<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.2.3" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>
<channel>
	<title>Comments on: Day 11: ITSM Vulnerability Assessment techniques</title>
	<link>http://www.tssci-security.com/archives/2008/03/18/day-11-itsm-vulnerability-assessment-techniques/</link>
	<description>top secret/secure computing information</description>
	<pubDate>Sat, 11 Oct 2008 12:40:07 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.2.3</generator>

	<item>
		<title>By: CG</title>
		<link>http://www.tssci-security.com/archives/2008/03/18/day-11-itsm-vulnerability-assessment-techniques/#comment-5132</link>
		<dc:creator>CG</dc:creator>
		<pubDate>Thu, 20 Mar 2008 01:07:08 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2008/03/18/day-11-itsm-vulnerability-assessment-techniques/#comment-5132</guid>
		<description>"Where there is a will, there is a way."

true that!  good point.</description>
		<content:encoded><![CDATA[<p>&#8220;Where there is a will, there is a way.&#8221;</p>
<p>true that!  good point.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: dre</title>
		<link>http://www.tssci-security.com/archives/2008/03/18/day-11-itsm-vulnerability-assessment-techniques/#comment-5128</link>
		<dc:creator>dre</dc:creator>
		<pubDate>Wed, 19 Mar 2008 21:32:45 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2008/03/18/day-11-itsm-vulnerability-assessment-techniques/#comment-5128</guid>
		<description>@ CG:

Where there is a will, there is a way.

I find configuration parameters such as NFP and DAI to be temporary compensating controls.  They don't make you as secure as doing the right thing, but they do reduce risk if implemented properly.

The primary problem is to implement these solutions properly.  There are so many mistakes that can be made.</description>
		<content:encoded><![CDATA[<p>@ CG:</p>
<p>Where there is a will, there is a way.</p>
<p>I find configuration parameters such as NFP and DAI to be temporary compensating controls.  They don&#8217;t make you as secure as doing the right thing, but they do reduce risk if implemented properly.</p>
<p>The primary problem is to implement these solutions properly.  There are so many mistakes that can be made.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: CG</title>
		<link>http://www.tssci-security.com/archives/2008/03/18/day-11-itsm-vulnerability-assessment-techniques/#comment-5119</link>
		<dc:creator>CG</dc:creator>
		<pubDate>Wed, 19 Mar 2008 14:46:33 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2008/03/18/day-11-itsm-vulnerability-assessment-techniques/#comment-5119</guid>
		<description>first you wrote:

If you happen to be stuck with Cisco, Juniper Networks, or something worse such as Extreme Networks, Foundry Networks, Dell PowerEdge, or D-Link — I suggest moving to Pyramid Linux or Vyatta or something similar. You’ll of course ignore my logic here, so my additional suggestion is to open your manual and start crying. Configuring off-the-shelf routers, switches, and network appliances in order to reduce risk is a losing battle.

then you say:


Much of the information is Cisco-specific (but the concepts apply equally well to any platform). Cisco has recently updated and combined all of these resources to form their Cisco IOS Network Foundation Protection (NFP) program.

and

On the LAN, I think there is something to be said for Cisco’s Dynamic Arp Inspection (DAI), especially when combined with endpoint port-security ...

which one is it?  Also what do you propose when the architecture is already in place?  It's not feasible for most people to rip out all their Cisco gear and replace it. I checked out the Vyatta site, it looks nice but is it ready to replace CORE routers and switches?</description>
		<content:encoded><![CDATA[<p>first you wrote:</p>
<p>If you happen to be stuck with Cisco, Juniper Networks, or something worse such as Extreme Networks, Foundry Networks, Dell PowerEdge, or D-Link — I suggest moving to Pyramid Linux or Vyatta or something similar. You’ll of course ignore my logic here, so my additional suggestion is to open your manual and start crying. Configuring off-the-shelf routers, switches, and network appliances in order to reduce risk is a losing battle.</p>
<p>then you say:</p>
<p>Much of the information is Cisco-specific (but the concepts apply equally well to any platform). Cisco has recently updated and combined all of these resources to form their Cisco IOS Network Foundation Protection (NFP) program.</p>
<p>and</p>
<p>On the LAN, I think there is something to be said for Cisco’s Dynamic Arp Inspection (DAI), especially when combined with endpoint port-security &#8230;</p>
<p>which one is it?  Also what do you propose when the architecture is already in place?  It's not feasible for most people to rip out all their Cisco gear and replace it. I checked out the Vyatta site, it looks nice but is it ready to replace CORE routers and switches?</p>
]]></content:encoded>
	</item>
</channel>
</rss>

