Jim, 

Please excuse my ignorance, but can you give me examples of the risks posed by 
this scenario? It serves as a basis to explain to the client that even in the 
previous solution with Linux, the setting was already correct.

Thank you!


Ivanildo Galvão - MCP, MCT, MCSA, VSP
Technology Consultant
Tel. (84) 3201 2146 | Cel. (84) 9111 8873
[email protected] | www.itservices.com.br
Twitter: @ivanildogalvao

-----Original Message-----
From: Jim Pingle [mailto:[email protected]]
Sent: Friday, September 2, 2011 08:59
To: [email protected]
Subject: Re: RES: [pfSense Support] Static ARP

On 9/2/2011 7:46 AM, Ivanildo Galvão - IT Services wrote:
> a) The previous configuration was made by a former business consultant here; 
> the guy made the business work well, is round, but no VLAN is vulnerable. He 
> may have done it this way just to give satisfaction to a customer who has 
> hitherto had a switch that supports VLAN.

Which can be defeated simply by hardcoding your system's address into one of 
the other subnets. Zero security gain.

> c) Under Firewall Rules, I created rules that isolate these networks; it works 
> well, I had already tested it.

Which can be defeated simply by hardcoding your system's address into one of 
the other subnets. Zero security gain.

> e) You cannot reach the client and say, buy a switch with VLAN, buy this or 
> that; he will say "But his predecessor made it work in Linux and had no 
> problems." With some customers certain things are complicated to explain; he 
> may think you are wanting to sell or wind. So, friends, I have total agreement 
> that this is more or less security; the firewall rules insulate networks in 
> fact, as I said before, but a scenario with VLANs or even 802.1x would be 
> better, but not now. The least I can do is leave the scene no less secure 
> than it was before, either with Linux or pfSense. So I'm sending this text to 
> explain the more, because at least on this account I'm insisting on doing 
> something that from the beginning is not 100% correct.

Which can be defeated simply by hardcoding your system's address into one of 
the other subnets. Zero security gain.

What was done there does not isolate the networks at all. It appears to isolate 
them, but in fact does not. It only "protects" you from people who don't know 
enough to need protecting from. By continuing to use this method, you are 
exposing your client to potential attacks and actually doing them real harm by 
giving them a false sense of security.

Jim

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Commercial support available - https://portal.pfsense.org
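Jim's point above is that firewall rules and static ARP on a single shared segment are defeated by a host that simply hardcodes an address from the other subnet. One defensive check a practitioner can run on such a setup is to compare the firewall's live ARP table against the static ARP assignments and flag any MAC that shows up with an address outside its assigned subnet. The script below is an added example, not code from the thread or from pfSense; the static ARP table, the two subnets and the `arp -an` lines are all constructed sample values.

```python
import ipaddress
import re

# Constructed sample: the static ARP assignments the firewall was configured
# with (MAC -> the one address that host is supposed to use).
STATIC_ARP = {
    "00:11:22:33:44:01": "192.168.10.5",   # host assigned to the first subnet
    "00:11:22:33:44:02": "192.168.20.7",   # host assigned to the second subnet
}

# The two subnets that share one broadcast domain in the thread's scenario.
SUBNETS = [ipaddress.ip_network("192.168.10.0/24"),
           ipaddress.ip_network("192.168.20.0/24")]

# Constructed `arp -an` output in FreeBSD/pfSense style. The second line is a
# host that hardcoded an address in the other subnet; the last line is a MAC
# with no static entry at all (an unknown device on the wire).
ARP_OUTPUT = """\
? (192.168.10.5) at 00:11:22:33:44:01 on em0 expires in 1170 seconds [ethernet]
? (192.168.10.9) at 00:11:22:33:44:02 on em0 expires in 1050 seconds [ethernet]
? (192.168.20.7) at 00:11:22:33:44:02 on em0 permanent [ethernet]
? (192.168.10.20) at 00:11:22:33:44:99 on em0 expires in 600 seconds [ethernet]
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on (?P<iface>\S+)", re.I)

def parse_arp(text):
    """Return (ip, mac, iface) tuples parsed from arp -an output; unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["iface"]))
    return entries

def subnet_of(ip):
    """Return the configured subnet containing ip, or None if it is in neither."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in SUBNETS if addr in net), None)

def find_crossovers(entries, static_arp=STATIC_ARP):
    """Flag MACs with no static entry, or seen outside the subnet their static entry assigns."""
    findings = []
    for ip, mac, iface in entries:
        expected = static_arp.get(mac)
        if expected is None:
            findings.append((mac, ip, "unknown MAC"))
        elif subnet_of(ip) != subnet_of(expected):
            findings.append((mac, ip, f"expected in {subnet_of(expected)}"))
    return findings

if __name__ == "__main__":
    for mac, ip, reason in find_crossovers(parse_arp(ARP_OUTPUT)):
        print(f"{mac} seen as {ip}: {reason}")
```

A host that also clones another machine's MAC passes this check unnoticed, which is exactly why the thread's answer is VLANs or 802.1x rather than anything built on ARP and per-subnet firewall rules.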