Date: Sun, 8 Apr 2001 02:22:12 -0700 From: "John Howie" <JHowie@msn.com> To: "James Wyatt" <jwyatt@rwsystems.net>, <freebsd-security@freebsd.org> Subject: Re: Theory Question Message-ID: <05dd01c0c00d$657a8510$0101a8c0@development.local> References: <Pine.BSF.4.10.10104072029260.31820-100000@bsdie.rwsystems.net>
next in thread | previous in thread | raw e-mail | index | archive | help
----- Original Message ----- From: "James Wyatt" <jwyatt@rwsystems.net> To: "John Howie" <JHowie@msn.com> Cc: "Jacques A. Vidrine" <n@nectar.com>; "Crist Clark" <crist.clark@globalstar.com>; <lee@kechara.net>; <freebsd-security@FreeBSD.ORG> Sent: Saturday, April 07, 2001 8:16 PM Subject: Re: Theory Question > If you have a large network to protect, maintaining a separate monitoring > network for out-of-band control (of the main network which is subject to > attack) can be pretty costly. I've seen VLANs suggested for large outfits, > but that can be attacked at the switch level. You can use voice channels > and PPP over serial, but filter the heck out of it and don't set a default > route. At some point you will have to network to your IDS box if you want > much functionality from it. If you simply have the box set to log out the > serial port, it can be easily overrun (DoSed) if you have a good net > connection. > James, I have had so many people suggest VLANs as an acceptable security solution that it makes me wonder... Is there someone out there (presumably a hacker) pushing them? I agree with you, they are not secure. That is why I always push for a separate physical network. And I always say that if it should ever be compromised you just blow it away and reconstruct it. In fact, I use the term "Victim Network" to describe an IDS/monitoring network. john... To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?05dd01c0c00d$657a8510$0101a8c0>