Quoting Lee Sharp <leesharp at hal dash pc dot org>:
>> Question 1: Yes, get yourself a couple of new switches that support
>> VLAN. Let your boss know that he will need to pony up and buy new
>> switches to achieve what he wants. Otherwise all the traffic will be
>> able to be sniffed and you will have no real security, just packets with
>> vlan tags that dont do anything. This is a perfect time for you to get
>> these switches and be able to expand your networking knowledge by being
>> able to play with better hardware at no expense to you. :)
> In most cases, arp poisoning will bust the vlan segmentation, and I
> can still sniff whatever I want. Vlan is a lot of things (easy,
> convenient, quieter) but secure ain't one of them. The best
> security is alwayse physical security.
Thanks Lee for showing that it is not real security, if I said that
then I misspoke. A determined cracker will be able to cause trouble on
any network that they have physical access to.
What VLANs do afford is separation of traffic less noise on the wire
and doesn't show ALL the traffic on the network just the VLAN segment,
and ease of management.
Still, like you say, there are ways to bust a VLAN and see all
traffic but most users don't know how to accomplish this. And if
physical security is not in place then all bets are off and you have
no security at all.