On Mon, 15 Apr 2002, Noonan, Wesley wrote:

>
> At no point have I ever recommended to use VLANs. In fact, if one reads
> through the thread, I have said that I would not use VLANs and in fact would
> prefer to use hubs in many cases, for many reasons. Hell, I am *right now*
> trying to convince a customer to get rid of the use of VLANs on their
> perimeter (in addition to replacing IOS/FW with a full featured firewall in
> front of it, but that's another fight).
>

Yes, it was merely an argument that you did not like Paul's style in
presenting information.

> My dispute is not whether VLANs can be exploited. My dispute is what I
> perceive as a
>
> <napster james hetfield>
> VLANs bad
> </napster james hetfield>
>

<quote>
napster bad!
</quote>

> position that seems to be so prevalent on this list. I think it is bad
> practice to make such blanket generalizations.
>

In another list, at another time, on another topic, From: Sun
<[EMAIL PROTECTED]>, Date: Tue, 12 Feb 2002 19:47:04 +0200,
stated the issues well I think:

<quote>
> This is a totally moot point in this context. When you evaluate a
> security product (or indeed, any product) for usefulness, one of the
> things you take into consideration is "how often does it appear on
> BugTraq". Whether those bugs were random acts of negligence, or
> deliberate acts of trojan is meaningless, if only because they are
> indistinguishable as far as you're concerned. This means that, in a
> perfect world, a security company would have to either give up the
> idea of backdooring their products, or release a product that is less
> secure to begin with, thus risking not only losing money, but also not
> having enough clients to have the back door mean anything. After all,
> a back door is meaningless unless people (victims) are using your
> product.
</quote>

The reference to "how often does it appear on BugTraq" translates pretty
much to: look at the historical evidence.

> > Why? Well, there _are_ proven VLAN exploits, in certain circumstances.
> > This is fact. Knowing this, and given a viable alternative that fulfills
> > all my functionality requirements, I would have no choice but to avoid
> > the VLAN solution.
>
> Agreed.
>
> > If I had to firewall between _hundreds_ of different networks in one
> > core box, for some reason, I'd almost certainly use VLANs. Why? Because
> > IMNSHO it would be management-stupid to try and do it with physical
> > switches.
>
> Bingo!!! This is what I have been trying to get across. Everything has its
> place, and in many cases VLANs have their place as an aspect of a perimeter
> design. Is it the "best" design? Maybe, maybe not. Can it be the best design
> for the circumstances and requirements? Absolutely.
>
> > I believe that we're seeing a philosophical argument - Paul (and I) and
> > others will tend to make arbitrary sounding decisions about the "best"
> > ways to proceed, based on how we perceive certain classes of solution.
> > This may not be backed up by any current factual arguments, but I have
> > personally had it pay off when I vetoed a solution that smelt bad (NTPd
> > on a Solaris box) two weeks before a brand new NTP r00t exploit was
> > released. The point I'm making is that it's _not_ bogus to make
> > decisions and ad hoc risk assessments based on circumstantial evidence.
>
> Certainly not. However, chasing boogeymen isn't a good practice either. As
> security people, and in opinions expressed on this list many times, people
> seem to forget that business still has to get done. Security is, and should
> be, secondary to making money. This is, after all, business and capitalism.
> Security policies and practices that prevent business are BAD.
>

FUD! The company does no business if their security does not protect
their interests/assets.

> > I am specifically NOT saying that VLANs are always bad, and if I had a
> > specific function for which I felt that there was a compelling reason to
> > use VLANs then I'd do research, get the right platform, implement them
> > carefully, and buy red and green patch cables. However, if I have a
> > customer that just doesn't feel like springing for $200 for a new
> > switch, then I'll tell them to go spank their monkey elsewhere.
>
> Agreed. Again, this is the point that I was trying to make. It's not cookie
> cutter. There are a LOT of variables to weigh, and I just think it is bad
> practice to make statements like I have seen from others on this list.
>

So it's better to just what? Say and do nothing and consider nothing in
an evaluation/assessment of a product/potential implementation? Folks come
to this list to ask others to share their knowledge and experience. This
is what Paul and others have done, and you mostly just decided Paul's
style in approaching this was FUD. Do consider, in a busy day, when folks
reply to e-mails here and elsewhere, their 'style' differs greatly from
what one might see/perceive when addressing them face up and vocally. I'm
sure Paul is a busy man, and tries to share as quickly as possible those
moments he can to providing help and knowledge gained throughout the
years to others freely here. As do others; I'm sure this is pretty much
the same with you. After all, how many folks get paid to spend time on
this and the other lists they contribute to? I can say, I often find
great humor, as well as insight, in Paul's style here <smile>. And I have a
few times busted a gut and spewed some coffee about the monitor and
keyboard while gaining some valuable information. Now, if I do not
understand what he's saying, or require deeper clarification of points
he's jotting out here quickly, whose responsibility is it for me to gain
deeper insight? Is it not *my* obligation to request clarification and
edification? In like token, if his style does so bug me that I go on a
rant each time he gives advice, whose responsibility is it for me to hit
delete when seeing his name on a post, or just killfile his responses so as
to save my attitude for the rest of the day?

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls