> -----Original Message-----
> From: Ron DuFresne [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 12, 2002 17:39
> To: Noonan, Wesley
> Cc: 'Paul Robertson'; Gary Flynn; [EMAIL PROTECTED]
> Subject: RE: VLANs and security... was RE: Cisco IDS
> 
> On Fri, 12 Apr 2002, Noonan, Wesley wrote:
> 
> >
> > Sure, but passing FUD isn't really helpful either. People need to make
> > informed, insightful and proven statements. Not "well this could happen,
> > so it's bad".
> 
> Much of security is related to "this might happen, so don't do this".  Much
> is also based upon what has happened in the past.  Thus many folks have
> moved away from sendmail, wu_ftpd, BIND and other applications that have
> 'bad histories'; it matters not to those that have removed these tools
> from their tool boxes that newer versions have fixed known issues, the
> fact remains they have bad *histories* and so they are either removed or
> notably tamed and neutered.

<snip>

> > Until then though, FUD winds up getting passed around as fact.
> >
> 
> I see no FUD, I do see an experienced security person passing knowledge he
> has gleaned from years in the field and many years in the security related
> lists.  Well-tempered knowledge being shared.

I do. I see speculation of "this might happen" passed as "this will happen".
That is FUD.
 
> Of course closed source QA has worked well for the likes of M$ and others
> through the years.  How long did it take for the most secure version of
> windows ever to have issues posted to bugtraq?  Did it take a full week?

Controlled accountable QA is *always* going to be better than non-controlled
non-accountable QA. 

Who cares how long it took? There are bugs in virtually all code. When Linux
takes as much market share as MS has, you will see Linux bugs posted all the
time... wait... you already see that. 
 
> > No, I'm not.
> 
> Then some of us would really like to know what you are seriously claiming
> concerning switches as security devices.

I'm saying show me proof of this statement that using VLANs is always a bad
thing. I'm thinking there is a reason why no one does, but rather points to
historical anecdotes... 

> > Paul, I am not focusing in on any one statement of yours, but rather a
> > general observation of the way you present information.
> >
> 
> <shakes his head in puzzlement>

Let's see... you have the crap that went on between him and Laura, then you
have him presenting this "VLAN bad" position. There are pros and cons to
both sides, but those seem to get lost in the "VLAN bad" message.
 
> Paul is not stating anything that has not been stated by countless others
> in this list and other lists you probably do not read, Wesley.  Switches
> are not security devices, and those using them in any security context
> need to do so with extreme caution at the least.

Anyone using anything in a security context needs to do so with extreme
caution. Are you getting what I am saying yet?
 

> What it's boiling down to then is you just want to argue with Paul and his
> 'style', it's not that you have any serious information on the topic to
> share?

No, I am saying "You and others here (you Ron being one of them) have long
presented this 'VLANs are bad around firewalls' statement for quite
some time, but none of you seem to be able to point to anything that says it
really is the problem you make it out to be". I can't find anything that
says using VLANs and DMZs is some horrible, atrocious security design. Show
me where you guys are drawing your conclusions from, because I am just not
seeing it.
 
> I have on record here a cisco advisory on their switch products dating
> back to as early as January (hardly ancient history, as some have suggested
> here), affecting at least these devices:
> 
>   * Catalyst 6000 series
>   * Catalyst 5000 series
>   * Catalyst 4000 series
>   * Catalyst 2948G
>   * Catalyst 2900
> 
> Cisco Security Advisory: Cisco CatOS Telnet Buffer Vulnerability
> ================================================================

There is nothing VLAN specific to this exploit. Once again, this looks like
FUD to me. This is above and beyond the fact that, as you proclaim, if you are
using something in a security context, you should be using SSH, ACLs and
restricting that traffic in the first place. Come on now Ron, peddle that
shit to someone else.

> and I have here stuff on arp spoofing and CAM table flooding only dating
> back to 1998, mudge's stuff on how he and the l0pht folks misplayed
> switches dating to 2000, neither of those dates being -=ancient=- in
> historical terms, even in IT/Internet terms.  Nor does it mean that each
> site employing switches has patched and updated those vulnerabilities that
> might have been corrected by cisco and other vendors.  I do have
> advisories for other vendors on hand more current than this past January.

I have read that same article. I don't dispute it. I don't dispute that it
*can* be an issue. I dispute the blanket "VLAN bad" position I see being
presented.

> Just because Paul does not keep on hand all the advisories or postings of
> folks that have worked switch exploits for easy retrieval to enhance his
> recollections and premises each time this topic pops up in this list,
> does not invalidate those recollections and his premises.
> 
> This is an old repeated topic on this and other lists, do some research.

Exactly, and every time it comes up some "old guard" folks say "do some
research there, young pup". I wonder why they keep coming back to that
answer? Maybe it's because the design isn't as flawed as they would like you
to believe (or at least not for the reasons they claim).
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls