> -----Original Message-----
> From: Ben Nagy [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 15, 2002 01:27
> To: 'Noonan, Wesley'
> Cc: [EMAIL PROTECTED]
> Subject: RE: VLANs and security... was RE: Cisco IDS
>
> Hi Wes,
>
> I'm a young pup, too, and I wouldn't ever use a VLAN in a small
> environment where I had the option to use a separate, dumb switch.

I have seen a couple of responses like this, and I want to take a second to clarify something (I'm not singling you out; yours just happens to be the one I am using). At no point have I ever recommended using VLANs. In fact, if one reads through the thread, I have said that I would not use VLANs and in fact would prefer to use hubs in many cases, for many reasons. Hell, I am *right now* trying to convince a customer to get rid of the use of VLANs on their perimeter (in addition to replacing IOS/FW with a full featured firewall in front of it, but that's another fight). My dispute is not whether VLANs can be exploited. My dispute is what I perceive as a <napster james hetfield> VLANs bad </napster james hetfield> position that seems to be so prevalent on this list. I think it is bad practice to make such blanket generalizations.

> Why? Well, there _are_ proven VLAN exploits, in certain circumstances.
> This is fact. Knowing this, and given a viable alternative that fulfills
> all my functionality requirements, I would have no choice but to avoid
> the VLAN solution.

Agreed.

> If I had to firewall between _hundreds_ of different networks in one
> core box, for some reason, I'd almost certainly use VLANs. Why? Because
> IMNSHO it would be management-stupid to try and do it with physical
> switches.

Bingo!!! This is what I have been trying to get across. Everything has its place, and in many cases VLANs have their place as an aspect of a perimeter design. Is it the "best" design? Maybe, maybe not. Can it be the best design for the circumstances and requirements? Absolutely.

> I believe that we're seeing a philosophical argument - Paul (and I) and
> others will tend to make arbitrary sounding decisions about the "best"
> ways to proceed, based on how we perceive certain classes of solution.
> This may not be backed up by any current factual arguments, but I have
> personally had it pay off when I vetoed a solution that smelt bad (NTPd
> on a Solaris box) two weeks before a brand new NTP r00t exploit was
> released. The point I'm making is that it's _not_ bogus to make
> decisions and ad hoc risk assessments based on circumstantial evidence.

Certainly not. However, chasing boogeymen isn't a good practice either. As security people, and in opinions expressed on this list many times, people seem to forget that business still has to get done. Security is, and should be, secondary to making money. This is, after all, business and capitalism. Security policies and practices that prevent business are BAD.

> I am specifically NOT saying that VLANs are always bad, and if I had a
> specific function for which I felt that there was a compelling reason to
> use VLANs then I'd do research, get the right platform, implement them
> carefully, and buy red and green patch cables. However, if I have a
> customer that just doesn't feel like springing for $200 for a new
> switch, then I'll tell them to go spank their monkey elsewhere.

Agreed. Again, this is the point that I was trying to make. It's not cookie cutter. There are a LOT of variables to weigh, and I just think it is bad practice to make statements like I have seen from others on this list.

Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
[EMAIL PROTECTED]
http://www.bmc.com

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
