Skip to main content

DMZ hopping gobbledygook

On the theme of leaky VLANS, I noticed Ron Trunk's IOS Security Features presentation over at Netcraftsman:


I don't agree with the reasoning.
  • The assumptions are that the switches are poorly configured and that a hacker has local access. Unlikely!
  • Why would the switch be more likely compromised in one scenario over the other? Switches are managed with a separate management VLAN and the traffic carrying VLANs are unable to break into the management VLAN.
  • The switches in the second scenario still need to be managed. If the reasoning is to replace managed switches with unmanaged switches then this is nuts!!! How is that more secure? (Eer, we can't see the high traffic load so it does not exist? Of course, not!!!)
  • The Internet facing router requires ACLs to bin internal addresses and any type of management traffic. A switch compromise would require firstly a router compromise, then a firewall compromise before it would be vulnerable.
  • If you don't trust your network people on the switch then fire them. A network bloke can do whatever he wants in a wiring closet.
  • The comment about network folks affecting security is depreciating. It is more likely to be security folks affecting security.
My real beef is the heading, "A More Secure Alternative". A more secure alternative is to do real time monitoring of the network, introduce application security, have appropriate security agents on the servers, lock down your servers, patch them for vulnerabilities, etc. I have the impression that individuals who implement seperate switches instead of VLANs will feel they have done enough, which is far from the truth.
 
Labels:

Comments

Post a Comment

Popular posts from this blog

easywall - Web interface for easy use of the IPTables firewall on Linux systems written in Python3.

Firewalls are becoming increasingly important in today’s world. Hackers and automated scripts are constantly trying to invade your system and use it for Bitcoin mining, botnets or other things. To prevent these attacks, you can use a firewall on your system. IPTables is the strongest firewall in Linux because it can filter packets in the kernel before they reach the application. Using IPTables is not very easy for Linux beginners. We have created easywall - the simple IPTables web interface . The focus of the software is on easy installation and use. Access this neat software over on github: easywall
Post a Comment
Read more

No Scrubs: The Architecture That Made Unmetered Mitigation Possible

When building a DDoS mitigation service it’s incredibly tempting to think that the solution is scrubbing centers or scrubbing servers. I, too, thought that was a good idea in the beginning, but experience has shown that there are serious pitfalls to this approach. Read the post of at Cloudflare's blog: N o Scrubs: The Architecture That Made Unmetered Mitigation Possible
Post a Comment
Read more

Should You Buy A UniFi Dream Machine, USG, USG Pro, or Dream Machine Pro?

 
Post a Comment
Read more