[Full-disclosure] vswitches: physical networks obsolete?
Albert R. Campa
abcampa at gmail.com
Sun Feb 6 19:48:25 GMT 2011
vmware has come out with their vshield virtual firewall product.
Altor/Juniper has had a virtual firewalling product for a while now.
On Sun, Feb 6, 2011 at 11:24 AM, phocean <0x90 at phocean.net> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > phocean said the following on 06/02/11 16:58:
> > > So my worries remain... how do they address this?
> > > You don't mean that we have to wait for the next 0-day for the VMware
> > > claim to be proved false? There are coding vulnerabilities everywhere.
> > We could wait for the next 0day of HP procurve, Cisco Catalyst or Dell
> > PowerConnect firmware as well ;)
> That's exactly why I used to use physical separation and mixed various
> hardware in each area.
> What do you do if your infrastructure rely 100% on VMware code?
> > The history of software bugs so far tells us that, until now, the chance to have
> > a 0day of a firewall is greater than the chance of the 0day of a switch firmware.
> I disagree. Not only you can't compare a switch and an firewall (neither
> in terms of functionality, complexity, exploitation or impact), but L2
> has always been vulnerable by design. Easy to attack, huge impact, game
> > I am not telling that switches are bulletproof, I am only talking about probability.
> Ok but I would like we get back to the point. Thanks for your feedback,
> I took note of it.
> You are just expressing your opinion, as I did. Opinions don't have much
> value, neither mine nor yours.
> I am expecting facts, deep studies or specifications.
> We are talking about major changes in the way we design architectures.
> It is not something to take lightly, relying only on "right until proven
> wrong" or "the editor says it's great".
> Once an architecture has been designed for a company, it is supposed to
> stay there 10 years or even more.
> I want to read more answers here. Maybe there have not been any serious
> research on the topic yet. In that case, I would take the safe side :
> waiting a few more years until the industry has enough experience on the
> technology before deploying any full virtual network.
> - phocean
> > Ciao,
> > luigi
> > - --
> > /
> > +--[Luigi Rosa]--
> > \
> > Any small object that is accidentally dropped will hide under a larger object.
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.10 (GNU/Linux)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> > iEYEARECAAYFAk1O0GkACgkQ3kWu7Tfl6ZTahgCfWVHLy/OD/58XOgN2ovanl/dT
> > LJgAnjtPyYCRujnL/3tzZJ/4K9CcTCF8
> > =xaty
> > -----END PGP SIGNATURE-----
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Full-Disclosure is hosted and sponsored by Secunia.