Skip to main content

DMZ hopping gobbledygook

On the theme of leaky VLANS, I noticed Ron Trunk's IOS Security Features presentation over at Netcraftsman:


I don't agree with the reasoning.
  • The assumptions are that the switches are poorly configured and that a hacker has local access. Unlikely!
  • Why would the switch be more likely compromised in one scenario over the other? Switches are managed with a separate management VLAN and the traffic carrying VLANs are unable to break into the management VLAN.
  • The switches in the second scenario still need to be managed. If the reasoning is to replace managed switches with unmanaged switches then this is nuts!!! How is that more secure? (Eer, we can't see the high traffic load so it does not exist? Of course, not!!!)
  • The Internet facing router requires ACLs to bin internal addresses and any type of management traffic. A switch compromise would require firstly a router compromise, then a firewall compromise before it would be vulnerable.
  • If you don't trust your network people on the switch then fire them. A network bloke can do whatever he wants in a wiring closet.
  • The comment about network folks affecting security is depreciating. It is more likely to be security folks affecting security.
My real beef is the heading, "A More Secure Alternative". A more secure alternative is to do real time monitoring of the network, introduce application security, have appropriate security agents on the servers, lock down your servers, patch them for vulnerabilities, etc. I have the impression that individuals who implement seperate switches instead of VLANs will feel they have done enough, which is far from the truth.
 

Comments

Popular posts from this blog

LDWin: Link Discovery for Windows

LDWin supports the following methods of link discovery: CDP - Cisco Discovery Protocol LLDP - Link Layer Discovery Protocol Download LDWin from here.

easywall - Web interface for easy use of the IPTables firewall on Linux systems written in Python3.

Firewalls are becoming increasingly important in today’s world. Hackers and automated scripts are constantly trying to invade your system and use it for Bitcoin mining, botnets or other things. To prevent these attacks, you can use a firewall on your system. IPTables is the strongest firewall in Linux because it can filter packets in the kernel before they reach the application. Using IPTables is not very easy for Linux beginners. We have created easywall - the simple IPTables web interface . The focus of the software is on easy installation and use. Access this neat software over on github: easywall

STG (SNMP Traffic Grapher)

This freeware utility allows monitoring of supporting SNMPv1 and SNMPv2c devices including Cisco. Intended as fast aid for network administrators who need prompt access to current information about state of network equipment. Access STG here (original site) or alternatively here .