Re: [Full-disclosure] vswitches: physical networks obsolete?

[phocean <0x90@xxxxxxxxxxx>]

> For instance, the switch software isolates the communication betwenn port A, 
> B,
> and C, that is if you send an unicast packet from A to B, C cannot read it. 
> But
> the switching engine is not "hardware", is software, so you could not trust 
> it.

This is the same when you compare physical switches with vswitches in
the SAME zone.
In that case, we have L2 adjacency, wich I agree is almost the same if
managed by software or hardware.

But my point is DMZ, where in the traditional physical network you
usually separate L2 in two zones (with multiple vlans inside each) and
enforce L3 (up to L7) filtering at the boundary. And this with different
hardwares.

In the case of a vswitches architecture, you can still have a firewall
somewhere. However, you have a single L2 area. At the end, you entire
network is as secure as the L2 is, which is a totally different picture
than the classic architecture.
It would look more like (which I don't want):
Internet--|fw|--[vlan/vswitches]

So my worries remain... how do they address this?
You don't mean that we have to wait for the next 0-day for the VMware
claim to be proved false? There are coding vulnerabilities everywhere.

> 
> 
> 
> Ciao,
> luigi
> 
> - -- 
> /
> +--[Luigi Rosa]--
> \
> 
> If you need n items of anything, you will have n-1 in stock.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAk1OvhMACgkQ3kWu7Tfl6ZTkeQCcCYHuMd1v8AIGNJwio2XXrR7S
> TTQAoMrRYFgv5WI26czAoeyTHWB35h+N
> =FUmm
> -----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/