Hi Wes, I'm a young pup, too, and I wouldn't ever use a VLAN in a small environment where I had the option to use a separate, dumb switch.
Why? Well, there _are_ proven VLAN exploits, in certain circumstances. This is fact. Knowing this, and given a viable alternative that fulfills all my functionality requirements, I would have no choice but to avoid the VLAN solution.

If I had to firewall between _hundreds_ of different networks in one core box, for some reason, I'd almost certainly use VLANs. Why? Because IMNSHO it would be management-stupid to try and do it with physical switches.

I believe that we're seeing a philosophical argument - Paul (and I) and others will tend to make arbitrary-sounding decisions about the "best" ways to proceed, based on how we perceive certain classes of solution. This may not be backed up by any current factual arguments, but I have personally had it pay off when I vetoed a solution that smelt bad (NTPd on a Solaris box) two weeks before a brand new NTP r00t exploit was released.

The point I'm making is that it's _not_ bogus to make decisions and ad hoc risk assessments based on circumstantial evidence. I am specifically NOT saying that VLANs are always bad, and if I had a specific function for which I felt that there was a compelling reason to use VLANs then I'd do research, get the right platform, implement them carefully, and buy red and green patch cables. However, if I have a customer that just doesn't feel like springing for $200 for a new switch, then I'll tell them to go spank their monkey elsewhere.

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: +61 414 411 520
PGP Key ID: 0x1A86E304

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Noonan, Wesley
[...]
> I'm saying show me proof of this statement that using VLANs
> is always a bad thing. I'm thinking there is a reason why no
> one does, but rather points to historical anecdotes...
[...]
> Exactly, and every time it comes up some "old guard" folks
> say "do some research there young pup". I wonder why they
> keep coming back to that answer? Maybe it's because the
> design isn't as flawed as they would like you to believe (or
> at least not for the reasons they claim).

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
