It also makes no sense to slam Apple because they 'rely on iPhone and iPad' because the number of phones sold every year totally dwarfs the number of PCs sold every year.
The reason people tout diversification isn't because you cannot be successful without diversifying, it's because you take a big risk by not doing so. If iPhones / iPads ever stop being big, does Apple have a backup plan?
This has turned out to be incorrect in a number of my experiences. I suggest LibreOffice because it doesn't cost $100, and then it turns out their documents used some special callout notation that Word had, or they need a specific function that Excel had (and let's be honest, Google Apps / LibreOffice are missing a TON of functionality in spreadsheets), and they end up needing the Microsoft suite.
Heck, I just finished a term paper in LibreOffice, and while I got it done, it was an exercise in frustration due to the way LibreOffice wanted to do endnotes and page numbering and title pages.
Like with Linux, the problem with Esperanto is that you can only use it with the kind of people who would learn Esperanto.
I kid.
I'm not trying to make this an us vs them thing. It's just absurd to claim that the US is declining into irrelevancy when a lot of the top tech in the world comes from the US... Intel, AMD, nVidia, Google, Microsoft, Apple -- these are all US companies.
Again, this isn't intended to be a knock on anyone, but the reality is that China's home-grown processors are about 4 generations behind what Intel is doing and about 3 behind AMD. "They" seem to "need" US tech, as evidenced by the fact that the Tianhe-2 is built entirely out of US parts and technology.
South Korea is closer to displacing the US as a tech giant than China is, honestly.
Except for the fact that all of the tech inside of it is US-originated, sure.
You don't get to respond to an arrest warrant with "I'll come along, but only if you accept these terms."
You know, when I was new to the industry, I would have thought you were full of crap.
But now I find that sadly plausible.
> Trivial to defeat,
Only if it's UDP, and only if you don't care about return traffic.
Spoofing an IP is really only useful when you are flooding a target and really don't care about bi-directional communication, or if you're punching a hole in a firewall with the help of an intermediary server.
Please, no one who has business needs should use VirtualBox.
There are a lot of free / basically free virtualization products out there suitable for business. Unless VBox has substantially improved in the last year or two, it isn't one of them... unless you like random hangups / VM corruption.
When the tax man comes, the poor are least able to hide (they have no lawyers, no accountants, and they tend to spend close to what they earn, so even if they are being paid in cash under the table, they still show up in sales taxes); but they also have fuck all money to collect.
At least in the US, "the poor" are generally getting far more out of the system, tax wise, than they are putting in.
Isn't suspending habeas corpus legit if martial law has been declared?
Just saying, you may want to strike that off the list.
I have a feeling you aren't understanding what I'm saying or I am communicating badly. I am saying that you cannot pull these threats off on a non-trunk port, and you seem to be saying there are security issues if a user is on a trunk port. I don't consider that to be a "threat" however, since you are just using trunking mechanisms to escape VLANs.
Having users on a trunk port is a misconfiguration. As I keep saying, you HAVE to have the user on a trunk port for this to be a threat, and that is not the default. DTP auto IS a default, but the first thing every Cisco tech learns is that you never never never keep DTP auto turned on; you explicitly make every port either an access port or a trunk port.
Hope that clarifies what I'm saying.
For the OP's question, VLAN security is plenty sufficient, since he will (presumably) not be trunking at all, nor using a router, so none of these attacks are relevant.
Just a bit more info / a helpful "attacks" paper by Cisco.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39061
Note that the two VLAN-specific attacks they mentioned both indicate that they require either explicit trunking or DTP auto.
You seem to be misunderstanding what VLAN1 vs tagging vs trunking are.
On Cisco hardware, VLAN 1 is a security risk because it is the management VLAN; any clients on there can SSH or telnet to your switch (if an IP has been set) and attempt to log in. It does not allow tagged traffic to traverse the switch any differently than on any other VLAN.
I did a bit of research to see what you were referring to with native VLAN tagging, and came across this helpful refresher:
https://learningnetwork.cisco.com/thread/8721
Basically, on trunk ports only, untagged traffic is assumed to be on the native VLAN. The tagging / non-tagging can only occur on a trunk port, and can NOT "span" a VLAN -- even if your PC is set up with trunking software and you are on a trunk port, your traffic will technically "originate" on whatever VLAN you tag / don't tag it as. I suppose if you were MITMing between two trunking switches you could alter the tag, but the IP destination address would then be incorrect for the new VLAN, and would be dropped at the destination.
Without a router (even if it's just a layer 3 switch with "ip route" enabled), there really is not a way for traffic to traverse VLANs. Cisco and most other vendors are pretty clear on this. And as I said regarding tagged traffic on non-trunk ports, that traffic is dropped. Pretty good summary here (references the 802.1Q standard):
https://supportforums.cisco.com/docs/DOC-17237
You'll note that there is an exception for "hybrid links" which I don't have much experience with, but as I recall this requires specifically designating a voice VLAN on the switchport.
As for changing the settings on multiple ports...

```
config t
interface range eth 0/1-24
switchport mode access
switchport access vlan 10
```
Switchports 1-24 are now VLAN 10, and will reject tagged traffic.
You ARE right that there is a little configuration to secure it, but it basically consists of:
* Turning off dynamic trunking (the default)
* Setting VTP to transparent
* Switching your ports off of the native VLAN, OR not assigning an IP to your switch / only allowing console access, OR changing the native VLAN
Those 3 can be done in about 2 minutes, with maybe 5 commands.
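The three items above are easy to check for after the fact. The script below is an added example (not from the thread) that audits a constructed IOS-style running-config for them; it assumes, as the thread does, that a switchport with no explicit `switchport mode` line is left at the DTP default, and that `vtp mode` is `server` when no line is present.

```python
"""Audit an IOS-style running-config for the three VLAN hardening items.

Added example, not code from the thread. SAMPLE_CONFIG is constructed, and
the rules are a simplified model: a port with no 'switchport mode' line is
treated as left at its DTP default (the risk the thread describes), and a
trunk with no 'switchport trunk native vlan' line is on native VLAN 1.
"""
import re

# Constructed sample: one hardened port, one port left at defaults,
# one explicit trunk still on native VLAN 1, VTP still in server mode,
# and a management address on VLAN 1.
SAMPLE_CONFIG = """\
hostname lab-sw1
vtp mode server
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport access vlan 10
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
"""


def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} per 'interface' stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def audit(config):
    """Return a list of (scope, finding) tuples; an empty list means all clear."""
    findings = []
    vtp = re.search(r"^vtp mode (\S+)", config, re.M)
    mode = vtp.group(1) if vtp else "server"  # assumed default when unset
    if mode != "transparent":
        findings.append(("global", f"VTP mode is '{mode}', expected 'transparent'"))
    for name, lines in parse_interfaces(config).items():
        if name.lower() == "vlan1" and any(l.startswith("ip address") for l in lines):
            findings.append((name, "management IP on VLAN 1; move it or restrict access"))
        if not name.lower().startswith(("fast", "gig", "ten", "eth")):
            continue  # only physical switchports get the port checks
        if not any(l.startswith("switchport mode ") for l in lines):
            findings.append((name, "no 'switchport mode'; port is left at DTP default"))
        if "switchport mode trunk" in lines and not any(
            l.startswith("switchport trunk native vlan") for l in lines
        ):
            findings.append((name, "trunk uses native VLAN 1; change the native VLAN"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```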
That sounds a lot like ergotism, which has nothing to do with where you get the wheat / rye from and everything to do with the fungus that has infected your stockpile.
> They are fine for human consumption but some Luddites are worried that their god didn't create the crops
https://yourlogicalfallacyis.com/strawman
There are legitimate concerns with GMO, like, say, the concern mentioned by parent (unexpected mutation, succeeds better in the wild, crowds out other crops, but is less than suitable for human use). The same sort of concerns apply to hybrids (see Africanized Bees), but at least there you can have some degree of confidence that the traits will have existed naturally before; so Africanized bees aren't immune to smoke or Raid. These crops, however, are immune to RoundUp (which I'm gonna guess isn't something that could happen with just hybridizing).
The same sort of concern applies with system patching / updates. Jumping on the "newest" and "best" isn't always a good idea until it's had a long period of testing. Non-GMO stuff generally fits that bill; we know how wheat grows, how it spreads, how to control it, etc. GMO crops can be more of an unknown.
> It doesn't solve anything, just makes the problem go away for a while (if at all).
While GENERALLY true, this is not always true. Sometimes hardware goes crazy; sometimes a crappy-but-necessary driver freaks out. In some cases it really is necessary to simply power down and let everything re-initialize.
For instance, I have known printers with Fiery boxes on the back of them that have problems every so often, and the fix (known by basically anyone familiar with Fiery boxes) is to power cycle them. You can spend hours trying to figure out what went wrong, but the end answer is that Fiery boxes are crappy, and they go on the fritz every so often.
Ditto with crappy PC hardware. You could spend forever trying to troubleshoot that Logitech webcam driver bluescreen, or accept that every 4-5 months you're gonna have a bluescreen "just because".
Right, but at least this "plugin interface" will be maintained by folks with a better security track record than Adobe, and won't be an implementation monoculture.
I didn't say they were as secure as airgap, I said it's the next best thing.
> There are plenty of scenarios in which an attacker can forge VLAN tags or similar,
Only if you did something ridiculously stupid, like set your access ports to allow trunking. If you set your client-facing ports to access, they will drop tagged packets as invalid (which they are, on a non-trunking port).
> hop from one VLAN to another without any restrictions
This is NOT POSSIBLE. The scenario you described involves a trunk port. Tagging traffic, even if you were on a trunk port, would just have traffic on one VLAN; you CANNOT get it to cross from one VLAN to another without a layer-3 device somewhere in the mix; the switches simply will not be able to route it because that's not what they do.
> ...where things like VTP can be exploited,
Generally you either turn VTP off, or you make darn sure it's not on access ports. That certainly isn't a flaw with "VLANs" though, since that's a Cisco proprietary management system for VLANs and nothing inherent in the switching concept.
> It's such that using VLANs to segregate secured and unsecured networks is simply not allowed by PCI-DSS
There's a lot of ridiculous requirements set by PCI-DSS; that's neither here nor there. In a lab scenario, and even in the real world, VLAN is sufficient security for the vast majority of cases.
I've also heard of this thing called "sushi", and "sashimi".
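The ingress and egress rules argued over in this reply (and in the native-VLAN comment earlier in the thread) can be written down as a small model. This is an added example, not code from the thread or from any vendor: it parses a constructed 802.1Q frame, then applies the behaviour the comments describe, namely that an access port drops tagged frames, a trunk maps untagged frames to its native VLAN, and a frame never leaves the VLAN it entered on without a layer-3 device. The voice/hybrid VLAN exception mentioned earlier is deliberately left out.

```python
"""Simplified model of 802.1Q port behaviour as described in the thread.

Added example, not the thread's own code. Frames are constructed byte strings;
the port model is deliberately minimal (single tag, no voice/hybrid VLANs).
"""
import struct
from dataclasses import dataclass, field
from typing import FrozenSet, Optional

TPID_8021Q = 0x8100  # EtherType value that announces a VLAN tag


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]  # None for an untagged frame
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame with an optional single 802.1Q tag."""
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype == TPID_8021Q:
        tci, etype = struct.unpack("!HH", raw[14:18])
        vid = tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID
        return Frame(dst, src, vid, etype, raw[18:])
    return Frame(dst, src, None, etype, raw[14:])


@dataclass
class Port:
    mode: str  # "access" or "trunk"
    access_vlan: int = 1
    native_vlan: int = 1
    allowed: FrozenSet[int] = field(default_factory=lambda: frozenset(range(1, 4095)))


def ingress_vlan(port: Port, frame: Frame) -> Optional[int]:
    """VLAN the frame is placed in on ingress, or None if the port drops it."""
    if port.mode == "access":
        # Tagged frames are invalid on a non-trunking port (per the thread).
        return None if frame.vid is not None else port.access_vlan
    if frame.vid is None:
        return port.native_vlan  # untagged on a trunk belongs to the native VLAN
    return frame.vid if frame.vid in port.allowed else None


def egress_bytes(port: Port, vlan: int, frame: Frame) -> Optional[bytes]:
    """Re-encode a frame leaving 'port' from 'vlan'; None if not permitted."""
    if port.mode == "access":
        if vlan != port.access_vlan:
            return None  # a layer-2 switch never moves a frame between VLANs
        tag = b""
    else:
        if vlan not in port.allowed:
            return None
        tag = b"" if vlan == port.native_vlan else struct.pack("!HH", TPID_8021Q, vlan)
    return frame.dst + frame.src + tag + struct.pack("!H", frame.ethertype) + frame.payload


def build_frame(vid: Optional[int], payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed test frame with locally administered MACs and an IPv4 EtherType."""
    dst, src = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid)
    return dst + src + tag + struct.pack("!H", 0x0800) + payload
```

Running `ingress_vlan(Port("access", access_vlan=10), parse_frame(build_frame(20)))` returns `None`, which is the "tagged traffic on an access port is dropped" claim; the same frame on a trunk lands in VLAN 20 and can only leave on ports that carry VLAN 20.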
Absolutely they are more secure; the "default" is that no traffic can reach any other VLAN in any circumstance, unless you wire two switch ports together (which would be pretty silly, and would also beat layer 3).
To put it another way, adding the firewall / layer 3 routing is a prerequisite to traffic even crossing that VLAN. Adding the firewall doesn't make it more secure, it makes it less secure, because now there is a mechanism that can route traffic between the VLANs. The "best case" would be adding a "deny any-any" rule on the firewall, which would accomplish the exact same thing as not having a layer-3 device there in the first place (except now you have another possible area for misconfiguration).
"The wheel" is a lot more simple and elegant than the "twisty steaming pile" that is the modern processor; that doesn't mean it's the best solution always, or that we should hold back progress for simplicity.
Sometimes newer, better designs are also more complex; and sometimes there isn't an optimal solution that is also "elegant". See 3D acceleration vs monochrome graphics, journaling filesystems, virtualization, VLANs, etc etc etc. All are more complex than their predecessors and harder to learn, but that's OK because the additional capabilities are worth it.
I do not think that one of the problems we have today is that people do not have enough opportunities to be irresponsible.
Actions have consequences. In a perfect world, this girl would have been taught that your behavior/reputation has a way of following you, and would have understood that getting drunk in public has ramifications for that.
I really do not buy that for anyone her age you can say "but they didn't know" or "they're too young to bear any responsibility whatsoever". The kids posting it are jerks and their actions should be punished pretty seriously, but don't pretend that the girl had nothing to do with this.
I think at 14 the girl shares some responsibility. I know it sounds harsh and I'm sorry that she felt the need to take her life, but when you get drunk in public people will see it, and there's a good chance someone will video it. While certainly bullying behavior should be dealt with, the ultimate solution isn't to pretend that getting drunk at a party will have 0 consequences.
No, they do not. Crossing a VLAN requires trunking and routing.
The best / most productive way to think of VLANs is to consider each one a separate switch and a separate subnet (Cisco actually conflates the two terms; in Cisco-world, a subnet == a VLAN); broadcasts will span the VLAN, but will not leave it. If you are using private VLANs, broadcasts will only be heard by community and promiscuous nodes, but not by other isolated nodes.