On Oct 24, 2007, at 4:16 PM, Henning Brauer <[EMAIL PROTECTED]> wrote:

* Darren Spruell <[EMAIL PROTECTED]> [2007-10-24 21:48]:
Remember back 10-ish years ago when VLANs were being touted as the
ultimate network segmentation technology by marketers of managed
switches? And now everyone hopefully realizes that while VLANs
technically do offer network segmentation, it's really rudimentary and cannot be relied on for truly reliable security due to various layer 2
attacks that subvert them?

err, that is a very bad comparison. I am not aware of any "layer2
attacks" (you probably mean vlan hopping things) that work against any
half reasonable configured switch from the last 10 years.
heck, these days even everybody except cisco has sane defaults.
(well, I dunno about those cheap switches, admittedly)

this comparison is wrong on another basis: vlans are dead simple, just a tiny and simple header before the ethernet segment. virtualization is
certainly not.

That simply segmenting networks with
VLANs can't be considered to fully isolate them?

without bad config errors (that are getting harder to make, except on
cisco, they got the semantics completely wrong and stupid defaults) and
used correctly, yes, VLANs perfectly isolate network segments.

Why does this continue to pop up in misc@ every year?

---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
