On Fri 27 May 2016 04:53:12 NZST +1200, RB wrote:

> > http://seclists.org/fulldisclosure/2016/Jan/77
> >
> > http://seclists.org/fulldisclosure/2016/Mar/25
>
> I see, but that has nothing to do with the security of the VLAN
> implementation, rather of the switch as a whole.

Uhhmm, very moot point. They can't even make a secure switch; how secure their VLAN is becomes irrelevant. And the switch manufacturer couldn't care less about fixing anything - what's your trust value in the VLAN implementation? How different are other manufacturers?

> Nor does it mean we avoid using an entire technology because there
> "might" be vulnerabilities in what has otherwise remained a stable and
> useful paradigm for decades.

As "stable and useful" a paradigm as the Internet was before Snowden?

> The question of VLAN jumping remains open, in my mind. An
> appropriate, well-configured switch fabric should have no problem

True - as you say, "should", but it's utopic. Which means reducing critical firmware entirely increases security a lot. No matter where you buy your VLAN, it doesn't come close to the security of an extra port on the firewall you already trust. VLAN is just being lazy.

> vulnerabilities in its management software notwithstanding.

This is a laughable argument! You can only use the whole. You're arguing it's safe to use a (potentially!) safe fragment of VLAN firmware that by necessity is embedded in whatever management, of which you know it's a piece of rubbish.

I'm increasingly getting the impression that network device manufacturers only ever fix anything if there is sufficient public backlash to make it financially worth fixing - no other reason to fix anything exists. The logical conclusion is that such "technology" is unsafe.

VLAN switch with 100% open source firmware please...

Volker

--
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/
Please do not CC list postings to me.
