From: "John Howie"
To: "James Wyatt"
Subject: Re: Theory Question
Date: Sun, 8 Apr 2001 02:22:12 -0700

----- Original Message -----
From: "James Wyatt"
To: "John Howie"
Cc: "Jacques A. Vidrine"; "Crist Clark"
Sent: Saturday, April 07, 2001 8:16 PM
Subject: Re: Theory Question

> If you have a large network to protect, maintaining a separate monitoring
> network for out-of-band control (of the main network which is subject to
> attack) can be pretty costly. I've seen VLANs suggested for large outfits,
> but that can be attacked at the switch level. You can use voice channels
> and PPP over serial, but filter the heck out of it and don't set a default
> route. At some point you will have to network to your IDS box if you want
> much functionality from it. If you simply have the box set to log out the
> serial port, it can be easily overrun (DoSed) if you have a good net
> connection.

James,

I have had so many people suggest VLANs as an acceptable security solution that it makes me wonder...
Is there someone out there (presumably a hacker) pushing them? I agree with you, they are not secure. That is why I always push for a separate physical network. And I always say that if it should ever be compromised you just blow it away and reconstruct it. In fact, I use the term "Victim Network" to describe an IDS/monitoring network.

john...