On Mon, Jun 28, 2010 at 12:05 PM, A. Dreyer (LOPSA) <[email protected]> wrote:

> On 28/06/10 15:51, Jeremy Charles wrote:
> > From: Jeff Wasilko [mailto:[email protected]]
> >> Why not build a dedicated VLAN that carries only iSCSI traffic to your
> >> DMZ and only has the required servers on that network?
> >
> > That would also require separate iSCSI storage hardware (the targets).
> > That's more expensive, so it's Plan C.
>
> Hi,
>
> I assume you both know that VLANs are just an administrative tool not a
> security measurement and that for "real" security the switches with
> external/DMZ VLANs should be *physically* separate from the switching
> infrastructure of your internal network.

Bullshit.

As far as I've ever been able to determine, this is just FUD (Fear, Uncertainty, and Doubt) propagated by folks who want to sell you more switch hardware.

Everybody says "but what if the switch somehow leaks packets from one VLAN to another?" Well, what if the switch ACLs didn't work, and passed traffic that it shouldn't? Those would both be major security bugs, drawing a quick response from the vendors in question.

As long as your switches and VLANs are properly configured, they're no less secure than anything else. You just need to understand how they work, and protect against things like VLAN sniffing and injection attacks (basically, you need to protect your VLAN trunks between switches).

-Brent

--
Brent Chapman <[email protected]>
Netomata, Inc. -- www.netomata.com
Making networks more cost-effective, reliable, and flexible by automating network configuration
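Brent's closing point, that a VLAN deployment is only as secure as the configuration of its trunks, can be turned into a repeatable configuration check. The script below is an added example and is not code from the thread or from Netomata: it audits a constructed Cisco-IOS-style configuration (the interface names, VLAN numbers and the specific hardening rules are assumptions) and flags trunk ports that still negotiate DTP, keep the default native VLAN 1 or carry every VLAN, as well as access ports left in a dynamic mode that could auto-negotiate into a trunk.

```python
import re
# Constructed Cisco-IOS-style config for the example; not from any real switch.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
!
"""

def parse_interfaces(config):
    """Return {interface name: [its indented config lines]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any non-interface line ends the stanza
    return stanzas

def audit_interface(name, lines):
    """Findings for one port: trunks must disable DTP, use a non-default
    native VLAN and an explicit allowed list; other ports must not be dynamic."""
    findings = []
    if "switchport mode trunk" in lines:
        if "switchport nonegotiate" not in lines:
            findings.append(f"{name}: trunk still negotiates DTP")
        native = [l for l in lines if l.startswith("switchport trunk native vlan ")]
        if not native or native[0].split()[-1] == "1":
            findings.append(f"{name}: trunk native VLAN is the default (1)")
        if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            findings.append(f"{name}: trunk carries all VLANs")
    elif any(l.startswith("switchport mode dynamic") for l in lines):
        findings.append(f"{name}: port can auto-negotiate into a trunk")
    return findings

def audit_config(config):
    # Combined findings for every interface stanza, in config order.
    return [f for name, lines in parse_interfaces(config).items()
            for f in audit_interface(name, lines)]
```

Running `audit_config(SAMPLE_CONFIG)` reports nothing for the hardened uplink on Gi0/1 and four findings for the other two ports.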
_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
