 From:  jonr at destar dot net
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Virtual LAN?
 Date:  Tue, 16 Nov 2010 10:00:04 -0900
Quoting Lee Sharp <leesharp at hal dash pc dot org>:

>> Question 1: Yes, get yourself a couple of new switches that support
>> VLANs. Let your boss know that he will need to pony up and buy new
>> switches to achieve what he wants. Otherwise all the traffic will be
>> able to be sniffed and you will have no real security, just packets with
>> VLAN tags that don't do anything. This is a perfect time for you to get
>> these switches and be able to expand your networking knowledge by being
>> able to play with better hardware at no expense to you. :)
> In most cases, ARP poisoning will bust the VLAN segmentation, and I
> can still sniff whatever I want.  A VLAN is a lot of things (easy,
> convenient, quieter), but secure ain't one of them.  The best
> security is always physical security.
> 			Lee

Thanks, Lee, for showing that it is not real security; if I said that,
then I misspoke. A determined cracker will be able to cause trouble on
any network that they have physical access to.

  What VLANs do afford is separation of traffic, less noise on the wire
(a host doesn't see ALL the traffic on the network, just its VLAN
segment), and ease of management.

  Still, like you say, there are ways to bust a VLAN and see all
traffic, but most users don't know how to accomplish this. And if
physical security is not in place, then all bets are off and you have
no security at all.
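The thread above talks about 802.1Q tags being visible in the clear and about ARP poisoning inside a segment. The following is an added example, not code from the m0n0wall list or from any of the posters: it parses Ethernet II frames, peels the 802.1Q tag, decodes ARP, and flags an IP address that more than one MAC claims in ARP replies on the same VLAN (the basic ARP-poisoning signature). The sample frames are constructed by hand for the demo; the function names, MAC addresses and IP addresses are my own assumptions and do not refer to any real network.

```python
# Added example (not from the mailing-list thread). All frames, MACs and
# IPs below are constructed for the demo.
import struct
from collections import defaultdict
from typing import Optional

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag follows the source MAC
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REPLY = 2


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame and peel one 802.1Q tag if present.

    The tag is four extra bytes in the clear between the source MAC and
    the EtherType, so any host that receives the frame can read both the
    VLAN ID and the payload; the tag itself hides nothing.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF          # low 12 bits of the TCI are the VLAN ID
        offset = 18
    return {"dst": _mac(dst), "src": _mac(src), "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


def parse_arp(payload: bytes) -> Optional[dict]:
    """Decode an Ethernet/IPv4 ARP packet (RFC 826 layout); None if not one."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return {"op": oper,
            "sender_mac": _mac(payload[8:14]),
            "sender_ip": ".".join(map(str, payload[14:18])),
            "target_mac": _mac(payload[18:24]),
            "target_ip": ".".join(map(str, payload[24:28]))}


def build_arp_reply(vid: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Construct a tagged ARP reply frame (used only to build test input)."""
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY)
    arp += _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
    arp += _mac_bytes(target_mac) + _ip_bytes(target_ip)
    tag = struct.pack("!HH", vid & 0x0FFF, ETHERTYPE_ARP)
    return (_mac_bytes(target_mac) + _mac_bytes(sender_mac)
            + struct.pack("!H", ETHERTYPE_VLAN) + tag + arp)


def frames_per_vlan(frames) -> dict:
    """Count frames by VLAN ID, as a sniffer on a shared segment sees them."""
    counts = defaultdict(int)
    for raw in frames:
        counts[parse_frame(raw)["vid"]] += 1
    return dict(counts)


def find_arp_conflicts(frames) -> list:
    """Return (vid, ip, sorted MACs) for IPs claimed by >1 MAC on one VLAN.

    Keyed per VLAN because each VLAN is its own broadcast domain with its
    own ARP neighbours; a second MAC answering for the gateway's IP inside
    a VLAN is the classic poisoning signature.
    """
    claims = defaultdict(set)           # (vid, ip) -> {mac, ...}
    for raw in frames:
        f = parse_frame(raw)
        if f["ethertype"] != ETHERTYPE_ARP:
            continue
        arp = parse_arp(f["payload"])
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        claims[(f["vid"], arp["sender_ip"])].add(arp["sender_mac"])
    return sorted((vid, ip, sorted(macs))
                  for (vid, ip), macs in claims.items() if len(macs) > 1)


# Constructed capture: the real gateway answering on VLAN 10, a second host
# on VLAN 10 claiming the gateway's IP, and an unrelated reply on VLAN 20.
SAMPLE_FRAMES = [
    build_arp_reply(10, "00:11:22:33:44:01", "192.168.10.1",
                    "00:11:22:33:44:aa", "192.168.10.50"),
    build_arp_reply(10, "de:ad:be:ef:00:01", "192.168.10.1",
                    "00:11:22:33:44:aa", "192.168.10.50"),
    build_arp_reply(20, "00:11:22:33:44:02", "192.168.20.1",
                    "00:11:22:33:44:bb", "192.168.20.50"),
]

if __name__ == "__main__":
    print("frames per VLAN:", frames_per_vlan(SAMPLE_FRAMES))
    for vid, ip, macs in find_arp_conflicts(SAMPLE_FRAMES):
        print(f"VLAN {vid}: {ip} claimed by {', '.join(macs)}")
```

On a real capture you would feed raw frames from a pcap or a raw socket into the same two functions; the point of the example is that the tag is parsed from plaintext bytes like any other header field, and that the only thing separating the VLAN 10 and VLAN 20 conversations is the VID the switch chooses to honour.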