Date:      Mon, 09 Apr 2001 10:04:56 -0400
From:      Mikel <mikel@ocsinternet.com>
To:        John Howie <JHowie@msn.com>
Cc:        James Wyatt <jwyatt@rwsystems.net>, freebsd-security@FreeBSD.ORG
Subject:   Re: Theory Question
Message-ID:  <3AD1C188.F34164C7@ocsinternet.com>
References:  <Pine.BSF.4.10.10104072029260.31820-100000@bsdie.rwsystems.net> <05dd01c0c00d$657a8510$0101a8c0@development.local>

I've heard this as well, and seem to remember hearing it while attending some
Cisco training or something. I fully agree that they aren't very good for
security, and truthfully I don't think they're very good for a busy network
either...

Ok that's my $0.01. Thanks to all for a very thought provoking thread...

Cheers,
Mikel

John Howie wrote:

> ----- Original Message -----
> From: "James Wyatt" <jwyatt@rwsystems.net>
> To: "John Howie" <JHowie@msn.com>
> Cc: "Jacques A. Vidrine" <n@nectar.com>; "Crist Clark"
> <crist.clark@globalstar.com>; <lee@kechara.net>;
> <freebsd-security@FreeBSD.ORG>
> Sent: Saturday, April 07, 2001 8:16 PM
> Subject: Re: Theory Question
>
> > If you have a large network to protect, maintaining a separate monitoring
> > network for out-of-band control (of the main network which is subject to
> > attack) can be pretty costly. I've seen VLANs suggested for large outfits,
> > but that can be attacked at the switch level. You can use voice channels
> > and PPP over serial, but filter the heck out of it and don't set a default
> > route. At some point you will have to network to your IDS box if you want
> > much functionality from it. If you simply have the box set to log out the
> > serial port, it can be easily overrun (DoSed) if you have a good net
> > connection.
> >
>
> James,
>
> I have had so many people suggest VLANs as an acceptable security solution
> that it makes me wonder... Is there someone out there (presumably a hacker)
> pushing them? I agree with you, they are not secure. That is why I always
> push for a separate physical network. And I always say that if it should
> ever be compromised you just blow it away and reconstruct it. In fact, I use
> the term "Victim Network" to describe an IDS/monitoring network.
>
> john...
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
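The quoted advice above (PPP over serial for the monitoring link, "filter the heck out of it", and no default route) can be made concrete on a FreeBSD IDS host with ppp(8) and ipfw(8). The script below is an added example written for this archive page; it is not code from the thread or from any of its participants. The interface name tun0, the addresses 192.0.2.1 (IDS host) and 192.0.2.2 (out-of-band console host), the serial device and speed are all assumptions; adjust them to the site.

```sh
#!/bin/sh
# Added example, not from the thread: lock down a PPP-over-serial
# out-of-band management link on a FreeBSD IDS/monitoring host.
# Assumed values (not from the page): tun0 is the ppp interface,
# 192.0.2.1 is this host, 192.0.2.2 is the console host at the far end.
OOB_IF=${OOB_IF:-tun0}
OOB_LOCAL=${OOB_LOCAL:-192.0.2.1}
OOB_PEER=${OOB_PEER:-192.0.2.2}

# ipfw rules for the OOB link: ssh in from the console host only, syslog
# out to it only, and everything else crossing that interface is denied
# and logged. Nothing is forwarded between the serial link and the
# monitored network.
oob_rules() {
    cat <<EOF
add 1000 check-state
add 1010 allow tcp from $OOB_PEER to $OOB_LOCAL 22 in via $OOB_IF setup keep-state
add 1020 allow udp from $OOB_LOCAL to $OOB_PEER 514 out via $OOB_IF keep-state
add 1099 deny log ip from any to any via $OOB_IF
EOF
}

# ppp.conf profile for the link. The point is what is missing: there is no
# "add default HISADDR", so the serial link never becomes a default route
# and traffic for the monitored network cannot leak across it.
# The device path and speed are assumptions.
oob_ppp_conf() {
    cat <<EOF
oob:
 set device /dev/cuau0
 set speed 38400
 set ifaddr $OOB_LOCAL $OOB_PEER
EOF
}

# Refuse any ppp.conf text that would add a default route over the link.
check_no_default_route() {
    ! printf '%s\n' "$1" | grep -q 'add default'
}

# Apply the rules only when explicitly asked; otherwise just render them.
if [ "$1" = "--apply" ]; then
    check_no_default_route "$(oob_ppp_conf)" || { echo "refusing: default route in ppp.conf" >&2; exit 1; }
    oob_rules | while read -r rule; do ipfw $rule; done
else
    oob_rules
fi
```

Run it without arguments to review the ruleset, or with `--apply` on the IDS host to load it. The ppp.conf fragment goes into the `oob:` profile; if someone later adds `add default HISADDR` to it, the check refuses to apply the rules, which is the failure the quoted advice warns about.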




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3AD1C188.F34164C7>