On Apr 5, 2014, at 8:53 AM, Thinker Rix <[email protected]> wrote:
> On 2014-04-05 07:00, Ryan Coleman wrote:
>> And you cannot eliminate three of this with a switch?
>
> I don't know of any method by which a network switch could replace the NICs of my
> firewall - other than by operating with VLANs.
>
> But I do not trust VLANs for this. This is not the correct purpose of VLANs,
> IMO.
> Using VLANs for segregating networks that should live in physically different
> network zones because they have fundamentally differing security levels is
> like placing your firewall into a VM - you can, but you should not.
>
>> Sounds like you should look at your design.
>
> No, I don't think so.
> I think you should audit your security policy.
>
> Regards
> Thinker Rix

‘Rix’,

Please don’t be rude. Your message contains only non-informed opinion backed by hostile invective, and such is not welcome on the list.

If you don’t trust VLANs, don’t use them.

Perhaps your network only runs over fiber inside pressurized tubes with pressure transducers wired into a system that will physically cut the fiber if the pressure in the tube drops. This prevents ‘tapping’ the fiber via mechanical means. The fiber is so your network can’t be tapped via means of sampling the emissions of the Cat5 cable you would otherwise use for Ethernet.

Perhaps even this physically secure network (I’ll assume you have a 19-year-old with an M-16 standing guard outside the door of each of your secure facilities attached to this network) is not enough, and you also use quantum key distribution (transmission of non-orthogonal photon states using single photons to generate shared key material; Heisenberg ensures that an adversary can neither successfully tap the key transmissions nor evade detection, as eavesdropping raises the key error rate above a threshold value). Using the result of this keying, you encrypt all links with a strong but fast stream cypher such as SOSEMANUK or Salsa20/12, because you do not trust hardware cryptographic accelerators.

But VLANs have their place. They’re used a lot in security applications. Not for very high-security applications (military networks, financial trading networks, etc.), but they are effective enough for the network segmentation requirements of PCI DSS.

This SANS paper has a description of the common attacks against a VLAN segmentation architecture, as well as countermeasures to same. It includes code to demonstrate several of the attacks.

https://www.sans.org/reading-room/whitepapers/networkdevs/virtual-lan-security-weaknesses-countermeasures-1090

Jim
_______________________________________________
List mailing list
[email protected]
https://lists.pfsense.org/mailman/listinfo/list
