A topic that I blogged about, VLANs in the DMZ, was taken up both by Ivan Pepelnjak and Colin McNamara. Colin points out that security is more about what is done along the complete path and not at a single point.
There are a few extra points I would mention:
- Data should not be stored in a DMZ that terminates incoming external connections; those hosts should be limited to processing.
- VLAN hopping is a theoretical physical exploit, not a remote one.
- There has been no major security incident attributed to VLAN hopping as a cause.
After all these years, with cloud and virtualization up to our eyeballs, I wonder if Ivan will admit I was right?