Date: Fri, 29 Mar 2002 12:28:06 -0800
From: "Crist J. Clark" <cjc@FreeBSD.ORG>
To: Dmitry Shupilov <root@ns.tb.by>
Cc: security@FreeBSD.ORG, roam@ringlet.net
Subject: Re: SSH or Telnet?
Message-ID: <20020329122806.V97841@blossom.cjclark.org>
In-Reply-To: <192258005672.20020329153842@ns.tb.by>; from root@ns.tb.by on Fri, Mar 29, 2002 at 03:38:42PM +0200
References: <20020328201100.E6672-100000@cactus.fi.uba.ar> <72250498197.20020329133335@ns.tb.by> <20020329143538.B340@straylight.oblivion.bg> <192258005672.20020329153842@ns.tb.by>

On Fri, Mar 29, 2002 at 03:38:42PM +0200, Dmitry Shupilov wrote:
> Friday, March 29, 2002, 2:35:38 PM, you wrote:
>
> PP> Other than that, IPSec is a step towards a solution.
> If you don't like IPSec you can try VLAN's. VLAN's are what I use in
> my office to connect to critical hardware (routers, servers etc). But
> this solution is accomplished through the Cisco switches. The new Cisco
> switch support access lists per port (this is not Cisco advertisement:).

Please repeat after me...

  1) Switching is not a security feature. Switching is not a security
     feature. Switching...

  2) VLANs are not a security feature. VLANs are not a security
     feature. VLANs...

Both switching and VLANs were meant to increase _performance._
Switching never was and still is not a good security feature in any
manageable sense on any hardware I've seen. Cisco has tried to tack
security onto VLAN implementations as an afterthought, but unless
things have changed recently, they were just that, not very well
implemented afterthoughts.
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message