On the theme of leaky VLANs, I noticed Ron Trunk's IOS Security Features presentation over at Netcraftsman:
I don't agree with the reasoning.
- The assumptions are that the switches are poorly configured and that a hacker has local access. Unlikely!
- Why would the switch be more likely compromised in one scenario over the other? Switches are managed with a separate management VLAN, and the traffic-carrying VLANs are unable to break into the management VLAN.
- The switches in the second scenario still need to be managed. If the reasoning is to replace managed switches with unmanaged switches then this is nuts!!! How is that more secure? (Err, we can't see the high traffic load so it does not exist? Of course not!!!)
- The Internet facing router requires ACLs to bin internal addresses and any type of management traffic. A switch compromise would require firstly a router compromise, then a firewall compromise before it would be vulnerable.
- If you don't trust your network people on the switch then fire them. A network bloke can do whatever he wants in a wiring closet.
- The comment about network folks affecting security is deprecating. It is more likely to be security folks affecting security.
My real beef is the heading, "A More Secure Alternative". A more secure alternative is to do real-time monitoring of the network, introduce application security, have appropriate security agents on the servers, lock down your servers, patch them for vulnerabilities, etc. I have the impression that individuals who implement separate switches instead of VLANs will feel they have done enough, which is far from the truth.