undefined | Better HN

0 pointsdavisr3y ago0 comments

I respectfully disagree. Are you suggesting everyone just rolls over and forgets about making decisions to the best of their ability to ensure security? The switches on the outside of your network do not matter. The traffic doesn't matter.

If you lose trust in your own switching equipment then it's all over. Management network? Compromised. Segmented traffic? Compromised. IPMI/BMC interfaces? Compromised. Anybody else's malformed traffic could breach your defense, and breach the very sanctity of the traffic your network is spitting out. It doesn't matter if your computer encrypts its traffic because a breached switch can just silence it.

A company selling switches/routers/firewalls should _not_ have these liabilities, and as these liabilities are known, nobody should buy Cisco equipment, ever. Buy the equipment that you know is the safest. Don't just give up and roll over!

0 comments

2 comments · 2 top-level

sneak3y ago

> If you lose trust in your own switching equipment then it's all over.

What is all over? The security boundary is when packets leave the machine with private information. VLANs and management networks and whatever aren't it. Proper security assumes an insecure network and uses cryptography for privacy and authentication.

teleforce3y ago

Internet packet switching architecture is an attempt to provide reliable networks over unreliable (low cost) components, and very successful on that.

Similarly, network or cyber security should be able to provide secure networks over insecure (untrusted) components.

j / k navigate · click thread line to collapse