* Darren Spruell  [2007-10-24 21:48]:

quoted text
> Remember back 10-ish years ago when VLANs were being touted as the

> ultimate network segmentation technology by marketers of managed

> switches? And now everyone hopefully realizes that while VLANs

> technically do offer network segmentation, it's really rudimentary and

> cannot be relied on for truly reliable security due to various layer 2

> attacks that subvert them?

err, that is a very bad comparision. I am not aware of any "layer2

attacks" (you probably mean vlan hopping things) that work against any

half reasonable configured switch from the last 10 years.

heck, these days even everybody except cisco has sane defaults.

(well, I dunno about those cheap switches, admittedly)
this comparision is wrong on another basis: vlans are dead simple, just

a tiny and simple header before the ethernet segment. virtualization is

certainly not.
> That simply segmenting networks with

quoted text
> VLANs can't be considering to fully isolate them?

without bad config errors (that are getting harder to make, except on

cisco, they got the semantics completely wrong and stupid defaults) and

usedcorrectly, yes, VLANs perfectly isolate network segments.
--

Henning Brauer, hb@bsws.de, henning@openbsd.org

BS Web Services, http://bsws.de

Full-Service ISP - Secure Hosting, Mail and DNS Services

Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam