From owner-freebsd-security Mon Apr 9 6:57:27 2001
Message-ID: <3AD1C188.F34164C7@ocsinternet.com>
Date: Mon, 09 Apr 2001 10:04:56 -0400
From: Mikel <mikel@ocsinternet.com>
To: John Howie
Cc: James Wyatt, freebsd-security@FreeBSD.ORG
Subject: Re: Theory Question
References: <05dd01c0c00d$657a8510$0101a8c0@development.local>

I've heard this as well, and seem to remember hearing it while attending some Cisco training or something. I fully agree that they aren't very good for security, and truthfully I don't think they're very good for a busy network either... Ok, that's my $0.01. Thanks to all for a very thought-provoking thread...

Cheers,
Mikel

John Howie wrote:
> ----- Original Message -----
> From: "James Wyatt"
> To: "John Howie"
> Cc: "Jacques A. Vidrine"; "Crist Clark"; ...
> Sent: Saturday, April 07, 2001 8:16 PM
> Subject: Re: Theory Question
>
> > If you have a large network to protect, maintaining a separate monitoring
> > network for out-of-band control (of the main network which is subject to
> > attack) can be pretty costly. I've seen VLANs suggested for large outfits,
> > but that can be attacked at the switch level. You can use voice channels
> > and PPP over serial, but filter the heck out of it and don't set a default
> > route. At some point you will have to network to your IDS box if you want
> > much functionality from it. If you simply have the box set to log out the
> > serial port, it can be easily overrun (DoSed) if you have a good net
> > connection.
>
> James,
>
> I have had so many people suggest VLANs as an acceptable security solution
> that it makes me wonder... Is there someone out there (presumably a hacker)
> pushing them? I agree with you, they are not secure. That is why I always
> push for a separate physical network. And I always say that if it should
> ever be compromised you just blow it away and reconstruct it. In fact, I use
> the term "Victim Network" to describe an IDS/monitoring network.
>
> john...
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message