On 10/24/07, Henning Brauer  wrote:

quoted text
> * Darren Spruell  [2007-10-24 21:48]:

> > Remember back 10-ish years ago when VLANs were being touted as the

> > ultimate network segmentation technology by marketers of managed

> > switches? And now everyone hopefully realizes that while VLANs

> > technically do offer network segmentation, it's really rudimentary and

> > cannot be relied on for truly reliable security due to various layer 2

> > attacks that subvert them?

>

> err, that is a very bad comparision. I am not aware of any "layer2

> attacks" (you probably mean vlan hopping things) that work against any

> half reasonable configured switch from the last 10 years.

> heck, these days even everybody except cisco has sane defaults.

> (well, I dunno about those cheap switches, admittedly)

I agree, the key is the reasonably configured part. Vlan hopping, STP

attacks, etc. and Cisco particularly. Even if Cisco is (now) one of

the few to not have sane defaults, they're common enough for it to be

a concern. And consider all the devices (even from good vendors) that

are behind on firmware (where the defaults weren't yet sane).
If this wasn't the case, Yersinia wouldn't be nearly as interesting as it is.
> this comparision is wrong on another basis: vlans are dead simple, just

quoted text
> a tiny and simple header before the ethernet segment. virtualization is

> certainly not.

Yeah, I was commenting mainly on the flawed "silver bullet" mentality

that some LAN admins have with the "if I have VLANs, my hosts are

automatically perfectly segmented" mindset rather than the

implementation/design itself. Sadly, the average LAN admin these days,

at least in the states, isn't smart enough to understand the nuances.
DS