On Mon, 28 Jun 2010, Brent Chapman wrote:
On Mon, Jun 28, 2010 at 12:05 PM, A. Dreyer (LOPSA) wrote:
On 28/06/10 15:51, Jeremy Charles wrote:
From: Jeff Wasilko [mailto:je...@smoe.org]
Why not build a dedicated VLAN that carries only iSCSI traffic to your
DMZ and only has the required server
On 28/06/10 20:26, Brent Chapman wrote:
> On Mon, Jun 28, 2010 at 12:05 PM, A. Dreyer (LOPSA)
> I assume you both know that VLANs are just an administrative tool not a
> security measurement and that for "real" security the switches with
> external/DMZ VLANs should be *physically* sepa
On Mon, Jun 28, 2010 at 12:26:58PM -0700, Brent Chapman spake thusly:
> On Mon, Jun 28, 2010 at 12:05 PM, A. Dreyer (LOPSA)
> wrote:
> > I assume you both know that VLANs are just an administrative tool not a
> > security measurement and that for "real" security the switches with
> > external/DMZ
If a switch is leaking broadcast traffic across all VLANs, the issue
isn't with VLAN technology, it's with a (very) stupid implementation.
On Mon, Jun 28, 2010 at 3:36 PM, Phil Pennock wrote:
> On 2010-06-28 at 12:26 -0700, Brent Chapman wrote:
>> Everybody says "but what if the switch somehow le
On 2010-06-28 at 12:26 -0700, Brent Chapman wrote:
> Everybody says "but what if the switch somehow leaks packets from one VLAN
> to another?" Well, what if the switch ACLs didn't work, and passed traffic
> that it shouldn't? Those would both be major security bugs, drawing a quick
> response fro
On Mon, Jun 28, 2010 at 12:05 PM, A. Dreyer (LOPSA) wrote:
> On 28/06/10 15:51, Jeremy Charles wrote:
> > From: Jeff Wasilko [mailto:je...@smoe.org]
> >> Why not build a dedicated VLAN that carries only iSCSI traffic to your
> >> DMZ and only has the required servers on that network?
> >
> > That
On 28/06/10 15:51, Jeremy Charles wrote:
> From: Jeff Wasilko [mailto:je...@smoe.org]
>> Why not build a dedicated VLAN that carries only iSCSI traffic to your
>> DMZ and only has the required servers on that network?
>
> That would also require separate iSCSI storage hardware (the targets).
>
From: Jeff Wasilko [mailto:je...@smoe.org]
> Why not build a dedicated VLAN that carries only iSCSI traffic to your
> DMZ and only has the required servers on that network?
That would also require separate iSCSI storage hardware (the targets). That's
more expensive, so it's Plan C.
On Mon, Jun 28, 2010 at 08:45:38AM -0500, Jeremy Charles wrote:
> We have servers in the DMZ that the server admins and storage guys would like
> to use iSCSI with. The problem that us network/security guys see is that the
> iSCSI network is connected to a bunch of servers that are on the inside
We have servers in the DMZ that the server admins and storage guys would like
to use iSCSI with. The problem that us network/security guys see is that the
iSCSI network is connected to a bunch of servers that are on the inside
network. Since the OS of the server can see the iSCSI network (soft