> -----Original Message-----
> From: Ron DuFresne [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 19, 2002 10:00
> To: Noonan, Wesley
> Cc: [EMAIL PROTECTED]
> Subject: RE: VLANs and security... was RE: Cisco IDS
>
> > > > position that seems to be so prevalent on this list. I think it is
> > > > bad practice to make such blanket generalizations.
> > >
> > > The reference to "how often does it appear on BugTraq" translates
> > > pretty much to: look at the historical evidence.
> >
> > Sure, I still don't think a blanket "VLANs bad" statement is wise.
>
> And yet you'll caution your own clients with advice against them as you
> stated earlier, on what do you base that advice then if not on historical
> facts of switches not being security devices as well as past evidence of
> their exploitation as well as issues many here have mentioned on VLANs?
> I'm sure you have to back up your advice with documented reasoning?

Simplicity of management first. I subscribe to the KISS principle.
Unfortunately, as I have noted, much of the security issues are
questionable IMHO. I still present the issues to the customer, but I don't
spin them as something that is just horribly wrong. For example, as noted
by others, I would be much more open to separating DMZs with VLANs, while I
would be much less open to separating protected nets and DMZs with them.
The key part for me though is simplicity. The simpler things are, bluntly,
the stupider the people that have to manage them can be. Ultimately, it
comes down to the specifics of the scenario for me to be comfortable with
any recommendation of substance.

> If your warehouse is unlocked and I drive in and steal all your product,
> how much business can you do?

If your warehouse is locked, and you can't get in, how much business can
you do? Remember what I said about extreme views, Ron? They are not good
views to have when designing secure networks IMHO.

> Likewise, if your warehouse software, the stuff that tracks what's in
> stock and where it can be found and produces orders for more stock and
> for client purchases is unsecured and I can get into it and mess up the
> whole database, or worserer, just rm -rf *, how much business can you
> do? If your network becomes so congested with code red/nimda traffic it
> can't send proper traffic about, how much work can be done?

And if your network is so secure that your line of business apps can't
run, how much work can be done? Remember what I said about extreme views,
Ron? They are not good views to have when designing secure networks IMHO.

> Even companies with no security guard at the front desk, and merely a
> receptionist are in fact using her in a semi-security role, she filters
> traffic as it arrives. Business has had to maintain and deal with
> security since its inception, we just do not always equate what the full
> spectrum of security is in place.

Ah, but see they mitigated risk vs. need vs. money. Risk, slight
apparently. Need, something to filter the traffic just in case. Solution,
use receptionist thereby saving money (or one could say, making money).
*That* is *good* security. It meets the need (one hopes) while doing so in
a fashion that brings the most profit (one hopes).

> We tend to be paranoid, it's part of our jobs, it's perhaps not part of
> your job, but, it is for us that work in a security role as the prime
> focus of our positions.

Hehehehe. Here we go again. "You don't know what you are doing". When
paranoia interferes with rational decision making, those paranoid people
are no longer doing a *good* job IMHO. A healthy degree of paranoia is a
good thing. I don't know that what I see on this list often is a healthy
degree...

> > Wow, I think this is as close as you have come to actually
> > acknowledging that I might well be able to differentiate between my
> > ass and a hole in the ground without need of a map... <g>
>
> <smile> I still recall the offline arguments a few months back we had
> when I tried to inform you that this is a text based list and your
> insistence it was time to move into the html mail world...

It is. Dinosaurs die. Adapt or die. Don't spend all your time looking
back, spend more time looking forward. Newsflash, *lots* of folks use
software from this vendor in Redmond, and they have no problems with HTML,
or any other form of RTF mail. Besides, I also remember trying to correct
some of your (at least I think it was your) very bad misconceptions about
how exchange did/did not work.

> It's a big industry, there's much to track and maintain data on. I've
> tended over the last few years to build up files of data from various
> lists, to go back and review when need arrives, and even that gets to be
> a mess. And this is sometimes why information supplied is 'qualified' as
> Paul himself tried to point out to you a number of times in this thread.
>
> After all, you had nothing to base your arguments rejecting his on, no
> experience to offer on using VLANs in a secure nature, nor any experience
> with ISA, only the marketing stuff off their site, and mis-stated its

Just where are you getting the "no experience" from? Because it's not the
same as your experience, or because it's not as antiquated... uh, I mean
far reaching? I like how pretentious you are. It's like you are afraid some
young buck is going to take your spot on skill and talent, so you have to
degrade constantly to try to improve your stock.

> exposure/exploit issues already on record.

And, unlike you (and Paul it seems), when I make a mistake, I acknowledge
it and move on.

> Caution, your pet-peeve on generalisations was violated a few times on
> your end when inferring that I'm clueless to operating and maintaining
> windows systems.

I have only the (mis)information that you present with which to base my
statements.

> I've played with windows systems as far back as when it was still a
> run-time system under DOS <required pagemaker and lacked a MAC>.

Here, let me flatter you. What's DOS? Denial of Service. I really don't
know.

> I remember when word could be run on two 5.25 inch floppoes and the

What's a floppoe? You know, with word as your email editor, you can catch
spelling errors. Just wanted to point that out. (see, I can tell that the
previous sentence is a fragment that I should consider revising).

> whole office package in use now was split into separate packages and
> marketed and sold as such, prior to access even. I remember when win.ini
> and sys.ini were the major controls, no registry to deal with. I've

What's an ini?

> seen little improvement between NT 3.5 and 4.0 nor w2k, just a lot more
> bulk and tying the browser into the OS was a major catastrophe <so much
> for kiss and separation of potential exposure>. While at Honeywell our NT
> systems required reboots daily to deal with the

And therein lies the problem. You seem to lack the ability to move
forward. Your knowledge is stuck pre '92. It's like the folks that go
"Microsoft DNS crashes too often and DHCP isn't reliable enough". Yeah,
about those problems from Windows NT 3.51... I actually went into a place
that was like that. Refused to use MS DNS. They ran over 365 days without a
reboot, and then rebooted only for service pack application.

> flow <3.5>, at 3M our NT 4.0 DNS/domain servers had to be rebooted every
> two days at best to prevent seeing blue, and the bad history on those
> overloaded/bloated systems goes on from there <1991-1995>. I could put in

Then 3M should have hired people who knew how to build and maintain their
NT systems, instead of relying on folks who had "history" with other OSes.
Windows NT circa 1995 (which is pre-NT 4.0) was the early days of a very
immature OS. It's 7 years later now. Lots has changed.

> much smaller intel boxes with much less RAM and disk space and do much
> more with them, with average reboot times *required* at about 365
> days+...I just don't think windows in any of its flavors even now is
> ready for primetime as anything but a desktop system, course, I'm perhaps
> the only person in Durham NC that feels the same about redhat...YMMV...
>
> Of course in some eyes this might well still mark me as an OS bigot...

Sure, or it may mark you as someone who needs to learn more about NT/W2K
so that you could manage them better. Since apparently, you don't have to
do NT/W2K management though, you can always be cut some slack on this
point.

> Cool. At least it appears we all here in these threads have at least the
> skills to debate, as well as subscribe and unsubscribe without letting
> the total readerbase of the list know how lacking in clues we really
> might be <smirk>.

No doubt. It also indicates that we all have a passion for what we do.
Hey, can you unsubscribe me? I think my feelings have been hurt... ;-)

Wes (who is really going to work now, I'm not letting Ron sidetrack me any
more...) <g>

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
