From owner-freebsd-security Fri Mar 29 12:28:15 2002
Delivered-To: freebsd-security@freebsd.org
Received: from rwcrmhc53.attbi.com (rwcrmhc53.attbi.com [204.127.198.39]) by hub.freebsd.org (Postfix) with ESMTP id 33AFE37B400 for ; Fri, 29 Mar 2002 12:28:10 -0800 (PST)
Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc53.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020329202808.RJDR2928.rwcrmhc53.attbi.com@blossom.cjclark.org>; Fri, 29 Mar 2002 20:28:08 +0000
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g2TKS7p34374; Fri, 29 Mar 2002 12:28:07 -0800 (PST) (envelope-from cjc)
Date: Fri, 29 Mar 2002 12:28:06 -0800
From: "Crist J. Clark"
To: Dmitry Shupilov
Cc: security@FreeBSD.ORG, roam@ringlet.net
Subject: Re: SSH or Telnet?
Message-ID: <20020329122806.V97841@blossom.cjclark.org>
References: <20020328201100.E6672-100000@cactus.fi.uba.ar> <72250498197.20020329133335@ns.tb.by> <20020329143538.B340@straylight.oblivion.bg> <192258005672.20020329153842@ns.tb.by>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <192258005672.20020329153842@ns.tb.by>; from root@ns.tb.by on Fri, Mar 29, 2002 at 03:38:42PM +0200
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Fri, Mar 29, 2002 at 03:38:42PM +0200, Dmitry Shupilov wrote:
> Friday, March 29, 2002, 2:35:38 PM, you wrote:
>
> PP> Other than that, IPSec is a step towards a solution.
>
> If you don't like IPSec you can try VLANs. VLANs are what I use in
> my office to connect to critical hardware (routers, servers etc). But
> this solution is accomplished through the Cisco switches. The new Cisco
> switches support access lists per port (this is not Cisco advertisement :).

Please repeat after me...
1) Switching is not a security feature. Switching is not a security feature. Switching...

2) VLANs are not a security feature. VLANs are not a security feature. VLANs...

Both switching and VLANs were meant to increase _performance._ Switching never was and still is not a good security feature in any manageable sense on any hardware I've seen. Cisco has tried to tack security onto VLAN implementations as an afterthought, but unless things have changed recently, they were just that, not very well implemented afterthoughts.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org