From owner-freebsd-security  Sun Apr  8  2:18: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cpimssmtpoa03.msn.com (cpimssmtpoa03.msn.com [207.46.181.113])
	by hub.freebsd.org (Postfix) with ESMTP id 6F82537B422
	for <freebsd-security@freebsd.org>; Sun,  8 Apr 2001 02:18:00 -0700 (PDT)
	(envelope-from JHowie@msn.com)
Received: from cpimssmtpu13.email.msn.com ([207.46.181.88]) by cpimssmtpoa03.msn.com with Microsoft SMTPSVC(5.0.2195.3225);
	 Sun, 8 Apr 2001 02:17:58 -0700
Received: from x86w2kw1 ([216.103.48.12]) by cpimssmtpu13.email.msn.com with Microsoft SMTPSVC(5.0.2195.3225);
	 Sun, 8 Apr 2001 02:17:58 -0700
Message-ID: <05dd01c0c00d$657a8510$0101a8c0@development.local>
From: "John Howie" <JHowie@msn.com>
To: "James Wyatt" <jwyatt@rwsystems.net>,
	<freebsd-security@freebsd.org>
References: <Pine.BSF.4.10.10104072029260.31820-100000@bsdie.rwsystems.net>
Subject: Re: Theory Question
Date: Sun, 8 Apr 2001 02:22:12 -0700
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-OriginalArrivalTime: 08 Apr 2001 09:17:58.0436 (UTC) FILETIME=[CD636E40:01C0C00C]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


----- Original Message -----
From: "James Wyatt" <jwyatt@rwsystems.net>
To: "John Howie" <JHowie@msn.com>
Cc: "Jacques A. Vidrine" <n@nectar.com>; "Crist Clark"
<crist.clark@globalstar.com>; <lee@kechara.net>;
<freebsd-security@FreeBSD.ORG>
Sent: Saturday, April 07, 2001 8:16 PM
Subject: Re: Theory Question


> If you have a large network to protect, maintaining a separate monitoring
> network for out-of-band control (of the main network which is subject to
> attack) can be pretty costly. I've seen VLANs suggested for large outfits,
> but that can be attacked at the switch level. You can use voice channels
> and PPP over serial, but filter the heck out of it and don't set a default
> route. At some point you will have to network to your IDS box if you want
> much functionality from it. If you simply have the box set to log out the
> serial port, it can be easily overrun (DoSed) if you have a good net
> connection.
>

James,

I have had so many people suggest VLANs as an acceptable security solution
that it makes me wonder... Is there someone out there (presumably a hacker)
pushing them? I agree with you, they are not secure. That is why I always
push for a separate physical network. And I always say that if it should
ever be compromised you just blow it away and reconstruct it. In fact, I use
the term "Victim Network" to describe an IDS/monitoring network.

john...




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message