On Mon, 28 Jun 2010, Brent Chapman wrote:

> On Mon, Jun 28, 2010 at 12:05 PM, A. Dreyer (LOPSA) <[email protected]> wrote:
>
>> On 28/06/10 15:51, Jeremy Charles wrote:
>>> From: Jeff Wasilko [mailto:[email protected]]
>>>> Why not build a dedicated VLAN that carries only iSCSI traffic to your
>>>> DMZ and only has the required servers on that network?
>>>
>>> That would also require separate iSCSI storage hardware (the targets).
>>> That's more expensive, so it's Plan C.
>>
>> Hi,
>>
>> I assume you both know that VLANs are just an administrative tool, not a
>> security measure, and that for "real" security the switches with
>> external/DMZ VLANs should be *physically* separate from the switching
>> infrastructure of your internal network.


> Bullshit.
>
> As far as I've ever been able to determine, this is just FUD (Fear,
> Uncertainty, and Doubt) propagated by folks who want to sell you more switch
> hardware.
>
> Everybody says "but what if the switch somehow leaks packets from one VLAN
> to another?"  Well, what if the switch ACLs didn't work, and passed traffic
> that it shouldn't?  Those would both be major security bugs, drawing a quick
> response from the vendors in question.
>
> As long as your switches and VLANs are properly configured, they're no less
> secure than anything else.  You just need to understand how they work, and
> protect against things like VLAN sniffing and injection attacks (basically,
> you need to protect your VLAN trunks between switches).

You have to include the requirement that there are no bugs in the implementation as well.

I simply don't trust the switch vendors to do the security right. They've had too many cases of saying "trust us, it's safe" and then discovering that it's only safe under 'normal' conditions, and when things get overloaded, traffic leaks. Many of these things are now understood and documented (MAC table sizing, for example), but their past history doesn't make me want to trust them when they once again claim that they have solved all the problems.

The switch vendors are in the business of getting packets from machine A to machine B; if the packets get there but also get elsewhere, it 'works' from their point of view.

The fact that a misconfigured switch (everything in one VLAN, as an extreme example) is usually undetectable makes misconfigurations less likely to be detected, as they tend to 'fail open'.

Because there are failure modes (implementation bugs and misconfiguration, to name a couple) on VLANs that do not exist on separate switches, VLANs on one switch (or connected set of switches) are not as secure as having air-gapped switches. The security may be close enough that you are willing to accept the risk to get the convenience of being able to 're-cable' without moving wires. But to claim that there is no difference is just factually incorrect.

This is true even if you believe the vendor claims that they are secure.

David Lang
_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
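An added example, not from anyone in this thread: a small config audit that turns Brent's "protect your VLAN trunks" and David's "misconfigurations fail open" points into a check you can run against a saved Cisco-IOS-style running config. The sample config, the function names and the finding messages are constructed for this example; a port whose isolation rests on IOS defaults (negotiable DTP mode, trunk-all, native/access VLAN 1) is reported.

```python
# Constructed Cisco-IOS-style switch config (sample made up for this example).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 30
 switchport nonegotiate
!
interface GigabitEthernet0/3
 switchport mode trunk
!
interface GigabitEthernet0/4
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its stripped, non-empty body lines."""
    stanzas = {}
    for block in config.split("\n!\n"):
        lines = [l.strip() for l in block.strip().splitlines() if l.strip()]
        if lines and lines[0].startswith("interface "):
            stanzas[lines[0].split(None, 1)[1]] = lines[1:]
    return stanzas

def _setting(lines, prefix):
    """Argument of the first line starting with prefix, or None if absent."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), None)

def audit_vlan_isolation(config):
    """Flag ports whose isolation rests on IOS defaults: DTP auto, trunk-all, VLAN 1."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        mode = _setting(lines, "switchport mode ")
        if mode is None or mode == "dynamic":
            findings.append((name, "port mode is DTP-negotiable; it may come up as a trunk"))
            continue
        if "switchport nonegotiate" not in lines:
            findings.append((name, "DTP still enabled (no 'switchport nonegotiate')"))
        if mode == "trunk":
            if _setting(lines, "switchport trunk allowed vlan ") is None:
                findings.append((name, "trunk carries every VLAN (no allowed-vlan list)"))
            if (_setting(lines, "switchport trunk native vlan ") or "1") == "1":
                findings.append((name, "native VLAN is 1; untagged frames join the default VLAN"))
        elif mode == "access" and (_setting(lines, "switchport access vlan ") or "1") == "1":
            findings.append((name, "access port left in default VLAN 1"))
    return sorted(findings)
```

On the sample, `audit_vlan_isolation(SAMPLE_CONFIG)` reports three findings for GigabitEthernet0/3 and one for the untouched GigabitEthernet0/4, and nothing for the two explicitly configured ports.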