DMZ hopping gobbledygook
I don't agree with the reasoning.
- The assumptions are that the switches are poorly configured and that a hacker has local access. Unlikely!
- Why would the switch be more likely compromised in one scenario over the other? Switches are managed with a separate management VLAN and the traffic carrying VLANs are unable to break into the management VLAN.
- The switches in the second scenario still need to be managed. If the reasoning is to replace managed switches with unmanaged switches, then this is nuts!!! How is that more secure? (Er, we can't see the high traffic load so it does not exist? Of course not!!!)
- The Internet-facing router requires ACLs to bin internal addresses and any type of management traffic. A switch compromise would require firstly a router compromise, then a firewall compromise, before it would be vulnerable.
- If you don't trust your network people on the switch then fire them. A network bloke can do whatever he wants in a wiring closet.
- The comment about network folks affecting security is depreciating. It is more likely to be security folks affecting security.
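As an added example, not part of the post above and not any vendor's tooling, here is a small Python audit that reads an IOS-style switch configuration and reports the trunk settings a defender checks to keep the management VLAN separated from the traffic-carrying VLANs: ports left in DTP negotiation, trunks without `switchport nonegotiate`, trunks still using native VLAN 1, and trunks that carry the management VLAN. The sample configuration is constructed; its interface names, descriptions and VLAN numbers (management VLAN 99, native VLAN 999) are assumptions, and the command keywords follow Cisco IOS syntax.

```python
import re

# Constructed sample IOS-style configuration (not from the post); interface
# names, VLAN numbers and descriptions are assumptions for the example.
SAMPLE_CONFIG = """
vlan 99
 name MGMT
!
interface Vlan99
 ip address 10.99.0.2 255.255.255.0
!
interface GigabitEthernet0/1
 description uplink-to-dmz-switch
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description server-port
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/3
 description unused
 switchport mode dynamic desirable
!
interface GigabitEthernet0/4
 description old-trunk
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
"""


def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} for physical ports.

    SVIs (interface VlanN) are skipped; only switchports are audited.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            current = None if name.startswith("Vlan") else name
            if current:
                interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            # "!" or a blank line terminates the interface block
            current = None
    return interfaces


def expand_vlan_list(spec):
    """Expand an allowed-VLAN spec such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def audit_switchports(config, mgmt_vlan):
    """Return a list of (interface, issue) tuples for trunk/DTP weaknesses."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        native = next((int(l.split()[-1]) for l in lines
                       if l.startswith("switchport trunk native vlan ")), 1)
        allowed = next((expand_vlan_list(l.split()[-1]) for l in lines
                        if l.startswith("switchport trunk allowed vlan ")), None)
        nonegotiate = "switchport nonegotiate" in lines
        access_vlan = next((int(l.split()[-1]) for l in lines
                            if l.startswith("switchport access vlan ")), None)

        # No explicit mode, or a dynamic mode, leaves DTP free to form a trunk.
        if mode in (None, "dynamic"):
            findings.append((name, "DTP negotiation possible; set 'switchport mode access' or 'trunk' explicitly"))
        if mode == "trunk":
            if not nonegotiate:
                findings.append((name, "trunk without 'switchport nonegotiate'"))
            if native == 1:
                findings.append((name, "trunk uses native VLAN 1; move the native VLAN to an unused VLAN"))
            # With no allowed-list every VLAN, including management, is trunked.
            if allowed is None or mgmt_vlan in allowed:
                findings.append((name, f"management VLAN {mgmt_vlan} carried on trunk; prune it"))
        if mode == "access" and access_vlan == mgmt_vlan:
            findings.append((name, f"access port placed in management VLAN {mgmt_vlan}"))
    return findings


if __name__ == "__main__":
    for port, issue in audit_switchports(SAMPLE_CONFIG, mgmt_vlan=99):
        print(f"{port}: {issue}")
```

Run against the sample, the hardened uplink (Gi0/1) and the plain access port (Gi0/2) produce no findings, while the port left in `dynamic desirable` and the old trunk with default native VLAN and the management VLAN in its allowed list are reported. Feeding it a real `show running-config` export is the obvious next step; the parser only relies on the interface block layout, not on the sample's contents.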