Hi Jim
On 2014-04-05 20:32, Jim Thompson wrote:
On Apr 5, 2014, at 8:53 AM, Thinker Rix <thinke...@rocketmail.com> wrote:
On 2014-04-05 07:00, Ryan Coleman wrote:
And you cannot eliminate three of these with a switch?
I don't know any method how a network switch could replace the NICs
of my firewall - other than by operating with VLANs.
But I do not trust VLANs for this. This is not the correct purpose of
VLANs, IMO.
Using VLANs for segregating networks that should live in physically
different network zones because they have fundamentally differing
security levels is like placing your firewall into a VM: you can,
but you should not.
Sounds like you should look at your design.
No, I don't think so.
I think you should audit your security policy.
Regards
Thinker Rix
'Rix',
.... why do you do this?
Please don't be rude. Your message contains only non-informed opinion
backed by hostile invective, and such is not welcome on the list.
"hostile invective" in my posting? Interesting. Could not find anything
of that in my posting, though.
Oh, no! Now I remember: Jim Thompson! Once again in his starring role:
"the bully of the pfSense list", threatening, ridiculing, insulting and
bullying other users who ask questions he does not like (e.g. about whether
the NSA or others have approached pfSense (yet)) or who have another opinion
than he has...
If you don't trust VLANs, don't use them.
Thank you, for the approval.
.... <snip some extensive text that tries to ridicule me. BTW: This is
a common strategy that many propagandists use to avert suspicion and
the same strategy that you used the other time when I asked
uncomfortable questions about the NSA and pfSense>
But VLANs have their place.
Yes, in networks of homogeneous security level.
They do not have their place when it comes to segmenting networks with
vastly diverging security levels, IMO.
It is the same discussion as about virtualizing a firewall. Some do it
claiming that virtualization is rock solid, others avoid it, because
they won't risk it just to save some bucks on hardware.
But everyone can decide that for himself. I don't ridicule you for
deciding differently. But you try to ridicule me, once again. Why?
They're used a lot in security applications. Not for very
high-security applications (military networks, financial trading
networks, etc), but they are effective enough for the network
segmentation requirements of PCI DSS.
This SANS paper has a description of the common attacks against a VLAN
segmentation architecture, as well as countermeasures to same. It
includes code to demonstrate several of the attacks.
https://www.sans.org/reading-room/whitepapers/networkdevs/virtual-lan-security-weaknesses-countermeasures-1090
IMO the greatest weakness of VLAN is user error such as
misconfiguration, bugs in software/firmware, etc.
Cheers
Thinker Rix
--
*Thinker Rix*, an internet user.
Please avoid TOFU in newsgroups and mailing lists
(https://en.wikipedia.org/wiki/Posting_style#Top-posting)
Please avoid TOFU in newsgroups and mailing lists
(https://de.wikipedia.org/wiki/TOFU)
_______________________________________________
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list