
[linux-security] Re: A switch? A router? What am I looking for??



At 09:52 AM 6/30/98 -0500, you wrote:
>A switch can be used as a security device. Many of the newer switches can be
>configured to support multiple VLANs which prohibit machines on one VLAN
[...]

You know, I considered talking about vlans when I started writing up
definitions.  But I figured that if the guy didn't know what a switch was,
a vlan would just further confuse him.

imho, a vlan is a device to manipulate broadcast domains (and by
implication collision domains) and again *not* a security device.  The
"best" use of vlans is when you have distributed users and want to share
resources among just those users, e.g. engineering is IP network X, sales
is IP network Y, but their cubes are distributed among half a dozen floors
-- I can now plug-n-play among the switch community without regard for
physical location.  Now I can have broadcast level services, such as DHCP,
without extensive configuration of user machines.

Will vlan enabled switches be part of a security design?  Perhaps.  Right
now, I just don't know how hardened the switch will be against security
attacks -- they weren't _designed_ with security in mind.  Has cisco ever
fixed the syn-loop attack against their catalyst switches?  Does this give
you a warm and fuzzy feeling that other problems won't be found?  Do you
want to use an appliance with potentially unknown characteristics in your
security implementation?

Please note that I very much accept the answer that in some designs the
answer is YES!  Security is always something personal to a specific site,
and a particular time and computation.

--woody
--
Robert Wooddell Weaver           email:  woody weaver wiltelnsi com
Network Engineer                 voice:  510.358.3972
Williams Communication Solutions pager:  510.702.4334

