Firewall Wizards mailing list archives

Re: Worms, Air Gaps and Responsibility


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Wed, 5 May 2004 22:22:24 +0200 (CEST)

Hello!

Paul D. Robertson wrote:

> Most of the risk
> these days comes from desktops, there's no reason the PC in the mail room
> needs to be able to hit the CAT scanner in a hospital, for instance.  Even
> if your hospital's CAT scanner is VPNed to another hospital's diagnostics
> expert.

Which is a point in favor of VLANs, IMHO. If applied with thought,
they are a great technology. And even though there are
methods to leak packets between VLANs, most of the published attacks
seem rather theoretical to me.

Security is always about balancing the risks. If it's some Uberhacker
jumping VLANs vs. no separation at all, because we would have to buy
another switch (which - by general policy - needs redundant power supplies,
redundant supervisor engines, ...), I've always chosen VLANs as a
method of separation.

Put differently: even if a new technology (VLANs) poses new risks
(they might not work as well as separate devices) - if it mitigates
old and known risks, use it in your favor when possible.

Regards,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe       http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
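One of the published methods for leaking frames between VLANs that the post alludes to is 802.1Q double-tagging: a host on an access port in the trunk's native VLAN sends a frame with two tags, the first switch strips the native tag on trunk egress, and the second switch reads the surviving inner tag. The following Python model is an added example, not code from the post or the list; it simulates a deliberately simplified pair of switches (access-port ingress, trunk egress, trunk ingress) and shows that the hop works only when the attacker's access VLAN equals the trunk's native VLAN, and that moving the native VLAN to an unused ID or tagging native-VLAN traffic on the trunk (the hypothetical tag_native flag here stands for that switch feature) closes it. The frame contents and switch behaviour are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that introduces an 802.1Q tag


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, vlan_ids, ethertype, payload):
    """Build an Ethernet frame carrying the given 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ethertype) + payload


def outer_tag(frame):
    """Return the VLAN ID of the outermost 802.1Q tag, or None if the frame is untagged."""
    tpid = struct.unpack_from("!H", frame, 12)[0]
    if tpid != TPID_8021Q:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def access_port_ingress(frame, port_vlan):
    """Simplified access-port behaviour (assumption): the frame is assigned to the
    port's VLAN. A tag equal to the port VLAN is stripped; any other tag is dropped."""
    vid = outer_tag(frame)
    if vid is None:
        return port_vlan, frame
    if vid == port_vlan:
        return port_vlan, strip_outer_tag(frame)
    return None, None


def trunk_egress(vlan, frame, native_vlan, tag_native=False):
    """Trunk egress: native-VLAN traffic leaves untagged unless the switch is
    configured to tag the native VLAN (modelled by tag_native)."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Trunk ingress: a tagged frame belongs to its outer tag, an untagged one to the native VLAN."""
    vid = outer_tag(frame)
    if vid is None:
        return native_vlan, frame
    return vid, strip_outer_tag(frame)


def double_tag_hop(attacker_vlan, target_vlan, trunk_native, tag_native=False):
    """Send a double-tagged frame from an access port on switch A over a trunk to
    switch B and return the VLAN switch B delivers it into (None if A dropped it)."""
    payload = b"constructed payload bytes"  # constructed sample data
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01",
                        [attacker_vlan, target_vlan], 0x0800, payload)
    vlan_a, frame = access_port_ingress(frame, attacker_vlan)
    if vlan_a is None:
        return None
    on_wire = trunk_egress(vlan_a, frame, trunk_native, tag_native)
    vlan_b, _ = trunk_ingress(on_wire, trunk_native)
    return vlan_b


if __name__ == "__main__":
    # Attacker in VLAN 1, trunk native VLAN 1: the inner tag 20 survives the hop.
    print("native=1, attacker in 1 ->", double_tag_hop(1, 20, 1))
    # Native VLAN moved to an unused ID: switch A tags the frame with VLAN 1.
    print("native=999            ->", double_tag_hop(1, 20, 999))
    # Native VLAN tagged on the trunk: same result.
    print("tag native            ->", double_tag_hop(1, 20, 1, tag_native=True))
    # Attacker not in the native VLAN: no hop either.
    print("attacker in 10        ->", double_tag_hop(10, 20, 1))
```

The model ignores everything else a real switch does (MAC learning, STP, DTP negotiation), so it only demonstrates the tag arithmetic behind the attack; the practical checks it points at are that no access port sits in a trunk's native VLAN and that native-VLAN traffic on trunks is either an unused ID or tagged.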