Re: vswitches: physical networks obsolete?

["Albert R. Campa" <abcampa () gmail com>]

vmware has come out with their vshield virtual firewall product.
Altor/Juniper has had a virtual firewalling product for a while now.



On Sun, Feb 6, 2011 at 11:24 AM, phocean <0x90 () phocean net> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > phocean said the following on 06/02/11 16:58:
> >
> > > So my worries remain... how do they address this?
> > > You don't mean that we have to wait for the next 0-day for the VMware
> > > claim to be proved false? There are coding vulnerabilities everywhere.
> >
> > We could wait for the next 0day of HP procurve, Cisco Catalyst or Dell
> > PowerConnect firmware as well ;)
>
> That's exactly why I used to use physical separation and mixed various
> hardware in each area.
> What do you do if your infrastructure rely 100% on VMware code?
>
> > The history of software bugs so far tells us that, until now, the chance to have
> > a 0day of a firewall is greater than the chance of the 0day of a switch firmware.
> I disagree. Not only you can't compare a switch and an firewall (neither
> in terms of functionality, complexity, exploitation or impact), but L2
> has always been vulnerable by design. Easy to attack, huge impact, game
> over.
>
> > I am not telling that switches are bulletproof, I am only talking about probability.
>
> Ok but I would like we get back to the point. Thanks for your feedback,
> I took note of it.
>
> You are just expressing your opinion, as I did. Opinions don't have much
> value, neither mine nor yours.
> I am expecting facts, deep studies or specifications.
>
> We are talking about major changes in the way we design architectures.
>
> It is not something to take lightly, relying only on "right until proven
> wrong" or "the editor says it's great".
> Once an architecture has been designed for a company, it is supposed to
> stay there 10 years or even more.
>
> I want to read more answers here. Maybe there have not been any serious
> research on the topic yet. In that case, I would take the safe side :
> waiting a few more years until the industry has enough experience on the
> technology before deploying any full virtual network.
>
> - phocean
>
> > Ciao,
> > luigi
> >
> > - --
> > /
> > +--[Luigi Rosa]--
> > \
> >
> > Any small object that is accidentally dropped will hide under a larger object.
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.10 (GNU/Linux)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> >
> > iEYEARECAAYFAk1O0GkACgkQ3kWu7Tfl6ZTahgCfWVHLy/OD/58XOgN2ovanl/dT
> > LJgAnjtPyYCRujnL/3tzZJ/4K9CcTCF8
> > =xaty
> > -----END PGP SIGNATURE-----
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/