managed
> > switches? And now everyone hopefully realizes that while VLANs
> > technically do offer network segmentation, it's really rudimentary and
> > cannot be relied on for truly reliable security due to various layer 2
> > attacks that subvert them?
>
> err, that is a very bad comparison. I am not aware of any "layer2
> attacks" (you probably mean vlan hopping things) that work against any
> half reasonably configured switch from the last 10 years.
> heck, these days even everybody except cisco has sane defaults.
> (well, I dunno about those cheap switches, admittedly)

I agree, the key is the reasonably configured part. Vlan hopping, STP
attacks, etc. and Cisco particularly. Even if Cisco is (now) one of
the few to not have sane defaults, they're common enough for it to be
a concern. And consider all the devices (even from good vendors) that
are behind on firmware (where the defaults weren't yet sane).

If this wasn't the case, Yersinia wouldn't be nearly as interesting as it is.

> this comparison is wrong on another basis: vlans are dead simple, just
> a tiny and simple header before the ethernet segment. virtualization is
> certainly not.

Yeah, I was commenting mainly on the flawed "silver bullet" mentality
that some LAN admins have with the "if I have VLANs, my hosts are
automatically perfectly segmented" mindset rather than the
implementation/design itself. Sadly, the average LAN admin these days,
at least in the states, isn't smart enough to understand the nuances.

DS