On Mon, 10 Sep 2001 [EMAIL PROTECTED] wrote:
> I agree that it's a security issue -- my tone was meant to be
> mildly sarcastic. (Probably a bad idea, in hindsight....)
Sorry, spent the weekend futzing with kernel code, so my sarcasm detector
is out of sync ;)
> I'm not comfortable with the suggestion that people *should* be
> relying on switches to provide security, and this is only one of the
> reasons why. While this issue might be addressable by selecting a
> switch whose behaviour in this case is as desired, I don't think it's
> prudent to assume that that approach scales well to all of the
> possible security concerns with switches.
I (hopefully obviously) agree that switches shouldn't be (mis)used in
this manner either; however, I think that it's important to knock out all
the "yeahbut" people's objections up-front and clearly by examining the
failure modes completely. I've known enough people who *really try* to
take advantage of the capabilities of their currently deployed equipment
who've missed failure modes such as this to make it worthwhile to be
explicit.
I'm a huge fan of buying more small routers and dumb hubs if possible
rather than switches, because I really, really, really like layer 3
separation; I think it provides significant protection, which is why you'll
often see me ranting about things like VLANs being bad.
Since it's next to impossible to get people not to deploy switches and
VLANs, I think it's the best we can do to at least ensure they know that
they're assuming some quantifiable risk to trivial exploits.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls